Last known good config used, malware issues

#121 Render (Trusted Helper, Malware Removal, 4,195 posts)

Looks good. To be sure that everything is OK please proceed with these two final steps:

Step 1

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware.
  • Select the Update tab.
  • Click on Check for Updates button.
  • Click on OK.
  • Select the Scanner tab.
  • Select Perform quick scan, then click on Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Download fresh AVPTool from Here to your desktop

Run the program you have just downloaded to your desktop (it will be randomly named).

We will run a virus scan only
  • On the first tab select all elements down to and including Computer, and then select Start scan (1).
  • Once it has finished select report (2) and post that.


  • Please be patient as this scan could take a long time to complete.
  • Click on Exit to uninstall AVP tool. You may need to restart your computer after that.

When you have completed the above, please post back the following in the order asked for:
  • MBAM log
  • AVP Tool report


#122 arclight (Topic Starter, Member, 176 posts)

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/06/2011 20:38:07
mbam-log-2011-06-23 (20-38-07).txt

Scan type: Quick scan
Objects scanned: 180519
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The AVP scan is clean so far but I have to finish scanning later.

I'll post it when it's done. I just wanted to update since it's been 3 days.


#123 Render (Trusted Helper, Malware Removal, 4,195 posts)

OK. No problem.

#124 arclight (Topic Starter, Member, 176 posts)

Autoscan: completed 5 hours ago (events: 8, objects: 359722, time: 00:17:40)
23/06/2011 21:08:29 Task started
23/06/2011 21:11:27 Task stopped
23/06/2011 22:47:51 Task started
24/06/2011 01:53:27 Processing error C:\WINDOWS\SoftwareDistribution\Download\8ee00d71f39e208a68f66b95ce6c35a908e01233/PE_Patch/hotfixexpress/files/sqlexpr.exe/PE_Patch Read error
24/06/2011 01:53:27 Processing error C:\WINDOWS\SoftwareDistribution\Download\cd018d94d828cf0ce279013468adf077ab104f22/PE_Patch Read error
24/06/2011 01:53:32 Task stopped
24/06/2011 19:32:08 Task started
24/06/2011 19:49:49 Task completed


I stopped and started it once or twice as it took a while to finish.

#125 Render (Trusted Helper, Malware Removal, 4,195 posts)

Hi,

Why are you using Microsoft SQL Server?

#126 arclight (Topic Starter, Member, 176 posts)

I think I installed it for use in a uni project.

I haven't used it though for months, possibly a year or so.

It's not running in the task manager atm.

#127 Render (Trusted Helper, Malware Removal, 4,195 posts)

Your logs show that your system is clean. If you have no further issues with your computer, then please proceed with the housekeeping procedures outlined below.

Removing the tools we used:

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now copy/paste this: ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /Uninstall, it needs to be there.

  • Please follow the prompts to uninstall Combofix.
  • This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

NEXT...

OTL Clean-Up:

  • Reopen OTL on your desktop.
  • Click on the CleanUp button.
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


There are a few things I recommend you to do once your computer is completely clean:

Updates for Windows - One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

How to turn on Automatic Updates for Windows:

Updates for other installed software

A common attack method for hacking attempts and malware installs is to exploit known vulnerabilities in programs that are commonly installed on a person's computer. These vulnerabilities could allow a remote user or malware developer to install malware, keyloggers, and backdoors on to your computer without your knowledge or permission.
Some of the programs that are commonly exploited include Adobe Shockwave, Adobe Reader, Sun Java, Adobe Flash, and even Windows itself. Therefore it is crucial that everyone remain vigilant as to when a security vulnerability is found in our installed programs and to update it when a security update is released. Unfortunately, no one has the time to stay on top of these updates, which can happen frequently.

I highly recommend you install Secunia Personal Software Inspector (PSI), which can be used to scan your computer for known vulnerable programs, provide information on the vulnerability, and provide a location to an update for the vulnerable program. A tutorial on how to use Secunia Personal Software Inspector (PSI) can be found here: Keep Software Updated with Secunia PSI.

Web Browsers - Picking the right internet browser is very important. You need to find one that suits your needs but that is also safe. All browsers listed below are far more secure than Internet Explorer, immune to almost all known browser hijackers, and also have the best built-in pop up blockers.

If you prefer staying with Internet Explorer, I highly recommend you do this:

Make Internet Explorer more secure:
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the options Download signed and unsigned ActiveX controls to Prompt, and Initialize and Script ActiveX controls not marked as safe to Disable.
  • Next click OK, then Apply button and then OK to exit the Internet Properties page.

Tips to protect yourself against malware and reduce the potential for re-infection:

Now after all these steps, your PC will be more secure. However it is important to note that you can still get infected if you are not careful. One of the best security programs you can have is common sense. As malware gets more sophisticated, you need to be more wary. If you do get caught though and the above steps can't help prevent it, we will be here to help you out.

Stay secure and thank you for choosing GeeksToGo.

#128 arclight (Topic Starter, Member, 176 posts)

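The Internet Explorer hardening steps above change three ActiveX settings in the Internet zone through the Inetcpl.cpl dialog. The script below is an added example, not part of this thread, that audits those same settings against the recommended values. It assumes Microsoft's documented zone registry layout (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with values 1001, 1004 and 1201 and the action codes 0 = Enable, 1 = Prompt, 3 = Disable); on a non-Windows machine it falls back to a constructed sample so the comparison logic can still be exercised.

```python
r"""Audit the Internet Explorer 'Internet' zone ActiveX settings that the
post above tells the user to change via Inetcpl.cpl.

Added example, not from the original thread. Registry location and value
names are Microsoft's documented zone settings (assumed, KB182569):
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  1001 = Download signed ActiveX controls
  1004 = Download unsigned ActiveX controls
  1201 = Initialize and script ActiveX controls not marked as safe
Action codes: 0 = Enable, 1 = Prompt, 3 = Disable.
"""

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# What the post recommends for the Internet zone.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}


def audit_zone(values):
    """Compare a {value_name: dword} mapping against RECOMMENDED.

    Returns (value_name, description, current, recommended) tuples for
    every setting that is more permissive than recommended or missing.
    A lower action code is more permissive (Enable < Prompt < Disable).
    """
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        # A missing value means the zone default applies; flag it for review.
        if have is None or have < want:
            findings.append((name, desc, have, want))
    return findings


def read_zone_from_registry():
    """Read the live settings on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it as missing
    return values


def format_findings(findings):
    """Render audit findings as one human-readable line each."""
    lines = []
    for name, desc, have, want in findings:
        cur = "not set" if have is None else ACTION.get(have, str(have))
        lines.append(f"{name} {desc}: {cur} -> should be {ACTION[want]}")
    return lines


# Constructed sample: a machine still at permissive pre-hardening values.
SAMPLE_WEAK = {"1001": ENABLE, "1004": PROMPT, "1201": PROMPT}

if __name__ == "__main__":
    live = read_zone_from_registry()
    values = live if live is not None else SAMPLE_WEAK
    source = "registry" if live is not None else "constructed sample"
    findings = audit_zone(values)
    print(f"Checked {source}: {len(findings)} setting(s) need attention")
    for line in format_findings(findings):
        print("  " + line)
```

Run it on the affected machine after applying the Inetcpl.cpl changes; an empty finding list confirms the three settings are at least as strict as the post asks for. The comparison is on the action code only, so a zone that was reset to a different default level will still be flagged if any of the three values is looser than Prompt/Disable.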
I have one question.

In the AVP log for the manual disinfection, it mentioned possible root-kits/suspicious objects:

C:\WINDOWS\system32\Drivers\sbhr.sys

This also appears in rootkitunhooker as a hook.

It seems to be the driver for Sunbelt CounterSpy, which I haven't used and I assumed was uninstalled.

Should I take any action for this?

#129 Render (Trusted Helper, Malware Removal, 4,195 posts)

It's not a malicious file, but we can remove it. Please follow the steps below:

We need to run an OTL Fix

  • Download OTL to your desktop.
  • Please right click on OTL on your desktop and click on Run as administrator.
  • Under the Custom Scans/Fixes box copy and paste this in:

    :OTL
    SRV - [2007/06/15 15:17:44 | 000,789,232 | ---- | M] (Sunbelt Software) [Disabled | Stopped] -- C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe -- (SBCSSvc)
    DRV - [2007/09/14 19:27:40 | 000,015,544 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sbhr.sys -- (SBHR)

    :Files
    C:\WINDOWS\system32\drivers\sbhr.sys
    C:\Program Files\Sunbelt Software
    ipconfig /flushdns /c

    :Reg

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


#130 arclight (Topic Starter, Member, 176 posts)

All processes killed
========== OTL ==========
Service SBCSSvc stopped successfully!
Service SBCSSvc deleted successfully!
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe moved successfully.
Error: Unable to stop service SBHR!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBHR deleted successfully.
C:\WINDOWS\system32\drivers\sbhr.sys moved successfully.
========== FILES ==========
File\Folder C:\WINDOWS\system32\drivers\sbhr.sys not found.
C:\Program Files\Sunbelt Software\CounterSpy folder moved successfully.
C:\Program Files\Sunbelt Software folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
H:\cmd.bat deleted successfully.
H:\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JMC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 26006110 bytes
->Temporary Internet Files folder emptied: 2479132 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46754348 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 10665 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 72.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: JMC

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.24.0 log created on 07022011_205341

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#131 Render (Trusted Helper, Malware Removal, 4,195 posts)

Hi,

How is your computer running now? Any problems?

#132 arclight (Topic Starter, Member, 176 posts)

I haven't had any issues running the PC the last few days.

I installed a firewall as well, called Comodo, which was recommended to me by a colleague at work.

#133 arclight (Topic Starter, Member, 176 posts)

This isn't really a huge issue, but when Windows loads I get asked to install Stopzilla.

C:\DOCUME~1\user\LOCALS~1\Temp\STOPzilla\

This is the file path. It attempts to install but then can't, then I hit cancel.

I uninstalled Stopzilla and I don't see it in startup in msconfig either.

#134 Render (Trusted Helper, Malware Removal, 4,195 posts)

Hi,

Please download and install Stopzilla then uninstall it.

#135 Render (Trusted Helper, Malware Removal, 4,195 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.