
Got bit bad - now still have something I can't get rid of :-(



One of my PCs got bit by some kind of multi-whammy malware "fun" after trying some kind of PDF converter a friend sent me last night. It obviously was infected with malware, but I did scan it before installing it and nothing was found (?). I can't think what else could've caused this though.

It has taken me all day to get things back in order and I thought I had everything licked, but I noticed some odd things and the PC is still "sick", no matter how many times I scan and fix things.

Without going through the whole long story I will just summarize it as this, and ask for some help where I am now:

- Malwarebytes had been able to find and supposedly fix some things. Avast anti-virus and Spybot also found/fixed things. Drwebcureit gave the PC a clean bill of health. I have been running most of the scans in safe mode. I repaired a lot of crazy damage to the PC where restore points were erased and disabled, new firewall exceptions allowing access were created for previously unheard-of programs, all kinds of crazy stuff.

- But every time I boot back into regular startup I get crap placed into my TEMP folder and processes running like "setupv.exe" and "Lsass.exe" which are coming from there, consuming almost all the CPU, making connections to the 'net etc.

- Booting back into safe mode and scanning again with Malwarebytes it keeps finding registry keys and files for "Worm.Koobface", "adware.agent", and "adware.BHO", even after it has already cleaned them.

- I've attached some logs as per the "what do I do now" thread. I greatly appreciate any advice I can get for how to fully eradicate this crap.

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by luigi at 23:30:31.29 on Tue 02/23/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.687 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100223-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

e:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

E:\Program Files\Java\jre6\bin\jqs.exe

E:\Program Files\Java\jre6\bin\jusched.exe

E:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

G:\TEMP\setupv.exe

G:\TEMP\ldm1.exe

F:\luigi\My Documents\diag tools for forum\DDS.SCR

============== Pseudo HJT Report ===============

uStart Page = hxxp://bing.zugo.com/?cfg=2-80-0-r4My

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: gwprimawega: {69e26dcf-60b3-f075-facc-288ac43d12c4} - c:\windows\system32\O3GvSlh.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - e:\program files\orbitdownloader\GrabPro.dll

TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll

mRun: [NWEReboot]

mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [sunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

StartupFolder: c:\documents and settings\luigi\start menu\programs\startup\esport2.exe * I JUST DELETED THIS*

IE: &Download by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/202

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264023056359

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264023047984

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {BD9DAB68-4262-4B7E-85C9-BEC5698A7083} = 71.242.0.14,71.250.0.14

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

AppInit_DLLs: nunupofa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luigi\applic~1\mozilla\firefox\profiles\b5v8s6w7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: browser.search.selectedEngine - Bing

FF - component: e:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: e:\program files\java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: e:\program files\mozilla firefox\plugins\npDimdimControl.dll

FF - plugin: e:\program files\real alternative\browser\plugins\nppl3260.dll

FF - plugin: e:\program files\real alternative\browser\plugins\nprpjplug.dll

FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - e:\program files\mozilla firefox\extensions\{7a366b93-f7f0-661e-5855-89aaa8e957b4}

FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-3 110360]

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]

R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast4\ashServ.exe [2008-4-4 138680]

R2 ReflectService;Macrium Reflect Image Mounting Service;e:\program files\macrium\reflect\ReflectService.exe [2009-8-25 220128]

R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-4 254040]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]

R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2001-1-8 15576]

S3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast4\ashWebSv.exe [2008-4-4 352920]

S3 CPjdmN;CPjdmN;e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]

S3 cpuz132;cpuz132;e:\program files\cpuid\pc wizard 2009\pcwiz32.sys [2009-7-13 12672]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-7-9 37440]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-1-27 38976]

S3 zFajeM;zFajeM;e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]

=============== Created Last 30 ================

2010-02-24 04:30:04 0 ----a-w- c:\documents and settings\luigi\defogger_reenable

2010-02-23 18:46:19 118375 ----a-w- c:\windows\system32\-3-80k-EcKUL.exe

2010-02-23 18:45:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Toolbar4

2010-02-23 18:45:23 0 d-----w- c:\program files\Search Toolbar

2010-02-23 18:03:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-23 18:03:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-23 15:22:37 142592 ----a-w- c:\windows\system32\drivers\OLD9.tmp

