Computer Hope
Software => Computer viruses and spyware => Topic started by: carlrowley1 on February 23, 2010, 11:39:00 PM
-
Hello guys
I had gone to a web-site, looked harmless enough, and got one of them "your computer is infected" and all sorts of warnings.
I managed to click every X on the screen without any of them coming back, and ran a malwarebytes scan, and picked this up.
But is this related to the "your computer is infected" messages i was getting, or is there something else lurking around..
Or basically is this what malwareBytes had just picked up from the site i had just been to..., the messages have gone know
[Saving space, attachment deleted by admin]
-
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
-
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
Hello dragonMaster
Just done a search before i seen your reply
Just checking if necessary to do this, MBAM has changed the value in the registry to (0) so it is not picking this up anymore.
This thread (bottom post)
http://forums.malwarebytes.org/index.php?showtopic=12349
All this indicates is that the ability to make changes to active desktop is disabled and MBAM is attempting to enable it . If you don't want to see this again tell MBAM to ignore the scan result .
I believe this is from one of the developers of MBAM
But i'll carry on with the combofix scan dragonMaster if its needed, no problem.
Here's another thought , why diden't McAfee site advisor pick this up, all the web-sites listed had green ticks on them.
Anyway its only a 30 day free trial, changed it now to avast
-
Please do not post advice unless you are Malware Specialist on this forum. Dave
-
Download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
===
Then do this script:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges]
AWF::
REBOOT::
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i35.tinypic.com/2v3rg44.jpg)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
Download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Hello dragonMaster.
I should have mentioned i have windows 7 64 bit
Yes downloaded from the link, but apparantly it says incompatable OS, this only works on XP and 2000.
Also, as soon as i drag CFScript.txt into comboFix.exe the program will run, but CFScript.txt still shows on the desk top.
-
Oh ok.
Please open Notepad and enter in the following:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges]
Then, click File > Save as...
Save as file.reg to your Desktop.
Choose Save as type... All Files.
Click Save.
Then, exit Notepad.
Double-click on file.reg, and it will finish quickly. Confirm prompts then restart your computer.
Please post a new Malwarebytes log in your next reply.
-
Oh ok.
Please open Notepad and enter in the following:Then, click File > Save as...
Save as file.reg to your Desktop.
Choose Save as type... All Files.
Click Save.
Then, exit Notepad.
Double-click on file.reg, and it will finish quickly. Confirm prompts then restart your computer.
Please post a new Malwarebytes log in your next reply.
Sorry dragonMaster
Is this what i have to copy to note pad
Windows Registry Editor Version 5.00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
I wasen't sure i shoud copy the "windows registry Editor Version 5,00" thats all
-
Yes. Make sure the exact lines in the codebox are copied in to notepad.
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges]
-
OK, drangonMaster here is the new MBAM scan, looks fine
[Saving space, attachment deleted by admin]
-
Good. Any more issues?
-
Good. Any more issues?
No dragonMaster all is fine, computer running nice and smooth.
Just out of interest, don't you use hijackThis any more, even if it is only for an initail scan
-
Sometimes.
Do you want to know how to protect your self in the future? Also, want to clean up the computer?
-
Sometimes.
Do you want to know how to protect your self in the future? Also, want to clean up the computer?
Any advice would be great, here's what i have at present. MBAM , SWB, Avast 5.0 , and Winpatrol.
And i do regular clean ups with, ccleaner
-
To manually create a new Restore Point
- Go to Control Panel and select System and Maintenance
- Select System
- On the left select Advance System Settings and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go back to the System and Maintenance page
- Select Performance Information and Tools
- On the left select Open Disk Cleanup
- Select Files from all users and accept the warning if you get one
- In the drop down box select your main drive i.e. C
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
You are now done
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
==
Download Security Check by screen317 from SpywareInfoforum.org (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or Changelog.fr (http://screen317.changelog.fr/SecurityCheck.exe).- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-
Great Dragon master, bit late now, i'll do this tomorrow and post back...... 8)
Thanks
-
Okey dokey. :)
-
Okey dokey. :)
OK, DragonMaster, here is the checkup log
Results of screen317's Security Check version 0.99.1
Windows 7 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
WinPatrol 2009
SpywareBlaster 4.2
CCleaner
Java(TM) 6 Update 14
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent
WinPatrol winpatrol.exe
system32 AvastSvc.exe -?-
Alwil Software Avast5 AvastUI.exe
``````````````````````````````
DNS Vulnerability Check:
`````````End of Log```````````
Humm, i'll see about the java update now
-
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.
Software recommendations
Firewall- Tallemu Online Armor (http://www.tallemu.com/products-online-armor-free.php): the free version is just as good as the premium. I have linked you to the free version.
