MamaZappa

Honorary Members
  • Posts: 23
  • Reputation: 0 Neutral
  1. Trying to do some cleanup for an elderly relative's computer. He runs a full scan using MalwareBytes every couple of days, and apparently he's been getting repeated hits on PUP.Optional.Mindspark and variants. He selects to delete / quarantine the files and then soon afterward, when he runs the scan again, it comes back. The recent logs date back to 5/23/2014 and suggest he may have downloaded something then. I see something about Yontoo, and BabMaint.exe. A prior log (from April) shows no issues. Windows XP (I know.... budget just isn't there to upgrade the hardware and we can't upgrade the OS, it's at least 8 years old and can barely handle XP). They have Avast, but that doesn't seem to be doing much (though in fairness today it suggested removal of some browser addons; I did this but Malwarebytes still says here there be dragons). Handicapping the cleanup process: I only have access to the computer for about another 36 hours while in town, and it's going to be disconnected for a chunk of that (moving). After that I'll be a thousand miles away - but he has a local tech who has helped out a few times. Hopefully that tech can finish sorting things out. All that said, here are the two FRST files: Addition.txt FRST.txt
  2. Oh - and FYI, I restored the file and re-scanned using today's AVG definitions and there was no problem. I also scanned using Malwarebytes. So I think it's a false positive by AVG.
  3. I'm still investigating what to do, but wanted to comment that I got this identical error from AVG in the past 24 hours. In fact this thread came up when I did a search for "vbs/small virus false positive". I've already submitted mine to AVG for analysis. I'll look into those other forums also.
  4. Nope, except for residual twitchiness! As an example, my work computer has Symantec and yesterday it threw up "install.exe wants access, grant?" and "recommended to grant permission" yesterday, I did some investigating, didn't recognize the directory (gobbledygook name, but it's been there for months), something about Visual C++... and Symantec sure thought it was legit... but I didn't know why it suddenly wanted it to "come out and play" so I said no. I've learned my lesson So I think we can call this one solved. Thanks again for all your help and patience.
  5. Huh - I may know where that .tmp file came from: I looked at the Program Guard tab on Online Armor, and scrolled down to that time, and it was apparently related to a Sims3 screensaver. Which would make sense, this was about 10 minutes after we left for the morning. It makes sense I hadn't seen it since we did the cleanup; if my daughter has time on the computer, she's never away from it long enough for the screensaver to kick in. No clue what the other files created a minute later were, but I'd guess they're less sinister than I'd feared!
  6. OK, now I'm getting a bit weirded out. Nothing showing up in AVG, but I checked Online Armor and at 10:42 today, a program in my daughter's appdata\local\temp file, ~gs205.tmp, was granted permission to run. Now, she wasn't even ON the computer at that time (though her user was logged on). I looked for it tonight and it's not there any more (and I made sure that the system wasn't hiding temp files etc.). At 10:43 AM, there is a file called 2056wrfiles.~lk. And a folder called A038wrd.~lk. That folder contains only a folder named 2992wrdata.~lk, and that contains only a file ~swd1.dat, which is 2.441 meg. I tried opening that up in wordpad and saw nothing but gibberish - no obvious patterns or recognizable characters. I haven't clobbered these yet but obviously am planning to do so. The approved file when nobody was on the computer is a bit scary though (why is Online Armor approving unknown programs anyway???). And when I tweaked the kids' account settings just now so I could log in as them (to look at files in their users vs. from the admin account), I got "unable to set user settings for administrators or unknown users". Though it did change their permitted hours. This is most likely unrelated, but seems to point to a corruption in the parental controls files (possibly due to Windows Update issues). I'm beginning to wonder if I shouldn't just nuke the kids' users and re-establish them.
  7. Not so far - was going to post something last night but Real Life got in the way. No virus hits since the ones that got nabbed right as I was doing the cleanup (the Java files). The two oddball files I saw the other day: one was legit, an installer from something I recognized. The other (the .tmp file in my daughter's directory) still smelled bad, but it had been clobbered by that temp file cleaner so I wasn't able to look more closely at it. Sorta sorry I didn't - I assume I could have safely opened it in Notepad and it might have been enlightening (or not!). Anyway - no more flags from AVG except for the occasional tracking cookie, ditto Spybot, and no suspicious programs have added themselves to Online Armor. The kids do use Firefox, actually - I don't know if they popped into Internet Exploder for something, or something slipped by Firefox. They're actually pretty good about not trying to hack the settings so I don't think I'll need to lock them down, but it's useful to know how if this ever DOES become an issue. Still laughing at myself over this - my husband and I "know what we're doing" and we avoid dodgy websites, we're always the ones to recognize suspicious emails "from" friends whose accounts have been hacked, we've never fallen for click-jacking or those fake social-networking sites.... so we were feeling smug and this one caught us by surprise. At least we had some stuff done right (kids on limited accounts, up-to-date antivirus which was the first sign that a burglar was hiding in the closet phoning his buddies to come and play).
