Avast WEBforum

Other => Viruses and worms => Topic started by: JENT1701 on May 24, 2011, 06:16:08 PM

Title: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 24, 2011, 06:16:08 PM
Holy cow, I'm havin some problems here!  I was doing a boot scan on a friends computer. Running Win XP SP3 with all the updates. Came up with infected file Win 32 Fun Web, couldn't repair, so I stuck it in the Virus chest along with some other files also with the same Fun Web virus or Malware name. When I was done and went to reboot, the computer would barely operate. Had to go into safe mode in order to get it to work.  :o Can anybody throw me a bone?   ???  By the way, my name is Jonathan. I'm a newbie...nice to meet you.  :)
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 24, 2011, 08:17:14 PM
With funweb the easiest way to get rid of it is use Malwarebytes

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 24, 2011, 10:23:51 PM
Ok, thank you. It will be a little while b4 I get back to my friends house, but I will do that. Thanks for the info. I am going to have her restore the files until I get there so she can use it.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: SafeSurf on May 25, 2011, 07:02:29 AM
I am going to have her restore the files until I get there so she can use it.
No need to...just run MBAM as suggested.  If you restore, these bad files will remain on your machine unless you delete your system restore files.

Just follow the directions of the MBAM (Malwarebytes) as posted.  Let us know if you have any questions.  Thank you.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 25, 2011, 07:34:29 AM
Ok, downloaded the program, and installed it, ran it. (This is something my friend did over the phone with me. She lives 2hrs away) Came up with a ton of files that we removed. Aaaand no difference in performance.  >:( Saved a log and did a restore from about a week or 2 ago. No change. Barely boots up in normal mode. The thing that really bugs me is that it was running fine until I did that boot scan with Avast and after that it all went downhill. This happened once before with this computer, but I don't remember exactly what I did to fix it. This shouldn't be happening. I always get all the fun jobs. Ugh!  :o On the bright side, I did install Malwarebytes on my laptop and desktop and found some stuff on my desktop that I cleared up, so thanks for that. Any thoughts???   ???
Oh yea, I will have her send me a copy of the report to send to you.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: SafeSurf on May 25, 2011, 07:45:19 AM
Did your friend quarantine any infections found?

What version and product of Avast is he/she using?

What is the OS?  Fully updated?

Is the machine acting normally prior to doing the boot scan?

Edit:  Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode).  Post the OTS log as an attachment (Additional Options > Attach > Post).  Please do not make any further changes to your machine after you have provided the logs.  Thank you.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 25, 2011, 10:08:40 PM
Ok, this is a lot for me to digest, since I am not as familiar with all the terms being used, but I will get all the info together. I downloaded OTS on my computer so I will be familiar with it. (What does OTS stand for?) Also what is ANSI and Unicode? Sorry for my ignorance, I'm still learning. Thanks, Jon
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 25, 2011, 10:13:03 PM
OTS is an acronym for Old Timers Scanner (the author is Old Timer  ;D)

For ANSI
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif)
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 05:01:59 AM
Okay, that's simple enough, I noticed that one way of saving a file was Unicode Indian.  Does that mean it stores the information and sends it as smoke signals?   :P  Boy now that's what I call an old style of internet. LOL  :D
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 08:28:52 AM
Spent time with her on the phone last night and had her send me the info. She is really doing well for somebody that was not computer savvy.  I decided to copy and paste your questions with my responses to keep a clear channel of communication. I also attached the logs from MBAM and OTS Hope this will help.  Thanks for your assistance.

Did your friend quarantine any infections found?              Yes she did

What version and product of Avast is he/she using?         Avast Free    version 110525-1

What is the OS?  Fully updated?      Windows XP Home Edition Version 2002 SP 3  All updates installed.

Is the machine acting normally prior to doing the boot scan?    Yes, all seemed fine until after the boot scan.

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

She is still having problems after running MBAM AND OTS.  Should I create a new topic as mentioned in the above thread?
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: Pondus on May 26, 2011, 10:38:29 AM
Quote
Should I create a new topic as mentioned in the above thread?
you already have when you started this   ;)


Quote
What version and product of Avast is he/she using?         Avast Free    version 110525-1
This is the virus signature version and not the program version
(11=year - 2011 / 05=month - may / 25=day / -1= number of release that day)

latest program version is 6.0.1125
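The distinction Pondus draws above (a VPS signature version such as 110525-1 encodes a date and a per-day release number, while 6.0.1125 is a program version) is easy to get wrong when reading logs, so here is an added example that is not from the thread or from Avast: a small Python parser that classifies a version string, decodes the signature date, and reports how stale the definitions are. Two assumptions are mine: the two-digit year is expanded to 20YY, and a program version is taken to be three dot-separated numbers as in the single example given.

```python
import re
from datetime import date, datetime
from typing import NamedTuple, Optional

# VPS (virus definition) version as described in the post: YYMMDD-N,
# where N is the number of the release on that day.
_VPS_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d+)$")
# Program version such as 6.0.1125 (assumed: major.minor.build).
_PROGRAM_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


class AvastVersion(NamedTuple):
    kind: str                   # "signature" or "program"
    raw: str
    released: Optional[date]    # only set for signature versions
    release_no: Optional[int]   # only set for signature versions


def parse_avast_version(text: str) -> AvastVersion:
    """Classify a version string and decode the signature date if it is one."""
    text = text.strip()
    m = _VPS_RE.match(text)
    if m:
        yy, mm, dd, n = m.groups()
        # Assumption: two-digit years belong to the 2000s (20YY).
        try:
            released = datetime.strptime(f"20{yy}{mm}{dd}", "%Y%m%d").date()
        except ValueError as exc:
            # e.g. 110231-1: month/day combination that does not exist
            raise ValueError(f"invalid signature date in {text!r}") from exc
        return AvastVersion("signature", text, released, int(n))
    if _PROGRAM_RE.match(text):
        return AvastVersion("program", text, None, None)
    raise ValueError(f"unrecognised version string: {text!r}")


def signature_age_days(vps: str, today=None) -> int:
    """Days between the signature release date and `today` (a date or ISO string)."""
    parsed = parse_avast_version(vps)
    if parsed.kind != "signature":
        raise ValueError("expected a signature version such as 110525-1")
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - parsed.released).days


if __name__ == "__main__":
    for s in ("110525-1", "6.0.1125"):
        v = parse_avast_version(s)
        print(s, "->", v.kind, v.released, v.release_no)
    print("age on 2011-05-26:", signature_age_days("110525-1", "2011-05-26"), "day(s)")
```

A definition set that is more than a day or two old on an actively infected machine is worth flagging before trusting a "nothing found" result, which is why the age helper is included.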
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 10:45:52 AM
Ooops my bad on both counts. The current version installed is 6.0.1125  I had just reinstalled it recently.  Sorry 'bout that.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: SafeSurf on May 26, 2011, 10:55:47 AM
Thank you for providing the logs and the information.  How is the machine running after performing the MBAM scan and quarantine?

Essexboy will be giving you instructions and have you perform things on the machine.  He is on the forum late UK time zone.  In the meantime, please instruct your friend not to use her machine unless it is for malware removal and not to sync anything with it.

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions.  Thank you.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 07:18:12 PM
Unfortunately it is still running very slow on normal boot up, but she says it is fine in safe mode. I had her run a full scan before going to bed last night and she sent me the results this morning which I have attached. Nothing found, so at least we know that is good. I have a feeling that we need to go into task manager under normal boot up and see if there is something running there. Thanks for your help so far. This is more knowledge under my belt for future reference.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 26, 2011, 07:20:01 PM
Hi lets see what this does, on completion of this run could you go back to normal mode and let me know how it runs

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[Files/Folders - Modified Within 30 Days]
NY ->  Disk Cleanup.job -> C:\WINDOWS\tasks\Disk Cleanup.job
NY ->  dfrg.job -> C:\WINDOWS\tasks\dfrg.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 09:54:26 PM
Ok, had her do that exactly. Unfortunately it did not produce a log. Drat!  >:( It just prompted for a restart. She restarted in Normal Windows, but it's still real slow booting up, so I had her go back to safe mode. Is there anyway to retrieve the log like in MBAM? Should we try the fix again?  Thanks for your time.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 26, 2011, 10:16:35 PM
I really need to work from normal mode as that is where I have the best chance of seeing what is wrong - so lets get the big boy on the job

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 10:40:24 PM
Uh oh, this sounds like business. She is out right now, but I will run through it and show her how to do it when she returns. It does seem logical that we get it goin in normal mode since that is where the problem lies. Otherwise it flies in Safe mode. I think we can get it goin, it's just gonna be stubborn. Thanks for your help.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 26, 2011, 10:46:32 PM
If necessary then run combofix from safe mode with networking that should relieve the pressure on normal mode, but obviously it would be preferable to run from normal mode


Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 26, 2011, 10:49:30 PM
Understood. Thanks
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 27, 2011, 08:50:35 AM
Okay this is where we stand. Got her to download and run combofix. Had to do it in Safe Mode. Computer was completely locked in Normal mode. (I attached the log). Restarted the computer in normal mode and it was still locked. This time as a hunch I had her fire up Task manager. Right away she pointed out that Avast was using up 100% CPU. (She mentioned that it wasn't responding much when she tried to disable it for OTS and Combofix downloads). Couldn't get it to close in Task Manager, so we restarted in Safe Mode. Checked Task Manager. No Avast Running. CPU at around 2-15%. Fired up Control Panel, Add/Remove Programs and removed Avast completely. Restarted in normal mode and the Windows startup chime never sounded so good! Woo! Hoo! Finally!!! ;D After that I had her reinstall Avast. Wasn't much more I could think of to do until I talked to you, but I did have her run another Full Scan with MBAM in normal mode and told her to call it a night. The computer is doin good now, but I want to make sure it stays that way.
Also as posted by SafeSurf "When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now."  I really want to get all the bugs out as much as possible. This is for a good friend and a great person. It's 2:47AM here and I'm gonna get some well deserved rest. Thanks again for all your help so far.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 27, 2011, 09:06:42 AM
Oh yea, one other thing. I practiced downloading and running some of these tools on my own machines so I could tell my friend how to use them. I found a few bugs and even a rootkit hiding in my laptop, so I am very thankful to you for that as well. I may need to start a thread or two on those if necessary.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: Pondus on May 27, 2011, 09:13:40 AM
Just adding this: Malwarebytes can have up to 10 updates on a day, so always click the update button so you have latest signatures before you scan  (pro version will auto update)
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 27, 2011, 09:15:41 AM
Wow! Thanks  ;D
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: Pondus on May 27, 2011, 09:28:40 AM
If you open Malwarebytes > settings > warn if database is outdated > and set this to 1 day (default is 7)
then you will get a prompt for update if database is older than one day
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 28, 2011, 09:30:09 AM
Took care of that thanks.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 28, 2011, 09:34:01 AM

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions.  Thank you.


I was wondering if you could help me with that outdated software issue. I thought I had everything up to date. Thanks, Jon
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: SafeSurf on May 28, 2011, 11:05:56 AM

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions.  Thank you.


I was wondering if you could help me with that outdated software issue. I thought I had everything up to date. Thanks, Jon
I need Essexboy to give me the OK on your Combofix first, then remove his tools from the machine (he will give you instructions on how to do this).  Then while having your friend use the machine normally, I will give you some tips and help you with the updating.  Essexboy will also give you some suggestions for keeping safe in the future.  Thanks.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 28, 2011, 06:31:37 PM
Ok, thanks. I just reviewed my earlier posts and remembered that we never got a log from Combofix, probably due to the earlier problems. I would guess that I should have her run it again in Normal mode and hopefully it will provide a log this time so that we will know where to go from here. So far the other malware programs have come up clean in their scans. Thanks again.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 28, 2011, 06:58:49 PM
Sorry did not get notified for this

One further driver to remove and then you should be good to go

1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

File::
c:\windows\system32\drivers\egmenb.sys

Driver::
krjb

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 28, 2011, 07:12:00 PM
Hey no problem.  Ahhhh. Yes, okay. I was kinda wondering how to get the program running. Probably won't get to it 'till later on in the day. She is out for a while. Thanks.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on May 28, 2011, 07:22:46 PM
Thanks for understanding  ;D
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on May 29, 2011, 07:30:06 AM
Poop happens.. ;)  nobody's perfect
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 02, 2011, 04:58:55 PM
Hey there, sorry for the delay. Things have been a bit hairy especially with the holiday weekend. I had my friend run Combofix on her machine yesterday. Here are the results. Thanks.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 02, 2011, 07:23:19 PM
OK he did not want to go - so bigger hammer time

1. Please download The Avenger2 (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
Begin copying here:

Drivers to delete:
krjb

Files to delete:
c:\windows\system32\drivers\egmenb.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
4. The Avenger will automatically do the following:
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 02, 2011, 10:34:09 PM
Ok, I think I got that. So, after I do all that you want the log from Avenger 2 and you want me to run Old Time Scanner and send the log for that as well, correct?
Wow you guys have a trained eye for this stuff. I never would have guessed that there was still a problem. I tried looking up the file "c:\windows\system32\drivers\egmenb.sys" online just to find out more about it, but it only sent me back to this thread. What is it anyway?
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 02, 2011, 11:10:22 PM
Yes if I could have the log - No idea what it is yet so lets see if Avast can tell us

The Avenger makes backups of all actions it takes, and saves those backups in the folder C:\Avenger (if C:\ is your system drive).
The backups are zipped and password-protected with password "infected", to prevent accidental reinfection when viewing backups of live malware.
The most recent backup is called "backup.zip", and the rest are named by date and time of creation.

Could you pass that zipped file to Avast please as malware - if you are not sure how to do this then let me know and I will walk you through it

Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 04, 2011, 12:54:43 AM
One more question. I downloaded Avenger so that I can run through it with her on the phone. (obviously I won't be clicking on "Execute" as it only pertains to her machine) I noticed when the "input script here" box opens, there are 2 boxes to check.  Scan for rootkits and Automatically disable rootkits found.  Should I have her check those boxes?  Thanks.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 04, 2011, 03:12:57 PM
Either which - we definitely need the scan, but the disable key is problematic in its effectiveness 
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 09, 2011, 08:47:56 AM
Sorry for the delay in getting back, personal problems. I actually ran the program myself and from what I can see, it appears to have either fixed the problem, or it couldn't find it, if I am reading the log correctly.  I have attached the Avenger log and reran OTS and provided that log as well. Let me know where we stand with this. Thanks so much for your time, Jon.
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 09, 2011, 12:56:37 PM
Looks good - the driver was deleted from the registry, but the file was gone

What problems remain ? 
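What essexboy describes above is a leftover driver service: the registry still listed the service (krjb) but the binary it pointed to (egmenb.sys) was already gone. Enumerating the Services key for entries whose ImagePath no longer resolves to a file on disk is a quick, defender-side check for exactly that kind of residue. The following Python is an added example, not code from the thread or from any of the tools used in it. SAMPLE_SERVICES and SAMPLE_EXISTING are constructed data: the krjb/egmenb.sys pair takes its names from this thread, the other entries are illustrative, and the ImagePath spellings (%SystemRoot%, \SystemRoot\, \??\, bare system32\ paths, quoted paths with arguments) are the forms commonly found under that key. read_services_from_registry() needs Windows and the stdlib winreg module; the core check runs anywhere.

```python
import ntpath
import os
import re
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed sample: service name -> ImagePath value as stored in the registry.
SAMPLE_SERVICES: Dict[str, str] = {
    "krjb": r"\SystemRoot\system32\drivers\egmenb.sys",       # from this thread
    "Disk": r"system32\DRIVERS\disk.sys",                       # illustrative
    "Eventlog": r"%SystemRoot%\system32\services.exe",         # illustrative
    "aswSP": r"\??\C:\WINDOWS\system32\drivers\aswSP.sys",     # illustrative
    "Dnscache": r"%SystemRoot%\System32\svchost.exe -k NetworkService",  # illustrative
}

# Constructed stand-in for os.path.exists(): the files "present" on the sample disk.
SAMPLE_EXISTING = {
    r"c:\windows\system32\drivers\disk.sys",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\drivers\aswsp.sys",
    r"c:\windows\system32\svchost.exe",
}


class Orphan(NamedTuple):
    service: str
    image_path: str   # raw registry value
    resolved: str     # absolute path we checked for


def resolve_image_path(image_path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Normalise the ImagePath spellings seen in the registry to one lower-case absolute path."""
    p = image_path.strip()
    if p.startswith("\\??\\"):            # NT object-manager prefix: \??\C:\...
        p = p[4:]
    if p.startswith('"'):                 # quoted path, arguments follow the closing quote
        p = p[1:].split('"', 1)[0]
    else:                                 # unquoted: cut at the first " -option" (svchost -k ...)
        p = re.split(r"\s+-", p, maxsplit=1)[0]
    # Replacement via a callable so backslashes in system_root are not treated as escapes.
    p = re.sub(r"%systemroot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\SystemRoot"):]
    elif p.lower().startswith("system32\\"):   # driver entries are often relative to %SystemRoot%
        p = ntpath.join(system_root, p)
    return ntpath.normpath(p).lower()


def find_orphaned_services(services: Dict[str, str],
                           exists: Optional[Callable[[str], bool]] = None,
                           system_root: str = r"C:\WINDOWS") -> List[Orphan]:
    """Return every service whose ImagePath points at a file that is not on disk."""
    if exists is None:
        exists = os.path.exists
    orphans: List[Orphan] = []
    for name, image_path in services.items():
        resolved = resolve_image_path(image_path, system_root)
        if not exists(resolved):
            orphans.append(Orphan(name, image_path, resolved))
    return orphans


def read_services_from_registry() -> Dict[str, str]:
    """Windows-only: ImagePath of every key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg  # stdlib, but only available on Windows
    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    value, _type = winreg.QueryValueEx(sub, "ImagePath")
                    result[name] = str(value)
            except OSError:
                continue  # no ImagePath value (e.g. service groups, some legacy entries)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on Windows you would pass
    # read_services_from_registry() and leave `exists` at its default.
    for o in find_orphaned_services(SAMPLE_SERVICES, SAMPLE_EXISTING.__contains__):
        print(f"{o.service}: ImagePath {o.image_path!r} -> {o.resolved} is missing")
```

An orphaned entry is not proof of malware by itself (uninstallers leave them behind too), but on a machine that has just had a driver removed it is the first place to look for something that will fail to load, or be quietly re-created, at the next boot.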
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 09, 2011, 05:34:58 PM
I'm not quite sure what needs to be done, ??? I thought I had performed all the software updates, but it was stated earlier:

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Otherwise it seems to be working great.  ;D
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 09, 2011, 05:58:22 PM
OK lets remove my rubbish then

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]
  


Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself.  

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran.gif)


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: JENT1701 on June 10, 2011, 04:45:20 AM
That kept me busy today, but I did all that, plus I found a BIOS update and a few other downloads from Compaq I overlooked. Apparently that nasty little bug must have done something to the updating for Adobe and Java, because they were set to automatically update. I think it has been floating around for quite some time. Thank you so much for your help and for introducing me to some very interesting and educational tools. All is well now. Have a great day.   ;D
Title: Re: Boot time scan and Fun Web/ Fun Cards
Post by: essexboy on June 10, 2011, 12:56:09 PM
Glad to hear all is well  ;D