Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Backdoor.IRC.Zapchast/RogueAntiSpyware.AntiSpyware_LLC


  • This topic is locked This topic is locked
13 replies to this topic

#1 alexb85

alexb85

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 08 January 2009 - 06:09 PM

Backdoor.IRC.Zapchast RogueAntiSpyware.AntiSpyware_LLC
Recently on Spyware Doctor these two appeared. They do not appear on Malwarebytes' Anti-Malware or SUPERAntiSpyware scans.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Alex at 14:59:40.74 on Thu 01/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vistaāā€˛¢ Home Premium 6.0.6001.1.1252.1.1033.18.1917.711 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\sttray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Alex\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070917
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WallpaperChanger] c:\program files\wallpaper master\Wallpaper.exe -startup
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\alex\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\alex\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\progra~1\google\google~2\GOEC62~1.DLL,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\alex\appdata\roaming\mozilla\firefox\profiles\cy71uy6a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: keyword.URL - chrome://google-cjk-partner/locale/partner.properties
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\alex\appdata\roaming\mozilla\firefox\profiles\cy71uy6a.default\extensions\{190b412f-3273-4922-9954-56e8bcb5e113}\plugins\NPnsv.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-31 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-8-31 69128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-31 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-31 231704]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-17 29744]

=============== Created Last 30 ================

2009-01-07 10:43 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-07 10:43 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-07 10:42 <DIR> --d----- c:\users\alex\appdata\roaming\SUPERAntiSpyware.com
2009-01-07 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 10:41 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 21:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-06 20:49 <DIR> --d----- c:\users\alex\appdata\roaming\Malwarebytes
2009-01-06 20:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 20:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 20:49 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-06 20:49 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-06 20:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 18:44 110,592 a----r-- c:\windows\system32\RCSigProc.dll
2008-12-30 18:44 200,704 a----r-- c:\windows\system32\Strato7.dll
2008-12-30 18:44 6,475,096 a------- c:\windows\system32\NEFcodec.dll
2008-12-30 18:35 <DIR> --d----- c:\programdata\Automator
2008-12-30 18:35 <DIR> --d----- c:\progra~2\Automator
2008-12-30 18:35 20 ----h--- c:\programdata\PKP_DLdw.DAT
2008-12-30 18:35 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2008-12-25 16:41 <DIR> --d----- c:\users\alex\appdata\roaming\Any Video Converter
2008-12-21 16:37 <DIR> --d----- c:\program files\iPod
2008-12-21 16:37 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 16:37 <DIR> --d----- c:\program files\iTunes
2008-12-21 16:37 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 16:10 <DIR> --d----- c:\users\alex\appdata\roaming\LEGO Company
2008-12-09 20:34 2,048 a------- c:\windows\system32\tzres.dll

==================== Find3M ====================

2009-01-07 15:50 3,375 a------- c:\windows\bthservsdp.dat
2009-01-03 02:07 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-01-03 02:07 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2008-12-30 18:32 106,496 a------- c:\windows\system32\ATL71.DLL
2008-11-04 11:16 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-04 11:16 86,016 a------- c:\windows\inf\infstor.dat
2008-11-04 11:16 51,200 a------- c:\windows\inf\infpub.dat
2008-10-31 19:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 19:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 19:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 19:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 19:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 19:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 17:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-28 22:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 19:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-20 21:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-20 21:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-16 12:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 12:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-15 20:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-15 14:17 174 a--sh--- c:\program files\desktop.ini
2008-09-15 13:58 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:01:48.18 ===============

Any help is greatly appreciated.

EDIT: Spyware doctor says the zapchast was from personales.ya.com, if it helps any. I believe this is from an e-greeting spam message? Also, it says all of them are browser cookies.

Attached Files


Edited by alexb85, 09 January 2009 - 02:51 PM.


BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 19 January 2009 - 02:46 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

There doesn't appear to be an infection. What items are flagged?

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is not need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 19 January 2009 - 06:56 PM

Hello Panda, here is the new DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Alex at 14:44:24.14 on Mon 01/19/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.741 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\program files\mozilla firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Alex\Downloads\dds.com
C:\Windows\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070917
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WallpaperChanger] c:\program files\wallpaper master\Wallpaper.exe -startup
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\alex\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\alex\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\progra~1\google\google~2\GOEC62~1.DLL,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\alex\appdata\roaming\mozilla\firefox\profiles\cy71uy6a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: keyword.URL - chrome://google-cjk-partner/locale/partner.properties
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\alex\appdata\roaming\mozilla\firefox\profiles\cy71uy6a.default\extensions\{190b412f-3273-4922-9954-56e8bcb5e113}\plugins\NPnsv.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-31 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-8-31 69128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-07 10:43 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-07 10:43 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-07 10:42 <DIR> --d----- c:\users\alex\appdata\roaming\SUPERAntiSpyware.com
2009-01-07 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 10:41 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 21:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-06 20:49 <DIR> --d----- c:\users\alex\appdata\roaming\Malwarebytes
2009-01-06 20:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 20:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 20:49 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-06 20:49 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-06 20:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 18:44 110,592 a----r-- c:\windows\system32\RCSigProc.dll
2008-12-30 18:44 200,704 a----r-- c:\windows\system32\Strato7.dll
2008-12-30 18:44 6,475,096 a------- c:\windows\system32\NEFcodec.dll
2008-12-30 18:35 <DIR> --d----- c:\programdata\Automator
2008-12-30 18:35 <DIR> --d----- c:\progra~2\Automator
2008-12-30 18:35 20 ----h--- c:\programdata\PKP_DLdw.DAT
2008-12-30 18:35 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2008-12-25 16:41 <DIR> --d----- c:\users\alex\appdata\roaming\Any Video Converter
2008-12-21 16:37 <DIR> --d----- c:\program files\iPod
2008-12-21 16:37 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 16:37 <DIR> --d----- c:\program files\iTunes
2008-12-21 16:37 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 16:10 <DIR> --d----- c:\users\alex\appdata\roaming\LEGO Company