  8. Thanks - done, and before-and-after AVG scans didn't turn anything up (full scan plus rootkit scan). Half a gig freed up - remember when that was a lot of storage? I'd also googled that directory this morning and found a suggestion to go into the Control Panel and set the Java panel to say "don't save temp files". Of interest: Before the temp file cleanup, I was looking at the Allowed / Blocked list in Online Armor, and found the two entries listed below - both as Allowed (and I think Trusted). _08ADDC40567EABD8D2F55D.exe, 0.0.0.0, (0.0.0.0) C:\Users\Parents\AppData\Roaming\Microsoft\Installer\{29D2D2ED-8586-4306-A14D-2E618EDF61EE}\_08ADDC40567EABD8D2F55D.exe Hash(MD5): 672312E8486D5CB3A07332DAF1255A55 ~gs4330.tmp, 0.0.0.0, (0.0.0.0) C:\Users\Sonia\AppData\Local\Temp\~gs4330.tmp Hash(MD5): EC78B7BE83BEFED9BF018524EE73AACC The Windows Installer file was in the list as of shortly after I did the initial OnlineArmor setup on the evening of the 6th, and maybe that one is OK (though I've blocked it - I'm leery of files with random names). The one in Sonia's temp directory was added to the Online Armor list as of 8:21 PM on the 7th - at a time when my daughter would have been online - and it makes me VERY twitchy. I looked carefully at the list of sites she was visiting at that time and didn't see anything more alarming than quantserv.com (which to the best of my knowledge is nothing worse than tracking cookies). And of course someone clicked the wrong thing on an Online Armor popup today and now Youtube won't play videos (I'll sort that out tomorrow). Poor kids will be lucky to be able to read Wikipedia by the time I'm done locking everything down, LOL.
  9. Oh - and the infected files were found in the early morning on the 7th, i.e. just after I'd finished up and let the kids back on. I'm hoping they were just collateral damage from the original rootkit, but I can't trust that.
  10. Oh hell - AVG caught two more infected files last night. Infection / Trojan Horse Java/Exploit.BN in c:\users\Sonia\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\2e524588-7fe482da and .....\6.0\13\(similar string of random stuff). Exploit.BK in this case. Note that these are in the directories that AVG flagged before, when I mistakenly installed it too soon during the cleanup. Should I back up the documents folder for that user and delete the user entirely?
  11. The computer has now been updated with Spybot, and with Online Armor (paid - I don't want to have to remember to do manual updates!), in addition to AVG and Windows Firewall, plus of course Adblock, so (crossing fingers) hopefully we're OK here now. Off to do a bunch of password changes :::just in case::: though I haven't seen any unusual activity on any of my accounts. Will also be adding that IE add-in you mentioned just in case (though we rarely use "Internet Exploder") and the Noscript Firefox tool. A question (and this is just speculating): I'm assuming that the rootkit was responsible for all the attempts to download those Trojans, and that AVG plus limited privileges (kids don't have admin; we do but we're a lot more careful about where we go) reduced the harm. Is that a reasonable assumption? Interesting that we didn't have the redirect troubles either - for example I had no trouble finding MalwareBytes via google. Also, any idea why it only seemed to affect the one user? I'd have assumed that such a virus would have somehow gotten itself admin rights and downloaded the crap wherever it could. Again, many thanks - you folks do a tremendous service here. I am very, very grateful for all your assistance!!!!!
  12. Many thanks!!!! We're IT people here, just not specializing in PC security, so had no idea what to do once the machine got nailed. Just goes to show that even folks who "know better" can get nabbed sometimes! Out of curiosity, what critter did the computer have? Is it one that I'd find info about if I did a web search? Also, whether it's one that likely came from a bad ad, or was embedded in the actual page she was enjoying, or was a result of something getting through the firewall. And what it was trying to do (just hijack our computer for botnet / DNS attacks? identity theft? something else?). In general, knowing more about it will help us avoid this in the future. We do of course maintain antivirus - AVG. In fact I've felt twitchy not having it installed these past few days, even though the kids have not been allowed near the computer and I haven't gone online with that machine except to do this maintenance. We're pretty careful about keeping up with the Windows updates; the main reason we don't have it auto-update is because we like to look at the list (though we do install everything once we've done so). Thanks for the info about the built-in firewall. We'd been running ZoneAlarm but found that it sometimes interfered with the computer even connecting to the internet, so we switched to the Windows one - I didn't realize it didn't block outbound. I think our router also has some firewall features, as most do... but given that Verizon set it up with WEP vs WPA (something we corrected immediately) I don't have too much faith in its firewall capabilities. Anyway - I'll add in one of the ones you suggested, as well as Spybot; I don't recall why we didn't install Spybot as soon as we got the computer 2 years ago but I assume I had a good reason at the time.
  13. Oh - and to clarify on IE9 - we usually use Firefox for browsing, but have IE9 installed.
  14. Done - we already had Vista SP 2 - fully up to date except for one Windows add-on that includes things like a toolbar (Windows Live Essentials - looks like stuff we don't use). Also already using IE 9. I've updated Java and Flash as well. So did the early scans actually show anything was actually on the computer? or is it impossible to tell? I know *something* was there at some point, just not sure whether AVG did its job and there was simply something attempting to re-infect every time my daughter did any surfing.
  15. maxhandle.exe showed nothing, nor did the Eset scanner (and as far as I could tell it didn't generate a log). Ditto BitDefender and MalwareBytes. At this point, does it look to you like all the steps have gotten rid of whatever was ailing this computer? I still haven't re-installed AVG and so am not letting the kids do any web surfing (or us adults, either!). BitDefender Report 2011-07-05 09.33.23.txt mbam-log-2011-07-04 (21-34-59).txt