Hello Mickey,

You had a rootkit infection that hides from most scans, but combofix removed it.

ASKTOOLBAR, <--this is open to debate , if you don't use it uninstall it via the Add Remove Programs in the Control Panel

How are things running now??

As of last night, pretty well. Occasionally my new updated firefox will spontaneously pop one of my tabs out into a new window (it is not always the tab I am working in either) but that is no big deal. More of an periodic annoyance. Any thoughts as NOW my system may finally be clean? Will check on system when I get home. Also, any recommendations on tools to prevent such rootkits in the future, or can I come back here periodically and run combo fix? Finally, can you direct me here or do I need to go back to the windows forum, to trim if possible, my start up?

This post has been edited by mickey7: Jul 16 2009, 01:48 PM

Hello Mickey,

Just a warning about Combofix, this is a very powerful tool and should only be run under the supervision of a helper on the forums. What it cleans on one system it may damage another , we will be uninstalling it in a bit. This forum, myself and sUbs will not be responsible if you run it on your own.

Run this free online virus scanner to make sure we got it all, and at that point I will link you to what programs to install to help keep you more secure.

Please run this free online virus scanner from ESET

• Note: You will need to use Internet explorer for this scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Click Start
  
• Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  
• Click Scan
  
• Wait for the scan to finish
  
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

OK here is the log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=12a4562ec303454fa9dd7c3ecdb0186c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-17 12:01:10
# local_time=2009-07-16 08:01:10 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 66 100 7873714687500
# scanned=58439
# found=0
# cleaned=0
# scan_time=2722

Great, looks like your in good shape

Here is the link to the Windows forum
http://forums.whatthetech.com/Microsoft_Windows_f119.html


Lets update your Java to make your system more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 14, if not proceed with the instructions.

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 14 <--The wording is confusing but this is what you need

• Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
• Reboot your computer
• Install the latest version

You can verify the installation Here






TFC <--Yours to keep, run it about once aweek to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
  
  • 
  
  
  
• When shown the disclaimer, Select "2"

The above procedure will:

• Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• WhattheTech
• Grinler BleepingComputer
• GeeksTo Go
• Dslreports

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

• Spybot Search and Destroy 1.6
  Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  
• Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  
• Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  
• IE-Spyad
  IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
• Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

Ok my JAVA seems to already be updated
In the about screen it stated it was Version 6 Update 14 (build 1.6.0_14-b08) so I left that be. I try to stay up on that.
I ran the Combofix uninstaller and will leave well enough alone with that one -- unless god help me something happens again.
BTW when I was running that online scan my AVG kept popping up with resident shield threats. I just healed them and moved them to the vault. Basically cookies, so I wasn't concerned just curious because I usually don't get threat pop ups unless it is a potential virus. The cookies just just show up in the daily scans.
I do not have a specific firewall on my computer -- as I have been relying on my routers at this point. Bad idea?? I have turned off the windows one because it caused conflicts with the routers and resulted in sporadic disconnects etc...
Do I clear myself with the windows forum now or will they be able to speed me up in any fashion. I am sure there are a few things in my start up that are unnecessary.
Thanks for the list of ideas for keeping me clean. While waiting for your reply I was reading about some of those very items in the other forums. What about preventing those rootkits?
As you may know I already have Firefox3.5 on my machine and have enjoyed using Firefox for a couple of years now. But I do have that little quirky tabs popping open into new windows situation. Any thoughts on Chrome as a browser?

This post has been edited by mickey7: Jul 16 2009, 07:13 PM

Have been using Firefox my self for years and only use IE when I absolutely have to. Never used Chrome so don't know what to tell you on that one.

Here's a list of some free Firewalls, you should only use one, having one software firewall and one hardware firewall ( like your router is fine ) but not two software.

Free Firewalls

• Zone Alarm
• Sygate Personal Firewall Free Edition
• Outpost Firewall Free

Here is a leader in Computer security, Steve Gibson, run his Shields Up scan and see how you stand, with both the software firewall and the router you should come up as Stealth.
http://www.grc.com/intro.htm

Take Care,
Ken

one last question if you don't mind.....
There is a rootkit component to my AVG (at least it show rootkits found in the scan results. Why didn't my avg catch the one I had?

