Help To Remove Malware

8 replies to this topic

#1 teachtom (Members, 16 posts)

Posted 14 May 2007 - 07:23 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:10:16 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Documents and Settings\Tom\Desktop\merijn.exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Internet Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9EBDCD6-0446-4573-A938-8B92568D2151}: NameServer = 208.10.145.10 208.6.232.10
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 19 May 2007 - 08:55 AM

Hello teachtom and welcome to the BC HijackThis forum. I do not see any signs of viruses or malware in the log. It is clean.

There is a little housekeeping that we can do so let's do that while you are here.

Note: the O8 item below is an ad-supported toolbar and can cause advertising popups. It is the user's choice as to whether or not to keep it, but we normally suggest its removal. If you want to keep it, then do not select it for fixing.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Other than that the log looks good. If you have the report from BitDefender then you can post that here and I will take a look. My guess is that it is a .cab or other installation file which has a suspicious file inside it. These types of files cannot be cleaned through anti-virus or anti-spyware programs and the installation file itself needs to be deleted (if it is infected).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


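The reply above applies a few mechanical rules to the HijackThis log: an empty R0/R1 value is safe to tidy, an O18/O20 entry whose file is "(no file)" or "(file missing)" is an orphan, and an O8 hook pointing at an ad-supported domain is the user's call. The script below is an added example (not code from the thread or from HijackThis) that encodes those rules and runs them over a constructed subset of the log posted in #1. The function names and the AD_TOOLBAR_DOMAINS list are this example's own assumptions. One caveat it handles: the O23 service lines in that log also say "(file missing)" even though the same executables appear under Running processes, and the reply does not select them, so the script cross-checks O23 against the process list before flagging.

```python
"""Triage a HijackThis (HJT) log the way the reply above does.

Added example, not code from the thread or from HijackThis. The helper names
and the AD_TOOLBAR_DOMAINS list are this example's own assumptions.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above
# (the Running processes block plus the R/O entries the reply decides on).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
"""

# Domains whose browser hooks the reply treats as ad-supported toolbars (assumed list).
AD_TOOLBAR_DOMAINS = {"need2find.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
EXE_RE = re.compile(r'([^\\\s"]+\.(?:exe|dll))', re.I)


def split_log(text: str) -> Tuple[Set[str], List[Tuple[str, str, str]]]:
    """Return (running process basenames, [(section, body, raw line)])."""
    running: Set[str] = set()
    entries: List[Tuple[str, str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2), line))
        elif in_procs:
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, entries


def host_of(body: str) -> str:
    """Hostname of the first http(s) URL in an entry, or '' if there is none."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def is_ad_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in AD_TOOLBAR_DOMAINS)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return [(raw line, reason)] for the entries the reply selects for fixing."""
    running, entries = split_log(text)
    flagged: List[Tuple[str, str]] = []
    for section, body, line in entries:
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            flagged.append((line, "empty IE setting: harmless, tidy up"))
        elif "(file missing)" in body or "(no file)" in body:
            # In this log the O23 services marked "(file missing)" are also listed under
            # Running processes, and the reply does not select them; cross-check first.
            exe = EXE_RE.search(body)
            if section == "O23" and exe and exe.group(1).lower() in running:
                continue
            flagged.append((line, "orphaned entry: its target file is gone"))
        elif is_ad_domain(host_of(body)):
            flagged.append((line, "ad-supported toolbar hook: user's choice, removal suggested"))
    return flagged


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:<60} {line}")
```

Run against the sample, triage() returns exactly the four lines the reply lists (R0 SearchAssistant, O8 need2find, O18 text/html filter, O20 WRNotifier) and leaves the O23 BitDefender service alone.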
#3 teachtom (Topic Starter, Members, 16 posts)

Posted 19 May 2007 - 12:25 PM

Dear OT, Thanks for looking through the HJ log. I checked the items you noted and ran HJ again, and they were removed. Here is the virus report from BDv10. I did a deep scan last week; it is able to clean/remove everything but the altnetbd.exe. Thank you for your help. I did a copy/paste of my virus report. teachtom
//-----------------------------------------------------------------
//
// Product BitDefender Antivirus v10
// Product 10.2
//
// Created on: 13/05/2007 06:58:23
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
D:\
E:\
Folders : 3771
Files : 304125
Memory processes scanned : 9
Archives : 28383
Runtime packers : 20007
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 0
Moved files : 0
I/O errors : 27
Scan time : 00:45:38
Scan speed (files/sec) : 111

Spyware Statistics

Registry keys scanned : 1562
Registry keys infected : 0
Cookies scanned : 203
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 553375
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1179057503.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Detected: Adware.Altnetbde.A
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Disinfection failed
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Move failed

#4 teachtom (Topic Starter, Members, 16 posts)

Posted 19 May 2007 - 04:49 PM

May 19, 2007. OT, I just completed a new virus scan. I found something new. See attached report. Thanks again, teachtom
//-----------------------------------------------------------------
//
// Product BitDefender Antivirus v10
// Product 10.2
//
// Created on: 19/05/2007 15:36:46
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
D:\
Folders : 3796
Files : 249222
Memory processes scanned : 9
Archives : 15892
Runtime packers : 18010
Identified viruses : 1
Infected files : 2
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 2
Moved files : 1
I/O errors : 26
Scan time : 00:35:30
Scan speed (files/sec) : 117

Spyware Statistics

Registry keys scanned : 1560
Registry keys infected : 2
Cookies scanned : 218
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 2


Virus definitions : 554722
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1179607006.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)
<System>=>HKEY_CLASSES_ROOT\MAGNET Detected: magne2t
<System>=>HKEY_CLASSES_ROOT\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Detected: Adware.Altnetbde.A
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Disinfection failed
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Moved
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Detected: Adware.Altnetbde.A
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Disinfection failed
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Move failed

#5 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 19 May 2007 - 05:58 PM

Hi teachtom. What is being found is either in the Recycle Bin or the temp folders. To clean them out you can use the following tool.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

That should do it :thumbsup:

Cheers.

OT

#6 teachtom (Topic Starter, Members, 16 posts)

Posted 20 May 2007 - 03:25 PM

Dear OT, I ran the ATF Cleaner from your last post. This morning, 5-20-07, I did an update on my BitDefender v10 and did a deep system scan. Guess what? It is still there. Here is what it said: C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-10
Detected Adware.Altnetbde.A
Disinfection failed
Move failed
What do you think I should do next? Thanks for your help,
Teachtom

#7 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 20 May 2007 - 03:57 PM

Hi teachtom. It depends on what user that account is for. If there are multiple accounts you will need to be logged onto the account which that recycle bin folder is assigned to. Log on to each user account and run ATF.

Cheers.

OT

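The point in the reply above is that C:\RECYCLER\S-1-5-21-...-1007 is not "the" Recycle Bin but one account's Recycle Bin folder, named by that account's SID, so a cleanup tool run from a different account never touches it; and, as noted in #2, the scanner could only report "Move failed" on asm.exe inside Dc1.cab because it cannot clean inside an archive. The script below is an added example (not code from the thread or from BitDefender) that folds the Summary lines of the 19 May report into one finding per object and attaches the action the thread settles on. The path rules follow the reports posted above; the RID ranges are standard Windows (500 Administrator, 501 Guest, 1000 and up created after setup); the sid_owners mapping is a constructed stand-in for the SID-to-account lookup you would do on the machine itself, for example with `wmic useraccount get name,sid`.

```python
"""Classify the Summary lines of a BitDefender v10 report into the actions the thread
settles on: resolved by the scanner, inside an archive, or inside another account's
Recycle Bin folder.

Added example, not code from the thread or from BitDefender. The path rules follow
the reports posted above; the RID ranges are standard Windows; sid_owners is a
constructed stand-in for a real SID-to-account lookup.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the Summary block of the 19 May 2007 report above.
SAMPLE_SUMMARY = r"""
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Detected: Adware.Altnetbde.A
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Disinfection failed
C:\Documents and Settings\Tom\Local Settings\Temp\AAWTMP\C8431281\26B651\asm.exe Moved
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Detected: Adware.Altnetbde.A
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Disinfection failed
C:\RECYCLER\S-1-5-21-3171037022-2198987764-1268631836-1007\Dc1.cab=>asm.exe Move failed
"""

# Each summary line is "<object> <event>"; the object may itself contain spaces.
EVENT_RE = re.compile(
    r"^(?P<obj>.+?) (?P<event>Detected: .+|Disinfection failed|Move failed|Moved|Deleted)$")
# Per-user Recycle Bin folders on NT-family Windows live under RECYCLER\<owner SID>.
SID_RE = re.compile(r"\\RECYCLER\\(S-1-5-21-\d+-\d+-\d+-(\d+))\\", re.I)


def rid_kind(rid: int) -> str:
    """Well-known RID ranges: 500 Administrator, 501 Guest, 1000 and up created after setup."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "user-created account"
    return "other well-known RID"


def triage_bitdefender(text: str, sid_owners: Optional[Dict[str, str]] = None) -> List[dict]:
    """Fold the per-object event lines into one finding each and attach an action."""
    sid_owners = sid_owners or {}
    findings: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue  # repacking/status lines carry no object
        obj, event = m.group("obj"), m.group("event")
        f = findings.setdefault(obj, {"object": obj, "detection": None, "resolved": False,
                                      "sid": None, "rid": None, "action": ""})
        if event.startswith("Detected: "):
            f["detection"] = event[len("Detected: "):]
        elif event in ("Moved", "Deleted"):
            f["resolved"] = True  # the scanner's first or second action succeeded
    for f in findings.values():
        obj = f["object"]
        if obj.startswith("<System>"):
            f["action"] = "registry key: " + ("removed by the scanner" if f["resolved"] else "remove by hand")
            continue
        container = obj.split("=>", 1)[0]  # '=>' marks an object inside an archive
        m = SID_RE.search(container)
        if m:
            f["sid"], f["rid"] = m.group(1), int(m.group(2))
        if f["resolved"]:
            f["action"] = "quarantined by the scanner: nothing further"
        elif m:
            owner = sid_owners.get(f["sid"], "unknown")
            f["action"] = (f"in the Recycle Bin folder of SID {f['sid']} ({rid_kind(f['rid'])}, "
                           f"owner: {owner}): log on as that account and empty the Recycle Bin")
        elif "=>" in obj:
            f["action"] = f"member of archive {container}: the scanner cannot clean inside it, delete the archive"
        else:
            f["action"] = "loose file: delete or quarantine"
    return list(findings.values())


if __name__ == "__main__":
    owners = {"S-1-5-21-3171037022-2198987764-1268631836-1007": "second user account (constructed)"}
    for f in triage_bitdefender(SAMPLE_SUMMARY, owners):
        print(f"{f['object']}\n  {f['detection']} -> {f['action']}")
```

On the sample this yields three findings: the MAGNET registry keys (deleted by the scanner), the asm.exe in the AAWTMP temp folder (moved to quarantine), and asm.exe inside Dc1.cab in the RECYCLER folder for RID 1007, which is the only one that needs a logon as the owning account.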
#8 teachtom (Topic Starter, Members, 16 posts)

Posted 20 May 2007 - 06:26 PM

Dear Old Timer, You are the tops. That was the trick. When I switched to my daughter's user account and ran ATF Cleaner, my next virus scan came back clean. If I ever meet you, I'll buy you a beer. I have been trying to remove this for about 10 months and had just about given up. Bleepingcomputer has the greatest folks. Thanks again, teachtom. OldTimers ROCK!!

#9 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 21 May 2007 - 11:31 AM

And I'd take that beer :thumbsup: I'm glad we could be of service.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers.

OT



