A Virus Squeaked Through My AVG...

[Wheezy]

I was browsing my regular websites when I saw the dreaded two-second flash of Adobe powering up. Then the "Thread Detected" message from AVG popped up. I haven't detected any real problems with my computer (I can still access everything normally, normal loading times, etc.), but I want to clean up the virus before it gets dangerous.

=========================================================

DDS (Ver_09-06-26.01) - NTFSx86
Run by Wheezy at 22:27:00.09 on Thu 07/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2066 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Steam\Steam.exe
C:\DOWNLOADS\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\******\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://minnesota.twins.mlb.com/index.jsp?c_id=min
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\downlo~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {c33dad78-bc65-4546-9016-b27b8e4db416} - c:\windows\system32\nubukagi.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Fraps] c:\downloads\fraps\FRAPS.EXE
mRun: [QuickTime Task] "c:\program files\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [rafuwupagu] Rundll32.exe "c:\windows\system32\defanedi.dll",s
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\betawako.dll
LSA: Notification Packages = scecli c:\windows\system32\betawako.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shelli~1\applic~1\mozilla\firefox\profiles\kuae1v1r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thesporecommunity.com/forums.php
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\plugins\npqtplugin.dll
FF - plugin: c:\program files\plugins\npqtplugin2.dll
FF - plugin: c:\program files\plugins\npqtplugin3.dll
FF - plugin: c:\program files\plugins\npqtplugin4.dll
FF - plugin: c:\program files\plugins\npqtplugin5.dll
FF - plugin: c:\program files\plugins\npqtplugin6.dll
FF - plugin: c:\program files\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-2 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Drivsheer x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-2 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-7-30 56576]

=============== Created Last 30 ================

2009-07-09 02:29 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-22 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-07-09 21:18 50,176 a--sh--- c:\windows\system32\momanala.dll
2009-06-22 20:19 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 20:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 10:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 04:29 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 04:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-01-15 02:49 1,498 a------- c:\program files\Calculator.lnk
2007-06-29 06:25 574,784 ac------ c:\program files\QTPlugin.ocx
2007-06-29 06:25 6,124,864 a------- c:\program files\QuickTimePlayer.exe
2007-06-29 06:25 303,104 ac------ c:\program files\QTUIPanelControl.dll
2007-06-29 06:25 749,568 ac------ c:\program files\QTOControl.dll
2007-06-29 06:25 684,032 ac------ c:\program files\QTOLibrary.dll
2007-06-29 06:25 618,496 ac------ c:\program files\QTInfo.exe
2007-06-29 06:25 8,612 ac------ c:\program files\QuickTime Read Me.htm
2007-06-29 06:24 55,622 ac------ c:\program files\Sample.mov
2007-06-29 06:24 18,663 ac------ c:\program files\Sample.qtif
2007-06-29 06:24 286,720 a------- c:\program files\QTTask.exe
2007-06-29 06:24 483,328 ac------ c:\program files\PictureViewer.exe
2006-10-21 16:54 152 ---shr-- c:\windows\system32\11D43EA203.sys
2009-04-09 21:18 50,176 a--sh--- c:\windows\system32\betawako.dll
2009-04-09 21:18 50,176 a--sh--- c:\windows\system32\defanedi.dll
2006-10-21 16:54 7,520 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-09 21:18 50,176 a--sh--- c:\windows\system32\nubukagi.dll

============= FINISH: 22:27:38.18 ===============

[mas_pogi]

hi.

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

--------------------------------------------------------------------------
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.
  
  AVG 8.5
  Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5 later, please select "Enable Resident Shield" again.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark

[Wheezy]

Hi Mark. My ComboFix log is attached.

[mas_pogi]

hi.

Quote:

ComboFix 09-07-09.08 - ****** 07/10/2009 22:11.13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2114 [GMT -5:00]
Running from: c:\documents and settings\ *****\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Did you edit the log?

Makr

[Wheezy]

Quote:

Originally Posted by mas_pogi

Did you edit the log?

Censoring habit, sorry! Should be fixed now.

[mas_pogi]

hi.

Quote:

Censoring habit, sorry! Should be fixed now.

Some are still in asterisk. Please do not modify any log during the course of our fixes.

Do this one for me,

Goto Click on

Copy and paste this one in the run box

Code:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Copy the content and post it here in your next reply.

Mark

[Wheezy]

Log is attached (too many characters to post in reply).

[mas_pogi]

hi.

Did your run Combofix prior in creating a thread here? You already ran combofix a couple of times. Any reasons why?



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393469-virus-squeaked-through-my-avg.html#post2235081

COLLECT::
C:\WINDOWS\system32\jibelowu.dll
C:\WINDOWS\system32\gupuponi.dll

FCOPY::
c:\windows\$NtUninstallKB895961$\termsrv.dll | c:\windows\system32\termsrv.dll

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.
------------------------------------------------------------------------
These indicate some settings have been changed

These are "Change the way Security Center Alerts Me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001


This means they are turned off. If that's your choice, that's fine, otherwise tick the boxes to turn the notifications back on.
------------------------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

--------------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find the instructions You can find instructions HERE.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

-------------------------------------------------------------------------

How's your computer now?


