[sean.dbtrader]

Also, I seem to be having a similar problem on another computer in my network. See my post at http://www.geekstogo...ojan-detected/.

Is there something about my network that is making me susceptible to these viruses?

[Advertisements]

I think Avast boot-time scan is our best weapon. I know it takes a long time but after you ran it, Bitdefender did not see any hidden processes, just some missing files. Run it again and see if it comes up clean this time. Then run Combofix again and post its log.

[RKinner]

I think Avast boot-time scan is our best weapon. I know it takes a long time but after you ran it, Bitdefender did not see any hidden processes, just some missing files. Run it again and see if it comes up clean this time. Then run Combofix again and post its log.

[RKinner]

Zero Access spreads via infected websites. It mostly gets PCs which do not have up to date Java, Adobe Flash or Adobe Reader. You are also running one of the weaker anti-viruses (McAfee). This is a newer version from what we have seen in the past so it may also have a network worm component to it that helps it move to networked PCs. I have PM'd WhiteHat to let him know that you have a second infected PC.

[sean.dbtrader]

When you say to run ComboFix again is there a particular CFScript.txt I should use or just run it without a script?

[sean.dbtrader]

Can i use the avast boot-time scan on the computer in this post (http://www.geekstogo...rojan-detected/)? Do I need to remove McAfee first?

[RKinner]

no script with combofix this time.

[sean.dbtrader]

OK, here are the asw and ComboFix files. Is the computer clean now?

Attached Files

•  aswBoot.txt   48.42KB   123 downloads
•  ComboFix.txt   11.42KB   80 downloads

[RKinner]

Combofix is happy now. No new whack-a-mole files.

Avast shows some junk in the temp files so you may have hit a bad site again since it last ran. Go into IE, Tools, Internet Options, General and click on Delete under Browsing History. On the next page we really only need to have Temporary Internet Files checked. No need to delete the others. Then hit Delete.

It also shows some bad files. Not malware just corrupted. These should be manually removed:
C:\Program Files\TradeStation 8.4 (Build 1693)\Program\Cache\G\GME.cor
C:\Program Files\TradeStation 8.4 (Build 1693)\Program\Cache\J\JBHT.cor
C:\Program Files\TradeStation 8.4 (Build 1693)\Program\Cache\W\WERN.cor
C:\Proj\Windows7\MetaTrader\Paket 5!.rar
C:\Windows\Installer\b401510e.msp

I would then run the boot-time scan again and see if it comes up clean which it should.

Look at the last line in the aswBoot file you just posted. It may give you a hint as to which website caused the problem. Do you remember clicking on such an article? I would avoid that website in the future.

Try the ESET scan now and see if it will work

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.

It appears that some of your TradeStation 8.4 files were compromised so you probably will need to uninstall it and reinstall.


If ESET runs and comes back clean we can clean up:

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

You do not have the latest Java. Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Uninstall Java™ SE Runtime Environment 6

Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash, Acrobat or Reader.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.) Anything by Adobe or Java must be kept up-to-date as these are prime candidates for exploitation by bad websites.

If you use Firefox or Chome (and you should) then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/ tho the free version only works on the first 200 ads per day. Another add-on but somewhat more advanced is NoScript. This keeps a bad website from running Java or JavaScript. The downside is that if you want the website to run a script then you have to tell NoScript that it is OK. This can be a real pain if you have a lot of new websites but if you mainly read the same ones then it's not so bad.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

[sean.dbtrader]

I have both a wireless and ethernet cable router. Are there any guides to configuring these for better security?

Both are Linksys.

Edited by sean.dbtrader, 20 August 2012 - 11:53 AM.

[RKinner]

Main thing with a router is to have something besides the default password. Some people recommend changing the default 192.168.0 or 192.168.1 to something else say 192.168.25 but if you have a good password on the router it shouldn't matter. Your wireless link should use the WPA2 or WPA encryption. WEP is too easy to break these days.

[sean.dbtrader]

ESET did not come back clean. It found the following.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\cute-sleepy-kittens-meowing[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\indqiobtcwdl[1].pdf JS/Exploit.Pdfka.PGF.Gen trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\mplayer_tuguu[1].exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined

Is there anything further I should do?

[RKinner]

If that's all it found then things look pretty good. I would clean the temporary internet files. These are copies of web pages that you have visited.

Open IE, Tools, Internet Options, General then click on Delete. In the next window you can uncheck everything but Temporary Internet Files then Delete.