Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possibly infected with ro0.exe


  • This topic is locked This topic is locked
39 replies to this topic

#1 sparrow76

sparrow76

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 06 February 2011 - 03:30 PM

DDS (Ver_10-12-12.02) - NTFSx86
Run by Blender at 8:51:20.14 on Sun 02/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.27 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Documents and Settings\Blender\Desktop\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Blender\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\documents and settings\blender\desktop\SUPERAntiSpyware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286116665921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286116652718
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\documents and settings\blender\desktop\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\documents and settings\blender\desktop\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\documents and settings\blender\desktop\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\documents and settings\blender\desktop\SASKUTIL.SYS [2010-5-10 67656]
S3 cpuz132;cpuz132;\??\c:\docume~1\blender\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\blender\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2011-02-06 01:43:25 -------- d-----w- C:\Autoruns
2011-02-05 21:50:36 -------- d-----w- c:\docume~1\blender\applic~1\SUPERAntiSpyware.com
2011-02-05 21:50:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-05 16:34:55 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-05 16:34:12 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-02-05 16:33:12 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-05 16:32:38 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-05 15:51:26 -------- d-----w- c:\program files\Eusing Free Registry Defrag
2011-02-05 15:34:50 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2011-02-05 14:53:38 -------- d-----w- c:\docume~1\blender\locals~1\applic~1\PackageAware
2011-02-05 12:53:30 -------- d--h--w- c:\docume~1\alluse~1\applic~1\CanonIJEGV
2011-01-22 22:26:42 -------- d--h--w- c:\docume~1\alluse~1\applic~1\CanonIJScan
2011-01-22 22:10:52 303104 ----a-w- c:\windows\system32\CNC250L.dll
2011-01-22 22:10:52 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-01-22 22:10:52 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2011-01-22 22:10:52 110592 ----a-w- c:\windows\system32\CNC250I.dll
2011-01-22 22:10:52 106496 ----a-w- c:\windows\system32\CNC250U.dll
2011-01-22 22:10:42 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-01-22 22:10:42 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-01-22 22:09:45 -------- d-----w- c:\docume~1\blender\applic~1\Canon Easy-WebPrint EX
2011-01-22 22:08:24 -------- d-----w- c:\program files\common files\CANON
2011-01-22 22:03:20 70656 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP9W.DLL
2011-01-22 22:03:20 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD9W.DLL
2011-01-22 22:03:20 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2011-01-22 22:03:04 90112 ----a-w- c:\windows\system32\CNC250O.dll
2011-01-22 22:03:01 178176 ----a-w- c:\windows\system32\CNMIU9W.DLL
2011-01-22 22:02:13 -------- d-----w- c:\program files\Canon

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 8:53:38.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 10 February 2011 - 06:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 11 February 2011 - 10:27 PM

Thank you for helping me with this concern. I was on the internet and one site I went to suddenly started throwing up pop-up boxes and saying "Your computer may be affected with malware" and then acted like it was scanning something and started checking off boxes next to malware names. I quickly did a hard shut-down since I didn't know if it was an advertisement scheme or if it was actually installing this stuff. When I reloaded, I first did the online free beta version of TrendMicro which came back with nothing. Then I ran HijackThis which returned a list of safe/neutral options and one "nasty" entry called ro0.exe. I tried to fix it through HijackThis, but even though it said it cleared it, it would still show next time I ran the scan. I followed the path to the folder on my hard drive and manually deleted the ro0.exe file. Now, the scan still shows the file being there, but it also states "file missing". I don't remember if it ever said that when I first ran the scan. I looked this up on the internet and learned this backdoor malware can hide in other files and I just want to be sure it's off my computer. I appreicate the help.

I can not get an ark.txt file because I've twice run the GMER program and it froze my system to the point I had to do a hard shut-down.

Thank you again,
sparrow76

Attached File  Extras.Txt   33.01KB   1 downloads
Attached File  OTL.Txt   72.39KB   2 downloads

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 12 February 2011 - 07:41 AM

Hello, sparrow76.
The file is gone, but there's still a leftover registry entry we can take care of. That is a backdoor virus.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case Eusing Free Registry Cleaner). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O4 - HKU\S-1-5-21-3719885985-2505351160-3990708003-1005..\Run: [SUPERAntiSpyware]  File not found
    SRV - File not found [Auto | Stopped] --  -- (ro0Srv)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Documents and Settings\Blender\Desktop\SASWINLO.DLL -  File not found
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -  File not found
    @Alternate Data Stream - 2972 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
    @Alternate Data Stream - 266 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CA8EFF8
    @Alternate Data Stream - 225 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C22674B6
    :Commands
    [EmptyTemp]
    
    
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 12 February 2011 - 09:05 PM

