Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Websites keep getting redirected to strange sites, was infected with worm.koobface before and Trojan.Agent/Gen-Virut[PP]


  • This topic is locked This topic is locked
13 replies to this topic

#1 khunkao

khunkao

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 September 2009 - 11:08 AM

I ran Malwarebytes twice and SuperAntispyware once. Among the infections detected and removed included:

Trojan.Agent/Gen-Virut[PP]
Worm.Koobface
Trojan.Dropper
Koobface.Trace
Adware.Gdown

However after restarting the machine, some legitimate websites are still being redirected to weird sites. A few sites don't work, they just sit there.

Am I still infected?

Here is the DDS.LOG
The Attach and Ark logs are attached


-------------------------------------------


DDS (Ver_09-07-30.01) - NTFSx86
Run by jmwintle at 11:20:20.41 on Mon 09/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.403 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\sYSteM32\SvchOst.eXE -k fioo32
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI812F~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft OfficeXP\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\jmwintle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyServer = 172.30.1.100:8080
uInternet Settings,ProxyOverride = 127.0.0.1;192.168.90.*;64.147.113.*;198.181.235.*;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SAM]
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft officexp\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi812f~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi812f~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246895691734
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXTools.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXBrowser.cab
TCP: {68C85B14-92C8-4BA5-BF71-A6D391F30F2E} = 10.11.12.10,10.11.12.20,24.29.99.35,24.29.99.36
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jmwintle\applic~1\mozilla\firefox\profiles\hjvcxeux.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R?2 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2004-8-4 14336]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 fio32;fio32;c:\windows\system32\drivers\fio32.sys [2009-9-21 37632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ClockLink;ClockLink Scheduler;c:\program files\qqest software systems\timeforce\clocklink\ClockLinkService.exe [2007-12-17 480256]
R2 NLCSAgent;NLCS Agent;c:\windows\system32\nlcspro\csagtprosvc.exe [2008-8-7 1163264]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-8-11 1692224]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-8-11 6016]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\naveng.sys [2008-8-4 73760]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\navex15.sys [2008-8-4 632000]

=============== Created Last 30 ================

2009-09-21 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-21 10:20 <DIR> --d----- c:\docume~1\jmwintle\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-21 09:31 <DIR> --d----- c:\docume~1\jmwintle\applic~1\Malwarebytes
2009-09-21 09:30 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 09:30 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-21 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 09:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 09:29 4,045,528 -------- C:\mbam-setup.exe
2009-09-21 08:17 1 ----h--- c:\windows\bk23567.dat
2009-09-21 08:17 1 a------- c:\windows\fdgg34353edfgdfdf
2009-09-21 08:16 51,200 a------- c:\windows\system32\fio32.dll
2009-09-21 08:16 37,632 a------- c:\windows\system32\drivers\fio32.sys
2009-09-21 08:15 2 a------- c:\windows\010112010146101105.rx
2009-09-14 11:08 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-09-14 11:08 <DIR> --d----- c:\program files\Belarc

==================== Find3M ====================

2009-08-03 14:03 60,744 a------- c:\documents and settings\jmwintle\g2mdlhlpx.exe

============= FINISH: 11:20:32.64 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 21 September 2009 - 01:44 PM

Hi,

I notice that there is a proxy set on your machine for Internet Explorer, is this something that you or another computer user has set?
uInternet Settings,ProxyServer = 172.30.1.100:8080
uInternet Settings,ProxyOverride = 127.0.0.1;192.168.90.*;64.147.113.*;198.181.235.*;<local>


I would like to check a file out before we begin cleaning.
  • Make sure to use Internet Explorer for this scan.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page

    c:\windows\system32\drivers\fio32.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Post these results, along with the answer to my above question in your next reply.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#3 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 September 2009 - 01:53 PM

Yes that proxy IP was manually set.

I am unable to run the Virscan upload. It tells me the scanner is down and it needs 1 day to fix.

#4 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 21 September 2009 - 01:57 PM

Hi,

In that case, could you please upload the file here instead:
http://www.bleepingcomputer.com/submit-mal....php?channel=72

Please also submit this file:
c:\windows\system32\fio32.dll

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#5 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 September 2009 - 02:12 PM

File was submitted

#6 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 21 September 2009 - 02:27 PM

Thanks for that. Looks like you do indeed have some Koobface left on your computer.

Please download GooredFix from the location below and save it to your Desktop
Download Mirror #1
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
After that, please open MalwareBytes again, update it, and run a Full Scan. If it finds anything, please post the log it provides.

Let me know how things are running after that. Please run DDS again and post the first log it gives (DDS.txt), so we can see if anything is left.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#7 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 September 2009 - 10:06 PM

It looks like the websites are responding normally. MBAM found an instance of Adware.Gdown.


-----------------------------------------------GooredFix-------------------------------------------

GooredFix by jpshortstuff (21.09.09.5)
Log created at 16:33 on 21/09/2009 (jmwintle)
Firefox version 1.0 (en-US)

========== GooredScan ==========

Removing service: "fioo32" -> Successful (reboot)
Removing service: "fioo32" -> Failed [1072] (reboot)
Deleting file: "C:\WINDOWS\bk23567.dat" -> Failed [1223] -> Delete on reboot
Deleting file: "C:\WINDOWS\010112010146101105.rx" -> Failed [1223] -> Delete on reboot
Deleting file: "C:\WINDOWS\system32\fio32.dll" -> Failed [1223] -> Delete on reboot
Deleting file: "C:\WINDOWS\system32\drivers\fio32.sys" -> Failed [1223] -> Delete on reboot

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:44 09/12/2004]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

========== Reboot ==========

Deleting "C:\WINDOWS\bk23567.dat" -> Failed [1223]
Deleting "C:\WINDOWS\010112010146101105.rx" -> Failed [1223]
Deleting "C:\WINDOWS\system32\fio32.dll" -> Failed [1223]
Deleting "C:\WINDOWS\system32\drivers\fio32.sys" -> Failed [1223]

-=E.O.F=-

----------------------------------------MBAM-----------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2838
Windows 5.1.2600 Service Pack 2

9/21/2009 10:39:16 PM
mbam-log-2009-09-21 (22-39-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178807
Time elapsed: 48 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1439\A0092946.ocx (Adware.Gdown) -> Quarantined and deleted successfully.


------------------------------------------------------- DDS-----------------------------------------------------------


DDS (Ver_09-07-30.01) - NTFSx86
Run by jmwintle at 22:59:17.18 on Mon 09/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.477 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\jmwintle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyServer = 172.30.1.100:8080
uInternet Settings,ProxyOverride = 127.0.0.1;192.168.90.*;64.147.113.*;198.181.235.*;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SAM]
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft officexp\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi812f~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi812f~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246895691734
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXTools.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXBrowser.cab
TCP: {68C85B14-92C8-4BA5-BF71-A6D391F30F2E} = 10.11.12.10,10.11.12.20,24.29.99.35,24.29.99.36
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jmwintle\applic~1\mozilla\firefox\profiles\hjvcxeux.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 fio32;fio32;c:\windows\system32\drivers\fio32.sys [2009-9-21 37632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ClockLink;ClockLink Scheduler;c:\program files\qqest software systems\timeforce\clocklink\ClockLinkService.exe [2007-12-17 480256]
R2 NLCSAgent;NLCS Agent;c:\windows\system32\nlcspro\csagtprosvc.exe [2008-8-7 1163264]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-8-11 1692224]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-8-11 6016]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\naveng.sys [2008-8-4 73760]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\navex15.sys [2008-8-4 632000]

=============== Created Last 30 ================

2009-09-21 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-21 10:20 <DIR> --d----- c:\docume~1\jmwintle\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-21 09:31 <DIR> --d----- c:\docume~1\jmwintle\applic~1\Malwarebytes
2009-09-21 09:30 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 09:30 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-21 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 09:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 09:29 4,045,528 -------- C:\mbam-setup.exe
2009-09-21 08:17 1 ----h--- c:\windows\bk23567.dat
2009-09-21 08:17 1 a------- c:\windows\fdgg34353edfgdfdf
2009-09-21 08:16 51,200 a------- c:\windows\system32\fio32.dll
2009-09-21 08:16 37,632 a------- c:\windows\system32\drivers\fio32.sys
2009-09-21 08:15 2 a------- c:\windows\010112010146101105.rx
2009-09-14 11:08 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-09-14 11:08 <DIR> --d----- c:\program files\Belarc

==================== Find3M ====================

2009-08-03 14:03 60,744 a------- c:\documents and settings\jmwintle\g2mdlhlpx.exe

============= FINISH: 22:59:49.42 ===============

#8 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 22 September 2009 - 03:21 PM

Hi,

OK, let's clean up the remainders.

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BA52B914-B692-46c4-B683-905236F6F655}"=-

:services
fio32

:files
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\system32\fio32.dll
c:\windows\system32\drivers\fio32.sys
c:\windows\010112010146101105.rx

:Commands
[emptytemp]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Post a new DDS log alongside that, and let me know if you are having any more problems with the computer.

Edited by jpshortstuff, 22 September 2009 - 03:21 PM.

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#9 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 22 September 2009 - 03:47 PM

Don't seem to be any problems.
Here are the logs

-------------------------------OTM----------------------------

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
========== SERVICES/DRIVERS ==========

Service\Driver fio32 deleted successfully.
========== FILES ==========
c:\windows\bk23567.dat moved successfully.
c:\windows\fdgg34353edfgdfdf moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\fio32.dll
c:\windows\system32\fio32.dll NOT unregistered.
c:\windows\system32\fio32.dll moved successfully.
c:\windows\system32\drivers\fio32.sys moved successfully.
c:\windows\010112010146101105.rx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 90753 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator.CADUCEUS_NY001
->Temp folder emptied: 1328 bytes
->Temporary Internet Files folder emptied: 200915 bytes

User: All Users

User: cmegaro
->Temp folder emptied: 918 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: idx
->Temp folder emptied: 643 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: jmwintle
->Temp folder emptied: 25475380 bytes
File delete failed. C:\Documents and Settings\jmwintle\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 28029994 bytes
->Java cache emptied: 382240 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 21015654 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34702 bytes

%systemdrive% .tmp files removed: 6597 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5565909 bytes
Windows Temp folder emptied: 186765119 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 255.30 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09222009_163850

Files moved on Reboot...