- Comodo Firewall (http://www.comodo.com/home/internet-security/firewall.php): the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
- PC Tools Firewall Plus (http://www.pctools.com/firewall/download/): free and excellent firewall.
AntiSpyware- SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
- Spybot - Search & Destroy (http://www.safer-networking.org/en/tutorial/index.html).
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.
Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.
Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
Securing your computer- Windows Updates (http://update.microsoft.com) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- hpHosts file (http://hosts-file.net) replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested:
- Firefox may be downloaded from here: http://www.getfirefox.com (http://www.getfirefox.com)
- Opera is available here: http://www.opera.com/download/ (http://www.opera.com/download/)
See this page (http://www.geekpolice.net/computer-security-f27/preventing-malware-and-being-resistant-to-the-dangers-of-the-internet-t16961.htm) for more info about malware and prevention.
-
Great and thankyou dragonMaster
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future
I am used to the host file in XP, clicking on " hpHosts file" would this just replace the host file automatically in windows 7 and also in vista
-
Go to the download page and grab the Installer for Windows. Download it and install it and it shall do the work for you. :)
-
Go to the download page and grab the Installer for Windows. Download it and install it and it shall do the work for you. :)
Just one more thing dragonMaster, should i set the DNS client to manual, or keep it started (automatic) just a bit confused over this
Only in extreme situations should you disable this service as caching DNS lookups reduces network traffic and makes internet surfing performance faster
-
Leave it to manual. :)
-
Leave it to manual. :)
OK, DragonMaster all done.......Great.. 8)
Another point.
I have a folder on my c:\drive called [ 32788R22FWJFW ] it has other folder's in it [EN_US] [ LICENSE] and [N_] plus lots of sys,dat,cmd. files is this related to " combofix " and is it safe to delete
-
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i582.photobucket.com/albums/ss269/Cat_Byte/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
-
Hello DragonMaster
NO windows carn't find " Combofix " [run] ( Combofix /Uninstall )
I think when it was installed , and when i tryed to run it and got the pop-up dialog saying " incompatible OS " i deleted the file on the desktop, which is probably the reason it won't uninstall...
-
OK. No biggie. Just delete the folders from it.
That includes that numbered folder, the file C:\combofix.txt, and C:\Qoobox
-
OK. No biggie. Just delete the folders from it.
That includes that numbered folder, the file C:\combofix.txt, and C:\Qoobox
OK dragonMaster, i just deleted the whole folder [ 32788R22FWJFW ] those other two folder's are not there, looks fine anyway.... 8)
-
Go to the download page and grab the Installer for Windows. Download it and install it and it shall do the work for you. :)
Sorry DragonMaster, How is this updated or can you just leave it like that
-
You can leave it like that.
It updates from time to time, and you can use the same installer over the current install, if you wish to update.
-
You can leave it like that.
It updates from time to time, and you can use the same installer over the current install, if you wish to update.
Thats great Dragonmaster.... 8)
Just of the subject a bit, i have just been reading an artical about what the (master boot record) is and does.
What protects the master boot record from becoming infected with a virus , would Avast 5.0 stop any virus attacks.
I have paragon backup and recovery, installed on this windows 7 machince, and i have just created a rescue boot disk, but i am still learning how it all works.
But it has an option for correcting the MBR in case you are ever infected with a virus, but the main thing is how can you protect yourself from a virus getting there in the first place......
-
Most Master Boot Record infections are caused by malware infecting your computer. It is a rootkit, which bypasses system security and infects core system files. Then, with that type of administrative access, it can infect your Master Boot Record.
Stay away from cracks, keygens, music downloads, illegal software, etc.
If you would like to learn about malware, and helping people fight it, I would recommend to see this thread: http://www.computerhope.com/forum/index.php/topic,57605.0.html
-
Most Master Boot Record infections are caused by malware infecting your computer. It is a rootkit, which bypasses system security and infects core system files. Then, with that type of administrative access, it can infect your Master Boot Record.
Stay away from cracks, keygens, music downloads, illegal software, etc.
If you would like to learn about malware, and helping people fight it, I would recommend to see this thread: http://www.computerhope.com/forum/index.php/topic,57605.0.html
Thanks DragonMaster jay....
noted that one down, the link seems pritty good... :)
-
Hello there Dragonmaster jay
The ATF cleaner i downloaded, although this is a pritty good tool, i already have ccleaner.
Does ATF cleaner do the same things a ccleaner or does the ATF cleaner have an additional feature, so it might be worth keeping both
-
Occasionally, you can clean a little deeper with ATF, but I use both. Both seem to pick up something, when I run them both at one time.