Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Loud Sound From Fire Alarm System Shuts Down Nasdaq's Scandinavian Data Center

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Virus found but not sure how to remove it safe

Started by bokche , Jan 22 2010 02:20 AM

This topic is locked

17 replies to this topic

#1 bokche

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 22 January 2010 - 02:20 AM

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

can someone, please, examine these logs for me... i'm having problem with IE6 (windows XP) which suddenly can't be run from quick lunch, nor favorites works when click on it

have avira installed, updated and ran a scan, but found nothing... ran Malwarebytes' Anti-Malware, but also found nothing... HJT found a WormRadar.com file, but not sure if it's safe to remove/fix it by myself:

Here's HJT log:

QUOTE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:40, on 13/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
H:\HiJackThis\Tutorial\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

--
End of file - 4688 bytes

Then found this forum, read a guide for posting log files, which follows:

QUOTE

DDS (Ver_09-12-01.01) - FAT32x86
Run by Bokche at 18:01:56,06 on 20/01/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.130 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Bokche\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-15 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-8 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-8 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-8 723632]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 15504]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-3-7 65664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 170640]

=============== Created Last 30 ================

2010-01-18 15:46:03 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-18 15:46:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-16 15:39:33 0 d-----w- c:\program files\Trend Micro
2010-01-12 16:36:21 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-12 16:36:21 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-04 20:31:39 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-01-04 20:31:39 20992 ----a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-01-01 13:19:36 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2009-12-25 23:18:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-25 23:18:12 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-25 23:18:12 0 d-----w- c:\docume~1\bokche\applic~1\SUPERAntiSpyware.com
2009-12-25 23:17:30 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-12-15 21:26:14 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2009-12-08 20:53:52 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-08 20:53:52 179792 ----a-w- c:\windows\system32\guard32.dll
2009-12-08 20:53:52 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-25 10:19:04 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-20 20:23:36 180848 ----a-w- c:\docume~1\bokche\applic~1\GDIPFONTCACHEV1.DAT
2009-10-27 20:06:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2008-08-26 18:19:40 2 --sha-r- c:\windows\winstart.bat

============= FINISH: 18:03:32,55 ===============

If I need to attach my "attach.txt" or zip file, or "ark.txt" file, please let me now. Thanks in advance.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 28 January 2010 - 08:43 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.

For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to

#3 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 31 January 2010 - 03:03 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 02 February 2010 - 03:52 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy

#5 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 11 February 2010 - 07:54 PM

Re-opened upon user's request.

#6 bokche

Topic Starter

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 12 February 2010 - 04:39 AM

Hello EB,

Thanks for reply and for your help.
One of the problems was with IE6 internet browser, which i couldn't start from quick-lunch menu. Now it works (don't know how), but when I click "favorites" menu, and then "link" it does nothing, sometimes it freezes for a moment. Can't use my favorite links I saved.
Next, when I run CCleaner to clean the registry, among other reg keys, it finds a key which it appearly deletes, but when i analyse again, the key is still there "Unused File Extension {80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} HKCR\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}". Somehow, in the meantime, i solved this too, the key is deleted.
Also, something was making 0 bytes files (no extension) in the root of all drives, from time to time. I solve this just by deleting them.
Before I found this forum, I used HJT program, which log I posted in my initial post. There I noticed this line:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter
May I delete this? And how?

Also this, which I posted once before in another topic, but just to mention:
Have two OS, both Windows XP, on first partitions on two separate HDD. When HDDs are both connected to PC (as master and slave), everything's working fine and I can boot whichever OS I want. I made it just in case if something fails on one of HDD's, and have different applications installed on them because of memory.
When 1st HDD is disconnected, after turning PC on, I get message:
PRESS A KEY TO REBOOT
and 2nd HDD will not boot, nor show the boot menu from which i usually pick which OS i want.
I noticed that boot.ini file is located on the 1st HDD. I copied it to the root of 2nd HDD (also NTDETECT.COM & ntldr), but it still won't work. Tried also to change jumpers and checked everything in BIOS, but it just won't work with 2nd HDD.
Why I can't boot into XP installed on the 2nd HDD, when the 1st is disconnected?

About the logs. I read in "Preparation guide before using HJT" in this site, that attach.txt log shouldn't be posted unless it's asked from the helpers. That's why I didn't send it in initial topic. Here are the new logs:

QUOTE

DDS (Ver_09-12-01.01) - FAT32x86
Run by Bokche at 21:14:29,34 on 11/02/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.174 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Bokche\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-15 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-8 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-8 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-8 723632]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 15504]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-3-7 65664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 170640]

=============== Created Last 30 ================

2010-02-01 22:31:01 91 ----a-w- c:\windows\system32\temp_0000_85-24.aok
2010-01-31 19:48:12 0 d-----w- c:\windows\APW_DATA
2010-01-29 16:18:36 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-01-18 15:46:03 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-18 15:46:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-16 15:39:33 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2009-12-08 20:53:52 179792 ----a-w- c:\windows\system32\guard32.dll
2009-11-20 20:23:36 180848 ----a-w- c:\docume~1\bokche\applic~1\GDIPFONTCACHEV1.DAT
2008-08-26 18:19:40 2 --sha-r- c:\windows\winstart.bat

============= FINISH: 21:16:10,28 ===============

I also attached "attach.zip" and "ark.txt" files as described in the tutorial.
If anything else is needed, please say.
Thanks for helping.

Attached Files

Attach.zip 1.89KB 12 downloads
Ark.txt 13.69KB 10 downloads

#7 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 12 February 2010 - 04:24 PM

Hello.

QUOTE

here I noticed this line:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter
May I delete this? And how?

We can deal with it if needed be, but it's not malicious.

I'm not exactly sure on the HDD problem, we can send you over to the tech related forums after that and someone could help you out with that.

---
Let's get an online scan performed.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Open the Kaspersky WebScanner
page.
Click on the button on the main page.
The program will launch and fill in the Information section on the left.
Read the "Requirements and Limitations" then press the button.
The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
Once the files have been downloaded, click on the ...button.
In the scan settings make sure the following are selected:
- Detect malicious programs of the following categories:
  Viruses, Worms, Trojan Horses, Rootkits
  Spyware, Adware, Dialers and other potentially dangerous programs
- Scan compound files (doesn't apply to the File scan area):
  Archives
  Mail databases
  By default the above items should already be checked.
- Click the button, if you made any changes.
Now under the Scan section on the left:

Select My Computer
The program will now start and scan your system. This will run for a while, be patient and let it finish.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

Do you have ay symptoms of any infections? For instance: redirects, lots of popups etc...?

With Regards,
Extremeboy

#8 bokche

Topic Starter

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 18 February 2010 - 01:59 PM

Thank you for your responce... about scaning with kaspersky - i have very slow connection at home (it's dial up) and think i need to take my HDD to somewhere else to scan it... after that i send a report
thanks

#9 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 19 February 2010 - 05:11 PM

Okay. Sorry about that, didn't know you were using a slow internet connection, otherwise we can run a downloaded scanner which may be better. Anyhow, let me know how it goes.

#10 bokche

Topic Starter

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 22 February 2010 - 06:20 AM

Hello EB,
"a downloaded scanner"... if you give me a link of the scanner, I can download it and bring it to my PC with a flash drive, and then install or run it. Can I do that?
it would be better then taking and moving my HDD...
waiting for your suggestion
thanks

#11 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 23 February 2010 - 07:53 PM

This tool...

The tool has been changed slightly, when saving it the log you will need to select all entries and copy it somewhere and save it then you can attach it here.

Download and Run Kaspersky Virus Removal Tool

I suggest you read over the instructions and then print/save the instructions onto notepad or somewhere so you can have a reference and follow the instructions correctly when in Safe Mode; since you won't have access to this page anymore

Please download Kaspersky Virus-Removal Tool and save it to your desktop.
Alternate Download Mirror 2
Reboot your computer into SafeMode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Then, use your up arrow key to highlight SafeMode then hit enter. Additional instructions can be found over here

Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
Double click the installer on your desktop and follow the prompts. Kaspersky Virus Removal Tool will open after the installation. If you are using Vista, please right-click and select run as administrator
Click Next to continue.
It will by default install it to your desktop folder. Click Next.
Hit Ok at the prompt for scanning in Safe Mode.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.

System Memory

Startup Objects

Disk Boot Sectors.

My Computer.

Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok. Then choose OK again then you are back to the main screen.

Then click on Scan at the to right hand Corner. Please be patient while the scan completes. It may take a while.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be Neutralized then chooose The delete option when prompted.
When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "KasReport".
Close out of the program. When asked to uninstall, select Yes. <- Make sure you have save the log file on your desktop before uninstalling it.
Attach back with the KasReport in your next reply please.

#12 bokche

Topic Starter

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 26 February 2010 - 04:25 AM

Hi EB,

I scaned my comp with the tool you suggested with the options specified. Scan took about 20 hours. When I clicked "report" button, there was no option "save to file", so I used "select all" and copied the selection to the notepad txt file, which is attached.

All the Kaspersky reported as a virus was just some software's files which are not even used.

My IE is still not working well, it freezes and favorites doesn't work and menus as well. I can surf, google, read mail...

any suggestions
thanks

Attached Files

KasReport.txt 8.72KB 10 downloads

#13 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 26 February 2010 - 05:40 PM

Have you tried an alternative browser such as: Firefox and see if the problems are there too?

--
Post a new DDS log so I can see the current condition of your machine.

#14 bokche

Topic Starter

Members
12 posts
OFFLINE

Local time:03:49 PM

Posted 02 March 2010 - 06:30 AM

I tried FireFox and it worked allright, but I prefer IE. What could it be so my favorites don't work in IE?

Here are the logs:

QUOTE

DDS (Ver_09-12-01.01) - FAT32x86
Run by Bokche at 0:21:56,79 on 02/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.235 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bokche\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-15 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-8 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-8 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-8 723632]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 15504]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-3-7 65664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 170640]

=============== Created Last 30 ================

2010-02-11 21:36:23 600 ----a-w- c:\documents and settings\bokche\PUTTY.RND
2010-02-01 22:31:01 91 ----a-w- c:\windows\system32\temp_0000_85-24.aok
2010-01-31 19:48:12 0 d-----w- c:\windows\APW_DATA

==================== Find3M ====================

2010-03-01 19:19:10 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-02-15 20:58:10 249856 ------w- c:\windows\Setup1.exe
2010-02-15 20:58:08 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-12-08 20:53:52 179792 ----a-w- c:\windows\system32\guard32.dll
2008-08-26 18:19:40 2 --sha-r- c:\windows\winstart.bat

============= FINISH: 0:23:12,63 ===============

Attached Files

Attach.zip 2.17KB 10 downloads

#15 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:10:49 AM

Posted 02 March 2010 - 05:20 PM

Not exactly sure, but perhaps you can try backing your favourites up. Delete it and then copy it back to the location or just re-add some of the sites. Alternatively if you don't mind FireFox you can import them from IE to FF. Lastly would be perhaps re-install IE.

Logs are clean so let's wrap up!

Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

Download OTC by OldTimer and save it to your desktop.
Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
Then Click the big button.
You will get a prompt saying "Being Cleanup Process". Please select Yes.
Restart your computer when prompted.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok"
Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" Tab.
Click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:

Disabling Autorun/Play on Flash-Drive/Removable Drives
Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
Keep Windows Updated through going to Windows Updates
Updating Non-Microsoft Programs
Keeping Security softwares updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck