Solve : Randomly got infected?

No idea how it happened. Kaspersky started popping up randomly and I blocked everything. Then I did a scan with it, and it found nothing. Now, I did a scan with superantispyware and it found 4 things: Adware.Tracking Cookie, Adware.Vundo-Variant/J, Trojan.Dropper/MSPrint-Fake, and Trojan.Unclassified/GTS. Hijackthis log attached.

[recovering space - attachment deleted by admin]

I see no infection, but...

Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

I haven't got around to Malwarebytes' yet, I will probably use it today. But just now, Kaspersky found Trojan.Win32.VapSup.fog in C:\System Volume Information\_restore{B779814F-9A1D-491F-919B-18573AAB5004}\RP218\A0091868.exe. I'm assuming I should clear all system restore points after Malwarebytes'?

Follow the steps one at a time... there's a reason they are done in a certain order...

Quote:

I should clear all system restore points after malwarebytes'?

As PATIO said...

Logs attached.

[recovering space - attachment deleted by admin]

1. Print this post out, since you won't have access to it at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
- O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
- *O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
- *O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
- *O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
- *O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
- O4 - Global Startup: 802.11g Wireless Client Utility.lnk = ?

4. Click the Fix checked button.

5. Restart your computer in Safe Mode (keep tapping the F8 key when your computer starts, until the menu appears).

6. Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.

7. Delete the following files/folders (if present):

- ALCMTR.EXE file from C:\Windows

8. Restart in Normal Mode.

9. Post new HijackThis log.

Done. I didn't delete the MSN entry because I use that a lot.
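The O2 and O4 lines in the fix list above follow HijackThis's fixed line layout, so they can be parsed and triaged mechanically before anything is checked for fixing. The following is an added example, not part of the original thread: the function names `parse_entry` and `triage` and the wording of the notes are assumptions made for illustration, and the sample lines are copied from the posts above.

```python
import re

# Entries copied from the fix list in this thread ("- " and "*" markers stripped).
SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: 802.11g Wireless Client Utility.lnk = ?
"""

BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\(?P<sid>[^\\]+))?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$")
STARTUP = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<lnk>.+?) = (?P<target>.+)$")


def parse_entry(line):
    """Return a dict describing one O2/O4 line, or None if it is not recognised."""
    line = line.strip().lstrip("-* ").strip()  # drop the list and "*" markers
    for kind, rx in (("bho", BHO), ("run", RUN), ("startup", STARTUP)):
        m = rx.match(line)
        if m:
            entry = {"kind": kind, **m.groupdict(), "notes": []}
            break
    else:
        return None
    # Triage notes (illustrative wording): they point at entries worth a
    # closer look and are not a verdict that the entry is malicious.
    if kind == "bho" and entry["file"] == "(no file)":
        entry["notes"].append("BHO registered but its file is missing")
    if kind == "run" and "\\" not in entry["cmd"]:
        entry["notes"].append("command has no directory; resolved via search path")
    if kind == "startup" and entry["target"] == "?":
        entry["notes"].append("shortcut target not resolved")
    return entry


def triage(text):
    """Parse every recognisable line of a pasted HijackThis log fragment."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["kind"], e.get("name") or e.get("lnk"), e["notes"])
```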

[recovering space - attachment deleted by admin]

I missed one unnecessary startup:
- *O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
Click "Fix checked".

Other than that...

Your computer is clean

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
  1. Click Start.
  2. Right-click the My Computer icon, and then click Properties.
  3. Click the System Restore tab.
  4. Check "Turn off System Restore".
  5. Click Apply.
  6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
  7. Click OK.
- Windows Vista:
  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side.
  4. Click on Continue on the "User Account Control" window that pops up.
  5. Under the System Protection tab, find Available Disks.
  6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
  7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
  8. Click OK.

3. Restart computer.

4. Turn System Restore on.

5. Download and install the free version of ThreatFire: http://www.threatfire.com/. It'll give you extra protection against malware. It won't interfere with your antivirus program.

6. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

7. Let me know how your computer is doing.

I already have CCleaner, System Restore cleared. The computer is doing well, Kaspersky hasn't popped up.

Very well
