Tech Support Guy Forums, Virus & Other Malware Removal
Solved: Trojans Detected
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 03:23 PM #31
I'm referring to Windows updates etc. Seems like after every time we reboot, HP Solution Center pops up as well as some sort of Windows Installer. Going to check about keeping AVG from looking to update too. I've been canceling them. Just wondering if that will hose up the online scan while it's running. Going to upgrade to IE8 now, as well as updating the Java. Hopefully be back soon. Also, the hard drive seems like it's running, as if scanning. I checked in Task Manager, and nothing there, but there are a lot of services running. Any way to see why the drive is running? Thanks for your continued patience.

Last edited by patmac; 12-Nov-2009 at 03:28 PM. Reason: Forgot something
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
12-Nov-2009, 04:35 PM #32
If you run into any problems with the Online scan then we'll know. We can try something else if your computer does not let it run to completion.

We had update Tuesday this week though. You might want to update your computer and then run the scan to minimize the possibility of it interfering.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 04:47 PM #33
Just updated IE and Java. Going to just try the online scan now, see what happens. Thanks.
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 04:55 PM #34
Getting message boxes saying: Kaspersky requires an earlier version of Java and 7.0 download and operation requires Java Framework version 1.6 or later. Never get the ability to click on the "Accept" button to continue.
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
12-Nov-2009, 05:01 PM #35
Did you restart after installing/updating Java?
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 08:01 PM #36
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 12, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 12, 2009 19:48:04
Records in database: 3197981
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 125593
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:17:38


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\tdlwsp.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Users\Dixie\Documents\Limewire\Saved\only one cure.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

Selected area has been scanned.
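The scan report above has a fixed shape: a statistics block of "Key: value" lines, then one line per detection of the form "path Infected: threat count". As an added example (not part of the thread, and not Kaspersky's own code), the parser below turns such a report into records, cross-checks the detection lines against the "Infected objects found" counter, and separates detections that are already quarantine artifacts (the ComboFix Qoobox folder, ".vir" extension, as discussed later in this thread) from detections on live files that still need action. The sample text is constructed from the two detection lines on this page; the "Suspicious:" status keyword and the quarantine-path heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied from the report format shown in this thread.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 125593
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:17:38

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\tdlwsp.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Users\Dixie\Documents\Limewire\Saved\only one cure.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

Selected area has been scanned.
"""

# path (may contain spaces) + status keyword + threat name + count.
# "Suspicious" as a status keyword is an assumption, not taken from the page.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# "Key: value" statistics lines; the key never contains a backslash, so a
# Windows path line cannot be mistaken for one.
STAT_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*): (?P<value>.+)$")


@dataclass
class Detection:
    path: str
    status: str
    threat: str
    count: int


def parse_report(text):
    """Return (stats dict, list of Detection) for a report in this format."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            value = m["value"].strip()
            stats[m["key"].strip()] = int(value) if value.isdigit() else value
    return stats, detections


def is_quarantine_artifact(path):
    """Heuristic (assumption): ComboFix quarantine folder or .vir extension."""
    p = path.lower()
    return "\\qoobox\\quarantine\\" in p or p.endswith(".vir")


def triage(detections):
    """Split detections into already-quarantined artifacts and live files."""
    out = {"quarantined": [], "live": []}
    for d in detections:
        out["quarantined" if is_quarantine_artifact(d.path) else "live"].append(d)
    return out


def consistent(stats, detections):
    """True if the summary counters agree with the detection lines parsed."""
    infected = sum(1 for d in detections if d.status == "Infected")
    threats = sum(d.count for d in detections)
    return (stats.get("Infected objects found") == infected
            and stats.get("Threats found") == threats)


if __name__ == "__main__":
    stats, dets = parse_report(SAMPLE_REPORT)
    groups = triage(dets)
    print("counters consistent:", consistent(stats, dets))
    for d in groups["live"]:
        print("needs action:", d.path, d.threat)
    for d in groups["quarantined"]:
        print("already quarantined:", d.path, d.threat)
```

Run as-is it reports the mp3 as the one live file needing action and the Qoobox entry as an artifact, which matches the helper's instructions in the next posts; a mismatch from `consistent()` would mean the report was truncated or the line format differs from what the regex expects.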
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
12-Nov-2009, 08:40 PM #37
Excellent. Please delete this infected file:

C:\Users\Dixie\Documents\Limewire\Saved\only one cure.mp3

How's your computer running?
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 09:42 PM #38
OK, I deleted that file. What about the one in Qoobox? The PC (according to the kid who got all these issues) has been running OK. Are we on the road to recovery?
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
12-Nov-2009, 10:07 PM #39
The one in QooBox will be cleaned up when we uninstall ComboFix.

Let's clean up.

STEP 1

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)

ComboFix /Uninstall


STEP 2

To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTS.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"

STEP 3

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (Programs and Features in Vista and Programs > Uninstall a Program in 7)

All Clean

Congratulations! Your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates


Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

See how to get it HERE
(For Vista and 7 see HERE )

You can also use a tool to update your Hosts file. See HERE and HERE

If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean

Please mark this thread as "Solved" by clicking on the button at the top of this page. Let me know if you need anything else.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
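The HOSTS-file advice in the "All Clean" post above rests on one mechanism: the file is consulted before DNS, so an entry that maps a site's name to the local machine (127.0.0.1) or to the null address (0.0.0.0) "short circuits" the connection. As an added example (not part of the thread and not any listed tool's code), the Python below parses text in HOSTS-file format the way a resolver reads it (comments, blank lines, several names per line, first entry wins, malformed lines ignored), answers whether a given name is short-circuited, and lists entries that point somewhere other than the local machine, which are real redirects worth reviewing by hand. The sample content is constructed; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts, which the example deliberately does not read or modify.

```python
import ipaddress

# Constructed sample in HOSTS-file format; the names are not a real blocklist.
SAMPLE_HOSTS = """\
# Sample HOSTS content (constructed for this example)
127.0.0.1       localhost
0.0.0.0         ads.example-bad.test        # blocked: null address
127.0.0.1       tracker.example-bad.test    www.tracker.example-bad.test
   # indented comment line
192.0.2.10      intranet.example.test       # a genuine redirect, not a block
malformed line without an address
"""


def parse_hosts(text):
    """Map lowercased hostname -> address, mirroring how a resolver reads the file.

    Everything after '#' is a comment, blank lines are skipped, one address may be
    followed by several names, the first entry for a name wins, and a line whose
    first field is not an IP address is ignored rather than treated as an error.
    """
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not an address in the first column
        for name in fields[1:]:
            hosts.setdefault(name.lower(), fields[0])
    return hosts


def lookup(hosts, name):
    """Return the HOSTS address for a name (case-insensitive) or None if absent."""
    return hosts.get(name.lower())


def is_short_circuited(hosts, name):
    """True if the name resolves via HOSTS to loopback or the null address."""
    addr = lookup(hosts, name)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def review_non_local(hosts):
    """Names whose HOSTS entry points somewhere other than the local machine.

    A blocklist-style HOSTS file should contain only loopback/null entries, so
    anything else is a real redirect and deserves a manual look.
    """
    flagged = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-bad.test", "www.tracker.example-bad.test", "example.com"):
        print(f"{name}: blocked={is_short_circuited(table, name)}")
    print("entries to review:", review_non_local(table))
```

The check in `review_non_local` is the mirror image of the blocklist use case: the same file that can stop a connection to a bad site can also send a good name elsewhere, which is why the post notes that tools like WinPatrol lock the default HOSTS file and ask before it is replaced.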
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
12-Nov-2009, 10:18 PM #40
OK, I will mark it solved when I get through the cleanup procedure. Also, I have a few general questions about this whole ordeal, questions to help me understand what happened etc. Can I post those as well before marking solved? Thanks.
P.S. Lights out here.
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
12-Nov-2009, 10:25 PM #41
Yep, I'll answer your questions ^_^

Ask away when you're ready.
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
13-Nov-2009, 03:34 PM #42
Ran the OTS cleanup and uninstalled ComboFix. Here are a few questions if you please. Did it in Notepad, so the format may be a bit wacky.

1- There are now two desktop.ini icons on the desktop, one says Public, the other is the Admin user name. What do we do with those?

2- What do I do with the threats listed in Resident Shield (still turned off)? Most say "infected", a few out of the thousand or so say "moved to vault". Should I take care of them before I turn it back on?

3- Did the AVG resident shield help minimize the damage here? According to our son, the machine was not acting strangely. I know malware can operate without you knowing it.

4- On the family's main PC, I have a Limited User account that is used for internet-facing activities. It is an XP machine. Is there any value in doing the same on our son's Vista machine?

5- What did his computer have? Rootkits? Trojans? Names? How many, just so I can show the kid, and he will see it coming from someone other than one of his parents.

6- I've always been asked to run HijackThis, why not this time?

7- Can I keep MalwareBytes? I use it and AVG on our main PC. I also use ATF Cleaner, should I get that for this machine?

8- I will do all of your suggestions, such as WinPatrol. Is the paid version of WinPatrol worth the money?

9- Is the General Security forum the place to ask more of these types of questions?

10- How do I know what apps and activities will make his computer the most vulnerable? The kids are into Facebook, Farmville, iTouch apps, and even though they claim otherwise, Limewire. I told them Limewire itself isn't illegal, but the file sharing is. They claim they haven't used it since me telling them that. Should we delete all that music? How do I know what to keep and what to delete?

Thanks
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
13-Nov-2009, 06:41 PM #43
Quote:
1- There are now two desktop.ini icons on the desktop, one says Public, the other is the Admin user name. What do we do with those?
Those are called "Hidden Files". Windows will typically hide these from regular users because it doesn't want them deleting them. I needed to reveal them because malware will often use that technique to hide itself.

The OTS cleanup step should have reset that setting. In your case it seems it didn't. Please do the following:

  1. Click on the Start button and in the text field that appears type in "Folder Options" and press Enter
  2. Click on the "View" tab
  3. Make sure "Do not show Hidden Files and Folders" is selected
  4. Place a checkmark next to both "Hide extensions for known file types" and "Hide protected operating system files"
  5. Click on OK to apply the changes and reboot the computer.


Quote:
2- What do I do with the threats listed in Resident Shield (still turned off)? Most say "infected", a few out of the thousand or so say "moved to vault". Should I take care of them before I turn it back on?
You should turn your Resident Shield on and leave it on. You are probably looking at a history of detections and what AVG did for each of them. Since your computer is now clean, AVG should not be finding new things. Turn it back on and run a full system scan. Anything it finds, if it finds anything, will be only inert leftovers of the infections that were on the machine.

Quote:
3- Did the AVG resident shield help minimize the damage here? According to our son, the machine was not acting strangely. I know malware can operate without you knowing it.
Yes it did. AVG did most of the front end work on the machine and was keeping up a strong front. It managed to suppress the active components, which explains why you didn't see any symptoms. It was not having much success with the main infection though, because it only knows how to deal with things in its database. There are many infections that are not in these databases and it, along with most every other popular security program, will not be able to deal with new infections.

Quote:
4- On the family's main PC, I have a Limited User account that is used for internet-facing activities. It is an XP machine. Is there any value in doing the same on our son's Vista machine?
Vista machines have something called User Account Control which does the same thing. Whenever you need to do something like installing programs or making changes to the system you will get a prompt asking you for permission. This in essence is the same thing as having a limited account, only that you have the opportunity to perform administrator activities. This would in theory prevent most infections since they would not have permission to make changes. A lot of people find this feature annoying and will disable it following instructions such as THESE. To re-enable this feature just follow the instructions in Method 4 on that page but place a checkmark in the box that is unchecked in the instructions.

Quote:
5- What did his computer have? Rootkits? Trojans? Names? How many, just so I can show the kid, and he will see it coming from someone other than one of his parents.
This system had a number of serious infections. Every company out there has different names to identify the infections so it really means nothing if I were to give you the specific names. You did have two of the newest RootKits out there though and a couple downloaders. Rootkits will work in the background and people will not normally be able to tell they're there from how the system feels but rather from the symptoms they experience.

One of the rootkits on this system is designed to protect the other infections. It's called Sirefef by some companies and it's designed to disable any program capable of cleaning a system of viruses. The other Rootkit you had is more accurately a Bootkit because it loads itself before Windows does and can control the system that way. What it actually does is still unknown as it's still only a few weeks old but it can be capable of anything from redirecting your search results online to obtaining your passwords and banking information to then send them out into the internet.

The Downloaders do what their name suggests: they download other infections. This is probably how you got the rootkits on your system. The use of Peer to Peer applications is the main reason people get infected with this kind of malware.

Quote:
6- I've always been asked to run HijackThis, why not this time?
I did not ask for a HijackThis report for two reasons:

1. In your first post where you were asking for assistance I noticed two things that are characteristic symptoms of serious infections. I had to take care of those two rootkits before even looking at anything else because they might have fought back if I did.

2. I asked for an OTS report instead which gave me not only everything HijackThis does, but much more. HijackThis is really only used today as a way to identify what is on a system but it is not enough to assess the state of the entire system. In this sense it is an outdated program because Malware has evolved and malware fighters have to evolve their techniques to combat it.

Quote:
7- Can I keep MalwareBytes? I use it and AVG on our main PC. I also use ATF Cleaner, should I get that for this machine?
You can keep MalwareBytes of course. It's turning out to be one of the best Antimalware scanners out there, but it does not perform some of the functions Antivirus programs perform. You will still need to have AVG installed.

You can use third party temporary file cleaners all you want, but you should know that Windows has its own temporary file cleaner as well. Go to Programs > Accessories > System Tools > Clean up to access it.

Quote:
8- I will do all of your suggestions, such as WinPatrol. Is the paid version of WinPatrol worth the money?
The free version of WinPatrol will scan your system every 2 minutes or so where the paid version will keep constant watch over the system. If you like the way it protects you then you should consider paying for the full version. Paying for it doesn't give you much more of a benefit, but if you feel like giving back to the creator then you should.

Quote:
9- Is the General Security forum the place to ask more of these types of questions?
Yes, if you have more of these types of questions you will be able to get replies from more than just one person in the General Security forum. The malware removal forum is designed in such a way so that helpers do not get interrupted when helping someone, which is essential when a malware fighter needs to have a plan of action. This prevents others from interjecting their opinions, but in some cases, as with these types of questions, more opinions on matters are a good thing.

Quote:
10- How do I know what apps and activities will make his computer the most vulnerable? The kids are into Facebook, Farmville, iTouch apps, and even though they claim otherwise, Limewire. I told them Limewire itself isn't illegal, but the file sharing is. They claim they haven't used it since me telling them that. Should we delete all that music? How do I know what to keep and what to delete?
As I said earlier, Peer to Peer applications such as Limewire or those that handle what are called torrents are not only illegal, but are also the main method infections use to spread. Since the general scans came back clean with the exception of that one file we deleted, you can rest assured that the files already on your system are fine, but downloading new ones increases the risks of reinfection.

At the end of my All Clean speech I included three links to "Read further information." Those will explain other things you can do to keep your system clean.



Let me know if you need anything else. Make sure to mark this thread as Solved when you're ready.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
patmac (Senior Member, 615 posts; Join Date: May 2004; Location: Earth; Experience: Beginner)
17-Nov-2009, 12:43 PM #44
OK. You mentioned one of the rootkits we had was more correctly called a bootkit. Did the fact we never rebooted the system, before your help, help our situation at all? Would this be standard procedure when you know you have infections, not booting or restarting if possible? What was it you saw in my first post that told you we had a serious infection? See, I like to know what we did, but I know you folks here just don't have the time to explain everything. Unless I can think of some more questions, I'll be marking this solved after you answer the above. Thanks again.
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
17-Nov-2009, 05:08 PM #45
Quote:
Would this be standard procedure when you know you have infections, not booting or restarting if possible?
A restart only reloads the infection after it has unloaded the previous time the computer was shut down. It doesn't make it more serious or anything similar. The only benefit lies in if your Antivirus managed to disable the active components. A restart would recreate these components but your Antivirus would once again catch it.

Quote:
What was it you saw in my first post that told you we had a serious infection?
I identified them more from experience with these very infections. I was referring to these two entries:

Trojan Agent_r.OT. C:\Windows\System32\tdlwsp.dll
Trojan Generic14.CDAE C:\Windows\System32\cngaudit.dll

The first is a file that is a component of that bootkit I was talking about. If your Antivirus deleted it you would have seen it return the next time you rebooted the machine.

The second is a legitimate Windows file. It is a common loading point for that other rootkit I mentioned. Your antivirus found it to be infected so it needed to either be disinfected or replaced with a backup copy.

If you really want to learn more about this you should consider joining one of the free online training academies. I graduated from GeekU over at GeeksToGo.com but there are others HERE
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.