Registry entries deleted on Reboot...


----------------------------- DDS --------------------------------------------


DDS (Ver_09-07-30.01) - NTFSx86
Run by jmwintle at 16:45:39.07 on Tue 09/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.485 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jmwintle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyServer = 172.30.1.100:8080
uInternet Settings,ProxyOverride = 127.0.0.1;192.168.90.*;64.147.113.*;198.181.235.*;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\docume~1\jmwintle\locals~1\temp\ssupdate.exe software\superantispyware.com\SUPERAntiSpyware
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SAM]
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft officexp\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi812f~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi812f~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246895691734
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXTools.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxp://idxsite/IDXWeb/IDXWF/Context/IDXBrowser.cab
TCP: {68C85B14-92C8-4BA5-BF71-A6D391F30F2E} = 10.11.12.10,10.11.12.20,24.29.99.35,24.29.99.36
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jmwintle\applic~1\mozilla\firefox\profiles\hjvcxeux.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ClockLink;ClockLink Scheduler;c:\program files\qqest software systems\timeforce\clocklink\ClockLinkService.exe [2007-12-17 480256]
R2 NLCSAgent;NLCS Agent;c:\windows\system32\nlcspro\csagtprosvc.exe [2008-8-7 1163264]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-8-11 1692224]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-8-11 6016]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\naveng.sys [2008-8-4 73760]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050615.008\navex15.sys [2008-8-4 632000]

=============== Created Last 30 ================

2009-09-22 16:38 <DIR> --d----- C:\_OTM
2009-09-21 23:08 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-21 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-21 10:20 <DIR> --d----- c:\docume~1\jmwintle\applic~1\SUPERAntiSpyware.com
2009-09-21 10:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-21 09:31 <DIR> --d----- c:\docume~1\jmwintle\applic~1\Malwarebytes
2009-09-21 09:30 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 09:30 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-21 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 09:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 09:29 4,045,528 -------- C:\mbam-setup.exe
2009-09-14 11:08 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-09-14 11:08 <DIR> --d----- c:\program files\Belarc

==================== Find3M ====================

2009-08-03 14:03 60,744 a------- c:\documents and settings\jmwintle\g2mdlhlpx.exe

============= FINISH: 16:46:13.31 ===============

#10 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 22 September 2009 - 03:54 PM

You appear to be running two AntiViruses - CA and Symantec. Its not a good idea to run more than one AntiVirus (or Firewall) as they can conflict with each other and slow your computer down. I strongly recommend removing one if you have both running.

If you are having no other problems, we can clean up and wrap this topic up :(
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#11 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 22 September 2009 - 03:59 PM

Actually the Symantec is just an orphaned Program Files menu item. I uninstalled Liveupdate just to be safe but left CA running.

Looks good! Thanks for your help!

#12 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 22 September 2009 - 04:13 PM

Hi,

Ah, I see. Symatec is also registered as your main AntiVirus program. Symantec have released a removal tool that should clean up these bits and bobs if it interests you:
Norton Removal Tool
  • Download the Norton Removal Tool and save it to your Desktop.
  • Close and applications and browsers that you may have open.
  • Double-click the Norton Removal Tool on your Desktop.
  • Follow the on-screen instructions, and reboot if and when necessary.
You can now delete any other tools, like GooredFix and the GooredFix Backups folder.

Clean up with OTMoveIt3
  • Right-click OTMoveIt3.exe and select Run As Administrator... to run it.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Set correct settings for files that should be hidden in Windows Vista
  • Click Start.
  • Open My Computer.
  • Select Folder and Search Options
  • Select the View Tab.
  • Under the Hidden files and folders heading select Hide hidden files and folders.
  • Check Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • System restore:
    We will now clear your existing system restore points and establish a new clean restore point:
    • Click on the Start button to open your Start Menu.
    • Click on the Control Panel menu option.
    • Click on the System and Maintenance menu option.
    • Click on the System menu option.
    • Click on System Protection in the left-hand task list.
    • Create the manual restore point you should click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.
    • Type in a title for the manual restore point and press the Create button.
    • Close the System window after you have been advised that the procedure has been successfully completed.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.

      This will remove all restore points except the new one you just created.
    Make sure you do this now, as your System Restore may have infected files in it.

  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.

  • Another programs that it would be useful to have [OPTIONAL]:

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image

#13 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 23 September 2009 - 08:45 AM

Hi, I actually have XP not Vista. I did however, Turn off System Restore and turned it back on and Cleaned up Restore points except for the most recent from the Disk Cleanup utility.
thanks for the useful links and once again, thank you so much for your help!

#14 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:02 PM

Posted 23 September 2009 - 08:59 AM

Whoops, not sure how that happened, sorry about that :(

Glad we could help you :(
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users