Wow. That's a lot to take in. I would actually be okay with reformating and reinstalling the OS, but I have no idea where the actual CDs are for that (this computer is older and has been moved a few times). My husband thinks he can reformat by using something built into the computer itself. Would this help or because it's not from original CDs, would this just wipe out new stuff without really getting rid of the virus?

sparrow76

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 13 February 2011 - 08:32 AM

If you restored from a recovery partition that often comes on new computers, it would reimage everything like the day you bought it so it would be 100% clean initially. Don't forget to backup first, and scan your backup for viruses. Don't back up programs, windows, executable files (e.g. EXE, SCR, BAT, PIF, COM, etc.) or system files (DLL, SYS). Just back up your documents only...photos, letters, videos/movies, etc.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 13 February 2011 - 04:07 PM

I discovered that my computer is a dinosaur and has no built-in reinstall ability. So I did the steps you listed in your post. I've attached the txt files and the ESETScan finished with no threats found, so it didn't give me any list.

Attached File  OTL.txt   10.88KB   2 downloads
Attached File  OTL2.Txt   48.95KB   2 downloads
Attached File  mbam-log-2011-02-13 (12-45-34).txt   1.35KB   1 downloads

sparrow76

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 14 February 2011 - 07:10 PM

OK, the good news is that we have removed what we can see of the rootkit so it's likely disabled. How is your computer running at this point?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 16 February 2011 - 09:48 AM

It seems to be running normal, but it's old and was slow before the virus, so it was hard to tell a difference at any point. Should I run the HijackThis logfile and see if the Ro0 missing file entry is still there? I appreciate all your help. :)

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 16 February 2011 - 06:39 PM

Hello, sparrow76.


Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 23 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 6 Update 3
    Java 6 Update 5
    Java 6 Update 7
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.




Step 2


No need for a HJT log. OTL is HJT on steroids. :) It would have appeared in this log if it was still there. In fact...it was there in the original OTL log. Inactive, but some leftover registry entries were there.

Please run one final OTL Quick Scan and post the log in your reply after updating Java in Step 1.

Also...when is your computer slow? To boot up? Watching video? All the time? We may be able to slightly improve the speed. This computer only has 256MB of RAM memory. That is extremely small. A very cost effective upgrade would be to install more RAM. Of course, if this computer is older, it may be worth even an entry level new computer if performance is important.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 17 February 2011 - 09:54 PM

I'm confused on the Java download. I clicked your link, but am not sure which to download from there. There are a couple that say "JDK6 Update 23" and I don't see either saying "allows end-users to run Java applications." There is also a Update 24. Which do I want?

As for the slowness, we are actually saving to get a newer computer with more RAM. :)

Thanks,
sparrow76

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 18 February 2011 - 06:54 PM

It literally just updated in the past couple of days to version 24. I need to update mine as well. Time to update my standard Java update speech. :)

You'll want the Download JRE button for Update 24 in the top table. Sorry for the confusion.

And nice work on the plan to upgrade. Take your time...every day you wait means more performance for the same money. :)


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 18 February 2011 - 09:58 PM

I updated the Java. By the way, how would you recommend I best avoid these nasty backdoor viruses in the future - for as cheap as possible? :)

#14 sparrow76

sparrow76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 18 February 2011 - 10:30 PM

Oh, and here's the OTL log. :)

Attached File  OTL.Txt   50.49KB   1 downloads

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 19 February 2011 - 11:16 AM

Hello, sparrow76.

There's some tips below to avoid reinfection. I use only free protection (Avast, MBAM, Windows Firewall). Most viruses can be avoided by modifying your behavior. Don't download cracked software or keygens, avoid getting anything via P2P/torrents unless you know the user you're downloading it from, etc.




Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to you desktop
  • If that link doesn't work, try this one.
  • Doubleclick the Posted Image icon to start the program.
  • Then, click the big Posted Image button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.



Step 2

We need to purge your system restore so malware is not accidently restored. First, let's create a new restore point.
  • Go to Start --> All Programs --> Accessories --> System Tools --> System Restore.
  • Select Create a Restore Point and click Next.
  • Give the restore point a name and press create.
  • You'll see it work, then say that it was created sucessfully. Click Close.


Now, we need to remove the old, infected points using DiskCleanup.
  • Click on Start --> Run.
  • Type in cleanmgr into the run box and hit OK.
  • Select C: and press OK
  • Select the More Options tab.
  • Click on Clean up in the System Restore section..
  • Click OK.
  • You'll get a couple of prompts asking if you're sure you want do to this, select Yes and OK for them.
  • Disk cleanup will remove the old restore points that included the malware.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program isMalwarebytes Anti-Malware. You can download the free version..

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users