
Author Topic: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade  (Read 33927 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 489
  • Experience: Familiar
  • OS: Windows 10
We will clean up the tools we have used when we are done.

Go ahead with the kaspersky scan. It won't remove anything but the log will be very helpful.

lectrocrew

    Topic Starter


    Mentor

  • ole dog learning new tricks
  • Thanked: 21
    • Yes
    • Yes
    • My first self-built computer
  • Certifications: List
  • Computer: Specs
  • Experience: Familiar
  • OS: Windows 10
Sorry for the delay. That scan took about an hour. Results below:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, April 21, 2008 4:18:40 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 21/04/2008
 Kaspersky Anti-Virus database records: 719150
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\
   F:\
   L:\

Scan Statistics:
   Total number of scanned objects: 97346
   Number of viruses found: 1
   Number of infected objects: 3
   Number of suspicious objects: 0
   Duration of the scan process: 00:56:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg8\Antispam\scoffset.bin.incr   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\AvgAm\avgam.lck   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\emc\Log\emc.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgam.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log.1   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgfw8u.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgns.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgrs.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgsched.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpriv.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpub.log   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log   Object is locked   skipped
C:\Documents and Settings\Owner\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWDocMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWInfopakMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\D0000000.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\inuse.txt   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\L0000003.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\main.log   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.idx   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
F:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
F:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
L:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp   Object is locked   skipped
L:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
L:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped

Scan process completed.
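A small triage script, added here as an example and not part of the thread, that parses a report in the Kaspersky Online Scanner format above and separates in-use files ("Object is locked") and riskware flags inside known removal-tool folders (the SmitfraudFix Reboot.exe case) from detections that still need a human look. The sample report, the tool-name list and the final "dropper.exe" entry are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample in the Kaspersky Online Scanner report format seen above
# (three-space-separated columns; archive members written as archive.zip/member).
# The final entry is a made-up detection that only exercises the malware path.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM   Object is locked   skipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix\\SmitfraudFix\\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\dropper.exe   Infected: Trojan.Win32.Constructed.a   skipped

Scan process completed.
"""

# Removal tools whose helpers are commonly flagged as riskware (assumed list,
# names taken from the OTMoveIt2 cleanup list posted later in this thread).
KNOWN_TOOL_MARKERS = ("SmitfraudFix", "ComboFix", "VundoFix", "SDFix")
HEADER = "Infected Object Name / Virus Name / Last Action"

Entry = namedtuple("Entry", "path status action kind")


def classify(status):
    if status == "Object is locked":
        return "locked"      # in-use hives/logs/index.dat; not a detection
    if status.startswith("Infected: not-a-virus:"):
        return "riskware"    # risk tool such as RiskTool.Win32.Reboot.f
    if status.startswith("Infected:"):
        return "malware"
    if re.fullmatch(r"\w+: infected - \d+", status):
        return "archive"     # container summary; member lines carry the detail
    return "other"


def parse_report(text):
    """Parse the table that follows the 'Infected Object Name' header."""
    entries, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            in_table = True
            continue
        if not in_table:
            continue
        if not line:
            break            # a blank line ends the table
        cols = re.split(r"\s{3,}", line)
        if len(cols) == 3:   # path, status, action
            entries.append(Entry(cols[0], cols[1], cols[2], classify(cols[1])))
    return entries


def is_expected_tool_hit(path):
    """Riskware found inside a known removal-tool folder or archive is expected."""
    return any(m.lower() in path.lower() for m in KNOWN_TOOL_MARKERS)


def triage(entries):
    """Separate real detections from locked files and expected tool hits."""
    malware = [e.path for e in entries if e.kind == "malware"]
    unexpected = [e.path for e in entries
                  if e.kind == "riskware" and not is_expected_tool_hit(e.path)]
    locked = sum(1 for e in entries if e.kind == "locked")
    return {"malware": malware, "unexpected_riskware": unexpected,
            "locked": locked, "clean": not malware and not unexpected}
```

Run on the log posted above (minus the constructed last line) it reports no malware and no unexpected riskware, which is the "log is clean" conclusion the moderator reaches.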

evilfantasy
The log is clean. I am pretty sure that it was a false positive being given by Noadware.

Let's clear out the programs we've been using to clean up your computer. They are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop (unless you already have it installed).

1. Double click OTMoveIt2.exe to launch it.
   Vista users right click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt2.

Set a New Restore Point to prevent possible reinfection from an old one.
Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

Let me know how things are now.

lectrocrew
Quote
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.

When I click on the 'CleanUp' button I get an error box that says:
"OTMoveIt2
I/O error 1784"
I clicked 'OK' in that box and tried clicking the CleanUp button again and got the same message.
What did I miss?


evilfantasy
Did the list load into the box under the yellow bar?

lectrocrew

evilfantasy
OK, open this attachment and copy then paste the entire list into the window under the yellow bar in OTMoveIt2. Then click the CleanUp button.

[recovering space - attachment deleted by admin]

lectrocrew
Done, but I get the same error message.

lectrocrew
Below is a copy-paste of what's in that box.

[nobackups]
[deleteself]
avenger.zip     <Avenger by Swandog46>
avenger.exe
Avenger
avenger.txt
bfu.zip         <BFU by Merijn>
BFU
combofix.exe    <ComboFix by sUBs>
Combo-Fix.sys
ComboFix
erdnt
QooBox
ComboFix*.txt
catchme         <delete service>
catchme.exe
fdsv.exe
grep.exe
moveex.exe
nircmd.exe
sed.exe
swreg.exe
Swsc.exe
Swxcacls.exe
VFind.exe
WS2Fix.exe
zip.exe
tmp.reg
dss.exe         <Deckard's System Scanner by Deckard>
Deckard
deljob.exe      <Author Unknown>
deljob
logit.txt
FindAWF.exe     <FindAWF by noahdfear>
AWF.txt
fixwareout.exe  <FixWareout by LonnyRJones>
fixwareout
fsbl.exe        <F-Secure BlackLight>
fsbl*.log
gmer.exe        <GMER by Gmer>
gmer.dll
gmer.ini
gmer.log
gmer_uninstall.cmd
gmer.sys
gmer            <delete service>
haxfix.exe      <Haxfix by Markie>
haxfix.txt
killbox.exe     <Killbox by Option^Explicit>
!Killbox
NoLop.exe       <NoLop by ?>
NoLop.txt
NoLopOLD.txt
delete.bat
OTMoveIt.exe    <OTMoveIt by OldTimer>
OTMoveIt2.exe
_OTMoveIt
OTScanIt.exe    <OTScanIt by OldTimer>
OTScanIt
rustbfix.exe    <Rustbfix by Ejvindh>
Rustbfix
sdfix.exe       <SDFix by Andy_Manchesta>
SDFix
Silent Runners.vbs  <by Andrew ARONOFF>
SmitfraudFix.exe <SmitfraudFix by S!Ri>
SmitfraudFix
rapport.txt
SysInsite       <System Insite by Bobbi Flekman>
VundoFix.exe    <VundoFix by Atribune>
VundoFix Backups
vundofix.txt
vundofix.vft
win32delfkil.exe <WinDelfKil by Markie>
_backupD
windelf.txt
winpfind.exe    <WinPfind by OldTimer>
WinPfind
WinPFind3u.exe  <WinPFind3 by OldTimer>
WinPFind3u
WinPFind35u.exe  <WinPFind35 by OldTimer>
WinPFind35u
cleanup.txt

evilfantasy
Strange.

These are the files we are trying to delete with OTMoveIt2. You may have to go in and manually delete them.

C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip

lectrocrew
Ok. I've deleted 1 so far. Give me a few minutes.

lectrocrew
Done, and only because I am trying to be cautious: do I now empty my 'Recycle Bin'?

evilfantasy
Yep, then do the rest of the instructions.

lectrocrew
Quote
Use the Secunia Software Inspector to check for out of date software.

Click Start Now

Check the box next to Enable thorough system inspection.

Click Start

Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

When I clicked the start button in Secunia Software Inspector, it showed a message saying I needed Sun Java from www.java.com for Secunia Software Inspector to run correctly. So I went to java.com, downloaded the latest Java file and verified that I have the latest version, but it looks like Secunia still has a problem with a Java applet issue. Below is the current status:

Detection Statistics:

0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

Running For:
0 minutes, 0 seconds

Errors Detected:
0 Errors Detected
Enable thorough system inspection.
Enable the Secunia Software Inspector to search for software installed in non-default locations.

Beta Test! 10 days left of beta period
Beta test the 2nd generation Secunia NSI, the network aware edition of the Software Inspector. Download NSISetup.exe
Status / Currently Processing:

*There might be problems loading the Java Applet in your browser
-------------------
*I wrapped the last sentence in bold myself.
What now?
BTW, did I mention that I really appreciate your time doing this!!!

evilfantasy
You may need to restart the computer if you just downloaded the Java.