cleaned pc using an antivirus :)
jmonge
October 1st, 2010, 08:12 AM
Ok, here is the situation: a friend of mine told me his laptop was infected and he couldn't use it, so I told him to bring it over so I could fix it ;)
Tools I used: GMER, SAS, MBAM, Hitman Pro, Dr.Web CureIt, Webroot SpySweeper, ComboFix, Prevx, Comodo Antivirus and Avast Free :)
First, GMER didn't detect anything and the scanner took forever ;D Then Hitman Pro couldn't work properly and was terminated by the malware when scanning ;) MBAM couldn't even open, even if renamed to another name, in safe mode or any mode ;D
Then SAS, after about a minute of scanning, got killed >:( Then Dr.Web CureIt said it found zero viruses :) nice going ;D Then SpySweeper found 1 rootkit, 1 rogue and 2 trojans, but after I hit remove it was terminated and uninstalled by the malware :) This is not a test, it is a real life situation :thumb: :thumb: Then I ran Comodo and it said zero viruses??? Then Prevx, and Prevx says in green ;D system secure, no malware in system ;D Then here comes my only hope, Avast Free ;)
Then I installed Avast, ran a scan and it found 2 trojans and 2 rootkits and sent them to the chest (quarantine). Then I noticed no more redirection, I was able to run all the scanners that got killed, and after a reboot I noticed the speed of the PC was back to normal. It was all good thanks to Avast Free Antivirus :thumb: :thumb: I am very impressed with Avast :thumb:
kjdemuth
October 1st, 2010, 08:23 AM
Yeah, I like Avast a lot. The boot time scan is a wonderful option. The network shield also stops a lot of malware from infecting. I used it with CIS v5 but it didn't detect a lot of exe's. Not really sure why.
Boyfriend
October 1st, 2010, 08:29 AM
Use boot CD like Kaspersky to further check system state.
kjdemuth
October 1st, 2010, 08:38 AM
Yeah, take your pick of any boot CD: Kaspersky, ESET, Avira, Avast. I would be checking ComboFix and then HijackThis. You could also run MBAM and the EAM emergency kit, now that you are able to run programs again.
cheater87
October 1st, 2010, 09:12 AM
For Avast did you do a normal scan or a boot time scan?
CloneRanger
October 1st, 2010, 09:26 AM
@ jmonge
;D
Good job ;)
How would the average person deal with that? They wouldn't :(
What OS, browser and AV did they have? How were they set up?
What are the names of the malware you found?
Are you sure the MBR is OK?
JerryM
October 1st, 2010, 09:54 AM
I am curious as to what AV and other security applications were being used, and if they were up to date.
If Avast found and removed the malware, it would appear to me that the user did not have an up to date AV. Avast is a good one, of course.
I am also surprised that the other applications mentioned did so poorly.
Regards,
Jerry
kasperking
October 1st, 2010, 09:55 AM
@jmonge....... man, what if you had started with Avast...... :P
kjdemuth
October 1st, 2010, 11:37 AM
No matter what AV you use, some will detect one kind and others won't. I've run files through Jotti and VirusTotal and Avira didn't catch something that BitDefender did. I've seen files that only Avira found and only Dr.Web found. That's why a lot of people preach layered defense. No matter what you have, at least one time it's going to miss something. Yes, Avira and Prevx have high detection rates, but it's not 100% and probably never will be. Not unless virus writers give up trying to screw people's systems. Of course if that does happen you might want to look up and see if pigs are flying. ;)
Saraceno
October 1st, 2010, 11:40 AM
I agree Avast is a fantastic product.
But keep in mind, no two situations/PCs/users are the same.
Next time when cleaning, if you use Hitman Pro, use its force breach mode, where you hold the left ctrl key while launching Hitman Pro, and it will terminate all non-essential Windows processes, including rogue programs and malware (Hitman Pro should advertise this on the main screen, so more users are aware of this feature).
kjdemuth
October 1st, 2010, 12:16 PM
Ok, that was the bomb! I just tried it out. It only found some cookies. I didn't know about the force breach mode. That's good stuff. I'll have to remember that for next time. Thanks Saraceno.
icr
October 1st, 2010, 12:52 PM
Good job dude, and one more thing: is that threat still quarantined? If yes, mind if you provide the MD5 :)
Brummelchen
October 1st, 2010, 01:05 PM
@jmonge - you did a lot of work but your effort is worth nuts.
The security hole is still present and that system ain't safe any longer.
► http://technet.microsoft.com/de-de/library/cc512587%28en-us%29.aspx
-{ Quote: "# You can't clean a compromised system by patching it. Patching only removes the
vulnerability. Upon getting into your system, the attacker probably ensured that there
were several other ways to get back in.
# You can't clean a compromised system by removing the back doors. You can never
guarantee that you found all the back doors the attacker put in. The fact that you can't
find any more may only mean you don't know where to look, or that the system is so
compromised that what you are seeing is not actually what is there.
# You can't clean a compromised system by using some 'vulnerability remover'. Let's say
you had a system hit by Blaster. A number of vendors (including Microsoft) published
vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool
is run? I wouldn't. If the system was vulnerable to Blaster, it was also vulnerable to a number
of other attacks. Can you guarantee that none of those have been run against it?
I didn't think so." }-
shadek
October 1st, 2010, 01:15 PM
jmonge, why did you simply not press the ctrl button while starting Hitman Pro? That would shut down ALL non-required services and applications and let Hitman scan with ease without getting shut down.
Kernelwars
October 1st, 2010, 01:26 PM
J :( why did you not try Avira :( :wacko: :wacko:
At least it's good to know Avast removed the crap though :thumb: :thumb: :thumb:
jmonge
October 1st, 2010, 07:38 PM
All is ok now thanks to Avast. I did a normal full scan; it took forever but it did the job, and the program didn't get terminated ;) Also I re-ran all the scanners again and the system remained clean ;) It was XP Pro with IE 7 and they had MBAM Pro real time only ;D
jmonge
October 1st, 2010, 07:46 PM
I did try the force breach in Hitman Pro but it was terminated ;) My friend took the laptop already and I forgot to see the malware names, but the rootkits were sys and driver ;) The system remains stable ;) it is cured :thumb:
jmonge
October 1st, 2010, 07:51 PM
I think that the malware writer knew about the force breach, and instead of the other services being terminated (the malware, for scanning) Hitman Pro was terminated very soon :) All of them failed :thumbd: only Avast remained strong and stable :thumb:
Also I tried in safe mode and the malware still works in safe mode; I used the msconfig tool and disabled all possible services and only loaded diagnostic startup devices and services :) and still the 2 rootkits did their evil work, even without internet :)
The very strange thing was that the browser worked, so I took advantage and installed Avast very fast and scanned :) Also USB was corrupted :)
I was getting ready for a format, but I wanted to try something different and it worked.
Baserk
October 1st, 2010, 07:57 PM
-{ Quote: "@jmonge - you did a lot of work but your effort is worth nuts.
The security hole is still present and that system ain't safe any longer" }-
+1
Why not [suggest<->coerce] your friend to make an OS+programs partition and a separate data partition.
After installing and updating the lot, make an image of the OS+programs partition.
Show him how to restore the image and be done with it. This also guarantees the image. Perhaps write down the steps for future reference.
For average users who use their computer for 'everything' (including banking or other sensitive stuff), it's the easiest, fastest and most solid solution imo.
Next time a friend has a malware infection, you'll only have to remind him how to restore the image.
jmonge
October 1st, 2010, 08:06 PM
I did make an image of his system in case of emergency. I also made some registry tweaks and put the good stuff on it like WinPatrol ;) I didn't do more as my friend wasn't paying me ;D but I wanted to practise my little knowledge ;)
Franklin
October 1st, 2010, 08:09 PM
-{ Quote: "SpySweeper found 1 rootkit 1 rouges and 2 trojans" }-
Did you get a name for the rogue?
jmonge
October 1st, 2010, 08:11 PM
It is a new one; to be honest I forgot its name, but it is the first time I saw this one :)
Saraceno
October 1st, 2010, 08:29 PM
Avast should have its detection name in its logs.
jmonge
October 1st, 2010, 08:37 PM
My friend took the PC already ;D Man, Avast nailed the malware like a piece of cake 8)
Kernelwars
October 1st, 2010, 09:06 PM
-{ Quote: "My friend took the PC already ;D Man, Avast nailed the malware like a piece of cake 8)" }-
::) ::) ::) ::) ::) ::)
Brummelchen
October 2nd, 2010, 08:31 AM
+1
Nothing to comment on such dumb action.
Someone here attacked me asking why I am so rough with my comments...
THIS example is one of my reasons.
(Don't let laymen do pro work.)
jmonge
October 2nd, 2010, 09:21 AM
I don't consider myself a pro, but I learned how to fix computers myself and I am even learning the hardware part also ;D
jmonge
October 2nd, 2010, 09:56 AM
CloneRanger, they tried to fix it and that's when my cell phone rang ;D asking for help ;D He is my friend so no problem, but it took me like 5 hours to fix it :thumb: I was going to do a format, but I wanted to see which antivirus is capable of fixing it and Avast was my surprise ;) :thumb:
Note: the good part was that it refused to get terminated, as this malware almost killed them all before scanning :) Avast remained strong and stable.
wat0114
October 2nd, 2010, 11:01 AM
-{ Quote: "+1
Why not [suggest<->coerce] your friend to make an OS+programs and a separate data partition.
After installing and updating the lot, make an image of the OS+programs partition.
Show him how to restore the image and be done with it. This also guarantees the image. Perhaps write down the steps for future reference.
For average users who use their computer for 'everything' (including banking or other sensitive stuff), it's the easiest, fastest and most solid solution imo.
Next time a friend has a malware infection, you'll only have to remind him how to restore the image." }-
The best :thumb:
Brummelchen
October 2nd, 2010, 02:26 PM
5 hours!?
~ Personal Comment Removed ~
It won't take me 2 hours - assuming all needed software is present on some media.
1. take an image/backup
2. clean up partition/format
3. install from scratch
4. install needed software
5. make system more secure
6. recover data from image
(6a. delete infected image)
conclusion
- system is secure again
- no loss of important files
jmonge - you have to learn a lot!
(including the EDIT option in this forum...)
PS I have had separate partitions for OS and data for 15 years.
Conclusion from my first and only virus, with Win98.
jmonge
October 2nd, 2010, 04:32 PM
Yes, I have to learn a lot, yes ;D but at least I made a heart happy :)
and got free coffee and stuff :)
Kernelwars
October 2nd, 2010, 06:05 PM
-{ Quote: "Yes, I have to learn a lot, yes ;D but at least I made a heart happy :)
and got free coffee and stuff :)" }-
God Bless You
jmonge
October 2nd, 2010, 06:07 PM
Thanks ;) :)
Note: I forgot to mention that I also tried UnHackMe and it failed also :)
Kernelwars
October 2nd, 2010, 06:25 PM
-{ Quote: "Thanks ;) :)
Note: I forgot to mention that I also tried UnHackMe and it failed also :)" }- ;D ;D ;D ;D ;D ;D ;D Did you try Avira? The red umbrella :thumb: :thumb: :thumb:
JerryM
October 2nd, 2010, 06:52 PM
["@jmonge - you did a lot of work but your effort is worth nuts.
The security hole is still present and that system ain't safe any longer."]
I don't believe that, but time will tell. If it were mine I would trust it, and not go through all the procedures that the MS folks said were necessary.
I do know of a fair number of folks who have been infected and cleaned their systems with such programs as the OP used. After months all are running well. I can imagine that a system infected by several "infections" over a period of time might require reformatting, but to get a rogue or virus and go through all that is not necessary, or a lot of systems are still infected but give no indications.
Regards,
Jerry
jmonge
October 2nd, 2010, 07:20 PM
Like you said, time will tell ;D So far so good :thumb: almost one week already ;D
I will keep you all updated.
Franklin
October 2nd, 2010, 07:22 PM
-{ Quote: "Yes, I have to learn a lot, yes ;D but at least I made a heart happy :)
and got free coffee and stuff :)" }-
Good onya jmonge. :thumb:
jmonge
October 2nd, 2010, 07:24 PM
Thanks buddy ;) ;D I feel I am learning more and more each day :thumb: thanks to my Wilders friends :thumb:
CloneRanger
October 2nd, 2010, 07:27 PM
Brummelchen didn't give bad advice :thumb: But I have to say, even though a complete wipe & reinstall of everything sounds quicker, it depends on how many programs, files etc. they had. Many people don't have a backup, so reinstalling the OS plus ALL the apps & ALL that other stuff & configuring ALL the settings/options/preferences in EVERYTHING could take days! I know, I've done it :o
Speaking from personal experience, I have been able to clean other people's comps more times than I can remember the long way too :D The problem is, or could be, that lately the malware is a lot more intrusive/nasty and can appear to have gone, but hasn't totally :(
Anyway jmonge, it was nice of you to offer to help and do what you did :thumb: Plus, as you say, it's another real test learning experience. Well, you didn't actually say that, otherwise I would have had to "Originally Posted by jmonge" ;D But that's what you meant ;)
jmonge
October 2nd, 2010, 07:33 PM
The thing is that they didn't want to lose the files and photos they have there that they love so much ;D When I told them they would lose all of these photos they looked at me like, you know, if they had a shotgun they would probably use it on me ;D And I wanted to learn and prove that a format is not the only way :) My friend's bacon was saved by Avast Free ;)
moontan
October 2nd, 2010, 07:54 PM
-{ Quote: "The thing is that they didn't want to lose the files and photos they have there that they love so much ;D When I told them they would lose all of these photos they looked at me like, you know, if they had a shotgun they would probably use it on me ;D And I wanted to learn and prove that a format is not the only way :) My friend's bacon was saved by Avast Free ;)" }-
i hope you told them to back up their stuff.
next time they might not be so lucky.
jmonge
October 2nd, 2010, 07:56 PM
Man, I did, but I think they don't care :) I did tweak the registry a little bit so that the browser is not allowed to introduce malware any more :)
This:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
then find line 1806, right click on it and modify its value to 3 instead of 1
:)
moontan
October 2nd, 2010, 08:13 PM
-{ Quote: "Man, I did, but I think they don't care :) I did tweak the registry a little bit so that the browser is not allowed to introduce malware any more :)
This:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
then find line 1806, right click on it and modify its value to 3 instead of 1
:)" }-
next time might be a hard drive failure instead of a virus.
if it's not backed up, it's as good as gone/lost. 8)
jmonge
October 2nd, 2010, 08:21 PM
yes;)
Kernelwars
October 2nd, 2010, 08:27 PM
-{ Quote: "Man, I did, but I think they don't care :) I did tweak the registry a little bit so that the browser is not allowed to introduce malware any more :)
This:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
then find line 1806, right click on it and modify its value to 3 instead of 1
:)" }-
:thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :thumb:
bryanjoe
October 2nd, 2010, 08:35 PM
-{ Quote: "+1
nothing to comment on such dumb action.
someone here attacked me why i am so rough with my comments...
THIS example is one of my reasons.
(dont let laymen do pro work)" }-
You are so arrogant....
Can't you just advise people....
bryanjoe
October 2nd, 2010, 08:36 PM
-{ Quote: "
PS i have since 15 years separated partitions for OS and data.
conclusion of my first and one and only virus with win98" }-
so what?
bryanjoe
October 2nd, 2010, 08:37 PM
If you want to share, please share.... that is what this forum is for,
and don't be too proud.
CloneRanger
October 2nd, 2010, 08:42 PM
@ Kernelwars
I have regedit open and waiting at line 1806, but what exactly will the change from 1 - 3 do ?
Kernelwars
October 2nd, 2010, 08:47 PM
-{ Quote: "@ Kernelwars
I have regedit open and waiting at line 1806, but what exactly will the change from 1 - 3 do ?" }-
1 is for intranet and 3 for internet::) ::) ::) ::)
Searching_ _ _
October 2nd, 2010, 08:49 PM
-{ Quote: "@jmonge.......man what if you would have started with avast......:P" }-
Then jmonge would've made a post like:
"Man Avast is really cool. 8) It find 2 troj an 2 rootkit my frien pc. I really like that Avast, how about you." ;D
He would've had 2 or 3 replies and less opportunities to use emoticons :o;D:P ;) and then it would drop off the 1st page. >:(
Just sayin' :peace: :P
-{ Quote: " 2 hours - assuming all needed software is present on any media.
3. install from scratch
4. install needed software
5. make system more secure
" }-
Sully and Kees will help to cut down on that time a lot with their Safe-Admin. ;)
The time it takes to wipe and reinstall + 3 minutes.
Franklin
October 2nd, 2010, 08:52 PM
-{ Quote: "@ Kernelwars
I have regedit open and waiting at line 1806, but what exactly will the change from 1 - 3 do ?" }-
I think Kees was playing around with that key where if the value is changed to 1 then only a meta file is downloaded instead of the exe. Not really sure on that though?
Tarnak
October 2nd, 2010, 08:55 PM
jmonge...I commend you, even though another has mocked. You are learning and helping at the same time. :thumb: So, the time taken is inconsequential.
But, it looks like this well known maxim comes into play "no good deed goes unpunished" > http://www.phrases.org.uk/bulletin_board/27/messages/317.html
Brummelchen
October 2nd, 2010, 09:03 PM
1806 enables/disables the question about downloaded files from unsecure zones opening in secure zones
► http://forums.mozillazine.org/viewtopic.php?f=23&t=645496&st=0&sk=t&sd=a&start=90
HTH
@bryanjoe
I can afford that point for me - many people rely on my opinion - I don't miss
one in a hundred. Posting his action here doesn't earn only congrats.
btw - still haven't found the EDIT button too? ::)
@Tarnak - nothing against his personal experience.
At first sight it seems ok, but digging deeper there is no gold to claim.
In a few cases cleaning is the only option - but not here, as it seems.
And if his friend doesn't change behaviour the next crash is coming for sure.
PS "Sully and Kees" are who?
3 minutes is the time here to recover from an image ;)
bryanjoe
October 2nd, 2010, 09:07 PM
-{ Quote: "
@bryanjoe
I can afford that point for me - many people rely on my opinion - I don't miss
one in a hundred. Posting his action here doesn't earn only congrats.
btw - still haven't found the EDIT button too? ::)
" }-
Oh please....
If you ain't here to share, please refrain from posting non-relevant remarks.
......
Since we are not gonna benefit from it either...
ps.... I never rely on your opinion....
CloneRanger
October 2nd, 2010, 09:13 PM
-{ Quote: "Originally Posted by Kernelwars
1 is for intranet and 3 for internet" }-
But what does the change do ?
-{ Quote: "Originally Posted by Franklin
I think Kees was playing around with that key where if the value is changed to 1 then only a meta file is downloaded instead of the exe. Not really sure on that though?" }-
Thanks, but Kernelwars is saying the opposite 1 - 3 ?
Found this - http://support.microsoft.com/kb/182569 - 1806 Miscellaneous: Launching applications and unsafe files - but doesn't mention the reg entry numbers etc.
@ Brummelchen
Just seen your post :thumb: From the link
-{ Quote: "changing the 1806 value from 1 (prompt) to 3 (disable)" }-
Now we know ;) I prefer 1 = prompt actually, still safe if only allow known/wanted stuff :thumb:
Brummelchen
October 2nd, 2010, 09:13 PM
Sharing WHAT?
I already wrote a solution - if you don't read, don't bother me again.
And - this topic is only about cleaning up - not about preventing.
He didn't ask for that - and the computer is already gone.
It's not my fault if jmonge doesn't ask before he acts.
@cloneranger - due to Firefox regarding the rules of trusted zones I have 1806 set to 0 (null).
That dword is a relic for me coming from Windows XP with IE6, which doesn't offer
that setting (it comes with IE7). I stored a reg file with that setting in my tweak
folder and it's valid on Win7. HTH
Kernelwars
October 2nd, 2010, 09:31 PM
-{ Quote: "But what does the change do ?
Thanks, but Kernelwars is saying the opposite 1 - 3 ?
Found this - http://support.microsoft.com/kb/182569 - 1806 Miscellaneous: Launching applications and unsafe files - but doesn't mention the reg entry numbers etc.
@ Brummelchen
Just seen your post :thumb: From the link
Now we know ;) I prefer 1 = prompt actually, still safe if only allow known/wanted stuff :thumb:" }-
You of course want to change zones :o If you want to access the intranet sites zone then value 1, and for the Internet sites zone value 3.. but as you are saying 1=prompt I think you are talking about the interface value, in that case 65536 is admin approved & 3 is disabled :o :o
wat0114
October 2nd, 2010, 10:36 PM
Brummelchen offers sound advice, for sure, but under the circumstances with little experience under his belt and the infected pc not having a backup image on hand, jmonge did a good job. In the end his friend was happy with a working pc. It might be worth finding out how the pc became infected in the first place and maybe advise on and develop a security strategy to prevent it from happening again. Some nice resources worth reading here from Blue (http://www.wilderssecurity.com/showthread.php?p=1538690#post1538690).
jmonge
October 2nd, 2010, 11:22 PM
CloneRanger, the default value is 1 and by changing it to 3 all files will be access denied from the browser (IE=Microsoft)
jmonge
October 2nd, 2010, 11:34 PM
I have this line 1806 with its value 3 with IE6 and it works just fine ;) So it works to block all drive-by attacks; I tested this alone against them and remained safe, but if I have it changed to 1 it is not safe, as it will not prompt when injecting without one's knowledge, so CloneRanger I will prefer to change its value to 3 ;) :thumb: very safe
Note: I am currently testing this with malware without any antivirus, just WinPatrol Plus, and for about 2 weeks already I haven't gotten infected :thumb: I am doing this for the sake of testing and to see if it works, and it does :thumb:
Franklin
October 3rd, 2010, 12:28 AM
Didn't have the 1806 line here in Win 7, so I added it with a value of 3 then stopped/started explorer.
Starting with a fresh sandboxed FF I tried to download 3 malwares and CCleaner, but all four were auto-cancelled with only four zero-byte files showing that can be manually recovered from the sandbox.
I think Kees referred to these as meta data or something similar?
[attachments 222319 and 222320]
jmonge
October 3rd, 2010, 12:32 AM
Zero bytes is a good sign man :thumb: So it works for Firefox too???
jmonge
October 3rd, 2010, 12:32 AM
I wonder if it works with Chrome???
Brummelchen
October 3rd, 2010, 05:19 AM
Chrome does not regard trusted zones like Firefox does. Simple as that.
Jav
October 3rd, 2010, 05:31 AM
-{ Quote: "Zero bytes is a good sign man :thumb: So it works for Firefox too???" }-
From a usability point of view, it means you can't download anything with Firefox?
Franklin
October 3rd, 2010, 06:08 AM
-{ Quote: "From a usability point of view, it means you can't download anything with Firefox?" }-
If you merge the reg files below, all you have to do is restart IE or FF to implement them. No need to stop/start explorer like I did earlier.
No exe downloads:
-{ Quote: "Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003
" }-
Allowed exe downloads:
-{ Quote: "Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000001
" }-
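An added example, not code from the thread or from any of the posters: a PowerShell script that audits the 1806 value ("Launching applications and unsafe files") in every Internet Explorer security zone, in both the per-user hive the thread's regedit steps touch and the machine hive, and can set the Internet zone (3) to the 1 (prompt) or 3 (disable) values Franklin's .reg files use. It assumes Windows PowerShell on a machine where the Zones keys exist; the zone numbers and value meanings are the ones discussed in this thread and in KB182569.

```powershell
# Added example (not from the thread): audit and set URL action 1806 per IE zone.
# Assumes Windows PowerShell; zone numbers and value meanings as discussed above.
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Meanings    = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Admin approved' }
$ZonesSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-Zone1806 {
    # Read 1806 from the per-user hive (what the regedit tweak in this thread changes)
    # and from the machine hive, so a setting living "elsewhere" is visible too.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($zone in 0..4) {
            $path = "${hive}:\$ZonesSubKey\$zone"
            if (-not (Test-Path -Path $path)) { continue }
            $raw = (Get-ItemProperty -Path $path -Name '1806' -ErrorAction SilentlyContinue).'1806'
            $meaning = if ($null -eq $raw) { 'not set (IE default applies)' }
                       elseif ($Meanings.ContainsKey([int]$raw)) { $Meanings[[int]$raw] }
                       else { 'unknown value' }
            [pscustomobject]@{
                Hive    = $hive
                Zone    = $zone
                Name    = $ZoneNames[$zone]
                Value   = $raw
                Meaning = $meaning
            }
        }
    }
}

function Set-InternetZone1806 {
    # Write the Internet zone (3) value under HKCU, the same change as the two
    # .reg files above: 3 blocks executable downloads, 1 restores the prompt.
    param([Parameter(Mandatory)][ValidateSet(1, 3)][int]$Value)
    $path = "HKCU:\$ZonesSubKey\3"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name '1806' -Value $Value -Type DWord
    # Return the row just written so the caller can confirm the change took effect.
    Get-Zone1806 | Where-Object { $_.Hive -eq 'HKCU' -and $_.Zone -eq 3 }
}

# Show the current state of every zone before changing anything.
Get-Zone1806 | Format-Table -AutoSize
```

Run `Set-InternetZone1806 -Value 3` to apply the blocking setting and `Set-InternetZone1806 -Value 1` to go back to the prompt; as noted in the thread, browsers that ignore IE zones (Chrome, per Brummelchen) are unaffected by this key.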
Jav
October 3rd, 2010, 06:34 AM
I see, Thank you :)
jmonge
October 3rd, 2010, 07:48 AM
Very handy dandy ;)
@wat0114 thanks for the advice, and I think it was by going to the dark side, as always, you know what I mean ;D
CloneRanger
October 3rd, 2010, 09:40 AM
RE - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword = ?
I'm confused now ;D
That entry is still unchanged at 1 on my comp as I've left it alone, due to:
With both IE6 & FF v3 I have always set both up to prompt me before a DL, and it always works = :thumb: So I guess the registry settings for those selected options must be elsewhere, and it would "appear" to me that these override the discussed Zones\3?
Franklin
October 3rd, 2010, 10:10 AM
Yep CloneRanger, you or I and probably all Wilders folks have most things sorted, but for a normal user that block-exe-downloads reg setting could be of help.
Such as the fake scan site below, which tries to trick the user into downloading/executing the fake Microsoft Security Essentials alert.
-{ Quote: "Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000001" }-
[attachment 222331]
-{ Quote: "Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003" }-
[attachment 222332]
DasFox
October 3rd, 2010, 08:05 PM
jmonge, when you first start messing with an infected box, boot into safe mode and check msconfig and kill whatever looks wrong or odd running at startup, check Add/Remove Programs and use as many apps as possible in Safe Mode, then try booting to the desktop and life will be much simpler.
Also, I always run Malwarebytes and SuperAntiSpyware first, typically in quick mode, just to gain back some system ability, then I go for full modes...
P.S. After looking at your first post and all those apps you ran and you still had problems: back up the data and just REFORMAT the box and be done with it! ;) Sometimes it's better just to reinstall the darn thing rather than mucking about forever trying to clean it. Trust me, I've been there already, and you've got to know from the beginning when it's better not to try and save it. ;)
jmonge
October 3rd, 2010, 09:03 PM
i did that buddy;)
wat0114
October 3rd, 2010, 09:36 PM
-{ Quote: "
P.S. After looking at your first post and all those apps you ran and you still had problems, backup data and just REFORMAT the box and be done with it! ;) " }-
Although I don't like the idea of cleaning a highly infected system (in my case if it were to happen to me I'd restore a recent image) and reformatting or better yet wiping will guarantee removal of the malware, how long does it take to do this, including all drivers, patches, software and user settings? A long time, like at least 1/2 a day, so it's not the best or most efficient way, and probably could be considered a "lamer's" way of doing things, although someone with little experience could be forgiven for going that route. Anyone who continues, however, in allowing their rig to get infected without learning from previous ordeals by applying preventative measures such as updated antivirus, sandboxing, limited account use, anti-executable...etc, nor (and just as importantly) quick recovery measures such as image/restore applications, and of course safe surfing/downloading habits is obviously content on relying on the less efficient or effective cleansing or reformatting approaches instead.
DasFox
October 4th, 2010, 02:38 AM
-{ Quote: "Although I don't like the idea of cleaning a highly infected system (in my case if it were to happen to me I'd restore a recent image) and reformatting or better yet wiping will guarantee removal of the malware, how long does it take to do this, including all drivers, patches, software and user settings? A long time, like at least 1/2 a day, so it's not the best or most efficient way, and probably could be considered a "lamer's" way of doing things, although someone with little experience could be forgiven for going that route. Anyone who continues, however, in allowing their rig to get infected without learning from previous ordeals by applying preventative measures such as updated antivirus, sandboxing, limited account use, anti-executable...etc, nor (and just as importantly) quick recovery measures such as image/restore applications, and of course safe surfing/downloading habits is obviously content on relying on the less efficient or effective cleansing or reformatting approaches instead." }-
Well, I said reformat because most likely there was no backup image from something like Image For Windows.
Now IFW is the smartest way to go if there is too much infection, and you're back to clean in around 10 mins on average with most image restores...
JerryM
October 4th, 2010, 09:53 AM
-{ Quote: "Well, I said reformat because most likely there was no backup image from something like Image For Windows.
Now IFW is the smartest way to go if there is too much infection, and you're back to clean in around 10 mins on average with most image restores..." }-
With W7 there is a backup and imaging program integral. I have done that and made the recovery CD. However, I have no idea what to do if I needed it, and am surprised that 10 minutes would fix the problem.
How would one wipe the system to clean it and then do the restore image? Could you do that in 10 minutes?
Thanks,
Jerry
moontan
October 4th, 2010, 12:30 PM
-{ Quote: "With W7 there is a backup and imaging program integral. I have done that and made the recovery CD. However, I have no idea what to do if I needed it, and am surprised that 10 minutes would fix the problem.
How would one wipe the system to clean it and then do the restore image? Could you do that in 10 minutes?
Thanks,
Jerry" }-
You either boot from your W7 disk or a System Repair Disk (which you can create in Control Panel/Backup and Restore).
I haven't tried with the System Repair Disk, but with the W7 disk you just select the Repair option then Restore from image disk.
Btw, do not rename the folder that was created during the imaging, otherwise it won't work.
The first few minutes the system seems to hang (because there's no "Please stand by" indicator) but let it do its thing.
Takes about 20 minutes for me.
And it's VERY solid.
I must've re-imaged my system at least 50 times and the W7 built-in Restore has never failed me.
Unlike some commercial products I've tried.
Here is a guide with pics:
http://www.howtogeek.com/howto/7702/restoring-windows-7-from-an-image-backup/
JerryM
October 4th, 2010, 02:41 PM
Thanks, Moontan. I appreciate the help.
Regards,
Jerry
Copyright ©2002 - 2012, Wilders Security Forums