WiredWX Christian Hobby Weather Tools
Re: Malware Spyware (1 of 2 post)
How's your computer working now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the ESET Online Scanner button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.

•Check YES, I accept the Terms of Use
•Click the Start button.
•Accept any security warnings from your browser.
•Check Scan archives
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push List of found threats
•Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the Back button.
•Push Finish
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Malware Spyware (1 of 2 post)
hi Dave,

Running ESET right now. The print spooler is working now so I can print. I reinstalled Adobe Reader last night and was able to open PDF files, but this morning Adobe Reader didn't work again. Why is it that every time you run SUPERAntiSpyware it finds 50-60 adware, removes it, reboots, and it all seems to come back?

Re: Malware Spyware (1 of 2 post)
Why is it that every time you run SUPERAntiSpyware it finds 50-60 adware, removes it, reboots, and it all seems to come back?

I will have to see the log before I answer that.

Re: Malware Spyware (1 of 2 post)
Hi Dave,

here's the esetscan log;

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Dien Truong\Application Data\Sun\Java\Deployment\cache\6.0\12\109c020c-29a18758 a variant of Win32/Kryptik.AEQM trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XEMRDRZ6\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Program Files\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Dien Truong\Application Data\Muvuhi\umtee.exe.vir Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP374\A0300893.exe Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301244.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301245.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301246.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301247.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.LP trojan unable to clean

Re: Malware Spyware (1 of 2 post)
hi Dave,

Everything seems to be working except the Adobe Reader! Thanks.
here's the esetscan log:

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Dien Truong\Application Data\Sun\Java\Deployment\cache\6.0\12\109c020c-29a18758 a variant of Win32/Kryptik.AEQM trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XEMRDRZ6\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Program Files\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Dien Truong\Application Data\Muvuhi\umtee.exe.vir Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP374\A0300893.exe Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301244.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301245.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301246.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301247.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.LP trojan unable to clean

Re: Malware Spyware (1 of 2 post)
And now for the bad news.

C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.LP trojan unable to clean


It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Should you have any questions, please feel free to ask.

Re: Malware Spyware (1 of 2 post)
hi Dave,

thanks for telling me the bad news.

I have an important project to do right now for the next 2 months and need your help to clean this computer as much as possible. Then I will reformat after that. I also understand not to do any financial transactions on this machine. Thanks again.

Re: Malware Spyware (1 of 2 post)
Ok. Please run this and post the log. Run another ESET scan afterwards and post the log.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.

Re: Malware Spyware (1 of 2 post)
hi Dave,

here's the esetscan log:

C:\TDSSKiller_Quarantine\25.04.2012_13.44.32\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\25.04.2012_13.44.32\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
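As an added example, not part of the original thread or of any ESET tool: a small Python triage script over the two ESET Online Scanner logs posted above (the result lines are copied from those posts; the location rules and the assumption that an Olmarik or Rootkit detection name marks the TDL-family rootkit are mine). It separates hits on live files from hits on copies sitting inside a removal tool's quarantine folder or a System Restore point, which is what makes the first scan's only unresolved finding the redbook.sys driver and shows that the second scan, which lists only files inside TDSSKiller's quarantine, contains no live detection at all.

```python
"""Triage ESET Online Scanner result lines: live files vs. inert copies in
quarantine folders and System Restore points (added example, not from the thread)."""
import re
from collections import Counter

# One result line reads "<path> <detection> <type> <action>". Windows paths
# contain spaces but never "/", so the path is matched lazily up to the first
# "Family/Name type" token; the action is one of ESET's fixed phrases.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+\s+\w+)\s+"
    r"(?P<action>cleaned by deleting - quarantined|deleted - quarantined|unable to clean)$"
)

# Assumed location rules: hits inside a removal tool's quarantine or inside a
# restore point are inert copies; browser/Java cache hits are dropped payloads
# rather than persistence; everything else is treated as a live file.
QUARANTINE_DIRS = (r"c:\qoobox\quarantine", r"c:\tdsskiller_quarantine")
RESTORE_MARKER = r"\system volume information\_restore"
CACHE_MARKERS = (r"\temporary internet files", r"\java\deployment\cache")
# Assumption: ESET's "Olmarik" name covers the TDL/TDSS family that TDSSKiller targets.
ROOTKIT_FAMILIES = ("rootkit", "olmarik")


def classify_location(path: str) -> str:
    p = path.lower()
    if p.startswith(QUARANTINE_DIRS):
        return "quarantine copy"
    if RESTORE_MARKER in p:
        return "restore point copy"
    if any(marker in p for marker in CACHE_MARKERS):
        return "cache"
    return "live"


def parse_log(text: str) -> list[dict]:
    """Parse every non-empty line; an unrecognised line is an error, not silently skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        f = m.groupdict()
        f["location"] = classify_location(f["path"])
        f["rootkit"] = any(k in f["threat"].lower() for k in ROOTKIT_FAMILIES)
        # Anything the scanner could not clean, or a rootkit component still on a
        # live path, is what the helper must look at next.
        f["needs_attention"] = f["action"] == "unable to clean" or (
            f["rootkit"] and f["location"] == "live"
        )
        findings.append(f)
    return findings


def summarize(findings: list[dict]) -> Counter:
    return Counter(f["location"] for f in findings)


def live_findings(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["location"] == "live"]


def unresolved(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["needs_attention"]]


# Result lines copied from the two ESET logs posted in the thread.
FIRST_SCAN = r"""
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Dien Truong\Application Data\Sun\Java\Deployment\cache\6.0\12\109c020c-29a18758 a variant of Win32/Kryptik.AEQM trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XEMRDRZ6\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Program Files\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Dien Truong\Application Data\Muvuhi\umtee.exe.vir Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP374\A0300893.exe Win32/Spy.Zbot.AAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301244.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301245.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301246.exe Win32/Adware.1ClickDownload application deleted - quarantined
C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP378\A0301247.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.LP trojan unable to clean
"""

SECOND_SCAN = r"""
C:\TDSSKiller_Quarantine\25.04.2012_13.44.32\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\25.04.2012_13.44.32\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    for name, log in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN)):
        found = parse_log(log)
        print(f"{name}: {dict(summarize(found))}")
        for f in unresolved(found):
            print(f"  NEEDS ATTENTION: {f['path']} ({f['threat']}, {f['action']})")
```

Of the thirteen first-scan hits, five are live files, five are restore-point copies, two are cache drops and one is a ComboFix quarantine copy; only the driver the scanner could not clean is flagged. The second scan reduces to two Olmarik hits on files TDSSKiller had already moved into its quarantine, so nothing live is flagged, which is the basis for the "appears clean" verdict the helper gives next, with the same caveat that a clean scan is not proof.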

Re: Malware Spyware (1 of 2 post)
hi Dave,

btw, the adobe reader is working , thanks.

Re: Malware Spyware (1 of 2 post)
It appears the computer is clean but, as I mentioned in my Rootkit warning, we can never be 100% sure. Anyway, let's do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

************************************************
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
**************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**********************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
**********************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: Malware Spyware (1 of 2 post)
Hi Dave,

I tried running TFC twice and both times it froze up. I left it on all night last night and this morning it was still frozen. Not sure if i should have disabled any of the antivirus or anything.

Re: Malware Spyware (1 of 2 post)
DIENT42 wrote:
Hi Dave,

I tried running TFC twice and both times it froze up. I left it on all night last night and this morning it was still frozen. Not sure if i should have disabled any of the antivirus or anything.


TFC has been misbehaving lately. Just forget about it and do a disk cleanup instead.
