
Infected with sopidkc, msa, msb and f


This topic is locked
11 replies to this topic

#1 fixmybug2009

fixmybug2009

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 12 July 2009 - 03:04 PM

Hello,

Noticed strange processes running yesterday, including sopidkc, msa, msb and f.exe. Manually deleted these in normal Windows mode before I found this site.

Just ran DDS. Here is the log. Please keep clean my computer!

Thanks!!


Edited to remove the DDS log per member request
rigel

Edited by rigel, 09 August 2009 - 11:57 AM.



#2 fixmybug2009

fixmybug2009
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 12 July 2009 - 03:08 PM

Meant to add: ran DDS in safe mode, after figuring out how to log into safe mode with networking.

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 22 July 2009 - 02:40 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#4 fixmybug2009

fixmybug2009
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 24 July 2009 - 08:38 PM

Thanks Syler. Here are the files:

Malwarebytes' Anti-Malware 1.39
Database version: 2494
Windows 5.1.2600 Service Pack 2

7/24/2009 6:02:42 PM
mbam-log-2009-07-24 (18-02-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 283521
Time elapsed: 1 hour(s), 21 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 47
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{09de17b0-a527-4eee-9c6e-2d7c2e9b505f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f4fe513-e22f-4f1f-bb77-b1ed95e434cf} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{222f56e3-3116-4066-91d4-c3874e71e5dd} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{23e150c2-00c7-46e6-a968-724d41b051d6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3124ad41-99ee-4e18-a605-ed5ee59466bc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{37735f70-d4aa-4aed-99d0-88955c4bd74b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4a2b9ad8-5540-46a3-bbb4-8ded5fb09de8} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e79578b-5f0f-4594-90f9-2c309e59c2bc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5484d9fa-6c4f-4c0b-8946-1b8ef15897a4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{661b35ba-6035-4f06-a22a-c4cb19f873b2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{66df69b7-ad8d-48dd-a4fe-23d336c621a9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d9a6231-1550-4652-a353-48e2c9194b19} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90fd4b8b-ce76-48b8-909e-e4d3844727ab} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{910c1d35-55b3-4956-a4f9-1460d06f33d4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b87e031d-7b2a-4721-873e-c9be9962d64a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d2a630e4-1ba7-4012-8672-35adbb47aa86} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0b68791-936d-490e-8cd9-a31022b55b35} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d445895c-b621-4d33-9898-4078cd171186} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8755ce6e-0bf7-4441-8751-fb728941b0b4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8755ce6e-0bf7-4441-8751-fb728941b0b4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8755ce6e-0bf7-4441-8751-fb728941b0b4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{afb06512-6247-4819-98ca-94fa19c734d7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ab8528f-ac8b-416d-9b84-92d97729c195} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a4566604-f73b-4dd5-8a21-87e7a808d426} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ca51d02-7739-43ea-8d9a-1e8ad4327b03} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ca51d02-7739-43ea-8d9a-1e8ad4327b03} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ca51d02-7739-43ea-8d9a-1e8ad4327b03} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5478d59a-b281-4f58-ad2e-103474434377} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4ffb0262-eb74-461f-bbc8-7818df633687} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{08b13a8e-eb71-4421-b417-4ec0995d5bfc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5aa23b9d-99c0-4a41-a25d-58e806766680} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7fd094e7-c8b9-40bd-9f80-f20a7194d2e6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81b9a3d6-d79f-403e-939b-4f2be8fd2a34} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d977d6a9-be13-496d-9be4-175dfac12628} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dbbb7978-af21-4ef4-9ad1-b2f4bc75696c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dbbb7978-af21-4ef4-9ad1-b2f4bc75696c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{deee7fe9-3e06-43ee-b04d-18866cd0ad9c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deee7fe9-3e06-43ee-b04d-18866cd0ad9c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e03667bc-5eda-4fd8-992c-ed73265afaa0} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f4fb516e-8f16-44fd-ab1d-260c32b7cf9a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{201e93ea-c7e1-4849-9985-0d2207a3f528} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bab1ac41-6ff7-4f2e-a04e-5c592ccfea7d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\p4p service (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\p4p service (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p4p service (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\addressbarexpress (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sohu R&D (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{dbbb7978-af21-4ef4-9ad1-b2f4bc75696c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{bab1ac41-6ff7-4f2e-a04e-5c592ccfea7d} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Adware.BHO) -> Data: c:\windows\system32\sodahk.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Adware.BHO) -> Data: system32\sodahk.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Sogou PXP (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\P4P\rss.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\P4P\autolink.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\P4P\sodaie.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comploader.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\P4P\ToolBar.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\socul.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\common files\sogou pxp\p2psvr.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\dlmgr.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\feed.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\p4pipc.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\skinpacker.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\soda.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\sodalib.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\strmfea.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\program files\P4P\tbupdate.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP554\A0103081.old (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP555\A0104079.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP555\A0104081.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP555\A0104083.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP555\A0104084.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP557\A0106449.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP558\A0106451.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0107711.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108121.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108123.ocx (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108124.tlb (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108125.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108126.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108129.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP560\A0108131.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Fonts\windef.Log (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SODAHK.DLL (Adware.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\unsocul.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_782598125154.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_374101370566.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



Edited DDS logs per member request ~ rigel

Edited by rigel, 09 August 2009 - 11:42 AM.
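A small parser for the MBAM log layout posted above, added here as an illustration (it is not part of the thread and not Malwarebytes' own code). It groups detections by section and threat family and tags the entries that sit in autostart locations (AppInit_DLLs, services, scheduled tasks, BHO/toolbar keys) or in System Restore snapshots, which is why a later post in this thread has the restore points purged. SAMPLE_LOG is a constructed excerpt using a handful of the paths from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the 2009-era MBAM log layout; the paths are a small
# subset of the log posted in this thread, not the full report.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2494

Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8755ce6e-0bf7-4441-8751-fb728941b0b4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p4p service (Adware.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Adware.BHO) -> Data: c:\windows\system32\sodahk.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\comploader.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b7affc1a-8ab3-4141-aa3d-bd2df76a1666}\RP558\A0106451.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary lines near the top ("Files Infected: 3") end in a number and are skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# One detection line: <item> (<threat>) -> [Data: <value> -> ]<action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[\w.]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)

# Locations that give a detection a foothold at boot/logon, or that will
# reintroduce it (restore-point copies). Checked in order, first match wins.
PERSISTENCE = [
    ("AppInit_DLLs", re.compile(r"\\AppInit_DLLs$", re.I)),
    ("Windows service", re.compile(r"\\Services\\", re.I)),
    ("Run key", re.compile(r"\\CurrentVersion\\Run", re.I)),
    ("Browser Helper Object", re.compile(r"\\Browser Helper Objects\\", re.I)),
    ("IE toolbar / search hook", re.compile(r"\\(Toolbar|URLSearchHooks)\\", re.I)),
    ("scheduled task", re.compile(r"\\Tasks\\[^\\]+\.job$", re.I)),
    ("System Restore snapshot", re.compile(r"system volume information\\_restore", re.I)),
]


def parse_mbam_log(text):
    """Return one dict per detection line (item, threat, data, action, section)."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            entry = hit.groupdict()
            entry["section"] = section
            detections.append(entry)
    return detections


def summarize(detections):
    """Count detections by log section and by threat family."""
    return {
        "by_section": dict(Counter(d["section"] for d in detections)),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
    }


def persistence_findings(detections):
    """(mechanism, location, threat) for each detection in a persistence/reinfection spot."""
    findings = []
    for d in detections:
        for label, pattern in PERSISTENCE:
            if pattern.search(d["item"]):
                # For AppInit_DLLs the interesting value is the DLL in the Data field.
                findings.append((label, d["data"] or d["item"], d["threat"]))
                break
    return findings


if __name__ == "__main__":
    hits = parse_mbam_log(SAMPLE_LOG)
    print(summarize(hits))
    for label, where, threat in persistence_findings(hits):
        print(f"{label:25s} {threat:18s} {where}")
```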


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 25 July 2009 - 11:16 AM

Hi fixmybug2009,

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following:
  • Gmer log
  • OTListIt.txt
  • Extra.txt
Thanks



#6 fixmybug2009

fixmybug2009
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 25 July 2009 - 04:27 PM

Thanks. Here are the files:

Edit: Logs removed per member request

Edited by rigel, 09 August 2009 - 11:49 AM.


#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 26 July 2009 - 06:08 PM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - URLSearchHook: {982CB676-38F0-4D9A-BB72-D9371ABE876E} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKU\.DEFAULT..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe File not found
    O4 - HKU\S-1-5-18..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe File not found
    O8 - Extra context menu item: &Save Image to Folder - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: &Save Image to MyStuff - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: &Save Link to Folder - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: &Save Link to MyStuff - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: &Save Page to Folder... - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: &Save this Page to MyStuff - C:\Program Files\AskBarOEM1000\bar\bin\askBarOEM1000.dll File not found
    O8 - Extra context menu item: 发送图片到手机 - C:\Program Files\P4P\cx.htm ()
    O8 - Extra context menu item: 使用搜狗直通车下载 - C:\Program Files\P4P\dl.htm ()
    O8 - Extra context menu item: 添加到“我的订阅” - C:\Program Files\P4P\rss.htm ()
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    :Files
    C:\Program Files\WeatherBug
    C:\Program Files\P4P
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Alcmtr"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Biomenu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSecurity]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherBug]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "P4P Service"=-
    :Services
    P4P Service
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.



#8 fixmybug2009

fixmybug2009
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 26 July 2009 - 09:40 PM

Thanks, Syler. Here are the files:

Edited logs per member request ~ rigel

Edited by rigel, 09 August 2009 - 11:53 AM.


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 27 July 2009 - 09:31 AM

Hi,

That's looking better. How is your computer running now?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then please post back with the Kaspersky report and a new OTL log.

Thanks



#10 fixmybug2009

fixmybug2009
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 30 July 2009 - 07:53 PM

Much better now. Here are the files:



Files scanned 177915

Threat names 0

Infected objects 0

Suspicious objects 0

Duration of the scan 02:55:48




edit: Logs removed per member request

Edited by rigel, 09 August 2009 - 11:54 AM.


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 31 July 2009 - 09:21 AM

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points you need to set a new restore point
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates is always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I cannot stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend, only install one of these.

Zone Alarm
Comodo Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)
Syler



#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:30 AM

Posted 02 August 2009 - 05:07 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help. :thumbup2:

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
