BleepingComputer.com forums
Trojan Antivirus 2009 infection


This topic is locked. 7 replies to this topic.

#1 Gatorade96 (Members, 55 posts)

Posted 28 October 2008 - 09:40 AM

Help! I have been infected by a trojan virus. It is probably very familiar to you guys. It pops up windows saying the computer has been infected and needs to go to a site to fix it. Many pop ups and re-directs. I used the latest available Norton and then AVG. No luck there. They said they found the virus and removed it to the virus vault but it keeps coming back and attacking over and over again. I am posting my HijackThis log below. I also ran RSIT info and log as well as Kaspersky Online Scan and have those in the misplaced HJT thread. Can someone please take a look at these and help me out? Or tell me if I need to do something else?

Thanks!
Charlie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:43 AM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
F:\WINDOWS\shicoxp.exe
F:\WINDOWS\caxchg.exe
F:\Program Files\Gateway Utilities\GWInkMonitor.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\Synaptics\SynTP\SynTPLpr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Roxio\GoBack\GBPoll.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Roxio\GoBack\GBTray.exe
F:\Program Files\Common Files\Motive\McciCMService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton Personal Firewall\NISUM.EXE
F:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
F:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
F:\Program Files\Norton Personal Firewall\ccPxySvc.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbskids.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] F:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [shicoxp] F:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] F:\WINDOWS\caxchg.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "F:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SynTPLpr] F:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] F:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F3B194B9.exe] F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe
O4 - HKCU\..\Run: [A00F3D3528B.exe] F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = F:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ViewTIFF for Java - http://www.miami-dadeclerk.com/MortgageFor...in/TIFFView.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205556356421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1219349586015
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c00E1EC2 - F:\WINDOWS\system32\__c00E1EC2.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: GBPoll - Roxio, Inc. - F:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - F:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - F:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PrismXL - Lanovation - F:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9577 bytes


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 01 November 2008 - 08:29 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and select Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.


Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 Gatorade96 (Topic Starter, Members, 55 posts)

Posted 01 November 2008 - 10:45 AM

Hey Panda, thanks for the reply. I have attached the file you requested.

Charlie




#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 01 November 2008 - 11:43 AM

Hello Gatorade96.

I see that you are running more than one antivirus program: Symantec Norton and AVG. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in the other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall them using Add/Remove Programs until you are only running one antivirus. If your Norton subscription has ended, then uninstall it. If it is still active, uninstall AVG.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

To disable Norton Antivirus:
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now change to show that it is disabled.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it and select Quit Control Center.
  • A warning will pop up; click Yes.
Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "mmtask" -> c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "A00F3B194B9.exe" -> %SystemDrive%\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe [F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe]
    YN -> "A00F3D3528B.exe" -> %SystemDrive%\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe [F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe]
    < Run [HKEY_USERS\S-1-5-21-1085031214-1336601894-839522115-1004\] > -> HKEY_USERS\S-1-5-21-1085031214-1336601894-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "A00F3B194B9.exe" -> %SystemDrive%\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe [F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe]
    YN -> "A00F3D3528B.exe" -> %SystemDrive%\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe [F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe]
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YY -> __c007D36 -> %SystemRoot%\system32\__c007D36.dat
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YN -> \{4eaf8c12-f48b-11dc-8b17-00e0b8674003} -> 
    YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\Shell -> 
    YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\Shell\AutoRun\command -> 
    [Files/Folders - Created Within 30 Days]
    NY -> __c007D36.dat -> %SystemRoot%\System32\__c007D36.dat
    NY -> __c006CF11.dat -> %SystemRoot%\System32\__c006CF11.dat
    NY -> __c00D4FA8.dat -> %SystemRoot%\System32\__c00D4FA8.dat
    [Files/Folders - Modified Within 30 Days]
    NY -> __c007D36.dat -> %SystemRoot%\System32\__c007D36.dat
    NY -> __c00E1EC2.dat -> %SystemRoot%\System32\__c00E1EC2.dat
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Re-enable your protection at this time.
Take a new scan with OTScanIt, leaving the settings at default. Attach that log. Please also include a new HijackThis log.

How is your computer running now?

With Regards,
The Panda
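
The indicators the fix above targets (Run-key entries launching hex-named executables from the user's Temp folder, and a randomly named Winlogon Notify package loaded from a .dat file) can be picked out of a HijackThis log mechanically. The Python script below is an added example written for this page, not a tool from the thread or from BleepingComputer; its sample lines are constructed from the logs posted above, and the heuristics (Temp-folder paths, long hex value names, non-DLL Notify packages) are assumptions a defender would tune to their own environment.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the HijackThis logs posted in this
# thread: benign O4 Run entries alongside the Temp-folder Run entries and the
# Winlogon Notify .dat entries that the OTScanIt fix above removes.
SAMPLE_LOG_LINES = [
    r"O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [ccApp] F:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"O4 - HKCU\..\Run: [A00F3B194B9.exe] F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3B194B9.exe",
    r"O4 - HKCU\..\Run: [A00F3D3528B.exe] F:\DOCUME~1\POLLOCK\LOCALS~1\Temp\_A00F3D3528B.exe",
    r"O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O20 - Winlogon Notify: __c00E1EC2 - F:\WINDOWS\system32\__c00E1EC2.dat",
    r"O20 - Winlogon Notify: __c007D36 - F:\WINDOWS\system32\__c007D36.dat (file missing)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

# HijackThis line shapes this triage understands (registry-form O4 entries,
# O20 Winlogon Notify packages and the O20 AppInit_DLLs value).
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O20_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")

# Heuristics (assumptions, tune as needed): a Run value name that is a long
# hex string, optionally with .exe, and a target inside a Temp folder.
HEX_NAME_RE = re.compile(r"^_?[0-9A-Fa-f]{8,}(\.exe)?$")
TEMP_PATH_RE = re.compile(r"\\Temp\\|%Temp%", re.IGNORECASE)


def _finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return the findings (possibly none) for one HijackThis log line."""
    findings: List[Dict[str, str]] = []
    m = O4_RUN_RE.match(line)
    if m:
        if TEMP_PATH_RE.search(m.group("cmd")):
            findings.append(_finding("high", line,
                "Run entry launches an executable from a Temp folder"))
        if HEX_NAME_RE.match(m.group("name")):
            findings.append(_finding("medium", line,
                "Run entry uses a random-looking hex value name"))
        return findings
    m = O20_NOTIFY_RE.match(line)
    if m:
        # Legitimate Notify packages (e.g. graphics drivers) are DLLs; a .dat
        # loaded by winlogon is the pattern seen in this thread.
        if not m.group("path").lower().endswith(".dll"):
            findings.append(_finding("high", line,
                "Winlogon Notify package is not a .dll"))
        if m.group("missing"):
            findings.append(_finding("low", line,
                "orphaned Winlogon Notify entry: file missing, registry key remains"))
        return findings
    m = O20_APPINIT_RE.match(line)
    if m and m.group("dlls").strip():
        findings.append(_finding("info", line,
            "AppInit_DLLs is populated; confirm each DLL belongs to a known product"))
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Triage a whole HijackThis log, returning findings in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

On the sample above it reports the two Temp-folder Run entries, both Winlogon Notify .dat packages, and the orphaned entry left behind after the file was moved, while the Intel, Symantec and Google entries produce nothing.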

#5 Gatorade96 (Topic Starter, Members, 55 posts)

Posted 01 November 2008 - 07:34 PM

Hey Panda, I ran the scans and have posted three and attached one of the five logs that you asked for but I can't find the OTscan log that shows the final scan after the reboot from the fix. I am pretty sure they popped up but then went away on the reboot. I just don't know where they are stored. Please let me know if you need that log and where I can find it. As far as how the computer is running, it has been running great for the last two days. No pop ups or redirects. However since I hadn't made any changes and the trojan was still found in the Malwarebytes scan before I removed it I just think it wasn't activating. Please let me know what you think about my logs.

Charlie


------------------------------------------------------------------------------------------------------------------------
OTscan fix log.

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mmtask deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F3B194B9.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F3D3528B.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1085031214-1336601894-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F3B194B9.exe not found.
Registry value HKEY_USERS\S-1-5-21-1085031214-1336601894-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\A00F3D3528B.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007D36\ deleted successfully.
File move failed. F:\WINDOWS\system32\__c007D36.dat scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\Shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eaf8c12-f48b-11dc-8b17-00e0b8674003}\Shell\AutoRun\command\ not found.
[Files/Folders - Created Within 30 Days]
File move failed. F:\WINDOWS\System32\__c007D36.dat scheduled to be moved on reboot.
F:\WINDOWS\System32\__c006CF11.dat moved successfully.
F:\WINDOWS\System32\__c00D4FA8.dat moved successfully.
[Files/Folders - Modified Within 30 Days]
File move failed. F:\WINDOWS\System32\__c007D36.dat scheduled to be moved on reboot.
F:\WINDOWS\System32\__c00E1EC2.dat moved successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.28b fix logfile created on 11012008_131821

Files moved on Reboot...
F:\WINDOWS\system32\__c007D36.dat moved successfully.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Malware scan log

Malwarebytes' Anti-Malware 1.30
Database version: 1352
Windows 5.1.2600 Service Pack 3

11/1/2008 8:03:08 PM
mbam-log-2008-11-01 (20-03-08).txt

Scan type: Quick Scan
Objects scanned: 57519
Time elapsed: 12 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007d36 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------------------------------------
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:40 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
F:\WINDOWS\shicoxp.exe
F:\WINDOWS\caxchg.exe
F:\Program Files\Gateway Utilities\GWInkMonitor.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\Synaptics\SynTP\SynTPLpr.exe
F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Roxio\GoBack\GBTray.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Roxio\GoBack\GBPoll.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Motive\McciCMService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton Personal Firewall\NISUM.EXE
F:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
F:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
F:\Program Files\Norton Personal Firewall\ccPxySvc.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbskids.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] F:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [shicoxp] F:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] F:\WINDOWS\caxchg.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "F:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SynTPLpr] F:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] F:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = F:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ViewTIFF for Java - http://www.miami-dadeclerk.com/MortgageFor...in/TIFFView.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205556356421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1219349586015
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O20 - Winlogon Notify: __c007D36 - F:\WINDOWS\system32\__c007D36.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: GBPoll - Roxio, Inc. - F:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - F:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - F:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PrismXL - Lanovation - F:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8903 bytes
--------------------------------------------------------------------------------------------------------------------------------

Final OTscan log attached.
--------------------------------------------------------------------------------------------------------------------------------
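The HijackThis log above is reviewed by eye in this thread. As an added example that is not part of the original post or of HijackThis itself, the script below parses O4 (autostart), O20 (Winlogon Notify) and O23 (service) lines into records and applies two defender-side triage heuristics: a Winlogon Notify entry marked "(file missing)" is an orphaned registry reference left behind after its DLL was removed, and an autostart executable sitting directly in the Windows root (rather than System32 or a vendor folder) is unusual enough to deserve a second look. The sample input is a constructed five-line excerpt taken from the log above; the flags are prompts for review, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: five lines in HijackThis format, copied from the log above
# (not the full log), so the script runs stand-alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [shicoxp] F:\WINDOWS\shicoxp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O20 - Winlogon Notify: __c007D36 - F:\WINDOWS\system32\__c007D36.dat (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
"""


@dataclass
class Entry:
    section: str                      # "O4", "O20" or "O23"
    name: str                         # run-value name, notify subkey or service name
    path: str                         # module the entry loads ("" if not parsed)
    raw: str                          # original log line
    flags: List[str] = field(default_factory=list)


O4_REG = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$')
O23 = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')

# First quoted or unquoted token ending in a module extension; arguments are dropped.
MODULE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|dat|sys|scr|com))"?', re.IGNORECASE)
# The Windows root itself, e.g. F:\WINDOWS, as opposed to F:\WINDOWS\system32.
WINDOWS_ROOT = re.compile(r'^[A-Za-z]:\\(WINDOWS|WINNT)$', re.IGNORECASE)


def module_path(command: str) -> str:
    """Return the executable/module path at the start of a command line."""
    m = MODULE.match(command.strip())
    return m.group('path') if m else ''


def parse_hjt(text: str) -> List[Entry]:
    """Parse O4/O20/O23 lines; lines in other sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_STARTUP.match(line)
        if m:
            entries.append(Entry('O4', m.group('name'), module_path(m.group('cmd')), line))
            continue
        m = O20.match(line)
        if m:
            e = Entry('O20', m.group('name'), m.group('path'), line)
            if m.group('missing'):
                # Registry still points at a Winlogon Notify DLL that no longer exists:
                # an orphan, typically left after a removal tool deleted the file.
                e.flags.append('winlogon-notify-file-missing')
            entries.append(e)
            continue
        m = O23.match(line)
        if m:
            e = Entry('O23', m.group('name'), module_path(m.group('path')), line)
            # HijackThis prints "Unknown owner" when the binary carries no company name.
            if m.group('vendor').strip() in ('', 'Unknown owner'):
                e.flags.append('service-unknown-vendor')
            entries.append(e)
    return entries


def flag_autoruns(entries: List[Entry]) -> List[Entry]:
    """Flag autostart entries whose executable lives directly in the Windows root."""
    for e in entries:
        if e.section == 'O4' and e.path:
            folder = e.path.rsplit('\\', 1)[0]
            if WINDOWS_ROOT.match(folder):
                e.flags.append('autorun-in-windows-root')
    return entries


def review(text: str) -> List[Entry]:
    """Parse a log and return only the entries that carry at least one flag."""
    return [e for e in flag_autoruns(parse_hjt(text)) if e.flags]


if __name__ == '__main__':
    for e in review(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name:<12} {', '.join(e.flags):<32} {e.raw}")
```

Run against a full HijackThis log the same way (`review(open('hijackthis.log').read())`); on the constructed sample it reports the shicoxp autostart and the orphaned __c007D36 Winlogon Notify entry, and nothing else.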


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 November 2008 - 08:51 PM

Hello Gatorade96.

You had posted the right logs.

Your computer is clean from what I see :thumbsup:

Run CleanUp with OTScanIt
This will remove all the tools we used.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Click the CleanUp button.
  • Restart if prompted.
Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#7 Gatorade96

Gatorade96
  • Topic Starter
  • Members
  • 55 posts

Posted 02 November 2008 - 08:51 AM

:thumbsup: :) :) :) :)

Thanks for the help Panda! I am currently doing the updates and will get my Norton updated shortly. I need to buy the upgrade as my subscription has expired.

Thanks again!

Charlie

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 02 November 2008 - 08:58 AM

Hello Charlie.

You are very welcome :thumbsup: .

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
