Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help verifying removal of win32:fakesysdef-0, js:fake-avp-hp, and othe


  • This topic is locked This topic is locked

#1
pblbsyl

pblbsyl

    New Member

  • Member
  • Pip
  • 8 posts
My Windows 7 laptop was infected by the following:
win32:installcore-am [pup]
win32:installcore-ax [pup]
java:downloader-aq [trj]
java:downloader-ar [trj]
java:agent-ave [expl]
java:agent-bau [expl]
java:agent-apt [expl]
java:agent-avp [expl]
java:cte-2011-3544-cn [expl]
java:cve-2012-0507-ks [expl]
java:cve-2011-3544-he[expl]
java:cve-2011-3544-cq[expl]
java:cte-2011-3544-cs [expl]
java:cve-2011-3544-ha [expl]
java:cve-2011-3544-cr [expl]
js: Redirector-JM [trj]
js:fake-av-hp [trj]
js:agent-ke [trj]
win32:fakesysdef-0 [trj]
NtCreateFile – log Error:0xc0000022 {Access Denied}

I have done the following:
1.) Changed all banking, credit card passwords, etc. using another computer.
2.) Ran a boot level scan several times using the free version of Avast!. I chose to move all infected files to the Chest. I now get a clean scan at boot.
3.) I followed the procedures outlined in this forum (ran Malwarebytes, OTL, and aswMBR.exe) and have attached the logs (please let me know if I should cut and paste the logs instead... I have seen both approaches, and apologies if I did the incorrect method).

I would really appreciate any advice on additional steps I should take. Is there any way to know for sure if my laptop is now safe for online banking, etc.? If not, do I just need to wipe the disk and start over? Thank you so much for any advice you can give.

Attached Files


  • 0

Advertisements


#2
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hello pblbsyl and welcome to GeeksToGo :)

My nickname is WhiteHat and I'm going to help you fix your problem.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • Do not put your logs inside <Quote> and/or <Code> *important*
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • Lastly, Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen.
    In light of this be prepared to back up your data. Have means of backing up your data available.

In order to be notified when your topic has been replied to:

Click My Settings at the top of the page. An Option page will open. In the left hand column click Notification Options. On the new page that opens under the Notification Preferences section click Watch every topic I reply to and set the notification type to Immediate Notification

# Step 1 #
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Files
    ipconfig /flushdns /c
    
    :Commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 2 #
Please, Reopen MalwareBytes' Anti-Malware.

  • Go to the tab Updates and click in Download Update. If there's an update, allow MBAM to update its database.
  • Now, click on the tab Verify and select "Perform Full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be
    prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

  • 0

#3
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi whitehat,
Thank you for such a fast response. I am following your instructions now and will update the post with the log files when it is complete.
Thank you.
  • 0

#4
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi WhiteHat,

Here are the logs...

OTL
---

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Paige\Downloads\cmd.bat deleted successfully.
C:\Users\Paige\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Paige
->Temp folder emptied: 153506953 bytes
->Temporary Internet Files folder emptied: 305529186 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 125493232 bytes
->Flash cache emptied: 249167 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 53486 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 558.00 mb


OTL by OldTimer - Version 3.2.56.0 log created on 08122012_142639

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...
[2012/08/12 14:32:22 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5

Registry entries deleted on Reboot...


MBAM
----

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.12.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Paige :: PAIGE-PC [administrator]

Protection: Enabled

8/12/2012 2:37:37 PM
mbam-log-2012-08-12 (14-37-37).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 384046
Time elapsed: 1 hour(s), 12 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks again for your help...
  • 0

#5
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

How is your computer?
  • 0

#6
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,
It seems fine, but do the logs look good to you? (I cut & paste the logs to you a few hours ago). I am not clear how to know if the laptop really is clean enough to use for sensitive data.
Thank you...
  • 0

#7
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Run ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Vista / 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
Please go here then click on: Posted Image

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

  • 0

#8
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am running ESET now. I will cut and paste the log file when completed. Thanks again.
  • 0

#9
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Here are the results of ESET:

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=301b35d6bbff234e9c47158d12b2ab27
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-08-13 03:27:23
# local_time=2012-08-12 11:27:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=768 16777215 100 0 49276347 49276347 0 0
# compatibility_mode=5893 16776573 100 94 0 96365386 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=202744
# found=0
# cleaned=0
# scan_time=7847

Thank you...
  • 0

#10
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Remove OTL:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • (If you use Windows 7/Vista)
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

  • (If you use Windows XP)
  • Go to Start > All Programs > Acessories > System Tools > System Restore.
  • Select the option Create a restore point and click in Next.
  • Type in a name i.e. Clean
  • Select Create

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place??

Keep safe.
  • 0

#11
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi WhiteHat,

Thank you very, very much for your help. Two last questions for you:

1.) I use the firewall that comes with Windows 7. Do you recommend I use another one?

2.) From all of the logs you have seen and the programs that have been run, do you think it is OK to use my laptop for online banking, logging into email, etc.?

Thank you...
  • 0

#12
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts

Do you recommend I use another one?

No. You can use the Windows 7 Firewall without any problem.

OK to use my laptop for online banking, logging into email, etc.?

I didn't see any infection in your logs.

:thumbsup:
  • 0

#13
pblbsyl

pblbsyl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Great! Thank you for all of your help. Hope you have a great day.
  • 0

#14
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP