
Very Slow Computer, Possible Malware


  • This topic is locked
12 replies to this topic

#1 yoongoo

yoongoo

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 10 May 2010 - 06:03 AM

Hi,

My name is Simon. I am having a hard time with my laptop due to its very slow performance. I believe that it is because of malware. My computer sometimes runs at 100% CPU usage when nothing that I know of is running. Also my antivirus software, Avira, cannot update. An error message pops up that it cannot update. I also tried Spybot Search and Destroy, but for some reason I cannot update it. A similar error message pops up saying that an error had occurred during the updates. I would appreciate some help and advice. Thank you. The DDS file is copied here and the two other files are attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Simon at 3:54:01.59 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.505 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Simon\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\simon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244003990230
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244017315640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\simon\applic~1\mozilla\firefox\profiles\31sem27o.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - plugin: c:\documents and settings\simon\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-6 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-6 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-6 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-6 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-05-09 05:30:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 05:30:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-09 05:30:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-06-18 17:53:13 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 3:54:49.60 ===============

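A small triage script for the Pseudo HJT section of a DDS log like the one above, added as an example for this thread and not part of DDS or of any tool used in it. It flags the loopback proxy and hosts entries the log shows, plus autostarts without a full path or running from a profile directory; the sample lines are constructed from the posted log, and the site list and heuristics are assumptions, not DDS logic.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS or of any tool the
helper used. The sample below is constructed from entries in the posted log,
and the rules are ordinary defender heuristics (assumed, not DDS logic).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the Pseudo HJT lines from the posted DDS log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\simon\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================
"""

# Sites a user needs during disinfection; a loopback mapping for any of them
# deserves a look. Assumed list for this example.
SECURITY_SITES = ("spywareinfo", "bleepingcomputer", "malwarebytes",
                  "superantispyware", "avira", "windowsupdate")
# Directories an unprivileged user can write to on Windows XP (assumed list).
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")

_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+)(?::(?P<port>\d+))?", re.I)
_HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)", re.I)
_RUN = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str
    reason: str


def hjt_section(log: str) -> list[str]:
    """Return the non-blank lines between the Pseudo HJT header and the next header."""
    out, inside = [], False
    for ln in log.splitlines():
        if ln.startswith("=") and "Pseudo HJT Report" in ln:
            inside = True
        elif inside and ln.startswith("="):
            break
        elif inside and ln.strip():
            out.append(ln)
    return out


def executable(cmd: str) -> str:
    """Extract the program path from an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> list[Finding]:
    """Apply the heuristics to every Pseudo HJT line and collect findings."""
    findings: list[Finding] = []
    for ln in hjt_section(log):
        if (m := _PROXY.search(ln)) and m.group("host") in ("127.0.0.1", "localhost"):
            findings.append(Finding("high", ln,
                f"all browser HTTP traffic is sent to a loopback proxy on port "
                f"{m.group('port')}; identify the process listening there"))
        elif (m := _HOSTS.match(ln)) and m.group("ip") in ("127.0.0.1", "0.0.0.0") \
                and any(s in m.group("name").lower() for s in SECURITY_SITES):
            findings.append(Finding("high", ln,
                "hosts file points a security site at loopback, which blocks it"))
        elif m := _RUN.match(ln):
            exe = executable(m.group("cmd")).lower()
            if "\\" not in exe:
                findings.append(Finding("medium", ln,
                    "autostart has no full path, so it is resolved via PATH search order"))
            elif any(d in exe for d in USER_WRITABLE):
                findings.append(Finding("medium", ln,
                    "autostart runs from a user-writable profile directory; verify publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.line}\n         -> {f.reason}")
```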
#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 11 May 2010 - 06:43 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 yoongoo

yoongoo
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 11 May 2010 - 07:52 PM

Hi Mole,

Thank you for helping me. I will be looking forward to your assistance. I'm very eager to fix my laptop, so I will try to reply immediately. Thanks.



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 12 May 2010 - 03:35 PM

Some malware symptoms so let's see what we can find

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#5 yoongoo

yoongoo
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 12 May 2010 - 09:33 PM

Hello,

Here's the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/12/2010 7:26:41 PM
mbam-log-2010-05-12 (19-26-41).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 184321
Time elapsed: 1 hour(s), 14 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B546A53E-A09A-4068-9654-0AF598E85EBA}\RP200\A0053565.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B546A53E-A09A-4068-9654-0AF598E85EBA}\RP200\A0053566.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B546A53E-A09A-4068-9654-0AF598E85EBA}\RP200\A0053567.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 13 May 2010 - 05:18 PM

Some echoes of malware. There are copies sitting in the system restore (there were, MBAM's zapped them)


Please run SAS

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#7 yoongoo

yoongoo
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 13 May 2010 - 09:35 PM

Hi,

Here's the log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/13/2010 at 06:52 PM

Application Version : 4.37.1000

Core Rules Database Version : 4932
Trace Rules Database Version: 2744

Scan type : Complete Scan
Total Scan Time : 01:19:30

Memory items scanned : 568
Memory threats detected : 0
Registry items scanned : 6137
Registry threats detected : 0
File items scanned : 66886
File threats detected : 69

Adware.Tracking Cookie


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 14 May 2010 - 02:43 PM

Nothing nasty there, a few cookies.

How is the PC running?
m0le is a proud member of UNITE

#9 yoongoo

yoongoo
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 14 May 2010 - 03:24 PM

It's running a lot smoother than before. Thank you.

Is there any free software that prevents this problem from happening in the future? Should I keep MBAM and SAS and use them regularly?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 14 May 2010 - 04:11 PM

Yes, both SAS and MBAM are useful.

There's some great freeware around and the last link below covers a lot of them.

You will be told about Avast and Antivir on Bleeping Computer, they are the best two free antiviruses around at the moment. One of these with SAS as an antispyware and MBAM as an occasional runner is quite powerful. There are also third party firewalls which add an additional protection, Online Armor and ZoneAlarm are good. Comodo is also good but not the best.


Let's clean up...

You're clean. Good stuff!

Let's do some clearing up


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it yoongoo, happy surfing!

Cheers.

m0le

Edited by m0le, 14 May 2010 - 05:44 PM.

m0le is a proud member of UNITE

#11 yoongoo

yoongoo
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 14 May 2010 - 05:31 PM

Not sure what ComboFix is because I didn't use it, but I did the rest of the things you told me. Thank you for your assistance, m0le. Glad my laptop runs fine again.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 14 May 2010 - 05:44 PM

Edited that out. Sorry.

Please make a new restore point.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

You're welcome for the help

Edited by m0le, 14 May 2010 - 05:45 PM.

m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:25 AM

Posted 16 May 2010 - 06:49 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
