Please help with Trojan.FakeAlert

Please help with Trojan.FakeAlert

Post by AZmike on 9th March 2009, 3:23 am

I have a system that is experiencing a lot of system problems with applications. I am likely the victim of a virus, as teenagers seemed to have downloaded freely on the system. As of this time, no version of web application will work, and a number of applications that start cannot complete their function. I have run MalwareBytes for example and detected some elements that need to be deleted, but when I attempt this it just hangs. The same is true for McAfee Antivirus and SpyBot.

I was able to run HijackThis which could produce a log through completion. Although interesting it also crashed just as the log completed. Attached is the log. Please help as you are able, thank you very much.

Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:43 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Desktop\anti virus\hijackgpthis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\a24600141.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 9500 bytes

AZmike, Novice (Posts: 22, Joined: 2009-02-20, OS: Windows XP)
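The log above is triaged by eye in the replies that follow; the script below does the same two checks mechanically. It is an added example, not code from the thread or from HijackThis. It parses the HJT 2.x line shapes for O2 and O4 entries (assumed from the log, since HJT has no published grammar) and flags (a) BHO registrations whose CLSID resolves to "(no file)" and (b) rundll32 Run entries whose DLL sits under a user profile, noting when the entry lives in the HKUS service-account or .DEFAULT hives, which legitimate software almost never writes to. The sample lines are copied from the log; the heuristics, the Finding class and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's HijackThis log, including
# two benign Run entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\a24600141.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'Default user')
"""

# HijackThis 2.x line shapes (assumed from the log; HJT has no published grammar).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)', re.I)
# A DLL inside a user profile rather than %SystemRoot% or Program Files.
PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\", re.I)
# Run keys of the service accounts and the default profile: legitimate software
# almost never writes there, so a hit here is a strong signal by itself.
SERVICE_HIVES = {"S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "orphan_bho" or "rundll32_profile_dll"
    entry: str   # the HJT line that triggered the finding
    detail: str  # CLSID or DLL path
    reason: str


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        bho = BHO_RE.match(line)
        if bho:
            if bho["path"].lower() == "(no file)":
                findings.append(Finding("orphan_bho", line, bho["clsid"],
                                        "BHO CLSID is registered but its DLL is gone"))
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        dll = RUNDLL_RE.search(run["cmd"])
        if not dll or not PROFILE_RE.search(dll["dll"]):
            continue
        leaf = run["hive"].split("\\")[-1]
        reason = "rundll32 loads a DLL from a user-profile path"
        if leaf in SERVICE_HIVES:
            reason += f"; hive {leaf} is a service/default account"
        findings.append(Finding("rundll32_profile_dll", line, dll["dll"], reason))
    return findings


def dlls_to_remove(findings: list[Finding]) -> set[str]:
    """Distinct DLL paths behind the rundll32 findings (the list to hand to a file mover)."""
    return {f.detail for f in findings if f.kind == "rundll32_profile_dll"}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.detail}\n    {f.reason}")
    print("remove:", *sorted(dlls_to_remove(found)), sep="\n  ")
```

Run against the sample it reports the three orphaned BHOs and the four service-hive rundll32 entries, and reduces the latter to the two distinct DLL paths (LocalService and NetworkService profiles) that later have to be moved off the disk. The orphaned BHOs are not themselves malicious; they are listed because removing a dead CLSID registration is safe and leaves a cleaner log.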

Re: Please help with Trojan.FakeAlert

Post by Belahzur on 9th March 2009, 2:58 pm

Hello.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean. Please see here for instructions on how to disable it:
[You must be registered and logged in to see this link.]

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
    O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
    O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
    O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\a24600141.dll"" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll"" (User 'Default user')


  • Press "Fix Checked"
  • Close Hijack This.

Now let's find this little devil.

  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e C:\report.txt "HKEY_Local_Machine\software\microsoft\windows nt\currentversion\drivers32"
    start notepad C:\report.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator (Posts: 34918, Joined: 2008-08-03, OS: 7 Home Premium x64)

"Look" report

Post by AZmike on 10th March 2009, 12:19 am

Hi,

I had a difficult time turning off some functions as suggested, but I did my best. When I try to get to the Adaware menu, it just hangs on launch. There are many things that appear to hang the system, but luckily, your suggested methods are not some of them. I ran the sequence as you suggested, and the report is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"midi1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"mixer1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"midi2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"wave2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"aux2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"aux1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"mixer2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

It might also be notable that the functions that are turned off during the HijackThis section seem to also disable the windows (file) explorer. So while I was able to get the log done, I had to reboot in order to get the file off the computer. All of the detail I am writing to you now is on a different machine since the infected one does not have internet access currently.

Thanks so much for your help.

Mike

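What the export above shows, as an added example that is not part of the thread and not code from OldTimer's or any other tool: Drivers32 holds the user-mode multimedia driver mappings (wave, midi, mixer, aux, plus the msacm and vidc codecs) that winmm.dll loads into any process that touches the multimedia API. A mapping that points into a user profile therefore turns into a DLL load inside most GUI applications, which fits the hangs described, and it survives removal of the Run entries alone. The script parses the regedit 5.00 export format, flags Drivers32 string values that are neither bare module names nor explicit paths under system32 (the rule is this example's own heuristic; the two legitimate codec entries with full system32 paths are why the rule needs the second clause), and emits a .reg file that either deletes the rogue values ("name"=-) or, as the OTMoveIt fix posted later in the thread does, resets them to wdmaud.drv. The sample export is the posted one trimmed to the relevant entries.

```python
import re

# Constructed sample: the Drivers32 export posted in the thread, trimmed to the
# entries that matter (baseline wdmaud.drv mappings, two legitimate explicit
# system32 paths, the eight rogue mappings, and the RDP subkey).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"midi1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"mixer1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"midi2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"wave2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"aux2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"aux1"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"
"mixer2"="C:\\DOCUME~1\\user\\APPLIC~1\\MACROM~1\\Common\\a24600141.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"""

DRIVERS32 = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<raw>.*)$')
MM_NAME = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.I)      # mappings loaded by winmm
SYSTEM_DIR = re.compile(r"^[a-z]:\\[^\\]+\\system32\\[^\\]+$", re.I)


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse a regedit 5.00 export into {key: {name: value}}; only REG_SZ
    values are kept (dword:/hex: values are not needed for this check)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = REG_VALUE.match(line)
            if m and m["raw"].startswith('"') and m["raw"].endswith('"'):
                keys[current][unescape(m["name"])] = unescape(m["raw"][1:-1])
    return keys


def suspicious_drivers32(keys):
    """Values directly under Drivers32 whose module is neither a bare name
    (resolved from system32) nor an explicit system32 path. Heuristic of this example."""
    out = []
    for key, values in keys.items():
        if not key.lower().endswith("\\drivers32"):
            continue
        for name, value in values.items():
            if "\\" in value and not SYSTEM_DIR.match(value):
                out.append((key, name, value))
    return out


def build_fix_reg(findings, action="delete"):
    """Write a .reg that removes each rogue wave/midi/mixer/aux mapping, or
    (action="reset", what the OTMoveIt fix in the thread did) points it back at
    wdmaud.drv. Rogue values with other names are reported but left for manual review."""
    by_key: dict[str, list[str]] = {}
    for key, name, _ in findings:
        if MM_NAME.match(name):
            by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=-' if action == "delete" else f'"{name}"="wdmaud.drv"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    bad = suspicious_drivers32(parse_reg(SAMPLE_REG))
    for _, name, value in bad:
        print(f"{name:8} -> {value}")
    print(build_fix_reg(bad))
```

Deleting the extra wave1/midi1/... values is the cleaner repair because the baseline wave, midi and mixer entries already map to wdmaud.drv; resetting them to wdmaud.drv, as done later in the thread, is equally effective at stopping the load and is what a tool that can only set values will do. Either way the DLL file itself still has to be moved, and a reboot is needed before processes that already loaded it are clean.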

Re: Please help with Trojan.FakeAlert

Post by Belahzur on 10th March 2009, 12:34 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll
    C:\Documents and Settings\user\Application Data\Macromedia\Common\a24600141.dll

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "wave2"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "mixer2"="wdmaud.drv"


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





OldTimer log

Post by AZmike on 10th March 2009, 1:21 am

Hi,

I was able to execute the script, which seemed to go as expected. I am not sure if you expected a change in machine performance or not. The log from the panel is attached. Thanks again for your help and time.

Mike

========== FILES ==========
LoadLibrary failed for C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll NOT unregistered.
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\a24600141.dll moved successfully.
LoadLibrary failed for C:\Documents and Settings\user\Application Data\Macromedia\Common\a24600141.dll
C:\Documents and Settings\user\Application Data\Macromedia\Common\a24600141.dll NOT unregistered.
C:\Documents and Settings\user\Application Data\Macromedia\Common\a24600141.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"wave1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"midi1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"mixer1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"midi2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"wave2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"aux2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"aux1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"mixer2"|"wdmaud.drv" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03092009_181740


Re: Please help with Trojan.FakeAlert

Post by Belahzur on 10th March 2009, 9:29 am

Hello.
I think there should be some noticeable change because the malicious file is gone.
Let's see what's left.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





DDS

Post by AZmike on 11th March 2009, 1:39 am

Hi,

I am sorry to report that things don't look as positive on this end. We still have several symptoms, and pretty much the system seems the same as it was. No internet browsers (Firefox, Explorer) will run. The system takes about 3 minutes to boot; obviously other processes are spawning that I cannot see. While the same functions will run as before, nothing much new seems to be coming back. The worst part is, DDS will also not run... it just hangs and seems to do nothing. Some other applications are like that too (see the browsers above), but the system is operational.

I took a short time to run MalwareBytes again. It found the same 6 or so errors it did when I started the process. One of them is the subject of this thread, others seem to be part of the root kit. Anyway, this was just something extra to try to see if the system is changing.

I guess we have to try another approach. I hope the information is helpful, but so far not great news. Thanks very much for your assistance.

Regards,

Mike


Re: Please help with Trojan.FakeAlert

Post by Belahzur on 11th March 2009, 1:43 am

Hello.
Just a random question. Will none of the 3 versions of DDS run? Each link contains a different kind of version of DDS, so if one doesn't run, try another.

If not, we have other tools we can try. Only run this if DDS will not run.


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of log.txt (<< will be maximized) and save info.txt (<< will be minimized) for later.





More on DDS

Post by AZmike on 12th March 2009, 7:36 am

Hi,

Thanks for the DDS tip, I was not aware that the downloads were different. I did download and try all 3 versions. The scr and com versions did not spawn a process it seemed; it was as if it tried and just did not do anything. With the virus on the system patience is a virtue (it even takes about 3 mins to boot up). I let them try to "run" this way for 5 mins or more... and rebooted when I did not get a response. The MSDOS version went better, as it did seem to execute with a typical DOS screen and a message about it taking 3 mins or so to complete the scan. I tried this 4 times with the same results. The last 2 times I let it sit for 20 minutes or more. It never failed, or gave another message, or came back with a log / text file. It just seemed to hang there. So I have no output from DDS to show you other than my experience.

I did download RSIT. After the failures above, I tried this, noting that HijackThis was on the desktop so it would not have to "look for it" as its message showed. I know that while the network is connected, no internet traffic currently flows (it seems) so it would not be able to download it. RSIT was tried 2 times with the same results. It starts up with a screen, and I say continue. It comes up with a small window that says "writing header information". This window seems to have a progress bar, although no movement was ever seen in this bar. RSIT also seems to hang up right there, and was allowed to run in this configuration for 15 minutes or more.

In short, the problem I have with a number of applications seems to block the normal operation of these as well. This is a nasty one for sure! Some applications seem to run through completion, others do not start, and others seem to run until a certain point is hit and then hang. I have given you my account of MalwareBytes for example, which can complete a scan but then hangs during the quarantine process of cleanup. So I can see a list of problems to fix, but so far nothing allows me to target them.

I am far from an expert, but I have not tried yet a safe mode approach, nor have I tried a system restore. Given the way it is acting I do not have high hopes for either, but I wanted you to know where I am in the process. Please let me know what you feel a next step might be. I can also capture a screen shot of some of the applications in their paused form if it helps to understand where they hang if I was not clear above.

Thanks,

Mike


Re: Please help with Trojan.FakeAlert

Post by Belahzur on 12th March 2009, 1:36 pm

Hello.
Boot to safe mode, see if DDS will run there as it could be protection programs blocking the script.





DDS in safe mode

Post by AZmike on 13th March 2009, 5:06 am

Hi,

Thanks for the suggestion. In safe mode the computer clearly does not have the "lag" that it does in normal mode. The blocking function seems to be not harmful in this mode. Several functions worked fairly quickly, including boot. This is presently a painful process in normal mode.

I ran the DOS version of DDS, and it worked exactly as expected. Completely different than in normal mode. It produced both log files. The DDS.txt log is pasted below. I am not sure how to include the attach.txt as a link (I am able to put it in a ZIP file as requested). If you want me to paste this, or have an easy method to attach, just let me know.

So not sure what the next step is, but clearly the problem exists with a module that is loaded on boot in normal mode from my perspective. Please let me know.

Thanks,

Mike

DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by user at 21:54:33.04 on Thu 03/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.607 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\user\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - No File
BHO: {3EC8255F-E043-4cae-8B3B-B191550C2A22} - No File
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
dRun: [rundll32.exe] rundll32.exe "c:\documents and settings\localservice\application data\macromedia\common\a24600141.dll""
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\yto3drd5.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-21 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-21 201320]
S1 navigator;navigator;\systemroot\fd.dll --> \systemroot\fd.dll [?]
S2 72F4147A5E50BA80;72F4147A5E50BA80;c:\docume~1\user\locals~1\temp\72f4147a5e50ba80\72F4147A5E50BA80 []
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-8-17 99248]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-21 359248]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-21 144704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-21 38496]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-21 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-21 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-21 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-21 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-21 40488]

=============== Created Last 30 ================

2009-03-02 13:15 364,560 a------- c:\windows\sysguard.exe
2009-03-02 13:15 6,144 a------- c:\windows\fd.dll
2009-02-21 17:09 11,476 a------- c:\windows\system32\Config.MPF
2009-02-21 16:48 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-02-21 16:48 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-02-21 16:48 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-02-21 16:48 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-02-21 16:48 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-02-21 16:48 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-02-21 16:47 --d----- c:\program files\McAfee.com
2009-02-21 16:47 --d----- c:\program files\common files\McAfee
2009-02-21 16:37 --d----- c:\docume~1\user\applic~1\McAfee.com Personal Firewall
2009-02-21 16:33 32,768 a------- c:\windows\system32\instlsp.exe
2009-02-21 16:33 11,264 a------- c:\windows\system32\sporder.dll
2009-02-21 16:33 94,208 -------- c:\windows\system32\mclsp.dll
2009-02-21 16:32 --d----- c:\program files\McAfee
2009-02-21 16:32 --d----- c:\docume~1\alluse~1\applic~1\McAfee.com Personal Firewall
2009-02-21 16:31 --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2009-02-21 15:47 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-21 15:46 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-21 15:45 --d----- c:\program files\Lavasoft
2009-02-21 12:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-21 12:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 10:54 --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-02-21 10:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 10:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 10:54 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 10:54 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 21:14 --d----- C:\_OTMoveIt

==================== Find3M ====================

2009-01-15 11:42 18,240 a---h--- c:\windows\system32\mlfcache.dat
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2007-04-22 13:29 308,304 a------- c:\windows\inf\uiu\recycler\s-1-5-21-761282051-2000171375-326769644-1000\Df2.exe
2006-03-10 22:13 1,581,056 a------- c:\windows\inf\uiu\a1600\MIXER.EXE
2006-03-10 22:12 294,912 a------- c:\windows\inf\uiu\b_15592\atiiiexx.dll
2006-03-10 22:11 2,121,728 a------- c:\windows\inf\uiu\a1200\MicCal.exe
2006-03-10 22:10 1,740,800 a------- c:\windows\inf\uiu\a0400\sisgl.dll
2006-03-10 22:09 344,064 a------- c:\windows\inf\uiu\a0100\igfxsrvc.dll
2006-03-06 15:20 243,712 a------- c:\windows\inf\uiu\yk51x86.sys
2006-03-06 15:19 40,960 a------- c:\windows\inf\uiu\ialmuRUS.dll
2006-03-06 15:18 921,600 a------- c:\windows\inf\uiu\a1900\g200icd.dll
2006-03-06 15:17 172,032 a------- c:\windows\inf\uiu\a0101\nvwrsde.dll
2004-08-03 23:06 544,768 a------- c:\windows\inf\uiu\sysprepxp\setupmgr.exe
2004-08-03 23:06 88,576 a------- c:\windows\inf\uiu\sysprepxp\sysprep.exe
2004-08-03 23:06 88,576 a------- c:\program files\sysprep.exe
2004-08-03 23:06 25,600 a------- c:\windows\inf\uiu\sysprepxp\setupcl.exe
2004-08-03 23:06 25,600 a------- c:\program files\setupcl.exe
2000-08-27 15:07 64,272 a------- c:\windows\inf\uiu\tools\sysprep.exe
1999-10-20 07:18 27,920 a------- c:\windows\inf\uiu\tools\setupcl.exe
1999-07-08 07:02 34,816 a------- c:\windows\inf\uiu\tools\pnpids.exe
2008-09-06 08:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 21:55:18.98 ===============

AZmike
Novice

Posts : 22
Joined : 2009-02-20
OS : Windows XP
Points : 28593
# Likes : 0

Re: Please help with Trojan.FakeAlert

Post by Belahzur on 13th March 2009, 9:28 am

Hello.
Do this next OTMoveIt script in safe mode so it runs without being interfered with.


  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    navigator
    72F4147A5E50BA80

    :files
    c:\windows\fd.dll
    c:\windows\sysguard.exe

    :reg
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1
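Added example, not part of this thread and not code from DDS or OTMoveIt: a small Python triage pass over the two DDS sections quoted above that encodes the tells behind the script in the reply (a service whose binary DDS could not stat, a service running from a temp folder under a random hex name, and a file dropped in the same minute as one already flagged). The sample lines are copied from the log; the regexes, reason strings and the `norm`/`service_findings`/`triage` helpers are my own.

```python
import re
from collections import defaultdict

# Added example, not from the thread: sample lines copied from the DDS log above.
SERVICE_LINES = [
    r"S1 navigator;navigator;\systemroot\fd.dll --> \systemroot\fd.dll [?]",
    r"S2 72F4147A5E50BA80;72F4147A5E50BA80;c:\docume~1\user\locals~1\temp\72f4147a5e50ba80\72F4147A5E50BA80 []",
    r"S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-21 144704]",
]
CREATED_LINES = [
    r"2009-03-02 13:15 364,560 a------- c:\windows\sysguard.exe",
    r"2009-03-02 13:15 6,144 a------- c:\windows\fd.dll",
    r"2009-02-21 16:48 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys",
]

# "<state> <name>;<display>;<path> [<date size>|?|]" and "<date> <time> [<size>] <attrs> <path>"
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$")
CREATED_RE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:[\d,]+\s+)?(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")

def norm(path):  # lower-case and map DDS's \systemroot alias onto c:\windows
    return path.split(" --> ")[-1].lower().replace("\\systemroot\\", "c:\\windows\\")

def service_findings(line):
    """Reasons a DDS service entry deserves a second look ([] if none)."""
    m = SERVICE_RE.match(line)
    if not m: return []
    name, path, info = m.group("name"), norm(m.group("path")), m.group("info")
    reasons = []
    if info in ("", "?"):  # DDS could not stat the binary: missing, hidden or locked
        reasons.append("no file date/size recorded for the service binary")
    if "\\temp\\" in path:
        reasons.append("service binary runs from a temp directory")
    if re.fullmatch(r"[0-9a-f]{16}", name, re.IGNORECASE):
        reasons.append("random-looking 16-hex-digit service name")
    return reasons

def triage(service_lines, created_lines):
    """Map suspicious paths to reasons; link files created in the same minute as a flagged one."""
    findings, by_minute = defaultdict(list), defaultdict(list)
    for line in service_lines:
        if reasons := service_findings(line):
            findings[norm(SERVICE_RE.match(line).group("path"))].extend(reasons)
    for line in created_lines:
        m = CREATED_RE.match(line)
        if m and "d" not in m.group("attrs"):  # skip directory entries
            by_minute[m.group("stamp")].append(norm(m.group("path")))
    for stamp, paths in by_minute.items():
        hits = [p for p in paths if p in findings]
        for p in (p for p in paths if hits and p not in findings):
            findings[p].append(f"created in the same minute ({stamp}) as flagged {hits[0]}")
    return dict(findings)
```

Run against the sample, it flags fd.dll through the orphaned `navigator` service, the temp-folder service by three tells, and sysguard.exe only because it landed in the same minute as fd.dll, which is exactly the set the removal script targets.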

new OT script results

Post by AZmike on 13th March 2009, 2:26 pm

Hi,

Working in safe mode again, and it does seem very smooth. I ran the script in OT as you indicated. No problems with getting it done. The results are attached. Please let me know what the next step is.

Thanks much,

Mike

========== SERVICES/DRIVERS ==========
Service navigator stopped successfully.
Service navigator deleted successfully.
Service 72F4147A5E50BA80 stopped successfully.
Service 72F4147A5E50BA80 deleted successfully.
========== FILES ==========
LoadLibrary failed for c:\windows\fd.dll
c:\windows\fd.dll NOT unregistered.
c:\windows\fd.dll moved successfully.
c:\windows\sysguard.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\rundll32.exe deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_072323


Re: Please help with Trojan.FakeAlert

Post by Belahzur on 13th March 2009, 2:26 pm

Hello.
See if normal mode is okay now, the leftover malware is gone as far as I can see now.


Normal mode working

Post by AZmike on 13th March 2009, 2:52 pm

Hi,

That last pass worked like a charm. In normal mode all of the applications seem to be running. I took a brief time to do some quick scans (MalwareBytes) and it indicates no problems either. The internet browser services are working again too. So everything that I can tell seems to have been restored. I am not sure if you have any more steps, but from my view things look very good! Thanks so much for your help, and have a great day.

Regards,

Mike


Re: Please help with Trojan.FakeAlert

Post by Belahzur on 13th March 2009, 2:58 pm

That should do it. Delete the tools we have used [OTMoveIt and DDS]

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.