==================== Find3M ====================

2009-01-09 11:09 3,375 a------- c:\windows\bthservsdp.dat
2009-01-03 02:07 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-01-03 02:07 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2008-12-30 18:32 106,496 a------- c:\windows\system32\ATL71.DLL
2008-11-04 11:16 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-04 11:16 86,016 a------- c:\windows\inf\infstor.dat
2008-11-04 11:16 51,200 a------- c:\windows\inf\infpub.dat
2008-10-31 19:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 19:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 19:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 19:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 19:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 19:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 17:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-28 22:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 19:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 17:22 2,048 a------- c:\windows\system32\tzres.dll
2008-09-15 14:17 174 a--sh--- c:\program files\desktop.ini
2008-09-15 13:58 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:47:03.32 ===============

EDIT: I'm not able to post the GMER log, it says its too long, if that doesn't sound right I can redo it for you

I haven't made any changes, I haven't even been using my laptop, but I have been reading the forum and know that I should uninstall viewpoint media player, I haven't yet though.

I think maybe because I scanned and erased the infections on spyware doctor before doing the DDS log the first time it didn't show up? I'm in the process of running a full scan to see if anything comes up and I'll report back.

Attached Files


Edited by alexb85, 19 January 2009 - 07:00 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 19 January 2009 - 07:13 PM

Hello Alex.

Please upload the GMER log to me.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/193512/infected-backdoorirczapchastrogueantispywareantispyware-llc/
  • Select the GMER log.
  • Under the comments section, say that the file was too large.
Post back here when it is uploaded.

With Regards,
The Panda

#5 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 19 January 2009 - 07:25 PM

Just sent it, oops sorry, I didn't put in the comments section that it was too large =/

EDIT: Well, I just completed a full scan on Spyware Doctor and nothing came up, a few days after initially posting this thread I ran Spyware Doctor in Safe Mode and deleted the infections that way, but I don't think that would make a difference would it? Since running it in safe mode I hadn't checked my laptop until today.

Spyware Doctor said all the infections were browser cookies, is that normal? I haven't had any problems with the actual laptop to speak of, but when I saw a Backdoor infection on Spyware Doctor I freaked and came here.

If there is any insight you can offer as to why they would just disappear like that I would be very grateful. Also, currently I have Spyware Doctor (obviously hah), Malwarebytes' Anti-Malware, and SUPERAnti-Spyware along with AVG free. Do I need all of these and are there any programs you recommend instead of the ones I have?

Edited by alexb85, 19 January 2009 - 08:27 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 20 January 2009 - 11:46 AM

Hello Alex.

Browser cookies are normal to have. I probably have a few "tracking cookies".

Let's clear the temp folders and see what an online scan can find.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


With Regards,
The Panda

#7 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 20 January 2009 - 01:04 PM

Hello again,

I'm afraid I'm using Vista on my laptop, should I still do the ATF Cleaner even though it's for XP and 2000 only? I'm in the process of running Kaspersky and will update this post when it is done.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 20 January 2009 - 04:13 PM

No. Sorry, forgot this was a Vista.

I should add "If you are using Vista and are seeing this, call Panda an idiot" :thumbsup: .

The Panda

Edited by PropagandaPanda, 20 January 2009 - 04:14 PM.


#9 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 20 January 2009 - 04:40 PM

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 20, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 20, 2009 15:58:15
Records in database: 1654946
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 121114
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:10:49

No malware has been detected. The scan area is clean.

The selected area was scanned.


So far so good I suppose? Is there anything else you can think of, or would you give it the all clear?

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 20 January 2009 - 04:47 PM

Looks good to me.

Unless there are any issues at the moment, you are good to go.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#11 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 20 January 2009 - 05:12 PM

I guess my only questions would be:

-Do you have any idea why the infected cookies are not there anymore? I had deleted them a few times before, through Spyware Doctor, and they were always back when I went to scan it on startup again.

-Is there a program I should have in addition to or to replace Spyware Doctor, Malwarebytes Anti-Malware, or SUPERAntiSpyware. Should I replace AVG free with something else?

Thank you very, very much for all your help. I greatly appreciate it!

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 20 January 2009 - 06:17 PM

Hello.

Do you have any idea why the infected cookies are not there anymore?

It is possible that an active infection was replacing the files that were detected. When the infection was removed, the cookies stayed gone.

-Is there a program I should have in addition to or to replace Spyware Doctor, Malwarebytes Anti-Malware, or SUPERAntiSpyware. Should I replace AVG free with something else?

That looks like enough protection. AVG is a great free antivirus, and I would keep it.

With Regards,
The Panda

#13 alexb85

alexb85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 20 January 2009 - 06:43 PM

Well, I just did some full scans and everything is coming up clean, thank you again!

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 21 January 2009 - 08:10 AM

Glad I could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users