In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions

Mark

[Wheezy]

Hi Mark,

I have come across a virus or two on this machine before. Through this website I've been instructed by analysts (on this website only) to use ComboFix to heal my infections. I've never used it on my own though, only when/as directed.

From the start of this thread, my computer has been acting normally other than the "Thread Detected" alerts I get from AVG on start-up.

I could not find the file "C:\QooBox\Quarantine\[4]-Submit_date@time.zip" on my computer. In addition, after ComboFix was finished nothing popped up about submitting a file. Please advise!

Attached are the ComboFix log. Below is the ESET Scanner log.

=================================================

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=bbc42eb39892ba479b6730b85f81843c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-12 05:33:39
# local_time=2009-07-12 12:33:39 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 37 83 100 16568790450745
# scanned=113948
# found=10
# cleaned=0
# scan_time=5516
C:\Downloads\Virus Programs 10.18.2007\SmitfraudFix\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\Downloads\Virus Programs 10.18.2007\SmitfraudFix\restart.exe Win32/Shutdown.NAA application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\betawako.dll.vir a variant of Win32/Kryptik.XN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\defanedi.dll.vir a variant of Win32/Kryptik.XN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\momanala.dll.vir a variant of Win32/Kryptik.XN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nubukagi.dll.vir a variant of Win32/Kryptik.XN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\termsrv.dll.vir Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\viyeputu.dll.tmp.vir a variant of Win32/Kryptik.XN trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP118\A0018090.exe Win32/Virut.NBP virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP159\A0025047.dll Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I

[mas_pogi]

hi.

Quote:

I have come across a virus or two on this machine before. Through this website I've been instructed by analysts (on this website only) to use ComboFix to heal my infections. I've never used it on my own though, only when/as directed.

Thanks for letting me know. That would be okay. No worries.

Quote:

From the start of this thread, my computer has been acting normally other than the "Thread Detected" alerts I get from AVG on start-up.

what alert? Could you describe it? a screenshot would be better.

Quote:

I could not find the file "C:\QooBox\Quarantine\[4]-Submit_date@time.zip" on my computer. In addition, after ComboFix was finished nothing popped up about submitting a file. Please advise!

Seems the file I'm suppose to upload is no longer there.

Your ESET scan shows that you had been hit by Virut before. But I think it was cleaned right away and what was left are remnants. They are in your system restore, they don't pose a problem unless we will manually restore to that point. Qoobox is our Tool Qurantine folder.

And for Smithfraudfix, we also use this tool but more intended for analyst for dispatching. Please delete that folder or file,

C:\Downloads\Virus Programs 10.18.2007\SmitfraudFix
--------------------------------------------------------------------------

I want to have another GMER scan just to be in the safe side before we wrap this up. Please have a scan like you did in the first post. Post it here after wards.


In your reply please post back the GMER log and the AVG alert.

Mark

[Wheezy]

Quote:

Originally Posted by mas_pogi

In your reply please post back the GMER log and the AVG alert.

Hi Mark,

I've powered down and booted up my machine a few times, but I never got an AVG alert pop-up to screen cap.

GMER log attached.

[mas_pogi]

hi.

Quote:

I've powered down and booted up my machine a few times, but I never got an AVG alert pop-up to screen cap.

All is well now

Congratulations! You now appear clean!

We Need to Clean Up Our Mess

1. Uninstall ComboFix
   Remove Combofix now that we're done with it.
   • Click on your Start Menu, then Run....
   • Now copy and paste this one in the runbox. Then HIT enter.
     
     
     Code:

     ComboFix /u

     
     
     
   Uninstalling ComboFix will do the following:
   1. Delete ComboFix and its components from your computer.
   2. Delete other tools commonly used during the malware removal process.
   3. Resets clock settings to standard format.
   4. Re-hides file extensions and hidden/system files.
   5. Clears System Restore cache and creates new restore point.
   
   
2. Please also delete the DDS.scr located at your desktop.
   

-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.

1. Install Spyware Blaster and update it regularly
   If you wish, the commercial version provides automatic updating.
   
   
2. Install the MVPs hosts file, and update it regularly
   You can use the HostMan host file manager to do this automaticly if you wish.
   For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
   
   
3. Install an Anti-Spyware program, and update it regularly
   Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
   SUPERAntiSpyware is another good scanner with high detection and removal rates.
   Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
   
   
4. Keep Windows (and your other Microsoft software) up to date!
   I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
   
   Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
   
   
5. Keep your other software up to date as well
   Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
   
   
6. Stay up to date!
   The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark

[Wheezy]

ComboFix has been uninstalled and things seem to be in working order. Thank you so much for your help, Mark!

[mas_pogi]

hi.

It is a pleasure to help you.

Surf safely.

Since the problem appears to be resolved, it will now be archived.


Mark