A Rootkit is very devious, it hides from the operating system and sometimes is hard to find. Are you saying that AVG has found one now, if so write it down and post it to me.

No no Ken. I didn't mean to alarm you. While we were working last night my avg finished it's nightly scan. It does a pop up from the systray and lets me know what if anything it finds. There is a line for infections, warnings etc.... There is also a line item for rootkits and it has never not shown me 0/0 (for found/healed etc). My question was if AVG has this in its scan,why did it not find the bugger that gave me all this mess?

EDIT: When I go home and booted up and tried to go into Firefox I again got the resident shield pop up warning. This time I clicked on the details tab and it showed the path of the error as dealing with Firefox.exe. Below is the exported resident shield detection results.

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Found ";"C:\Documents and Settings\Kathryne Miller\Application Data\Mozilla\Firefox\Profiles\q5ok45qo.default\cookies.sqlite";"Potentially dangerous object";"7/17/2009, 5:29:07 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Application Data\Mozilla\Firefox\Profiles\q5ok45qo.default\cookies.sqlite";"Healed";"7/16/2009, 7:52:57 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Cookies\kathryne miller@zedo[1].txt";"Moved to Virus Vault";"7/16/2009, 7:17:51 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Cookies\kathryne miller@doubleclick[1].txt";"Moved to Virus Vault";"7/16/2009, 7:17:50 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Cookies\kathryne miller@atdmt[2].txt";"Moved to Virus Vault";"7/16/2009, 7:17:50 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Cookies\kathryne miller@advertising[2].txt";"Moved to Virus Vault";"7/16/2009, 7:17:50 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Cookies\kathryne miller@ad.yieldmanager[1].txt";"Moved to Virus Vault";"7/16/2009, 7:17:50 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Application Data\Mozilla\Firefox\Profiles\q5ok45qo.default\cookies.sqlite";"Healed";"7/16/2009, 7:17:35 PM";"file";"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe"
"Found ";"C:\Documents and Settings\Kathryne Miller\Application Data\Mozilla\Firefox\Profiles\q5ok45qo.default\cookies.sqlite";"Healed";"7/15/2009, 8:18:11 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"


This post has been edited by mickey7: Jul 17 2009, 03:35 PM

Mickey,

Everything AVG found where cookies and they where removed .

The dirtbags that write this garbage are constantly changing file names and such, as soon as the providers like AVG and the rest update there database, new files are added, its a never ending process. What one program finds another may not. These dirtbags even read these forums to see what we are doing to try and get ahead of us. Its a real cat and mouse game.

This is what you need to do.

1. Keep your AV updated and run a scan at least once a week
2. Keep Malwarebytes, update it and run a scan at least once a week
3. Install that firewall.
4. Install the programs that I linked you to in my previous post.

Remember, the weakest link in the chain is you so practice safe surfing. Don't open spam messages, don't open attachments in your email. Stay out of porn sites. Dont fall for installing any security software because it popped up in your browser with a warning, legit vendors don't operate that way. Don't install any video codecs unless you know for sure there legit.


Feel free to access my website from the link in my signature, I have more information on this subject,

Ken

I do do those things except the firewall but I will. I wonder then why the resident shield keeps popping up when I open firefox -- home page is yahoo.com

All your start pages on your HJT log are legit, try changing your homepage to something else and see if it goes away. The resident shield just warns you of something it found, maybe just a tracking cookie. You need to write down what it found and post it please.

That posting I put in the prior post was the log from the resident shield and if you look at the top entry from today's date you will see what I mean. I realize that they all seem to be cookies but I never had any pop ups declaring that before.

http://forums.avg.com/

Why don't you post in the AVG forum and ask about it. Outside of cookies there was nothing bad that came up. You may have the resident shield set to high, I really am not familiar with it so dont know how to tell you how to set it.