Author Topic: so I got a little drunk and visited this website I'd normally avoid...


implike

  • Guest
And now it hurts to pee. Help?

Here's what happened: the Win 7 Security thing popped up last night while I was on some website looking for software (I hadn't even downloaded anything). It looked sneaky and illegit to me, so my computer-savvy friend walked me through a system restore. "Yay," I think, "it's gone!"

I updated avast! (because I generally ignore it until I have a problem) and downloaded MBAM because I remember it being awesome. Ran quick and full scans last night and this morning using both tools and couldn't find any viruses. Confident I'd beaten this virus thing, I vowed never to neglect my poor laptop again and spent the morning cleaning her up a bit with other necessary updates and even a bit of defragmenting.

Then I check out the avast! virus chest on a whim and find consrv.dll and msimg32.dll. A few Google searches later and I end up here. Bummer. It seems this is a much bigger problem than I initially figured. Now I feel like there's a rabid squirrel hiding in my computer, and at some unknown (but soon) date, he'll pop out and bite me. I'm living in terror. No more, I say, NO MORE!

My questions are: how likely is it that the system restore did anything remotely productive? (I haven't been able to find much about fixing the issue that way.) How are Win7 and consrv related? The advice given to others seems great but very involved, so it's not exactly something I can do while babysitting my exceedingly needy 20-month-old nephew (as I'll be doing all day) - can I afford to wait?

Much appreciated.

Gargamel360

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #1 on: December 18, 2011, 07:50:12 PM »
Quote
And now it hurts to pee. Help?
Best....help....request....ever.... ;D

Quote
My questions are: how likely is it that the system restore did anything remotely productive?
Slim. System restore is not a good option for removing infections. It can often get rid of current symptoms without dealing with the underlying problem.

Quote
The advice given to others seems great but very involved, so it's not exactly something I can do while babysitting my exceedingly needy 20-month-old nephew (as I'll be doing all day) - can I afford to wait?
The fixes are often specific to the infection, OS, installed programs, etc. So they can be unique for each given case. You first need a diagnostic. This is where to start >> http://forum.avast.com/index.php?topic=53253.0 , then post the results back here. It can be lengthy, but it is something that can be taken step-by-step; you don't need to be hovering over the PC waiting. ;)

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #2 on: December 18, 2011, 09:42:40 PM »
MBAM log...

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #3 on: December 18, 2011, 09:50:12 PM »
OTL logs...

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #4 on: December 18, 2011, 10:18:51 PM »
Screenshot & aswMBR log.

Should I click on "Fix MBR" (will that remove the two trojans?) or continue with the RogueKiller instructions?

Gargamel360

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #5 on: December 18, 2011, 10:22:12 PM »
Quote
Screenshot & aswMBR log.

Should I click on "Fix MBR" (will that remove the two trojans?) or continue with the RogueKiller instructions?
Take no action till Essexboy gets a chance to review the logs, just to be safe. He might possibly be back tonight, but maybe not till tomorrow.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #6 on: December 18, 2011, 10:28:06 PM »
OK lets kill those plus remove some security loopholes

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {e971b650-6098-11da-8cd6-0800200c9a66}:0.6.2
    [2011/12/17 22:05:20 | 000,009,904 | -HS- | M] () -- C:\Users\Elizabeth\AppData\Local\s0ab87n5rt3vfm
    [2011/12/17 22:05:20 | 000,009,904 | -HS- | M] () -- C:\ProgramData\s0ab87n5rt3vfm


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #7 on: December 18, 2011, 11:08:33 PM »
Aye aye, cap'n!

You also want the log that popped up immediately upon rebooting, or is it irrelevant?

Offline essexboy

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #8 on: December 19, 2011, 12:08:33 AM »
How is the computer behaving now ?

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #9 on: December 19, 2011, 12:25:17 AM »
The system restore I did last night seemed to have fixed the initial (Win 7 Security whatever) problem. I've had no obvious issues since then.

I posted here because I discovered consrv.dll and msimg32.dll in the avast virus chest. They seem to still be there... not sure how to get them to go away, or if that's avast's way of taking care of them. I've yet to run a recent scan though. Not sure if the things I've done today took care of them? For some reason I thought consrv.dll had something to do with the Win 7 Security virus that wanted to eat my credit card information.

I did run aswMBR again and it seems to have come back clean.

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #10 on: December 19, 2011, 01:27:16 AM »
I highlighted, right-clicked and "scanned" both files. Below are the screenshots. (Not sure if it's relevant, but the "transfer time" corresponds with the time I got hit with the fake Windows security crap.)

I Googled the first one a bit and it seems scary. I'm pretty broke so the hackers can have the $12.82 in my bank account, but I'm TERRIFIED my porn will be stolen and somehow make its way across the internet and into the e-mail inbox of my great-uncle Seamus, who believes I currently reside in a nunnery. He's 92 years old. The shock could kill him. :o

I keep coming across ComboFix on the forums but I'll refrain from using it until I hear back from you.

Thanks for the help thus far.

Offline essexboy

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #11 on: December 19, 2011, 09:14:36 PM »
Quote
MOD - [2009/07/14 09:15:51 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
MOD - [2009/07/14 09:15:51 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
The above elements would show if you had the full-blown infection, which would require ComboFix... But they were not present on your system, so it looks like avast! killed them before they had a chance to get comfortable.

Are you experiencing any problems?

implike

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #12 on: December 19, 2011, 09:48:48 PM »
Nope, no problems - just a bit paranoid. ;)

Thanks for all your help! Truly. Is this where I get the thumbs up spiel and instructions on how to remove the stuff I downloaded? (It's my favorite part!)

Offline essexboy

Re: so I got a little drunk and visited this website I'd normally avoid...
« Reply #13 on: December 19, 2011, 10:02:05 PM »
How's about now  ;D

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.
SPRING CLEAN

To manually create a new Restore Point
 
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go to Start > All Programs > Accessories > System Tools
  • Right-click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • Under System Restore and Shadow Backups, select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
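The two hands-on parts of this cleanup (checking that Explorer is back to hiding hidden files, and creating a fresh restore point before purging the old ones) can also be done from an elevated PowerShell prompt. The script below is an added example written for this thread, not part of essexboy's instructions or of the OTL tool; it assumes Windows 7 or later with System Protection enabled on C:, `vssadmin.exe` available, and the Explorer registry value `Hidden` (1 = show hidden files, 2 = do not show), which is the setting the Folder Options dialog toggles.

```powershell
# Added example: post-cleanup checks from an elevated PowerShell prompt.
# Not part of the original post. Assumes Windows 7+ with System Protection
# enabled on C: and vssadmin.exe present. Run as Administrator.

# 1. Confirm Explorer is back to "Do not show hidden files and folders".
#    HKCU\...\Explorer\Advanced\Hidden: 1 = show hidden files, 2 = do not show.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $advKey -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -ne 2) {
    Write-Host "Hidden files are currently shown (Hidden=$hidden); resetting to 'Do not show'."
    Set-ItemProperty -Path $advKey -Name Hidden -Value 2 -Type DWord
    # Explorer reads this value on start; sign out or restart explorer.exe to see the change.
} else {
    Write-Host "Hidden files are already hidden (Hidden=2)."
}

# 2. Show what restore points exist before touching anything, so the purge is deliberate.
Write-Host "`nRestore points before cleanup:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize

# 3. Purge every existing shadow copy. This is the equivalent of Disk Cleanup >
#    More Options > "System Restore and Shadow Copies" > Clean up, except that it
#    also removes the most recent point, which is why the clean point is created afterwards.
vssadmin delete shadows /all /quiet

# 4. Create a fresh, known-clean restore point to replace the purged ones.
#    Note: on Windows 8 and later Checkpoint-Computer refuses to create more than
#    one restore point per 24 hours unless the SystemRestorePointCreationFrequency
#    registry value is lowered; Windows 7 has no such limit.
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

Write-Host "`nRestore points after cleanup:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize
```

The order differs slightly from the click-through steps above: Disk Cleanup keeps the newest restore point, so there the "Clean" point is created first; `vssadmin delete shadows /all` keeps nothing, so here it is created last. Either way the result is a single restore point that post-dates the infection, which is the whole purpose of the purge.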
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.  Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?

Keep safe  :wave: