
Infection - srosa (Worm.Bagle), Trojan.Agent


13 replies to this topic

#1 Barbizon


Posted 20 November 2009 - 07:49 AM

Have infections. Malwarebytes lists
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa (Worm.Bagle)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Worm.Bagle)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\german.exe (Worm.Bagle)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Worm.Bagle)
C:\Documents and Settings\Propriétaire\Application Data\drivers\downld (Worm.Bagle)

C:\Documents and Settings\Propriétaire\Application Data\m (Trojan.Agent)
C:\Documents and Settings\Propriétaire\Application Data\dllhst3g.exe (Trojan.Agent)

Cannot reinstall McAfee, start in safe mode, etc.

Please help!


DDS (Ver_09-10-26.01) - NTFSx86
Run by Propriétaire at 13:12:09,04 on 20/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2022.1431 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Propriétaire\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.neuf.fr/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://recherche.neuf.fr/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://recherche.neuf.fr/ie/default.html
uWindows: load=c:\docume~1\propri~1\locals~1\applic~1\micros~1\cmstp.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [Cisvc] c:\docume~1\propri~1\applic~1\micros~1\cisvc.exe /waitservice
mExplorerRun: [DllHst] c:\docume~1\propri~1\applic~1\dllhst3g.exe /waitservice
mExplorerRun: [Cisvc] c:\docume~1\propri~1\locals~1\applic~1\micros~1\cisvc.exe /waitservice
dExplorerRun: [MstInit] c:\docume~1\propri~1\locals~1\applic~1\micros~1\mstinit.exe /waitservice
StartupFolder: c:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\transbar.lnk - c:\windows\bricopacks\vista inspirat 2\transbar\TransBar.exe
StartupFolder: c:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\ubericon.lnk - c:\windows\bricopacks\vista inspirat 2\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\y'zsha~1.lnk - c:\windows\bricopacks\vista inspirat 2\yzshadow\YzShadow.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251307792859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5805/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\fichiers communs\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\propri~1\applic~1\mozilla\firefox\profiles\0jrwwr2o.default\
FF - prefs.js: browser.startup.homepage - hxxp://webmail.aol.com/44148/aol/fr-fr/Suite.aspx|http://www.google.com/ig
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\propriétaire\application data\mozilla\firefox\profiles\0jrwwr2o.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 gupdate1ca2d785eccba62;Service Google Update (gupdate1ca2d785eccba62);c:\program files\google\update\GoogleUpdate.exe [2009-9-4 133104]
S3 BCASPROT;Advanced System Protector;c:\program files\systweak\advanced system protector\sasprot32.sys [2009-11-18 6656]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-9-3 30192]

=============== Created Last 30 ================

2009-11-20 10:12:46 94720 ----a-w- c:\docume~1\propri~1\applic~1\dllhst3g.exe
2009-11-19 22:58:17 0 d-sh--w- c:\documents and settings\propriétaire\Recent
2009-11-19 10:32:18 0 d-----w- c:\program files\McAfee.com
2009-11-19 10:21:39 0 d-----w- c:\docume~1\propri~1\applic~1\Safer Networking
2009-11-19 10:20:33 0 d-----w- c:\program files\Safer Networking
2009-11-19 10:19:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-19 10:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-19 10:09:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-19 01:13:19 0 d-----w- C:\Av
2009-11-18 23:11:55 781688 -c----w- c:\windows\system32\dllcache\npds.zip
2009-11-18 23:11:54 760029 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-11-18 17:11:08 0 d-----w- c:\docume~1\propri~1\applic~1\Systweak
2009-11-18 17:11:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Systweak
2009-11-18 17:10:56 0 d-----w- c:\program files\Systweak
2009-11-18 17:10:15 17136 ----a-w- c:\windows\system32\sasnative32.exe
2009-11-18 15:51:18 0 d-----w- c:\program files\AVG
2009-11-18 15:29:06 0 d-----w- c:\docume~1\propri~1\applic~1\Uniblue
2009-11-18 10:04:09 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-18 09:06:13 0 d-----w- c:\windows\McAfee.com
2009-11-17 21:05:58 0 d-----w- c:\docume~1\propri~1\applic~1\McAfee
2009-11-17 17:50:35 0 d-----w- c:\docume~1\propri~1\applic~1\m
2009-11-17 17:47:00 7168 ----a-w- c:\windows\system32\srosa2.sys
2009-11-17 17:44:33 0 d--h--w- c:\docume~1\propri~1\applic~1\drivers
2009-11-17 15:32:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Azureus
2009-11-17 15:32:06 0 d-----w- c:\docume~1\propri~1\applic~1\Azureus
2009-11-17 15:02:32 0 d-----w- c:\documents and settings\propriétaire\WINDOWS
2009-10-30 18:38:14 221 ----a-w- c:\windows\NCLogConfig.ini
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-11-20 10:11:35 2883584 ---ha-w- c:\documents and settings\propriétaire\NTUSER.DAT
2009-11-19 10:09:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-04 15:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-26 07:16:20 84766 ----a-w- c:\windows\system32\perfc00C.dat
2009-10-26 07:16:20 510742 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-10 10:22:34 19096 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-13 16:55:39 128557 ----a-w- c:\windows\hpoins11.dat
2009-09-11 14:18:20 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04:39 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 12:32:45 64851 ----a-w- c:\windows\BricoPackUninst.cmd
2009-09-03 12:32:45 6120 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2009-09-03 12:32:45 219648 ----a-w- c:\windows\system32\uxtheme.dll
2009-08-29 07:56:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:01:24 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 19:04:47 21892 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-23 21:00:38 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-08-23 21:00:38 426496 ------w- c:\windows\system32\imapi2.dll

============= FINISH: 13:12:29,71 ===============
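An added example of my own (not part of this thread, and not code from the DDS tool) that reads the autostart lines of the Pseudo HJT Report above and flags the traits the infected entries share: targets under the user's Application Data, Windows system binary names (cmstp.exe, cisvc.exe, mstinit.exe) living outside %windir%, the /waitservice argument, the load= value in the Windows key, and EnableLUA = 0, which the OTM script later in the thread removes together with dllhst3g.exe. The sample report is constructed from the log above; the list of system binary names, the high/review labels, and the reading of the u/m/d prefixes as HKCU/HKLM/.DEFAULT are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: autostart lines copied from the DDS report above, with benign entries kept for contrast.
SAMPLE_DDS_REPORT = r"""
uWindows: load=c:\docume~1\propri~1\locals~1\applic~1\micros~1\cmstp.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
uExplorerRun: [Cisvc] c:\docume~1\propri~1\applic~1\micros~1\cisvc.exe /waitservice
mExplorerRun: [DllHst] c:\docume~1\propri~1\applic~1\dllhst3g.exe /waitservice
mExplorerRun: [Cisvc] c:\docume~1\propri~1\locals~1\applic~1\micros~1\cisvc.exe /waitservice
dExplorerRun: [MstInit] c:\docume~1\propri~1\locals~1\applic~1\micros~1\mstinit.exe /waitservice
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
"""

# Assumed reference list: Windows binaries that belong in %windir%\system32;
# the profile-resident entries in this log borrow their names.
SYSTEM_BINARY_NAMES = {"cmstp.exe", "cisvc.exe", "mstinit.exe", "ctfmon.exe"}
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\", "\\application data\\")
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")

# DDS prefixes (assumed): u/m/d = HKCU / HKLM / .DEFAULT hive; ExplorerRun = Policies\Explorer\Run.
RUN_RE = re.compile(r"^(?P<kind>[udm]?(?:Run|ExplorerRun)): \[(?P<name>.*?)\]\s*(?P<rest>.*)$", re.I)
TARGET_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)
LOAD_RE = re.compile(r"^[udm]Windows: load=(?P<path>.+)$", re.I)
LUA_RE = re.compile(r"^[udm]Policies-system: EnableLUA = 0\b", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.+)$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)  # (level, text) pairs

    @property
    def level(self):
        return "high" if any(lvl == "high" for lvl, _ in self.reasons) else "review"


def split_target(rest):
    """Split a Run value into (lower-cased exe path, arguments); handles quoted paths."""
    m = TARGET_RE.match(rest.strip())
    if not m:
        return None, ""
    return m.group("path").lower(), (m.group("args") or "").strip()


def path_reasons(path):
    """Traits of an executable path that a reviewer should notice."""
    reasons = []
    if any(marker in path for marker in USER_PROFILE_MARKERS):
        reasons.append(("high", "target lives in a user-writable profile directory"))
    basename = path.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIR_PREFIXES):
        reasons.append(("high", f"{basename} is a system binary name used outside %windir%"))
    return reasons


def assess_line(line):
    """Return a Finding for one DDS autostart line, or None if nothing stands out."""
    line = line.strip()
    reasons = []
    if m := RUN_RE.match(line):
        path, args = split_target(m.group("rest"))
        if path is None:
            reasons.append(("review", "Run value has no executable target"))
        else:
            reasons += path_reasons(path)
            if "/waitservice" in args.lower():
                reasons.append(("high", "/waitservice argument shared by the profile-resident entries"))
        if m.group("kind").lower().endswith("explorerrun"):
            reasons.append(("review", "Policies\\Explorer\\Run key is rarely used by legitimate software"))
    elif m := LOAD_RE.match(line):
        reasons.append(("high", "legacy load= autostart in the Windows key is almost never set legitimately"))
        reasons += path_reasons(m.group("path").strip().lower())
    elif LUA_RE.match(line):
        reasons.append(("high", "EnableLUA policy forced to 0"))
    elif m := APPINIT_RE.match(line):
        reasons.append(("review", f"AppInit_DLLs loads {m.group('path').strip()} into every process; confirm the vendor"))
    return Finding(line, reasons) if reasons else None


def analyze(report_text):
    """Run assess_line over every line of a DDS report and keep the findings in order."""
    return [f for f in map(assess_line, report_text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS_REPORT):
        print(f"[{f.level}] {f.line}")
        for level, text in f.reasons:
            print(f"    ({level}) {text}")
```

Run against the sample it reports eight entries, six at the high level; the Google AppInit DLL and the empty mRun value come out as review items only.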



#2 syler

  • Malware Response Team

Posted 27 November 2009 - 10:55 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 Barbizon

  • Topic Starter

Posted 29 November 2009 - 03:53 AM

Syler, Thanks so much for your reply. I THINK I've gotten rid of the infections, but am not sure. By running Malwarebytes several times, I was, to my surprise, able to re-install McAfee VirusScan. I have run a few scans that indicate the computer is clean.

I have, in any case, run RSIT, and am including the reports for you. Does all seem to be OK?

Thank you all for the kind help you give us!

Attached Files

  • info.txt (20KB)
  • log.txt (34.95KB)


#4 syler

  • Malware Response Team

Posted 29 November 2009 - 06:57 AM

Barbizon,

I can see that you are still quite infected, please follow these next steps.


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • Report.txt
  • MBAM log
  • Gmer log
  • New Rsit log
Thanks



#5 Barbizon

  • Topic Starter

Posted 29 November 2009 - 12:39 PM

Syler,

Thanks to SDFix help, I was able to get into safe mode to run it!

Attached are the logs you requested.




#6 syler

  • Malware Response Team

Posted 29 November 2009 - 01:51 PM

Barbizon,

That's a bit strange, I see that a lot of bad entries that were in your initial Rsit log have gone, but there are no signs of them being removed in your logs,
did you run Malwarebytes twice?


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flec003.exe]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=-
    :Files
    C:\Documents and Settings\Propriétaire\Application Data\dllhst3g.exe
    C:\WINDOWS\dllhst3g.exe
    C:\WINDOWS\mngui.INI
    C:\Av
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please post back here with the following logs:
  • OTM results
  • New Rsit log
Thanks



#7 Barbizon

  • Topic Starter

Posted 01 December 2009 - 02:51 AM

syler,

I ran SDFix in safe mode.
Then I ran in normal mode Malawarebytes once, then GMER.
Should I have run the second two in safe mode?

I will now download and run ERUNT and OTM and do as instructed.

#8 Barbizon

  • Topic Starter

Posted 01 December 2009 - 03:56 AM

syler,

Can't find the "Results" line...

I'm attaching the OTM log and new Rsit log as requested.

P.S. I had already removed
File/Folder C:\Documents and Settings\Propriétaire\Application Data\dllhst3g.exe not found.
File/Folder C:\Av not found.
And seen that neither came back after re-boot.




#9 syler

  • Malware Response Team

Posted 01 December 2009 - 12:15 PM

Hi Barbizon,

That looks better now, please let me know in your next reply if you are having any more problems?


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Kaspersky report
  • New Rsit log
Thanks



#10 Barbizon

  • Topic Starter

Posted 02 December 2009 - 03:26 AM

Hi syler,

I'm attaching the Kaspersky online scan log (nothing found) and the latest Rsit log as you requested.

The computer seems to be running correctly - no apparent problems...




#11 syler

  • Malware Response Team

Posted 02 December 2009 - 09:43 AM

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points you need to set a new restore point
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.


Congratulations! You now appear clean! :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :(
Syler



#12 Barbizon

  • Topic Starter

Posted 03 December 2009 - 05:08 AM

Hi Syler,

Thanks sooo much to all your team and to you personally! What would we all do without you...

Shall I now uninstall ERUNT, GMER and NTREGPT?

I will install the programs you suggest and follow your instructions - to the letter!

#13 syler

  • Malware Response Team

Posted 03 December 2009 - 10:38 AM

You're very welcome Barbizon :(

Yes you can remove those programs if you want.



#14 syler

  • Malware Response Team

Posted 08 December 2009 - 10:42 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
