Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop up ad infection


  • Please log in to reply
7 replies to this topic

#1 ingvild

ingvild

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 20 April 2009 - 10:51 PM

Hello,
I recently started getting unwanted popups on my computer. I tried to resolve it myself & ran HijackThis. I found some suspicious things under the rundll32.exe, but I really don't know enough about this in order to take care of the problem - assuming it's related. Can someone help?

Thanks,
Ingvild


DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 22:35:11.14 on Mon 04/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.833 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3e0d5321-7223-4204-8019-bdc58304a7bd} - c:\windows\system32\dujuruto.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [buyewimoti] Rundll32.exe "c:\windows\system32\lewowesa.dll",s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [e0bb3f97] rundll32.exe "c:\windows\system32\ketahope.dll",b
mRun: [CPMe3880c0b] Rundll32.exe "c:\windows\system32\pipibuju.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176430213873
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\kudavori.dll c:\windows\system32\pipibuju.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pipibuju.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\pipibuju.dll
LSA: Notification Packages = scecli c:\windows\system32\kudavori.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\3l98z62u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-20 64160]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-5-4 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-8 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090404.003\naveng.sys [2009-4-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090404.003\navex15.sys [2009-4-4 876144]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-5-4 115008]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2007-5-4 626688]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-04-20 21:39 1,409,571 ---sh--- c:\windows\system32\epohatek.ini
2009-04-20 21:36 <DIR> --d----- c:\program files\Trend Micro
2009-04-20 21:32 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-20 21:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-20 21:22 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-20 21:21 <DIR> --d----- c:\program files\Lavasoft
2009-04-20 09:39 1,409,571 ---sh--- c:\windows\system32\uyidimev.ini
2009-04-19 09:09 1,409,558 ---sh--- c:\windows\system32\ifadedoy.ini
2009-03-31 16:31 <DIR> --d----- c:\docume~1\user\applic~1\Digilabs

==================== Find3M ====================

2009-04-20 21:39 89,600 a--sh--- c:\windows\system32\pipibuju.dll
2009-04-20 21:39 81,408 a--sh--- c:\windows\system32\ketahope.dll
2009-04-20 21:39 47,104 a--sh--- c:\windows\system32\jemitawa.exe
2009-04-20 09:39 51,200 a--sh--- c:\windows\system32\doyodige.dll
2009-04-20 09:39 63,488 a--sh--- c:\windows\system32\redorabu.exe
2009-04-20 09:39 99,328 -------- c:\windows\system32\vemidiyu.dll
2009-04-20 09:39 108,032 a--sh--- c:\windows\system32\soyeviwa.dll
2009-04-19 09:09 108,032 a--sh--- c:\windows\system32\kopuwiro.dll
2009-04-19 09:09 63,488 a--sh--- c:\windows\system32\bubedena.exe
2009-02-26 09:56 15,360 a------- c:\windows\system32\drivers\NetMotCM.sys

============= FINISH: 22:36:22.48 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 23 April 2009 - 11:33 AM

Hello and welcome to Bleeping Computer

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
  • I f you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.

2 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)

Thanks peku006
Posted Image
Posted Image

#3 ingvild

ingvild
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 09 May 2009 - 08:37 PM

Thank you so much for helping me! For some reason your post did not show up until recently, so I did try some things on my own - hopefully it will not interfere with your instructions.

Here's the log file:

ComboFix 09-05-08.03 - user 05/09/2009 20:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.972 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\etorasan.ini
c:\windows\system32\goferiho.exe
c:\windows\system32\gukehere.dll
c:\windows\system32\ifadedoy.ini
c:\windows\system32\omidupaw.ini
c:\windows\system32\oyoboraj.ini
c:\windows\system32\sehajiwi.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-05 12:22 . 2009-05-05 12:22 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-05 02:50 . 2009-05-05 02:50 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-05-05 00:13 . 2009-05-05 00:13 61440 ----a-w c:\windows\system32\drivers\mbobmo.sys
2009-05-04 18:20 . 2009-05-04 18:20 -------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
2009-05-04 18:20 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 18:20 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 18:20 . 2009-05-04 18:20 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 18:20 . 2009-05-05 01:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 23:20 . 2009-05-05 01:25 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 02:36 . 2009-04-21 02:36 -------- d-----w c:\program files\Trend Micro
2009-04-21 02:32 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-21 02:23 . 2009-05-05 02:24 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-21 02:22 . 2009-04-21 02:22 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-21 02:21 . 2009-04-21 02:21 -------- d-----w c:\program files\Lavasoft
2009-04-21 02:21 . 2009-04-21 02:23 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 01:29 . 2007-04-13 13:11 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-17 03:01 . 2008-06-27 03:55 -------- d-----w c:\program files\Yahoo! Games
2009-02-26 14:56 . 2009-02-26 14:56 15360 ----a-w c:\windows\system32\drivers\NetMotCM.sys
2009-02-26 14:07 . 2007-04-13 04:03 66256 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-20 19:32 . 2007-04-13 04:01 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 19:32 . 2007-04-13 04:01 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 19:32 . 2007-04-13 04:01 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 19:32 . 2007-04-13 04:01 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 19:32 . 2007-04-13 04:01 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-30 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-30 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-16 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-05 516440]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-01-30 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/20/2009 9:23 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/4/2007 7:58 AM 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/8/2009 12:07 AM 101936]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/4/2007 7:58 AM 115008]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [5/4/2007 7:58 AM 626688]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\3l98z62u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-10 20:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 01:34

Pre-Run: 84,196,712,448 bytes free
Post-Run: 84,210,700,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

156 --- E O F --- 2008-10-26 00:37

#4 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 10 May 2009 - 01:57 AM

Hi ingvild

1 - Run Malwarebytes' Anti-Malware
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Click on Perform full scan, then click on Scan.
  • Leave the default options as it is and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.

    Posted Image
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
2 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
description of any problems you are having with your PC

Thanks peku006
Posted Image
Posted Image

#5 ingvild

ingvild
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 13 May 2009 - 09:20 AM

Thanks again. Malwarebytes' scan came out clean. Hopefully that means I'm good to go?

Here's the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2122
Windows 5.1.2600 Service Pack 2

5/13/2009 9:18:40 AM
mbam-log-2009-05-13 (09-18-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 151745
Time elapsed: 45 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 13 May 2009 - 09:34 AM

Hi Ingvild

Looking good :thumbup2:
We will run one online scan to be sure that there is nothing left.

1 - Update Java

Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
  • A log file will pop up. Please save it to a convenient location.
Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
2 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose: Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
[/list]3 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

4 - Status Check
Please reply with
the Kaspersky online scanner report


Thanks peku006
Posted Image
Posted Image

#7 ingvild

ingvild
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 14 May 2009 - 07:20 PM

Thanks again! Here's the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 14, 2009 21:37:03
Records in database: 2177507
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 65880
Threat name: 3
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 02:16:41


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02580000\4BFF26CE.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0000\49FF2EC0.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0001\49FF2ECD.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0002\49FF2EE0.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0003\49FF2EF0.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0006\49FF32D7.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0007\49FF3B2E.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0008\49FF3B3F.VBN Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0009\49FF3B4D.VBN Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C000B\49FF3B6A.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C000D\49FF3B85.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C000E\49FF3B93.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C000F\49FF3BA1.VBN Infected: Trojan.Win32.Monder.bzdz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0010\49FF3BB3.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0011\49FF3BC6.VBN Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0014\49FF3BFC.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0016\49FF3DD5.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0017\49FF3DE9.VBN Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C001A\49FF3E1D.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C001C\49FF3E3C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00001\4BFF9E6C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00002\4BFF9E78.VBN Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00005\4BFF9EAB.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00007\4BFF9EC4.VBN Infected: Packed.Win32.Krap.p 1

The selected area was scanned.

#8 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 15 May 2009 - 02:08 AM

Hi Ingvild

Log looks clean...great job! :thumbup2:

Please empty your Norton AntiVirus Quarantine. f you don't know how, click here.

To remove all of the tools we used and the files and folders they created do the following:

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users