Author Topic: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]  (Read 45221 times)


sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #45 on: September 09, 2008, 01:37:11 AM »
Will do! Though the information is overwhelming, I am learning so much.

I was about to run the rootkit check and remembered that I have not backed up my computer. I've done multiple searches for the antivirus2009 since yesterday, there are no findings.  So I assume I can back up... um, can someone please tell me a simple way to do that (if there is such a thing)?

=)

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #46 on: September 09, 2008, 01:46:39 AM »
well it takes a whole stack of floppy disks...:)
or do you have a cd burner
and/ or a spare hard drive
How many megabytes of backup do you require?
there are some on-line sites

any one else have any comments on this diversion?

go ahead and run the rootkit scan
we're past the really dangerous part - of course no guarantees


sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #47 on: September 09, 2008, 02:24:43 AM »
lol @ whole stack of floppies... that made me laugh out loud!

my d drive is the one I used to put all my important items that were on the c drive after it crashed. I have 43.6gb of my c drive in use, and only 31.2gb free on the d drive.

I have a cd burner and some data cds, so should I just 'move' what I can, or is it better to upload it to my partners website storage?

Do you think there is a minimal risk of seriously messing things up if I run the rootscan without backing up?

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #48 on: September 09, 2008, 02:29:57 AM »
well you can have the important stuff on both drives
and then unplug the d drive
or upload to the server
or burn some cds
I do not think there is much risk but remember Murphy's law

Incidentally new version of mbam out
update to 1.27
« Last Edit: September 09, 2008, 04:12:53 AM by wyrmrider »

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #49 on: September 09, 2008, 04:02:53 PM »
Good Morning!

Any idea which Icesword version is more efficient/effective?
version 1.22 or 1.20 (this one is supposed to be more recent)
http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html

=========================
I updated MBAM and ran it overnight. I attached the log
=========================
I ran the uninstall avast program and it went well.
Now, the uninstall program for avira looks scary. I originally uninstalled the program through the uninstall windows feature. I did a search for avira this morning and one cookie popped up. I began the process of uninstalling and then got scared and thought I'd triple check in and make sure it's absolutely necessary. Here are the steps I was following:
Step by Step Procedure for Fixing Problem

1) Right-click on My Computer

2) Click on Manage

3) Click on the plus sign(+) next to Services and Applications in the left-hand column

4) Click on Services

5) Find the service called Windows Management Instrumentation, right-click on it, and choose Stop.

6) Open My Computer

7) Double-click on Drive C (or whatever drive Windows is installed on)

8) Double-click on the Windows folder

9) Double-click on System32

10) Double-click on WBEM

11) Right-click on the Repository folder and click Delete and remove it

12) Close the My Computer windows and return to the Windows services screen using steps 1 - 4 shown above

13) Find the service called Windows Management Instrumentation, right-click on it, and choose Start. Restarting this service will rebuild the repository folder information.

14) Restart your computer

Once the computer has restarted, open Windows Security Center or run Belarc Advisor. Only your currently installed antivirus and firewall programs should be listed.
=============================
off to run Sdfix!

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #50 on: September 09, 2008, 06:08:14 PM »
well I'd check this first - it might be sorta gone already
Once the computer has restarted, open Windows Security Center or run Belarc Advisor. Only your currently installed antivirus and firewall programs should be listed.
I like Belarc Advisor and am NOT familiar with windows security center- But perhaps you should/ will be :)

The problem with this is that there could still be lots of entries in the registry/ files/ folders that the above procedure will not show

Where did you get that removal procedure?
I usually use this one
http://www.pchell.com/virus/uninstallantivir.shtml

this was in the Wilders thread that I googled- very similar to what you found

what version antivir did you have
I assume you have already been here
http://www.avira.com/en/support/av7_upgrade_tools.html
run the tool and the registry cleaner- just do not check the Norton items
If you had Version 8 go here
http://www.avira.com/en/support/faq/details.html?id=135
In control panel click on Administrative Tools, then Services, from the list of services find Windows Management Instrumentation right click mouse and from dropdown list stop the service.

Find folder C:\windows\system32\wbem, inside this folder identify the repository folder and delete only this folder (the repository folder) from your computer.

In Administrative Tools find Windows Management Instrumentation service again, and re-start the service by right clicking mouse and pressing start from dropdown list. Restarting this service re-builds the repository folder database on your computer, which should now only contain information about your currently installed antivirus & firewall programs.

To reset the Windows Security Centre you must re-boot your computer, hopefully this will cure your problems

http://www.wilderssecurity.com/showthread.php?t=134193
read the whole thing

Now
If we are not having AV conflict problems this can wait till we're done
but I would do it after the fire is good and out

you might have to refresh Norton or switch to Avast if Norton proves too bulky for your tastes
« Last Edit: September 09, 2008, 06:15:05 PM by wyrmrider »
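The WMI repository rebuild that both of the posts above describe (stop Windows Management Instrumentation, remove the Repository folder, start the service, reboot, then check what Security Center lists) as a scripted version. This is an added example, not code from the thread or from Avira; it renames the folder instead of deleting it so the old copy can be put back if the rebuild fails, and the Security Center namespace it queries is an assumption noted in the comments.

```powershell
# Added example: scripted WMI repository reset, run from an elevated prompt.
#Requires -RunAsAdministrator

$repo   = Join-Path $env:SystemRoot 'System32\wbem\Repository'
$backup = "Repository.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Steps 1-5 of the post: stop the WMI service. -Force also stops services
# that depend on winmgmt (Security Center among them).
Stop-Service -Name winmgmt -Force
(Get-Service -Name winmgmt).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 11: the post deletes the folder; here it is moved aside instead so the
# previous repository can be restored by renaming it back if WMI fails to start.
if (Test-Path $repo) {
    Rename-Item -Path $repo -NewName $backup
    Write-Host "Old repository kept as $backup"
}

# Step 13: starting the service recreates the Repository folder from the
# compiled .mof files on the system.
Start-Service -Name winmgmt
(Get-Service -Name winmgmt).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verification the post does through Security Center or Belarc: list the
# antivirus and firewall products WMI now reports. Assumption: the
# root\SecurityCenter2 namespace (Vista and later); on XP the namespace is
# root\SecurityCenter. Only products that are actually installed should appear;
# a product you already removed (e.g. a stale AntiVir entry) means the
# rebuild did not take. Security Center repopulates fully after the reboot,
# so rerun this part once the machine is back up.
$ns = 'root\SecurityCenter2'
foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
    Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $class } }, displayName, productState
}

# Step 14: the reboot finishes the reset. Uncomment when ready.
# Restart-Computer
```

If Security Center still lists a product you removed after the reboot, the leftover is in that product's own registry entries or files, which this rebuild does not touch; that is the vendor uninstall tool's job.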

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #51 on: September 09, 2008, 06:19:17 PM »
MBAM log looks great  nothing re-sprouting

see
http://www.malwarebytes.org/forums/index.php?s=584cb290961e92afee36b59640b65881&showtopic=6196&pid=27303&st=0&#entry27303
for that one hit

I think if the root scan and SDFix find nothing we're done
then we can talk prevention
who wants to do this again

I have no idea which Icesword is later-- Polonus?
uh sb
did you see the date on that "latest" post  uh 2006
methinks use the higher number :)
« Last Edit: September 09, 2008, 06:22:26 PM by wyrmrider »

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #52 on: September 09, 2008, 06:23:01 PM »
I ran SuperAntiSpyware and it found about 36 threats. I attached the log. Since I had to run errands, I haven't run SDfix yet.

I will do the above shortly.

thank you

***modified to add

I could have sworn they were both posted/released in the same year.

I've been staring at this comp too long!  ::)
« Last Edit: September 09, 2008, 06:26:02 PM by sbMama »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #53 on: September 09, 2008, 07:20:08 PM »
Hi sbMama,

These files are putting back your malware, because you are not in SafeMode and or have System Restore enabled:
Trojan.Unclassified/GTS
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A5E3A11-A1D8-4AFC-A188-75FCD5DB812E}\RP57\A0008372.DLL

Adware.Vundo-Variant/J
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A5E3A11-A1D8-4AFC-A188-75FCD5DB812E}\RP57\A0009371.DLL

Rogue.Smart AntiVirus 2009
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A5E3A11-A1D8-4AFC-A188-75FCD5DB812E}\RP61\A0011002.EXE

How to disable system restore and later after cleansing enable it again, read:
http://support.microsoft.com/kb/310405
Instruction with pictures here: http://vil.nai.com/vil/systemhelpdocs/disablesysrestore.aspx
polonus
« Last Edit: September 09, 2008, 07:23:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #54 on: September 09, 2008, 07:27:39 PM »
Polonus writes

 your system is undefended - no resident AV and no software Firewall.
dbl check that Norton is on after each procedure

WE gotta get a software firewall installed

He apparently did not do a safe mode and system restore disabled cleansing routine, so the infected system registry is putting the malware back again and again; when something in normal mode and system restore enabled situation stays behind, it is enough to resurrect malware from files or temporary files or registry settings that stayed unnoticed,

polonus

we need to disable system restore as there are things there
http://support.microsoft.com/kb/310405

GKSRAEMQ.DLL  we have not seen this one before in this thread


Polymorphic File Exploit
next time you run hjt see if this has shown up
O3 - Toolbar: gksraemq - {9638003E-5BE9-4A57-98BA-CA691478858A} - C:\WINDOWS\gksraemq.dll


Gksraemq toolbar, it is the latest fake security BHO (Browser Helper Object) for Internet Explorer browser. This bogus toolbar may: hijack your homepage, disable some Windows features, generate fake security alerts and warnings etc. Gksraemq toolbar (gksraemq.dll infector) promotes rogue anti-spyware products. Moreover, Gksraemq may slow your computer and secretly install additional malware.

sdfix added a detection
v1.221 (03/09/08)

where are you finding this crap?

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #55 on: September 09, 2008, 08:43:38 PM »
Quote
well I'd check this first - it might be sorta gone already
Once the computer has restarted, open Windows Security Center or run Belarc Advisor. Only your currently installed antivirus and firewall programs should be listed.
I like Belarc Advisor and am NOT familiar with windows security center- But perhaps you should/ will be :)
I used Belarc and it shows the following:
Virus Protection
Norton AntiVirus Version 15.50
    Virus Definitions Version 9/9/2008 Rev 8
    Last Disk Scan on Monday, September 08, 2008 11:26:25 PM
    Realtime File Scanning On

I also have been looking at the history and it shows active. Please see attached.
Quote
Where did you get that removal procedure?
I usually use this one http://www.pchell.com/virus/uninstallantivir.shtml
what version antivir did you have
I used that link, but since Avira no longer shows up in my add/remove programs, I could not use the normal procedure so I selected this link: http://www.pchell.com/support/multiple_antivirus_in_security_center.shtml. But I just checked the security center and don't see avira listed there either. I had the most recent version, then followed this, which is on that page:


Quote
this was in the Wilders thread that I googled- very similar to what you found


Quote
I assume you have already been here
http://www.avira.com/en/support/av7_upgrade_tools.html
run the tool and the registry cleaner- just do not check the Norton items
If you had Version 8 go here
http://www.avira.com/en/support/faq/details.html?id=135
I haven't, but I'll go there shortly.

Quote
In control panel click on Administrative Tools, then Services, from the list of services find Windows Management Instrumentation right click mouse and from dropdown list stop the service.
done

Quote
Find folder C:\windows\system32\wbem, inside this folder identify the repository folder and delete only this folder (the repository folder) from your computer.
done

Quote
In Administrative Tools find Windows Management Instrumentation service again, and re-start the service by right clicking mouse and pressing start from dropdown list. Restarting this service re-builds the repository folder database on your computer, which should now only contain information about your currently installed antivirus & firewall programs.
done

Quote
To reset the Windows Security Centre you must re-boot your computer, hopefully this will cure your problems

Quote
http://www.wilderssecurity.com/showthread.php?t=134193
read the whole thing
will do

Quote
Now
If we are not having AV conflict problems this can wait till we're done
but I would do it after the fire is good and out

you might have to refresh Norton or switch to Avast if Norton proves too bulky for your tastes

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #56 on: September 09, 2008, 08:52:09 PM »
Quote
How to disable system restore and later after cleansing enable it again, read:
http://support.microsoft.com/kb/310405
Instruction with pictures here: http://vil.nai.com/vil/systemhelpdocs/disablesysrestore.aspx
polonus
I only ran the uninstall avast in safe mode.
should I run all the scans again in safe mode?

I wasn't aware that system restore was enabled. What order should I follow, disable, restart in safe mode, run scan(s), restart again and then enable?

thanks P
« Last Edit: September 09, 2008, 08:56:24 PM by sbMama »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #57 on: September 09, 2008, 08:58:35 PM »
Hi sbMama,

Disable System Restore and then run a full SAS scan.
Also give us a fresh HijackThis log file after you have done that,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #58 on: September 09, 2008, 09:01:36 PM »
Quote
Polonus writes

 your system is undefended - no resident AV and no software Firewall.
dbl check that Norton is on after each procedure

WE gotta get a software firewall installed
from what norton says, I'm under the impression that I am being defended.
what to do what to do...

also, do I run another hjt and select fix for:  O3 - Toolbar: gksraemq - {9638003E-5BE9-4A57-98BA-CA691478858A} - C:\WINDOWS\gksraemq.dll

***do I go into safe mode first, then disable system res, then scan?
« Last Edit: September 09, 2008, 09:03:17 PM by sbMama »

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #59 on: September 09, 2008, 09:13:36 PM »
That O3 should be gone with SDFIX
Polonus saw a snapshot when you had AV turned off not to worry - you now have verified with Belarc and will again with a hjt after running rootkit and SDFIX

I do not know what you are referring to with this
"***do I go into safe mode first, then disable system res, then scan?"  scan with what
SDFIX?  just follow the instructions for SDFIX exactly
post back If I'm missing something


You can clean up system restore anytime
you/we know that there are infected items in restore which will show up in scans
not to panic

also just finish up the antivir uninstall using the major geeks page or the  links to antivir webpage at this point

do not start running scans again
you can do what polonus suggests anytime and we will do it before finishing

now your Norton list
the first three are quarantine files  so not to worry

then it found a cookie
then removed an av2009 file- good
however it looks as if these were Antivir quarantine files

then it removed these files

9/6/2008 1:24:02 PM,Virus scanner,Downloader.Zlob!gen.3,Fully removed,File,2008.09.05.041,15.5.0.23,SYSTEM,LIFEBOOK,Risk category: Virus;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\edkx.exe

9/6/2008 1:24:02 PM,Virus scanner,Downloader.Zlob!gen.3,Fully removed,File,2008.09.05.041,15.5.0.23,SYSTEM,LIFEBOOK,Risk category: Virus;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\sxmaokgf.exe

let's get the rootkit thing run then SDFIX
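Reading a Norton history export by hand, as wyrmrider does above, gets tedious once there are dozens of lines, and it is easy to miss whether a hit was a live file or one of the System Restore copies polonus pointed out earlier. The following is an added example, not code from the thread or from Symantec: it parses lines in the format quoted above into objects and flags entries whose path sits inside a restore point. The field order is inferred from the two quoted lines and is an assumption; the third sample line is constructed for contrast.

```powershell
# Added example: turn Norton history lines into objects and flag restore-point copies.
function ConvertFrom-NortonHistoryLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Assumed layout (from the quoted lines): nine comma-separated fields
        # (time, source, threat, action, type, definitions, product version,
        # user, computer) followed by a ';'-separated detail list. Limiting the
        # split to 10 pieces keeps the detail list intact even if it contains commas.
        $parts = $Line -split ',', 10
        if ($parts.Count -lt 10) { return }   # not a history line, skip it
        $details = $parts[9] -split ';'

        # "key: value" details go into a lookup; the path follows "Files & Directories".
        $kv = @{}
        foreach ($d in $details) {
            if ($d -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $kv[$Matches.k] = $Matches.v }
        }
        $idx  = [array]::IndexOf($details, 'Files & Directories')
        $path = if ($idx -ge 0 -and $idx + 1 -lt $details.Count) { $details[$idx + 1] } else { $null }

        # System Restore keeps its own copies under System Volume Information\_RESTORE{...};
        # a hit there is a snapshot copy, not the file that runs at boot.
        $inRestore = [bool]($path -and $path -match '(?i)\\System Volume Information\\_RESTORE')

        [pscustomobject]@{
            Time           = [datetime]::Parse($parts[0], [cultureinfo]::InvariantCulture)
            Threat         = $parts[2]
            Action         = $parts[3]
            Definitions    = $parts[5]
            RiskImpact     = $kv['Overall Risk Impact']
            Path           = $path
            InRestorePoint = $inRestore
        }
    }
}

# Sample input: the two lines quoted in the post, plus one constructed restore-point entry.
$sample = @(
    '9/6/2008 1:24:02 PM,Virus scanner,Downloader.Zlob!gen.3,Fully removed,File,2008.09.05.041,15.5.0.23,SYSTEM,LIFEBOOK,Risk category: Virus;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\edkx.exe',
    '9/6/2008 1:24:02 PM,Virus scanner,Downloader.Zlob!gen.3,Fully removed,File,2008.09.05.041,15.5.0.23,SYSTEM,LIFEBOOK,Risk category: Virus;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\sxmaokgf.exe',
    # constructed line, not from the thread:
    '9/9/2008 3:00:00 PM,Virus scanner,Downloader.Zlob!gen.3,Fully removed,File,2008.09.05.041,15.5.0.23,SYSTEM,LIFEBOOK,Risk category: Virus;Overall Risk Impact: Low;Action taken: Fully removed;Affected Areas;Files & Directories;C:\System Volume Information\_RESTORE{EXAMPLE-GUID}\RP57\A0000001.EXE'
)

$sample | ConvertFrom-NortonHistoryLine |
    Format-Table Time, Threat, Action, RiskImpact, InRestorePoint, Path -AutoSize
```

Entries with InRestorePoint set to True are the ones that disappear for good once System Restore is turned off and the restore points are purged, as described in the Microsoft KB link earlier in the thread.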