
Win32.Brontok --Insecure Internet Activity popup

7 replies to this topic

#1 L-A5

Posted 04 June 2009 - 09:02 PM

Hi There, I have recently been infected with a 'virus'.
The first symptom started long ago, when McAfee started telling me EVERYDAY that I have updates to install. Some sort of 'McAfee suite', and even when I updated it, it would continue to pop up and remind me.

This had gone on for nearly a month and I just put things off, clicking ignore most days.

Recently I have been struggling with more serious problems.
The most common is that often while clicking on links to navigate a website, a popup occurs which reads:

"Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software."

I have never clicked on any of the links it recommends.

My computer also restarts on its own sometimes, and frequently shuts my internet windows down. It also often freezes when I just boot up my computer.

At one point last week random elevator-sounding music played when all of my windows were closed. --that hasn't happened since.

I have downloaded many programs to run scans, as my Spybot was not opening. The only scanning program I have been able to run is SuperAntiSpyware. Everything else either doesn't open, or it tells me there was an error and it had to close.
SuperAntiSpyware tells me it got rid of some minor threats and some high-threat ones. The serious ones were labeled:
Win32Trojan Agent
Win32TDSS

I have read forums about running SmitFraudFix, but again, it says there is an error and it won't work. It worked as soon as I installed it, but I closed the program, since it was recommended I be in safe-mode and I wasn't at the time.

Also, a less frequent popup or warning is from Security Center Alert saying that

"Your firewall has blocked some features of this program"
--Win32.Brontok
Risk Level: High
"This is a worm that spreads via internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine."

Block suspicious software? Y/N

--------
Here are my DDS files.
That's about all the information I can offer; hope to hear back soon.

Thanks!

L-A

----------------------------------------

DDS (Ver_09-05-14.01) - NTFSx86
Run by Lori-Anne at 22:53:28.42 on Tue 06/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.107 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Lori-Anne\Desktop\DAEMON Tools\daemon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Lori-Anne\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: WinInet Class: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DAEMON Tools] "c:\documents and settings\lori-anne\desktop\daemon tools\daemon.exe" -lang 1033
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [realteczs] "c:\documents and settings\lori-anne\application data\google\pfysw721318.exe" 2
mRun: [realteks] "c:\documents and settings\lori-anne\application data\google\uqrke8412012.exe" 2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\debeviva.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-20 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-15 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-15 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-1-15 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-15 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-15 33832]
S3 Viaudan;Viaudan;c:\windows\system32\diantz.exe [2004-8-3 85504]

=============== Created Last 30 ================

2009-05-31 23:04 <DIR> --d----- c:\windows\system32\KB905474
2009-05-31 11:06 45,740 a------- c:\windows\system32\drivers\svchost.exe
2009-05-22 21:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 21:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-22 21:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 02:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-21 23:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-21 23:49 <DIR> --d----- c:\docume~1\lori-a~1\applic~1\SUPERAntiSpyware.com
2009-05-21 23:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-20 23:51 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-20 23:49 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-20 23:49 <DIR> --d----- c:\program files\Lavasoft
2009-05-20 23:43 <DIR> --d----- c:\program files\SpyWall
2009-05-20 23:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-19 23:15 190 a------- c:\docume~1\lori-a~1\applic~1\asd.bat
2009-05-19 23:13 28,672 a------- c:\windows\ieocx.dll

==================== Find3M ====================

2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-28 23:47 24,696 a------- c:\docume~1\lori-a~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-12 17:05 8,192 a--sh--- c:\program files\Thumbs.db
2008-10-28 23:48 8,762,107 a------- c:\program files\DVD2iPodReg.exe
1999-05-29 04:08 308,120 a------- c:\program files\SCR256.BMP
1999-05-29 04:08 307,288 a------- c:\program files\SCR16.BMP
1999-05-29 04:08 127,488 a------- c:\program files\dsetup.dll
1999-05-29 04:08 104,398 a------- c:\program files\Llogo.bmp
1999-05-29 04:08 90,112 a------- c:\program files\rctrec.exe
1999-05-29 04:08 63,056 a------- c:\program files\dsetup16.dll
1999-05-29 04:08 45,568 a------- c:\program files\UniFish3.exe
1999-05-29 04:08 41,984 a------- c:\program files\dsetup32.dll
1999-05-29 04:08 40,678 a------- c:\program files\SLOGO.BMP
1999-05-29 04:08 61 a------- c:\program files\AUTORUN.INF

============= FINISH: 22:56:28.96 ===============

#2 Net_Surfer

Posted 15 June 2009 - 04:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards
Net_Surfer

#3 L-A5 (Topic Starter)

Posted 17 June 2009 - 02:35 PM

Here is my updated dds.txt

DDS (Ver_09-05-14.01) - NTFSx86
Run by Lori-Anne at 15:30:32.43 on Wed 06/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.138 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Lori-Anne\Desktop\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lori-Anne\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: WinInet Class: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DAEMON Tools] "c:\documents and settings\lori-anne\desktop\daemon tools\daemon.exe" -lang 1033
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [realteczs] "c:\documents and settings\lori-anne\application data\google\pfysw721318.exe" 2
mRun: [realteks] "c:\documents and settings\lori-anne\application data\google\uqrke8412012.exe" 2
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\debeviva.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-6-2 42376]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-20 64160]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-6-2 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-6-2 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-15 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-15 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-1-15 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-2 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-2 1073544]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-15 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-15 33832]
S3 Viaudan;Viaudan;c:\windows\system32\diantz.exe [2004-8-3 85504]

=============== Created Last 30 ================

2009-06-12 16:34 <DIR> --d----- C:\b419c62f6c4335863dddfa5250
2009-06-02 23:05 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-06-02 23:05 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-06-02 23:05 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-06-02 23:05 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-06-02 23:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-02 23:05 <DIR> --d----- c:\docume~1\lori-a~1\applic~1\PC Tools
2009-06-02 23:04 <DIR> --d----- c:\docume~1\lori-a~1\applic~1\GetRightToGo
2009-05-31 23:04 <DIR> --d----- c:\windows\system32\KB905474
2009-05-31 11:06 45,740 a------- c:\windows\system32\drivers\svchost.exe
2009-05-22 21:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 21:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-22 21:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 02:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-21 23:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-21 23:49 <DIR> --d----- c:\docume~1\lori-a~1\applic~1\SUPERAntiSpyware.com
2009-05-21 23:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-20 23:51 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-20 23:49 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-20 23:49 <DIR> --d----- c:\program files\Lavasoft
2009-05-20 23:43 <DIR> --d----- c:\program files\SpyWall
2009-05-20 23:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-19 23:15 190 a------- c:\docume~1\lori-a~1\applic~1\asd.bat
2009-05-19 23:13 28,672 a------- c:\windows\ieocx.dll

==================== Find3M ====================

2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-29 00:52 3,060,736 a------- c:\windows\system32\SETC1.tmp
2009-04-29 00:52 1,023,488 a------- c:\windows\system32\SETC9.tmp
2009-04-29 00:52 616,448 a------- c:\windows\system32\SETBA.tmp
2009-04-29 00:52 474,112 a------- c:\windows\system32\SETBB.tmp
2009-04-29 00:52 16,384 a------- c:\windows\system32\SETC2.tmp
2009-04-29 00:52 1,495,552 a------- c:\windows\system32\SETBC.tmp
2009-04-29 00:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-29 00:52 659,456 a------- c:\windows\system32\SETB9.tmp
2009-04-29 00:52 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-27 05:18 351,744 a------- c:\windows\system32\SETCB.tmp
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-02-28 23:47 24,696 a------- c:\docume~1\lori-a~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-12 17:05 8,192 a--sh--- c:\program files\Thumbs.db
2008-10-28 23:48 8,762,107 a------- c:\program files\DVD2iPodReg.exe
1999-05-29 04:08 308,120 a------- c:\program files\SCR256.BMP
1999-05-29 04:08 307,288 a------- c:\program files\SCR16.BMP
1999-05-29 04:08 127,488 a------- c:\program files\dsetup.dll
1999-05-29 04:08 104,398 a------- c:\program files\Llogo.bmp
1999-05-29 04:08 90,112 a------- c:\program files\rctrec.exe
1999-05-29 04:08 63,056 a------- c:\program files\dsetup16.dll
1999-05-29 04:08 45,568 a------- c:\program files\UniFish3.exe
1999-05-29 04:08 41,984 a------- c:\program files\dsetup32.dll
1999-05-29 04:08 40,678 a------- c:\program files\SLOGO.BMP
1999-05-29 04:08 61 a------- c:\program files\AUTORUN.INF

============= FINISH: 15:33:42.48 ===============
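A triage pass over a DDS log like the two posted above, as an added example that is not part of this thread or of the DDS tool. It parses the "Running Processes" and "Pseudo HJT Report" sections and flags what a helper checks first: a system binary name running outside its system directory, an autorun pointing into Application Data with a random-looking name, a populated AppInit_DLLs value, and orphaned or oddly placed BHOs. The sample input reuses lines from the logs above; the directory lists, name patterns and severities are this script's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: lines copied from the DDS logs posted above, trimmed to the entries that matter.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
"C:\WINDOWS\system32\drivers\svchost.exe"
============== Pseudo HJT Report ===============
BHO: WinInet Class: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [realteczs] "c:\documents and settings\lori-anne\application data\google\pfysw721318.exe" 2
AppInit_DLLs: c:\windows\system32\debeviva.dll ,
"""

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")  # assumes a default C: install of XP
# Names malware borrows; a copy outside SYSTEM_DIRS is the loudest signal in these logs.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe"}
SUSPECT_DIRS = ("application data", r"local settings\temp")  # autoruns living in the user profile
RANDOM_NAME = re.compile(r"^[a-z]{3,8}\d{5,}\.exe$")          # heuristic, e.g. pfysw721318.exe

class Finding(NamedTuple):
    severity: str  # "high" or "low"
    line: str
    reason: str

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '===== Name =====' sections (lower-cased name -> lines)."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if header:
            current = header.group(1).lower()
        elif line:
            sections.setdefault(current, []).append(line)
    return sections

def target_path(entry: str) -> str:
    """Lower-cased executable path from a process line or uRun/mRun entry (quoted, with args, or extension-less)."""
    run = re.match(r"^[um]Run:\s*\[[^\]]*\]\s*(.*)$", entry.strip(), re.I)
    entry = run.group(1).strip() if run else entry.strip()
    if entry.startswith('"'):
        return entry[1:].split('"', 1)[0].lower()
    with_ext = re.match(r"^(.*?\.(?:exe|scr|bat|com|dll))(?:\s|$)", entry, re.I)
    if with_ext:
        return with_ext.group(1).lower()
    return re.split(r"\s+[-/]", entry, maxsplit=1)[0].lower()  # 'svchost -k netsvcs'

def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def basename(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name if "." in name else name + ".exe"  # DDS prints 'svchost' without extension

def masquerading(path: str) -> bool:
    return basename(path) in SYSTEM_BINARIES and dirname(path) not in SYSTEM_DIRS

def triage(text: str) -> List[Finding]:
    """Return the entries a helper would look at first, in log order."""
    found: List[Finding] = []
    sections = parse_sections(text)
    for line in sections.get("running processes", []):
        path = target_path(line)
        if masquerading(path):
            found.append(Finding("high", line, f"{basename(path)} running from {dirname(path)}"))
    for line in sections.get("pseudo hjt report", []):
        key, _, rest = line.partition(":")
        key = key.lower()
        if key in ("urun", "mrun"):
            path = target_path(line)
            if masquerading(path):
                found.append(Finding("high", line, f"autorun starts a {basename(path)} copy from {dirname(path)}"))
            elif any(d in path for d in SUSPECT_DIRS) or RANDOM_NAME.match(basename(path)):
                found.append(Finding("high", line, "autorun target in the user profile or random-looking name"))
        elif key == "appinit_dlls" and rest.strip(" ,"):  # empty on a clean XP box
            found.append(Finding("high", line, f"AppInit_DLLs loads {rest.strip(' ,')} into every GUI process"))
        elif key == "bho":
            dll = re.search(r"\}\s*-\s*(.*)$", line)
            dll = dll.group(1).strip().lower() if dll else ""
            if dll == "no file":
                found.append(Finding("low", line, "orphaned BHO registration, DLL missing"))
            elif dll and not dll.startswith(r"c:\program files") and dirname(dll) != SYSTEM_DIRS[0]:
                found.append(Finding("low", line, f"BHO DLL loaded from {dirname(dll)}, review it"))
    return found

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```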

#4 Net_Surfer

Posted 17 June 2009 - 03:57 PM

Hello L-A5, and welcome to the Bleeping Computer Malware Removal Forum. My nick is Net_Surfer; I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

Please note that whatever repairs we make are for fixing "your computer problems only" and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

-----------------------------------------------------------

Please be patient and I'd be grateful if you would note the following:

1. The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime Please, Do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Kind regards
Net_Surfer

#5 Net_Surfer

Posted 18 June 2009 - 11:09 AM

Hello L-A5 again,

Sorry for the delay. The forum is exceptionally busy. I have reviewed your logs and proposed a fix. I am patiently waiting for my coach to approve the clean-up.

If possible I would encourage you to minimize use of that computer until we can get it cleaned up. I appreciate your patience.

Regards,
Net_Surfer

#6 Net_Surfer

Posted 20 June 2009 - 07:21 AM

Hello L-A5.

You ran the DDS scan with the anti-virus enabled:
"AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}"

Please ensure that you disable your anti-virus and Spybot TeaTimer before you attempt to run the following tools.

Before we start fixing anything you should write/print out these instructions or copy/paste them to a NotePad file.

If you can not download and run the following tools, then I would like for you to try another approach.

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

-------*******************^********************--------

Ok.. L-A5, please observe these rules while we work:
• Perform all actions in the order given.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
• In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
• Please continue to review my answers until I tell you that your machine is clean and free of malware. (Remember absence of symptoms does not mean that everything is clear).
Just because you can't see a problem doesn't mean it isn't there.

If you can do these things, everything should go smoothly.

----------------------------^-------------------------------

AskBar.dll is a file that has been reported by many as an adware or malware related software BHO program. This file will run as a BHO in your browser every time you browse the internet.
Normally this is also found with one or more other Askbar files on your computer; if you did not install this intentionally on your computer then I recommend removing this as soon as possible or disabling your browser BHOs. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
This spyware commonly goes by the name "Ask Bar".
---
This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

http://vil.nai.com/vil/content/v_146646.htm

----------------------------^-------------------------------

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps:

Step #1.
I see you are running TeaTimer; I suggest you disable it.
Firstly, we need to disable SpyBot's TeaTimer, which can interfere with the fixes.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
• Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
• If prompted with a legal dialog, accept the warning.
• Click and then on "Advanced Mode"
• You may be presented with a warning dialog. If so, press
• Click on
• Click on
• Uncheck this checkbox:
• Close/Exit Spybot Search and Destroy
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

You need to disable your McAfee Antivirus and Spyware Doctor before running OTM, as they will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a sign.
• Right-click it -> choose "Change Settings."
• Turn everything OFF from within "Advanced" option button.
• a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

Step #2.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

c:\windows\system32\diantz.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal:
http://www.virustotal.com/

Step #3.

Install ERUNT
(This tool will create a complete backup of your registry to ensure we have a safety net if something goes wrong. Do not delete the backup until we are finished.)
• Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
• Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program HERE

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Warning: Altering system files and/or modifying the registry can be risky, and BleepingComputer.com and its members cannot accept liability for any adverse effects caused by following advice freely given on this site.

Step #4.

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of the OTM fixing tool. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

We need to execute an OTM script.
• Double click the icon on your desktop to run it.
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right click and choose Copy). Then paste the code under the area. Do not include the word "Code".
:processes
explorer.exe

:services

:files
c:\windows\system32\drivers\svchost.exe
c:\windows\ieocx.dll
c:\windows\system32\debeviva.dll

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"realteks"=-
"SVCHOST.EXE"=-

:Commands
[EmptyTemp]
[Reboot]
• Push the large button.
• Copy/Paste the contents under the line here in your next reply.
• If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
CAUTION:
The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Step #5.
If you are unsure on how to do this, please read this guide
Your anti spyware program is: TeaTimer from Spybot S&D
MBAM
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
• Make sure the "Perform Full Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Tutorial if needed

Step #6.

Run random's system information tool (RSIT)

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please note that it is important that RSIT be run and a log created while in normal mode. *If you run it and create your log while in safe mode, you will be asked to redo it again properly.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open.

log.txt (<<--- will be maximized) and info.txt (<<--- will be minimized)
• the report log from Jotti or virustotal
• The report log from OTM
• The report log of MBAM
• The two logs of RSIT.
And a description of any remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer
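As an added example (not part of this post, and not code from the OTM tool itself), here is a small Python parser that reads an OTM fix script like the one in Step #4 and lists what each section would do, so a reader can see exactly which processes, files and registry entries a script touches before running it. The section names and the regedit-style syntax of the :reg section ("[-KEY]" deletes a key, "name"=- deletes a value, "name"="..." sets one) are taken from the script above; the OtmPlan structure, the function names and the action wording are this example's own assumptions about how OTM interprets the script, not OTM's documented API. The embedded SCRIPT is copied from the post for illustration.

```python
"""Parse an OTM fix script into a structured, reviewable action plan.

Added example, not part of the BleepingComputer post or of OTM itself.
Section names and the regedit-style :reg syntax follow the script shown
in the post; OtmPlan and the helper names below are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Script copied from Step #4 of the post above (illustrative input).
SCRIPT = r"""
:processes
explorer.exe

:services

:files
c:\windows\system32\drivers\svchost.exe
c:\windows\ieocx.dll
c:\windows\system32\debeviva.dll

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"realteks"=-
"SVCHOST.EXE"=-

:Commands
[EmptyTemp]
[Reboot]
"""


@dataclass
class OtmPlan:
    processes: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)
    delete_keys: List[str] = field(default_factory=list)
    delete_values: List[Tuple[str, str]] = field(default_factory=list)       # (key, value name)
    set_values: List[Tuple[str, str, str]] = field(default_factory=list)     # (key, name, data)
    commands: List[str] = field(default_factory=list)


_KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')     # [KEY] opens a key, [-KEY] deletes it
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=-  deletes, "name"="x" sets
_CMD_RE = re.compile(r'^\[(\w+)\]$')                 # [EmptyTemp], [Reboot], ...


def parse_otm_script(text: str) -> OtmPlan:
    """Turn the script text into an OtmPlan; raises ValueError on malformed lines."""
    plan = OtmPlan()
    section = None       # name of the current :section, lower-cased
    current_key = None   # registry key that following "name"=... lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):
            section, current_key = line[1:].lower(), None
            continue
        if section == 'processes':
            plan.processes.append(line)
        elif section == 'services':
            plan.services.append(line)
        elif section == 'files':
            plan.files.append(line)
        elif section == 'reg':
            m = _KEY_RE.match(line)
            if m:
                if m.group(1) == '-':
                    plan.delete_keys.append(m.group(2))
                    current_key = None           # nothing can be set under a deleted key
                else:
                    current_key = m.group(2)
                continue
            m = _VALUE_RE.match(line)
            if not (m and current_key):
                raise ValueError(f'unrecognised :reg line: {raw!r}')
            name, data = m.group(1), m.group(2)
            if data == '-':
                plan.delete_values.append((current_key, name))
            else:
                plan.set_values.append((current_key, name, data.strip('"')))
        elif section == 'commands':
            m = _CMD_RE.match(line)
            if not m:
                raise ValueError(f'unrecognised :Commands line: {raw!r}')
            plan.commands.append(m.group(1))
        else:
            raise ValueError(f'line outside any section: {raw!r}')
    return plan


def summarize(plan: OtmPlan) -> List[str]:
    """Human-readable list of actions, one per line, for review before running."""
    out = [f'terminate process: {p}' for p in plan.processes]
    out += [f'stop service: {s}' for s in plan.services]
    out += [f'move file to C:\\_OTM\\MovedFiles: {f}' for f in plan.files]
    out += [f'delete registry key: {k}' for k in plan.delete_keys]
    out += [f'delete registry value: {k} -> {n}' for k, n in plan.delete_values]
    # Clearing AppInit_DLLs matters: DLLs listed there load into every process that loads user32.dll.
    out += [f'set registry value: {k} -> {n} = {d!r}' for k, n, d in plan.set_values]
    out += [f'command: {c}' for c in plan.commands]
    return out


if __name__ == '__main__':
    for action in summarize(parse_otm_script(SCRIPT)):
        print(action)
```

Running the block prints one line per action; the three Run-key values and the two Browser Helper Object CLSIDs from the script show up as explicit deletions, and the AppInit_DLLs entry shows up as being set to an empty string, which is the review a helper would want before pasting a script into OTM.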

#7 Net_Surfer

Net_Surfer

• Banned
• 2,154 posts
• OFFLINE
•
• Gender:Male
• Local time:11:39 AM

Posted 22 June 2009 - 07:10 PM

Bump
Hello L-A5.

Are you still there???

Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.

Kind regards
Net_Surfer

Edited by Net_Surfer, 22 June 2009 - 07:11 PM.

#8 kahdah

kahdah

• Security Colleague
• 11,138 posts
• OFFLINE
•
• Gender:Male
• Location:Florida
• Local time:02:39 PM

Posted 25 June 2009 - 06:06 AM

Due to lack of feedback, this topic has been closed.