
Win32/Rootkit.Agent.ODG trojan


This topic is locked. 16 replies to this topic.

#1 Remz

Remz

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 01 September 2009 - 07:58 PM

Split from and referred from: http://www.bleepingcomputer.com/forums/t/253626/infected-with-win32rootkitagentodg-trojan/ Pasting in some contextual information from initial post. ~ OB

I have recently been infected with the Rootkit mentioned in the title, and I tried different programs to remove it without success (spybot, malwarebytes, eset). I am using Windows Vista and navigating with IE8. The trojan first appeared in a scan with Eset a couple of weeks ago, and it said it couldn't be removed. I tried removing it with Malwarebytes and Spybot, but it keeps reappearing (sometimes, eset or the other programs don't detect it). I have to admit that I tried to use Combofix once, but after it stalled on the first try, I decided I evidently wasn't qualified enough to use it. The only effect that I can see now is that it sometimes redirects me to other web pages. But at the beginning, I couldn't even use Google. My computer never slowed down and the internet is still otherwise working perfectly.

End of added material. ~ OB

Here are the logs for DDS and the stealth object Rootrepeal log...


DDS (Ver_09-07-30.01) - NTFSx86
Run by Remi Goupil at 20:52:41.99 on 01/09/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3068.1621 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\nvraidservice.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\conime.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Remi Goupil\Desktop\RootRepeal.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Remi Goupil\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/v8vantage_load.html
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {326A7290-FAE3-48C5-9FBA-F071633E1EB5} - hxxp://www.sonypictures.com/movies/casinoroyale/vividas/fulltrailer/player/vivid_ocx.jpeg
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-ca.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158965947903
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-3-19 731840]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-3-19 38240]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-1-2 3712]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-3-23 179712]
S2 gupdate1c9d299df619671;Google Update Service (gupdate1c9d299df619671);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\hsstrayservice.exe --> c:\program files\hotspot shield\bin\HssTrayService.EXE [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2006-9-22 14095]
S3 rr;rr;c:\windows\system32\drivers\rr.sys [2009-9-1 34816]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2007-10-1 131368]

=============== Created Last 30 ================

2009-09-01 17:38 34,816 a------- c:\windows\system32\drivers\rr.sys
2009-08-30 08:31 2,048 a------- c:\windows\system32\tzres.dll
2009-08-13 08:06 --ds---- C:\khg
2009-08-13 08:06 318,976 a------- c:\windows\system32\CF13804.exe
2009-08-12 21:02 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 21:02 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 21:02 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-12 21:02 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-12 21:02 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-12 21:02 270,848 a------- c:\windows\system32\schannel.dll
2009-08-12 21:02 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-12 21:02 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-12 21:02 72,704 a------- c:\windows\system32\secur32.dll
2009-08-12 21:02 9,728 a------- c:\windows\system32\lsass.exe
2009-08-12 21:01 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 21:01 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 21:01 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 21:01 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 21:01 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 21:01 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 21:01 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-12 21:01 88,576 a------- c:\windows\system32\tlntsess.exe
2009-08-12 21:01 71,168 a------- c:\windows\system32\telnet.exe
2009-08-12 21:01 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 21:01 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 23:00 318,976 a------- c:\windows\system32\CF18027.exe
2009-08-11 21:15 --ds---- C:\per
2009-08-11 21:15 318,976 a------- c:\windows\system32\CF30127.exe
2009-08-11 19:40 318,976 a------- c:\windows\system32\CF11527.exe
2009-08-11 19:01 --ds---- C:\cf
2009-08-11 19:01 318,976 a------- c:\windows\system32\CF3954.exe
2009-08-11 18:55 651 a------- c:\windows\wininit.ini
2009-08-11 18:33 --d----- c:\programdata\Spybot - Search & Destroy
2009-08-11 18:33 --d----- c:\program files\Spybot - Search & Destroy
2009-08-11 18:33 --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-11 07:54 --ds---- C:\asasd
2009-08-11 07:54 318,976 a------- c:\windows\system32\CF4393.exe
2009-08-10 23:43 318,976 a------- c:\windows\system32\CF6395.exe
2009-08-10 22:48 107,205,182 a------- c:\windows\MEMORY.DMP
2009-08-10 22:27 318,976 a------- c:\windows\system32\CF24269.exe
2009-08-10 22:22 318,976 a------- c:\windows\system32\CF23198.exe
2009-08-10 22:11 318,976 a------- c:\windows\system32\CF21121.exe
2009-08-10 22:09 318,976 a------- c:\windows\system32\CF20797.exe
2009-08-10 22:03 318,976 a------- c:\windows\system32\CF19527.exe
2009-08-10 21:07 318,976 a------- c:\windows\system32\CF8669.exe
2009-08-10 20:52 216,064 a------- c:\windows\PEV.exe
2009-08-10 20:52 161,792 a------- c:\windows\SWREG.exe
2009-08-10 20:52 98,816 a------- c:\windows\sed.exe
2009-08-10 20:52 318,976 a------- c:\windows\system32\CF5570.exe
2009-08-10 20:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 20:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-10 20:28 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 15:52 1,110,399 a------- c:\windows\system32\UACqcukcxfiwt.db

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-05-27 21:24 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-27 21:24 143,360 a------- c:\windows\inf\infstor.dat
2009-05-27 21:24 51,200 a------- c:\windows\inf\infpub.dat
2009-05-27 20:48 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-23 20:03 174 a--sh--- c:\program files\desktop.ini
2007-10-22 17:23 87,608 a------- c:\users\remigo~1\appdata\roaming\ezpinst.exe
2007-10-22 17:23 47,360 a------- c:\users\remigo~1\appdata\roaming\pcouffin.sys
2007-06-25 20:57 87,608 a------- c:\users\remigo~1\appdata\roaming\inst.exe
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-27 22:40 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-01-27 22:40 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-01-27 22:40 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-01-27 22:40 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-11-02 08:32 397,312 a--sh--- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe

============= FINISH: 20:53:55.60 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 01/10/2007 5:05:44 PM
System Uptime: 09/01/2009 6:28:46 PM (5642 hours ago)

Motherboard: Dell Inc. | | 0CK520
Processor: Intel® Core™2 Quad CPU @ 2.66GHz | Microprocessor | 2666/1066mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 144 GiB total, 73.112 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 41.107 GiB free.
E: is FIXED (NTFS) - 144 GiB total, 60.929 GiB free.
F: is CDROM (CDFS)
G: is CDROM ()
Q: is FIXED (NTFS) - 466 GiB total, 61.542 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.1.0
Adobe Reader for Pocket PC 2.0
Adobe Stock Photos 1.0
AutoUpdate
Broadcom Gigabit Integrated Controller
CDDRV_Installer
Choice Guard
Collectorz.com Movie Collector
ConvertXtoDVD 2.2.2.256
Creative Audio Console
Creative Sound Blaster Properties
CyberLink PhotoNow
CyberLink PowerDirector
DivX Codec
DivX Version Checker
Download Accelerator Plus (DAP)
ESET Smart Security
ffdshow (remove only)
FLV Player 2.0, build 23
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java™ 6 Update 2
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
Junk Mail filter update
KhalInstallWrapper
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 2.0
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007 Trial
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
MKSAP 14 1.0
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB927977)
NVIDIA Drivers
NVIDIA nTune
OpenAL
PeerGuardian 2.0
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Sonic Encoders
Sound Blaster for Media Center
Sound Blaster X-Fi
Spybot - Search & Destroy
System Requirements Lab
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb972691)
UpToDate
Viewpoint Media Player
VLC media player 0.9.8a
VSO CopyToDVD 4
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinRAR archiver
XP Codec Pack
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

31/08/2009 7:37:38 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows CardSpace service to connect.
31/08/2009 7:37:38 AM, Error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
29/08/2009 6:21:35 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 001AA0BFD5E4 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
29/08/2009 6:08:24 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001AA0BFD5E4. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
01/09/2009 6:29:50 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
01/09/2009 6:29:50 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate1c9d299df619671) service failed to start due to the following error: The system cannot find the path specified.
01/09/2009 6:28:47 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 20:50
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: wininit.exe (PID: 568) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: services.exe (PID: 612) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: lsass.exe (PID: 624) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: lsm.exe (PID: 636) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: winlogon.exe (PID: 712) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbjmocepi.dll]
Process: svchost.exe (PID: 832) Address: 0x001f0000 Size: 53248

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 832) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 904) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1060) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1168) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1264) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: SLsvc.exe (PID: 1280) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1328) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1528) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: spoolsv.exe (PID: 1744) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 1768) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: Dwm.exe (PID: 2020) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: Explorer.EXE (PID: 268) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: taskeng.exe (PID: 472) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: taskeng.exe (PID: 500) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 336) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: nvraidservice.exe (PID: 900) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: rundll32.exe (PID: 1076) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: egui.exe (PID: 1092) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: sidebar.exe (PID: 1096) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: rundll32.exe (PID: 1360) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: ehtray.exe (PID: 1368) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: ehmsas.exe (PID: 2088) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: ekrn.exe (PID: 2208) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: nTuneService.exe (PID: 2444) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 2504) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: RichVideo.exe (PID: 2520) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 2568) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 2624) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: WLIDSVC.EXE (PID: 2708) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: SearchIndexer.exe (PID: 2724) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: WLIDSvcM.exe (PID: 2920) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: mobsync.exe (PID: 3224) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 3304) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: conime.exe (PID: 2844) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: wmplayer.exe (PID: 3820) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: iexplore.exe (PID: 1292) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: iexplore.exe (PID: 2512) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: RootRepeal.exe (PID: 2412) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x87db6b18]
Process: System Address: 0x88171790 Size: 1000

==EOF==

Edited by Orange Blossom, 01 September 2009 - 08:31 PM.
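Reading the RootRepeal output above, the signal is not any single entry but the same hidden DLL turning up in nearly every user-mode process, the ESET engine and RootRepeal itself included, at the same base address. The triage helper below is an added example, not code from this thread or from RootRepeal: it parses the 'Stealth Objects' line format shown in the log and reports that spread. The constructed excerpt and the SECURITY_PROCESSES list are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the same format as the RootRepeal log in the thread.
SAMPLE_LOG = """\
Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: wininit.exe (PID: 568) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbjmocepi.dll]
Process: svchost.exe (PID: 832) Address: 0x001f0000 Size: 53248

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: svchost.exe (PID: 832) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: ekrn.exe (PID: 2208) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETuvntcxur.dll]
Process: RootRepeal.exe (PID: 2412) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x87db6b18]
Process: System Address: 0x88171790 Size: 1000

==EOF==
"""

OBJECT_RE = re.compile(r"^Object:\s+(?P<kind>Hidden \w+)\s+\[(?P<detail>[^\]]*)\]")
PROCESS_RE = re.compile(
    r"^Process:\s+(?P<proc>\S+)(?:\s+\(PID:\s*(?P<pid>\d+)\))?"
    r"\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)\s+Size:\s+(?P<size>\d+)"
)

# Assumption for this example: processes whose compromise matters most when
# reading the log (the resident AV engine/GUI and the scanner itself).
SECURITY_PROCESSES = {"ekrn.exe", "egui.exe", "rootrepeal.exe"}


@dataclass
class StealthObject:
    kind: str           # "Hidden Module" or "Hidden Code"
    detail: str         # bracketed text: "Name: X.dll" or "ETHREAD: 0x..."
    process: str
    pid: Optional[int]  # RootRepeal prints no PID for the System process
    address: int
    size: int

    @property
    def module_name(self) -> Optional[str]:
        return self.detail[6:] if self.detail.startswith("Name: ") else None


def parse_stealth_objects(text: str) -> list:
    """Pair each 'Object:' line with the 'Process:' line that follows it."""
    objects, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = (m.group("kind"), m.group("detail"))
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            objects.append(StealthObject(
                kind=pending[0], detail=pending[1], process=m.group("proc"),
                pid=int(m.group("pid")) if m.group("pid") else None,
                address=int(m.group("addr"), 16), size=int(m.group("size")),
            ))
            pending = None
    return objects


def modules_by_process(objects) -> dict:
    """Map each hidden module name to the set of (process, pid) it was found in."""
    spread = defaultdict(set)
    for obj in objects:
        if obj.kind == "Hidden Module" and obj.module_name:
            spread[obj.module_name].add((obj.process, obj.pid))
    return spread


def triage(objects, min_processes: int = 3) -> list:
    """Flag modules injected system-wide and hidden code living in the kernel."""
    findings = []
    for name, procs in sorted(modules_by_process(objects).items()):
        if len(procs) < min_processes:
            continue  # one hidden module may be benign; breadth is the signal
        msg = f"{name}: hidden in {len(procs)} processes (system-wide injection)"
        bases = {obj.address for obj in objects if obj.module_name == name}
        if len(bases) == 1:
            msg += f", same base {bases.pop():#x} everywhere"
        touched = sorted(p for p, _ in procs if p.lower() in SECURITY_PROCESSES)
        if touched:
            msg += f"; also loaded into security tools: {', '.join(touched)}"
        findings.append(msg)
    for obj in objects:
        if obj.kind == "Hidden Code" and obj.process == "System":
            findings.append(f"hidden kernel code at {obj.address:#x} ({obj.detail})")
    return findings
```

Running `triage(parse_stealth_objects(SAMPLE_LOG))` reports the SKYNET module as injected into four processes including ekrn.exe and RootRepeal.exe, plus the hidden kernel code in the System process.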




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:12 PM

Posted 17 September 2009 - 08:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Remz

Remz
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 17 September 2009 - 09:54 PM

Here is the DDS scan. I barely made any changes since the one posted above.


Remz

Attached Files



#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:12 AM

Posted 19 September 2009 - 12:08 AM

Hi Remz,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.

Due to the warning from the developer of combofix, this tool should not be run on one's own, unsupervised. Sometimes it will result in an unbootable machine.
I notice you do not have any antivirus program installed in your system. It's somewhat suicidal in this digital world nowadays. Please get the following AntiVir antivirus and install it. Restart the computer for changes to take effect.

AntiVir Free Edition



Step1

Please disable Spybot S&D's protection, or it will interfere.
  • You can enable it after you're clean.
  • Open Spybot and click on 'Mode' and check 'Advanced Mode'.
  • Click on 'Tools' in bottom left hand corner.
  • Click on the 'System Startup' icon.
  • Uncheck 'Teatimer' box and/or uncheck 'Resident'.
  • Click the 'Allow Change' box.
  • Then, check next to the computer clock to see if the icon for Spybot is still there.
  • If it is, right click it and choose 'exit Spybot-S&D Resident'.
  • Restart the computer.
  • If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
  • http://www.russelltexas.com/malware/teatimer.htm
Step2
  • Go to Start > All Programs > Windows Defender.
  • Click on Tools at the top.
  • Under Settings, click on Options.
  • Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  • Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  • Click on the Save button at the bottom right hand corner.
Step3

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please rename ComboFix.exe to Remz.exe before saving it to your desktop.

Note: If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


Step4

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




In your next reply, please post back:


1. GMER log
2. ComboFix log

Thanks

Edited by sundavis, 01 October 2009 - 09:53 PM.


#5 sundavis (Malware Response Team, 2,708 posts)

Posted 22 September 2009 - 12:37 AM

Hi Remz,


Still with us? :(

#6 sundavis (Malware Response Team, 2,708 posts)

Posted 25 September 2009 - 12:59 AM

Due to lack of feedback, this topic is now closed.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

#7 sundavis (Malware Response Team, 2,708 posts)

Posted 01 October 2009 - 08:19 PM

Reopened as OP requested.

#8 Remz (Topic Starter, Members, 11 posts)

Posted 05 October 2009 - 03:25 PM

Here is the Gmer log...

Combofix doesn't work. It stalled at trying to create a restore point... I've let it run for 8 hours!



Edited by Remz, 05 October 2009 - 05:49 PM.


#9 sundavis (Malware Response Team, 2,708 posts)

Posted 05 October 2009 - 07:15 PM

Hi Remz,



"I've let it run for 8 hours!"

Did you rename it before saving it to your desktop? Please reboot your pc if it's still running. Delete the current copy and download it again and rename it Mzre.exe before saving it to your desktop.

Usually it will take 20 minutes or so. Disable your AV program before proceeding. If the problem still persists, see if you can boot into Safe Mode and work from there to run the tools.

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

After that, please do the following:


Step1

I notice you have MBAM installed on your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step2

Please go to SysProt Antirootkit homepage from Here, scroll down to the bottom of the page and download the attachments.
  • Unzip it to your desktop.
  • Double click Sysprot.exe to run the program.
  • Click on the Log tab.
  • In the Write to log box select all boxes.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same Sysprot folder. Copy/paste the log in your next reply.
In your next reply, please post back:


1. ComboFix log
2. MBAM log
3. Sysprot log

Thanks.

Edited by sundavis, 05 October 2009 - 07:16 PM.


#10 Remz (Topic Starter, Members, 11 posts)

Posted 06 October 2009 - 06:21 AM

Hi sundavis,

I've downloaded Combofix again and renamed it, then tried to run it in safe mode. I've let it run overnight, but it never went further than "Preparing to run"...

Can I run the MBAM and the other program?

Thanks,
Remz

#11 sundavis (Malware Response Team, 2,708 posts)

Posted 06 October 2009 - 06:25 AM

Hi Remz,


OK! Let's skip Combofix for now. Please proceed to the next step as instructed in my previous post. Thanks

#12 Remz (Topic Starter, Members, 11 posts)

Posted 06 October 2009 - 03:25 PM

Here are the 2 logs...

Remz




#13 sundavis (Malware Response Team, 2,708 posts)

Posted 06 October 2009 - 03:47 PM

Hi Remz,



Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change; for what we know as of 2006, read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar




Step1


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 15...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, and the following updates:

    Java™ 6 Update 2
    Java™ SE Runtime Environment 6
    Java™ SE Runtime Environment 6 Update 1


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version.

Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will be downloading and installing the program and updating the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


Step4


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please post back:


1. Kas Online Scan Report
2. OTListIt.txt and Extra.txt

Tell me how your pc is running now.

#14 Remz (Topic Starter, Members, 11 posts)

Posted 09 October 2009 - 06:15 AM

My computer seems to be running fine... A bit slower than usual, but it doesn't seem to have any symptoms. But I have to say it never really had anything big happening...

Here are the logs in attachment.

Remz




#15 sundavis (Malware Response Team, 2,708 posts)

Posted 09 October 2009 - 10:00 AM

Hi Remz,




Your logs appear clean now. :( If you have no remaining concerns on your pc, let's do some tidy up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc:
    Secunia Software Inspector
    F-Secure Health Check

  • Update all these programs regularly

    Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!



