Browser Hijacking, Among Other Things


  • This topic is locked
9 replies to this topic

#1 WNG3000

WNG3000

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 31 October 2009 - 07:27 AM

A friend of mine decided to download and install a pirated version of Norton Internet Security 2010 and, unsurprisingly, it contained several viruses. Norton Internet Security 2010, which I was running at the time, managed to quarantine some of the viruses, but it's clear that not everything was picked up. So far the only visible problem is that my browser is being hijacked. I'm being redirected to random websites whenever I click on links, and occasionally new windows open with several random tabs.

Also, if it helps at all, I saw a very suspicious file called Norton2009reset.exe and deleted it, but it keeps cropping up again and again.


My DDS.txt:

DDS (Ver_09-10-26.01) - NTFSx86
Run by WNG at 4:54:38.44 on Sat 10/31/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.961 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\snuvcdsm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\WNG\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.0.0.136\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
mRun: [<NO NAME>]
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SNUVCDSM] c:\windows\snuvcdsm.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\wng\appdata\roaming\mozilla\firefox\profiles\uu613esp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1100000.088\SymDS.sys [2009-10-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1100000.088\SymEFA.sys [2009-10-31 169008]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-10-31 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-10-31 59664]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20090829.001\BHDrvx86.sys [2009-10-31 506928]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1100000.088\ccHPx86.sys [2009-10-31 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20090828.002\IDSVix86.sys [2009-10-31 342576]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 21520]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1100000.088\Ironx86.sys [2009-10-31 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1100000.088\symtdiv.sys [2009-10-31 338480]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.0.0.136\ccSvcHst.exe [2009-10-31 126392]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-10-31 33552]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S4 .norton2009Reset;Norton2009 Reset;c:\programdata\norton\norton2009reset.exe --> c:\programdata\norton\Norton2009Reset.exe [?]

=============== Created Last 30 ================

2009-10-31 10:46:05 0 d-----w- c:\users\wng\appdata\roaming\Tific
2009-10-31 10:37:49 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-31 10:37:49 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-31 10:37:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-31 10:37:48 0 d-----w- c:\program files\Symantec
2009-10-31 10:37:48 0 d-----w- c:\program files\common files\Symantec Shared
2009-10-31 10:37:07 0 d-----w- c:\programdata\Norton
2009-10-31 10:37:07 0 d-----w- c:\program files\Norton Internet Security
2009-10-31 10:36:54 0 d-----w- c:\programdata\NortonInstaller
2009-10-31 10:36:54 0 d-----w- c:\program files\NortonInstaller
2009-10-31 08:04:49 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-10-31 08:04:49 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-10-31 08:04:49 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-10-31 08:04:48 0 d-----w- c:\programdata\PC Tools
2009-10-31 08:04:48 0 d-----w- c:\program files\ThreatFire
2009-10-31 07:50:00 0 d-----w- c:\program files\Trend Micro
2009-10-31 06:32:47 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-31 06:32:47 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-31 06:31:07 0 d-----w- c:\programdata\Kaspersky Lab
2009-10-31 06:31:07 0 d-----w- c:\program files\Kaspersky Lab
2009-10-31 06:04:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-31 05:47:21 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-10-31 05:16:57 0 d-----w- c:\program files\iPod
2009-10-31 05:16:56 0 d-----w- c:\program files\iTunes
2009-10-30 10:14:52 0 d-----w- c:\windows\system32\drivers\NIS
2009-10-30 10:11:32 0 d-----w- c:\programdata\PCSettings
2009-10-30 09:51:48 24791 ----a-w- c:\users\wng\appdata\roaming\addons.dat
2009-10-29 07:08:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-29 07:06:57 0 d-----r- c:\program files\Skype
2009-10-29 07:06:48 0 d-----w- c:\programdata\Skype
2009-10-27 03:00:22 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-10-27 03:00:21 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2009-10-27 02:52:12 0 d-----w- C:\_AcroTemp
2009-10-27 02:10:10 0 d-----w- c:\program files\VideoLAN
2009-10-27 01:10:38 0 d-----w- c:\users\wng\appdata\roaming\WinPatrol
2009-10-27 01:10:32 0 d-----w- c:\program files\BillP Studios
2009-10-26 07:20:30 0 d-----w- c:\programdata\FLEXnet
2009-10-26 06:55:18 0 d-----w- c:\programdata\Adobe
2009-10-26 06:47:58 0 d-----w- c:\program files\common files\Macrovision Shared
2009-10-26 03:42:55 0 d-----w- c:\program files\uTorrent
2009-10-26 03:42:34 0 d-----w- c:\users\wng\appdata\roaming\uTorrent
2009-10-26 03:17:55 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-26 03:17:55 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-26 03:16:34 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-26 03:15:15 0 d-----w- c:\program files\Bonjour
2009-10-26 03:14:14 0 d-----w- c:\programdata\Apple Computer
2009-10-26 03:12:31 0 d-----w- c:\programdata\Apple
2009-10-26 03:06:59 0 d-----w- c:\windows\PCHEALTH
2009-10-26 03:06:03 0 d-----w- c:\program files\Defraggler
2009-10-26 03:03:45 0 d-----w- c:\programdata\Microsoft Help
2009-10-26 02:56:15 0 d-----w- c:\program files\CCleaner
2009-10-26 02:49:22 0 d-----w- c:\users\wng\appdata\roaming\Webroot
2009-10-26 02:49:20 0 d-----w- c:\programdata\Webroot
2009-10-26 02:49:20 0 d-----w- c:\program files\Webroot
2009-10-26 02:49:20 0 d-----w- c:\program files\common files\Webroot Shared
2009-10-26 02:48:51 194888 ----a-w- c:\windows\Unwash6.exe
2009-10-26 02:48:45 0 d-----w- c:\programdata\Symantec
2009-10-26 02:25:25 0 d-----w- c:\users\wng\appdata\roaming\JAM Software
2009-10-26 02:21:02 0 d-----w- c:\programdata\AIM
2009-10-26 02:20:54 0 d-----w- c:\program files\AIM
2009-10-26 02:20:16 0 d-sh--w- c:\windows\Installer
2009-10-26 02:20:14 0 d-----w- c:\program files\common files\Software Update Utility
2009-10-26 02:20:08 0 d-----w- c:\program files\common files\AOL
2009-10-26 01:58:18 0 d-----w- C:\REP
2009-10-26 01:54:48 0 d-----w- c:\programdata\Google
2009-10-26 01:23:15 0 d-----w- c:\programdata\NVIDIA
2009-10-26 01:20:45 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-26 01:18:33 797216 ----a-w- c:\windows\system32\nvcplui.exe
2009-10-26 01:18:33 453152 ----a-w- c:\windows\system32\nvuninst.exe
2009-10-26 01:18:33 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2009-10-26 01:18:33 1108512 ----a-w- c:\windows\system32\nvcpluir.dll
2009-10-26 01:17:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-10-26 01:17:07 0 d-----w- c:\program files\Synaptics
2009-10-26 01:16:37 0 d-----w- c:\program files\CONEXANT
2009-10-26 01:08:17 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 01:05:12 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-10-26 01:05:12 2613248 ----a-w- c:\windows\explorer.exe
2009-10-26 01:05:12 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-10-26 01:05:11 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-10-26 01:05:11 507568 ----a-w- c:\windows\system32\winload.exe
2009-10-26 01:05:11 442920 ----a-w- c:\windows\system32\winresume.exe
2009-10-26 01:05:11 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-10-26 01:05:11 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:05:11 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-10-26 01:04:23 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-10-26 00:59:28 0 d-----w- c:\windows\Panther
2009-10-26 00:48:27 0 d-----w- C:\Windows.old
2009-10-26 00:32:00 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-10-26 00:31:37 0 d-----w- c:\windows\system32\wbem\Performance
2009-10-26 00:04:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-25 23:42:45 8192 --sha-r- C:\BOOTSECT.BAK
2009-10-21 03:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 04:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-03 02:39:36 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys

==================== Find3M ====================

2009-09-14 21:46:36 21520 ----a-w- c:\windows\system32\drivers\klim6.sys
2009-09-10 17:29:50 1761280 ----a-w- c:\windows\system32\drivers\snp2uvc.sys
2009-09-10 02:01:40 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 22:29:50 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-10 15:14:26 27184 ----a-w- c:\windows\snuvcdsm.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 4:57:57.80 ===============

Edited by WNG3000, 31 October 2009 - 07:49 AM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:24 AM

Posted 06 November 2009 - 06:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 WNG3000

WNG3000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 06 November 2009 - 08:25 PM

Thank you for responding!

I have to say that I ran Spyware Doctor a few days after my post (I'm sorry! I know I shouldn't have), and it removed the following:

Threat Name - Spyware.Possible_Website_Hijack
Type - Bad Host Entry
Risk Level - High
Infection - 127.0.0.1, lcsitemain.symantec.com

Threat Name - Spyware.Possible_Website_Hijack
Type - Bad Host Entry
Risk Level - High
Infection - 127.0.0.1, lc1alt.symantec.com

Threat Name - Backdoor.Bifrose
Type - File
Risk Level - High
Infection - C:\USERS\WNG\APPDATA\ROAMING\addons.dat

----------

So far my browser appears to be free from the hijacker, I think. No random redirects or pop-ups have appeared after the aforementioned removals. Regardless, I'm not sure if my computer is completely virus- or trojan-free. Here is my updated DDS report:



DDS (Ver_09-10-26.01) - NTFSx86
Run by WNG at 4:54:38.44 on Sat 10/31/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.961 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\snuvcdsm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\WNG\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.0.0.136\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
mRun: [<NO NAME>]
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SNUVCDSM] c:\windows\snuvcdsm.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\wng\appdata\roaming\mozilla\firefox\profiles\uu613esp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1100000.088\SymDS.sys [2009-10-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1100000.088\SymEFA.sys [2009-10-31 169008]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-10-31 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-10-31 59664]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20090829.001\BHDrvx86.sys [2009-10-31 506928]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1100000.088\ccHPx86.sys [2009-10-31 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20090828.002\IDSVix86.sys [2009-10-31 342576]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 21520]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1100000.088\Ironx86.sys [2009-10-31 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1100000.088\symtdiv.sys [2009-10-31 338480]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.0.0.136\ccSvcHst.exe [2009-10-31 126392]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-10-31 33552]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S4 .norton2009Reset;Norton2009 Reset;c:\programdata\norton\norton2009reset.exe --> c:\programdata\norton\Norton2009Reset.exe [?]

=============== Created Last 30 ================

2009-10-31 10:46:05 0 d-----w- c:\users\wng\appdata\roaming\Tific
2009-10-31 10:37:49 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-31 10:37:49 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-31 10:37:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-31 10:37:48 0 d-----w- c:\program files\Symantec
2009-10-31 10:37:48 0 d-----w- c:\program files\common files\Symantec Shared
2009-10-31 10:37:07 0 d-----w- c:\programdata\Norton
2009-10-31 10:37:07 0 d-----w- c:\program files\Norton Internet Security
2009-10-31 10:36:54 0 d-----w- c:\programdata\NortonInstaller
2009-10-31 10:36:54 0 d-----w- c:\program files\NortonInstaller
2009-10-31 08:04:49 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-10-31 08:04:49 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-10-31 08:04:49 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-10-31 08:04:48 0 d-----w- c:\programdata\PC Tools
2009-10-31 08:04:48 0 d-----w- c:\program files\ThreatFire
2009-10-31 07:50:00 0 d-----w- c:\program files\Trend Micro
2009-10-31 06:32:47 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-31 06:32:47 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-31 06:31:07 0 d-----w- c:\programdata\Kaspersky Lab
2009-10-31 06:31:07 0 d-----w- c:\program files\Kaspersky Lab
2009-10-31 06:04:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-31 05:47:21 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-10-31 05:16:57 0 d-----w- c:\program files\iPod
2009-10-31 05:16:56 0 d-----w- c:\program files\iTunes
2009-10-30 10:14:52 0 d-----w- c:\windows\system32\drivers\NIS
2009-10-30 10:11:32 0 d-----w- c:\programdata\PCSettings
2009-10-30 09:51:48 24791 ----a-w- c:\users\wng\appdata\roaming\addons.dat
2009-10-29 07:08:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-29 07:06:57 0 d-----r- c:\program files\Skype
2009-10-29 07:06:48 0 d-----w- c:\programdata\Skype
2009-10-27 03:00:22 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-10-27 03:00:21 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2009-10-27 02:52:12 0 d-----w- C:\_AcroTemp
2009-10-27 02:10:10 0 d-----w- c:\program files\VideoLAN
2009-10-27 01:10:38 0 d-----w- c:\users\wng\appdata\roaming\WinPatrol
2009-10-27 01:10:32 0 d-----w- c:\program files\BillP Studios
2009-10-26 07:20:30 0 d-----w- c:\programdata\FLEXnet
2009-10-26 06:55:18 0 d-----w- c:\programdata\Adobe
2009-10-26 06:47:58 0 d-----w- c:\program files\common files\Macrovision Shared
2009-10-26 03:42:55 0 d-----w- c:\program files\uTorrent
2009-10-26 03:42:34 0 d-----w- c:\users\wng\appdata\roaming\uTorrent
2009-10-26 03:17:55 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-26 03:17:55 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-26 03:16:34 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-26 03:15:15 0 d-----w- c:\program files\Bonjour
2009-10-26 03:14:14 0 d-----w- c:\programdata\Apple Computer
2009-10-26 03:12:31 0 d-----w- c:\programdata\Apple
2009-10-26 03:06:59 0 d-----w- c:\windows\PCHEALTH
2009-10-26 03:06:03 0 d-----w- c:\program files\Defraggler
2009-10-26 03:03:45 0 d-----w- c:\programdata\Microsoft Help
2009-10-26 02:56:15 0 d-----w- c:\program files\CCleaner
2009-10-26 02:49:22 0 d-----w- c:\users\wng\appdata\roaming\Webroot
2009-10-26 02:49:20 0 d-----w- c:\programdata\Webroot
2009-10-26 02:49:20 0 d-----w- c:\program files\Webroot
2009-10-26 02:49:20 0 d-----w- c:\program files\common files\Webroot Shared
2009-10-26 02:48:51 194888 ----a-w- c:\windows\Unwash6.exe
2009-10-26 02:48:45 0 d-----w- c:\programdata\Symantec
2009-10-26 02:25:25 0 d-----w- c:\users\wng\appdata\roaming\JAM Software
2009-10-26 02:21:02 0 d-----w- c:\programdata\AIM
2009-10-26 02:20:54 0 d-----w- c:\program files\AIM
2009-10-26 02:20:16 0 d-sh--w- c:\windows\Installer
2009-10-26 02:20:14 0 d-----w- c:\program files\common files\Software Update Utility
2009-10-26 02:20:08 0 d-----w- c:\program files\common files\AOL
2009-10-26 01:58:18 0 d-----w- C:\REP
2009-10-26 01:54:48 0 d-----w- c:\programdata\Google
2009-10-26 01:23:15 0 d-----w- c:\programdata\NVIDIA
2009-10-26 01:20:45 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-26 01:18:33 797216 ----a-w- c:\windows\system32\nvcplui.exe
2009-10-26 01:18:33 453152 ----a-w- c:\windows\system32\nvuninst.exe
2009-10-26 01:18:33 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2009-10-26 01:18:33 1108512 ----a-w- c:\windows\system32\nvcpluir.dll
2009-10-26 01:17:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-10-26 01:17:07 0 d-----w- c:\program files\Synaptics
2009-10-26 01:16:37 0 d-----w- c:\program files\CONEXANT
2009-10-26 01:08:17 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 01:05:12 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-10-26 01:05:12 2613248 ----a-w- c:\windows\explorer.exe
2009-10-26 01:05:12 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-10-26 01:05:11 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-10-26 01:05:11 507568 ----a-w- c:\windows\system32\winload.exe
2009-10-26 01:05:11 442920 ----a-w- c:\windows\system32\winresume.exe
2009-10-26 01:05:11 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-10-26 01:05:11 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:05:11 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-10-26 01:04:23 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-10-26 00:59:28 0 d-----w- c:\windows\Panther
2009-10-26 00:48:27 0 d-----w- C:\Windows.old
2009-10-26 00:32:00 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-10-26 00:31:37 0 d-----w- c:\windows\system32\wbem\Performance
2009-10-26 00:04:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-25 23:42:45 8192 --sha-r- C:\BOOTSECT.BAK
2009-10-21 03:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 04:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-03 02:39:36 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys

==================== Find3M ====================

2009-09-14 21:46:36 21520 ----a-w- c:\windows\system32\drivers\klim6.sys
2009-09-10 17:29:50 1761280 ----a-w- c:\windows\system32\drivers\snp2uvc.sys
2009-09-10 02:01:40 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 22:29:50 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-10 15:14:26 27184 ----a-w- c:\windows\snuvcdsm.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 4:57:57.80 ===============

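An added triage aid, not part of this thread and not something the DDS tool ships: a small parser for the DDS file-listing format shown above (date, time, size, eight attribute flags, path) that pulls out executables, drivers and DLLs written to locations where a fresh binary is unusual, so an analyst reads those lines first. The EXPECTED_DIRS allow-list and the sample lines are my own choices (the sample copies a few lines from the log above); a flagged entry is a prompt to verify the file, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# A DDS file-listing line: date, time, size, eight attribute flags, path.
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
PE_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")
# Assumed allow-list: where a freshly written PE file is routine after a Windows or driver update.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\", "c:\\program files\\")

# Constructed sample: a few lines copied from the log above, plus the section markers.
SAMPLE_LOG = r"""==================== Find3M ====================
2009-10-26 03:15:15 0 d-----w- c:\program files\Bonjour
2009-10-26 02:48:51 194888 ----a-w- c:\windows\Unwash6.exe
2009-10-26 01:20:45 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-26 01:05:12 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-08-10 15:14:26 27184 ----a-w- c:\windows\snuvcdsm.exe
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
============= FINISH: 4:57:57.80 ==============="""


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str  # e.g. "d-----w-" (directory) or "--sha-r-" (system, hidden, archive, read-only)
    path: str
    def is_dir(self): return self.attrs.startswith("d")
    def is_hidden(self): return "h" in self.attrs
    def is_pe(self): return self.path.lower().endswith(PE_EXT)


def parse_dds(text):
    """Parse DDS 'Created Last 30' / 'Find3M' lines; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, int(size), attrs, path))
    return entries


def review_candidates(entries):
    """PE files written outside EXPECTED_DIRS or carrying the hidden flag.
    This orders the analyst's attention; it is not a malware verdict."""
    return [e for e in entries
            if not e.is_dir() and e.is_pe()
            and (e.is_hidden() or not e.path.lower().startswith(EXPECTED_DIRS))]
```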



#4 m0le
  • Malware Response Team
  • Location:London, UK

Posted 07 November 2009 - 05:31 AM

Hi WNG3000,


Can you run a rootkit scanner too?

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks
m0le is a proud member of UNITE

#5 WNG3000
  • Topic Starter
  • Members

Posted 08 November 2009 - 06:15 PM

Sorry, but the application doesn't seem to play nicely with Windows 7!

I got this error upon startup:

[screenshot of the startup error]

followed by this error after I started running the scan:

[screenshot of the error shown during the scan]

followed by numerous other errors, followed by it crashing.

Is there another rootkit scanner that I should use? Thanks!

#6 m0le
  • Malware Response Team
  • Location:London, UK

Posted 08 November 2009 - 06:23 PM

Windows 7, eh? I had to go looking for a suitable rootkit scanner.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

m0le is a proud member of UNITE

#7 WNG3000
  • Topic Starter
  • Members

Posted 09 November 2009 - 03:39 AM

I ran the program, but all of the results were listed as "Removable: Yes (but clean up not recommended)", and most of the results appear legitimate, so I'm not sure which I should remove.

This is the result of the rootkit scan:

[screenshot of the Sophos Anti-Rootkit scan results]

I haven't removed anything yet.

#8 m0le
  • Malware Response Team
  • Location:London, UK

Posted 09 November 2009 - 05:44 PM

No, those entries are all legitimate. The PC seems to be clean, as you suspected.

You haven't got any further symptoms and all the logs have been clear.


You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it WNG3000, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#9 WNG3000
  • Topic Starter
  • Members

Posted 09 November 2009 - 06:58 PM

Thank you so much! I appreciate your help and expertise.

#10 m0le
  • Malware Response Team
  • Location:London, UK

Posted 14 November 2009 - 06:15 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



