Author Topic: Sudden Attack Sea ( Virus or False Positive)?  (Read 48385 times)


SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #45 on: November 21, 2010, 10:30:52 AM »
@ derekdiong1,

Did you reboot after uninstalling McAfee?

As derick123 said (people I've helped tend to remember ;)), yes, run MBAM Full scan and post your results...I need to make sure your machine is clean.  Post your results (cut and paste).

If you come out clean with MBAM, then follow my previous post directions for doing an Avast uninstall/clean install.  Most likely Avast got corrupt with McAfee (having 2 AV's on your machine).  Reboot.

Do a test drive with Avast and run a Full and boot-time scan.

Report back your results.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #46 on: November 21, 2010, 12:51:01 PM »
Yes, I did reboot after cleaning McAfee. Now downloading MBAM, scared that it will detect launcher.exe as a virus!

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #47 on: November 22, 2010, 08:03:27 AM »
Here's the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5162

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/22/2010 1:18:23 PM
mbam-log-2010-11-22 (13-18-23).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 317587
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 36
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\baidubar.tool (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{d12f94fa-fc9a-41f7-b808-7fbb419dd7a6} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4c2bfec9-f03c-4f74-932e-5723e603b4ac} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{7ef05eff-0e62-4040-8d81-73a10d8de60f} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d158174c-004b-4a2e-9410-5442c10c60d2} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a7f05ee4-0426-454f-8013-c41e3596e9e9} (Trojan.Cinmus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a7f05ee4-0426-454f-8013-c41e3596e9e9} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e5d5d4a1-17f0-41d7-b1c6-0979f91e6f46} (Trojan.Cinmus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e5d5d4a1-17f0-41d7-b1c6-0979f91e6f46} (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\baidubar.tool.1 (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\baidubarex.bdhomepage (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\baidubarex.bdhomepage.1 (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\baidubarex.bdhomepage.2 (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\baidubarex.bdhomepage.3 (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\baidubarex.bdhomepage.4 (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\baidubarx.bandie (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\baidubarx.bandie.1 (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\baidubarx.toolband (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\baidubarx.toolband.1 (Trojan.Cinmus) -> No action taken.
HKEY_CLASSES_ROOT\barbroker.bdbroker (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\barbroker.bdbroker.1 (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7a33ce9e-4f33-4b4e-b263-6aeeab6c3dc2} (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5becd27b-dcf5-4def-b066-486a47245c03} (Adware.BDSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7a33ce9e-4f33-4b4e-b263-6aeeab6c3dc2} (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{3a8c9d89-3271-45f4-98c0-56b0f5a16172} (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2923508c-9425-4a61-b9ce-a98239055916} (Adware.BDSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9f44453e-1e46-4d5c-b57c-112ff2edae82} (Spyware.OnlineGames) -> No action taken.
HKEY_CURRENT_USER\Software\Baidu (Adware.Bdsearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX (Adware.BDSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\Owner\Application Data\Baidu (Trojan.Cinmus) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar (Trojan.Cinmus) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar\Custom Buttons (Trojan.Cinmus) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar\DownloadTmp (Trojan.Cinmus) -> No action taken.

Files Infected:
C:\Program Files\Baidu\Toolbar\BaiduBarX.dll (Trojan.Cinmus) -> No action taken.
C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> No action taken.
C:\Program Files\Baidu\Toolbar\BarBroker.exe (Adware.BDSearch) -> No action taken.
C:\Program Files\QvodPlayer\QvodBand.dll (Spyware.OnlineGames) -> No action taken.
C:\Downloads\QvodSetup3_ccch.exe (Adware.Agent) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar\iexp.dat (Trojan.Cinmus) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar\logex.dat (Trojan.Cinmus) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Baidu\Toolbar\namedsites.dat (Trojan.Cinmus) -> No action taken.

There are some infected files. Should I delete them?? Reply ASAP!!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #48 on: November 22, 2010, 08:10:23 AM »
There are some infected files. Should I delete them?? Reply ASAP!!

Let MBAM quarantine the findings..!!
See the instructions SafeSurf posted in reply #41...!
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #49 on: November 22, 2010, 10:25:10 AM »
Click the “remove selected” button to quarantine anything found.  You will find the infection details under the Quarantine tab.
Copy & Paste the entire report in your next reply.
You need to update MBAM again, then run the Full scan again. This time, see the quote above and, as Asyn and I both said, let MBAM quarantine the infections.  Right now they are still sitting in your machine because you told it to "take no action."  You need to let MBAM quarantine it.  You do NOT want to delete them.

After this, I want you to do the following:

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs.  Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Please do not make any further changes to your machine once you have provided the logs.

I will review the logs and I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Let me know if you have any questions.  Thank you.
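SafeSurf's point in reply #49, that every line ending in "No action taken." is an item still sitting on the machine, can be checked mechanically against the MBAM report posted in reply #47. The following Python is an added example, not code from the thread or from Malwarebytes: it parses that report layout (a constructed, shortened sample is embedded, with one made-up "quarantined" line for contrast) and lists what was left unresolved and which detection families dominate.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes 1.46 log posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\baidubar.tool (Trojan.Cinmus) -> No action taken.
HKEY_CURRENT_USER\Software\Baidu (Adware.Bdsearch) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Program Files\Baidu\Toolbar\BaiduBarX.dll (Trojan.Cinmus) -> No action taken.
C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Downloads\QvodSetup3_ccch.exe (Adware.Agent) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")   # detail header: no count after the colon
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")
UNRESOLVED = "No action taken."

def parse_mbam_log(text):
    """Return one dict per finding: section, item, detection name and final action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        entry = ENTRY_RE.match(line) if section else None   # skip the summary block up top
        if entry:   # "(No malicious items detected)" and blank lines do not match
            # Registry data items read "Bad: (1) Good: (0) -> <action>": keep the last arrow.
            action = entry.group("rest").rsplit(" -> ", 1)[-1]
            findings.append({"section": section, "item": entry.group("item"),
                             "detection": entry.group("detection"), "action": action})
    return findings

def unresolved(findings):
    """Findings still on the machine because 'take no action' was chosen in MBAM."""
    return [f for f in findings if f["action"] == UNRESOLVED]

def summarize(findings):
    """Count per detection family, so the dominant infection is obvious at a glance."""
    return Counter(f["detection"] for f in findings)
```

Running `unresolved(parse_mbam_log(SAMPLE_LOG))` on the sample returns five of the six findings, which is exactly the situation SafeSurf describes: nothing has been quarantined until the scan is re-run with "remove selected".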

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #50 on: November 22, 2010, 08:52:42 PM »
Hi there, let's do a final check to see if there was a Sality infection.

Step 1. Preparation to disinfection:

Download the file Sality.zip
Extract SalityKiller.exe
Run the file SalityKiller.exe

Step 2. Registry repair: (Allow the files to merge when requested)

Download Sality_regkeys.zip
Extract the file Sality_RegKeys.zip
Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

Step 3. Finalising: (Allow the files to merge when requested)

From the archive Sality_RegKeys.zip run the file of the registry key:
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista / 2008 run the registry file SafebootVista.reg
  • under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg
FULL SCAN

Download Dr Web from here: http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

ANALYSIS LOG

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #51 on: November 22, 2010, 10:15:06 PM »
Thanks Essexboy.  ;)

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #52 on: November 23, 2010, 02:51:15 AM »
Wait, now which step should I do?? SafeSurf's or Essexboy's steps?? And is it really safe? Don't want my parents to worry!! If I screw this up my dad won't buy me a new com!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89033
  • No support PMs thanks
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #53 on: November 23, 2010, 03:13:48 AM »
Go with essexboy's instructions as they are more specific to your problem. If you have the Sality file infector virus, it needs special tools to try and a) kill/stop Sality running and infecting other files (steps 1-3) and b) try and repair any files infected by Sality (the full scan with DrWeb).

Finally after that an analysis to see if there are any other remnants/issues and attach the logs as asked for.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #54 on: November 23, 2010, 04:01:44 AM »
I wanna ask how to run in safe mode?? And everyone here is so friendly!! THX guys!!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #55 on: November 23, 2010, 08:26:24 AM »
I wanna ask how to run in safe mode?? And everyone here is so friendly!! THX guys!!

Press F8 while your system is booting.

SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #56 on: November 23, 2010, 09:55:21 AM »
derekdiong1,

I was referring you to Essexboy, who is our Certified Malware Removal expert.  He comes on the forum usually late UK time, so remember to check this thread daily as he will give you specific instructions for your malware removal.  I will remain in the background while he works with you.  Thank you.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #57 on: November 24, 2010, 04:11:03 AM »
When you mean booting, is it in the Windows loading screen??

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #58 on: November 24, 2010, 06:06:27 AM »
There was nothing detected on Dr.Cure.

The OTL log is too big, can't type it here.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #59 on: November 24, 2010, 07:46:11 AM »
The OTL log is too big, can't type it here.

Attach the log...!
If you write a new post: -> Additional Options -> Attach
asyn