
Possible infection with Mal_otorun1



#1 csingl2


Posted 17 March 2009 - 09:17 PM

Hi,

I ran TrendMicro's antiviral software and it displayed this infection: Mal_otorun1. However, the software wasn't able to remove it. Now, my browser (Mozilla) redirects to websites I didn't click on whenever I try to search in Google. Also, my browser will sometimes freeze up for no reason while surfing. In addition, my Windows Firewall seems to keep disconnecting. I'm hoping I don't have additional viruses as well.


Here is the DDS report:

---------------------------------------------------------------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 19:02:17.30 on Tue 03/17/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {4672c8ee-9d21-4777-ae70-103d5dd25ce8} - No File
BHO: {6584C510-924B-486A-A1A0-E380DE08C2DB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {89A0F543-201F-494B-9546-7835A2DE75DF} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - No File
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MSServer] rundll32.exe c:\windows\system32\nnnoPIaw.dll,#1
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks premier\norton cleanup\WCQuick.lnk
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: {6584C510-924B-486A-A1A0-E380DE08C2DB} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xXPfedAs

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\6ysnd18g.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\6ysnd18g.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-17 16:56 <DIR> --d----- c:\program files\Trend Micro
2009-03-17 10:37 <DIR> --d----- c:\program files\common files\xing shared
2009-03-17 09:30 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-03-17 09:30 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-03-17 09:30 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-03-17 09:30 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-03-17 09:29 <DIR> --d----- c:\users\admini~1\appdata\roaming\PC Tools
2009-03-17 09:29 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-17 09:17 <DIR> --d----- c:\programdata\Google Updater
2009-03-17 01:51 <DIR> --d----- c:\users\administrator\.housecall6.6
2009-03-16 22:52 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-03-11 23:13 36,868 a------- c:\program files\uninst-Echospace.exe
2009-03-11 23:10 36,868 a------- c:\program files\uninst-SoundKeys.exe
2009-03-11 23:05 90,112 a------- c:\windows\unvise32.exe
2009-03-11 18:31 <DIR> --d----- c:\programdata\FLEXnet
2009-03-11 18:21 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-03-11 16:46 355 ---shr-- C:\autorun.inf
2009-03-11 16:42 <DIR> --d----- c:\users\administrator\Turbo Squid Tentacles
2009-03-11 16:37 <DIR> --d----- c:\users\admini~1\appdata\roaming\Autodesk
2009-03-11 16:20 <DIR> --d----- c:\program files\Turbo Squid Tentacles
2009-03-11 16:19 <DIR> --d----- c:\program files\Microsoft WSE
2009-03-11 16:15 <DIR> --d----- c:\programdata\Autodesk
2009-03-11 16:14 <DIR> --d----- c:\program files\Autodesk
2009-03-10 17:49 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-10 17:49 268,288 a------- c:\windows\system32\schannel.dll
2009-03-08 16:39 626,688 a------- c:\windows\system32\msvcr80.dll
2009-03-08 16:23 <DIR> --dsh--- c:\windows\ftpcache
2009-03-03 14:28 <DIR> --d----- c:\program files\common files\Canon
2009-03-03 13:56 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-03 13:56 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-03 13:56 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-03 13:56 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-03 13:56 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-03 13:56 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-03 13:56 11,264 a------- c:\windows\system32\icardres.dll
2009-03-03 13:56 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-03 13:53 <DIR> -cd-h--- c:\programdata\{4439F0FD-AFAF-434D-86E2-DEB14A9C58AC}
2009-03-03 13:53 <DIR> -cd-h--- c:\progra~2\{4439F0FD-AFAF-434D-86E2-DEB14A9C58AC}
2009-03-03 13:53 <DIR> --d----- c:\program files\iXi Tools
2009-03-03 13:51 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-03 13:51 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-03 13:51 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-03 13:51 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-03 13:51 83,968 a------- c:\windows\system32\mscories.dll
2009-03-03 13:49 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-03 13:49 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-03 13:49 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-03 13:49 8,147,456 a------- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-03-17 18:37 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-17 18:37 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 18:37 51,200 a------- c:\windows\inf\infpub.dat
2009-03-16 22:15 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-03-11 23:12 1,989 a------- c:\program files\trapcodeStarglow.log
2009-03-11 23:10 1,962 a------- c:\program files\trapcodeShine.log
2009-03-11 23:09 17,433 a------- c:\program files\trapcodeparticular.log
2009-03-11 23:08 1,944 a------- c:\program files\trapcodelux.log
2009-03-11 23:07 1,942 a------- c:\program files\trapcodehorizon.log
2009-03-11 23:06 19,540 a------- c:\program files\trapcodeform.log
2009-03-11 23:05 4,547 a------- c:\program files\trapcode3Dstroke.log
2009-03-05 09:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-11-20 18:51 22,328 a------- c:\users\admini~1\appdata\roaming\PnkBstrK.sys
2008-06-10 21:13 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-05-22 23:18 903,384 a--sh--- c:\windows\system32\hgfghRqr.ini2
2008-05-20 23:32 898,647 a--sh--- c:\windows\system32\hikRBcdd.ini2
2008-05-25 00:17 893,785 a--sh--- c:\windows\system32\ikSAIkkj.ini2
2008-05-23 17:01 893,785 a--sh--- c:\windows\system32\MTsDdMSs.ini2
2008-05-23 20:49 894,829 a--sh--- c:\windows\system32\sAdefPXx.ini2

============= FINISH: 19:04:53.92 ===============


Any help would be appreciated.

Thanks,

Chane

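The DDS log above is the kind of artefact a forum helper reads by eye, looking for entries that deserve a closer look rather than for a verdict. As an added example (not part of the original post, and not a DDS or BleepingComputer tool), the Python below parses a few constructed lines modelled on the log and applies three triage heuristics that are assumptions of this example, not rules from the thread: a `Run` entry that launches `rundll32` and calls a DLL export by ordinal (`,#1`), an `LSA: Authentication Packages` value listing anything besides the default `msv1_0`, and hidden+system files sitting at a drive root as `autorun.inf` or in `system32` with an unusual extension. Each hit is a "review this" flag for a human, not a removal instruction.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS "Pseudo HJT Report", "Created Last 30"
# and "Find3M" sections posted above (a subset, for illustration only).
SAMPLE_LOG = """\
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mRun: [MSServer] rundll32.exe c:\\windows\\system32\\nnnoPIaw.dll,#1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\xXPfedAs
2009-03-11 16:46 355 ---shr-- C:\\autorun.inf
2008-01-20 19:43 174 a--sh--- c:\\program files\\desktop.ini
2008-05-22 23:18 903,384 a--sh--- c:\\windows\\system32\\hgfghRqr.ini2
2009-03-17 16:56 <DIR> --d----- c:\\program files\\Trend Micro
"""

# Line shapes in the DDS output: autostart entries, the LSA line, and file listings
# whose third field is an 8-character attribute string (a=archive, d=dir, s=system, h=hidden, ...).
RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s+=\s+(?P<pkgs>.+)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)

# Hidden+system files that are normal to see and should not be flagged (assumed allowlist).
BENIGN_HIDDEN = {"desktop.ini"}


@dataclass
class Finding:
    rule: str   # short heuristic name
    line: str   # the log line that triggered it


def check_run_entry(m):
    """Heuristic 1: rundll32 autostart that calls an export by ordinal (',#N')."""
    cmd = m.group("cmd")
    if re.search(r'^"?rundll32(\.exe)?"?\s', cmd, re.IGNORECASE):
        if re.search(r",#\d+\s*$", cmd):
            return Finding("rundll32-ordinal-export", m.string)
    return None


def check_lsa(m):
    """Heuristic 2: anything beyond the default msv1_0 in LSA Authentication Packages."""
    pkgs = m.group("pkgs").split()
    extras = [p for p in pkgs if p.lower() != "msv1_0"]
    if extras:
        return Finding("lsa-extra-auth-package", m.string)
    return None


def check_file(m):
    """Heuristic 3: hidden+system files at a drive root (autorun.inf) or odd files in system32."""
    if m.group("size") == "<DIR>":
        return None
    attrs, path = m.group("attrs"), m.group("path")
    if not ("s" in attrs and "h" in attrs):
        return None
    base = path.rsplit("\\", 1)[-1].lower()
    if base in BENIGN_HIDDEN:
        return None
    at_drive_root = re.fullmatch(r"[a-z]:\\[^\\]+", path, re.IGNORECASE) is not None
    in_system32 = "\\system32\\" in path.lower()
    if at_drive_root and base == "autorun.inf":
        return Finding("hidden-autorun-inf", m.string)
    if in_system32 and not base.endswith((".dll", ".exe", ".sys")):
        return Finding("hidden-system32-oddfile", m.string)
    return None


CHECKS = ((RUN_RE, check_run_entry), (LSA_RE, check_lsa), (FILE_RE, check_file))


def triage(log_text):
    """Run every heuristic over each log line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                finding = check(m)
                if finding:
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Running it on the sample flags the `MSServer` rundll32 entry, the second LSA authentication package, the hidden `C:\autorun.inf` and the hidden `.ini2` file in `system32`, while the NVIDIA rundll32 entries and `desktop.ini` pass. The allowlist and the three rules are deliberately narrow; a real review extends them with what the helper knows about the machine rather than treating a flag as proof of infection.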

#2 chryssi2001


Posted 28 March 2009 - 12:38 PM

Hello csingl2,

I apologise for the delay, the forum is busy.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001


Posted 03 April 2009 - 11:12 AM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.