2010-02-23 15:22:37 142592 ----a-w- c:\windows\system32\drivers\aec.sys

2010-02-23 15:22:33 0 ----a-w- c:\windows\system32\drivers\kgpvxb.sys

2010-02-23 06:37:54 0 d-----w- c:\windows\system32\wbem\Repository

2010-02-23 06:26:44 0 d-----w- c:\docume~1\luigi\applic~1\Thinstall

2010-02-18 08:48:36 1282048 ----a-w- c:\windows\system32\O3GvSlh.dll

2010-02-16 21:19:42 0 d-----r- c:\docume~1\luigi\applic~1\Brother

2010-02-16 21:16:44 145 ----a-w- c:\windows\BRVIDEO.INI

2010-02-16 21:16:44 0 ----a-w- c:\windows\brmx2001.ini

2010-02-16 21:16:27 77824 ------w- c:\windows\system32\brlmw03a.dll

2010-02-16 21:16:27 114 ------w- c:\windows\system32\brlmw03a.ini

2010-02-16 21:16:26 9868 ----a-w- c:\windows\HL-2140.INI

2010-02-16 21:16:26 0 d-----w- c:\program files\Brownie

2010-02-16 21:16:09 426 ----a-w- c:\windows\BRWMARK.INI

2010-02-16 21:16:09 34 ----a-w- c:\windows\system32\BD2140.DAT

2010-02-16 21:14:23 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2010-02-16 21:14:23 176128 ------w- c:\windows\system32\BROSNMP.DLL

2010-02-16 21:14:22 24223 ----a-w- c:\windows\system32\BRLM03A.DLL

2010-02-16 21:14:22 196608 ------w- c:\windows\system32\Pdrvinst.dll

2010-02-16 21:14:22 0 d-----w- c:\program files\Brother

2010-02-16 21:13:14 224 ----a-w- c:\windows\Brownie.ini

2010-01-28 04:14:53 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys

2010-01-28 04:14:36 1024 ----a-w- C:\.rnd

==================== Find3M ====================

2010-01-25 02:44:20 100232 ----a-w- c:\documents and settings\luigi\DimdimSetup.exe

2007-08-17 02:24:16 3643424 --sh--w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 23:31:31.75 ===============

Some other observations/questions:

- I just noticed this line going through the DDS logfile so I deleted the file. Hopefully that at least gets rid of one thing:

--------------------------------------

StartupFolder: c:\documents and settings\luigi\start menu\programs\startup\esport2.exe

- What the frack are these??

--------------------------------------

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-3 110360]

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-7-9 37440]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-1-27 38976]

- And how do I get rid of this garbage? (noticed it in Attach.txt)

--------------------------------------------------------------------------------

LoudMo Contextual Ad Assistant

From reading about it on the 'net I think it also has changed my search preferences in either IE, FF, or Seamonkey as well. I tried uninstalling it in Control Panel but that doesn't work. Running the "uninstaller" from CCleaner behaves the same way (does nothing). From the DDS report above I suspect my IE startup and search pages have been changed to some kind of garbage, maybe related to this (bing.zugo.com)???? I rarely use IE but I would like to fix all that.

- I even noticed something called "Remote Desktop Connection" in Start Menu under Accessories which shouldn't be there. Maybe this is the standard one from Microsoft? Which I deleted years ago? Or is this malware related? It is associated with %systemroot%\system32\mstsc.exe. I have no desire to ever let anyone remotely control my PC. This was just put there by one of the viruses. Either it is enabling the std one or it is its own foul thing.

- I've attached my Malwarebytes logs, runs at various times today in SAFE mode, supposedly things being clean but then after booting normally, seeing weirdness, going back to SAFE mode, it finds more. I also wonder if somehow whatever it is that is going on has even entrenched itself into another program, thus if I run something like Spybot it inadvertently gives birth to a bug again?? I'm grasping at straws.

- I've attached my AVAST log from today as well. I was going to try running Norman Malware cleaner as well but AVAST thinks the version I just downloaded is the "Win32:Goblin" trojan (false positive?).

Guess that about wraps it up. Appreciate any help I can get. Luckily I have multiple machines so I am keeping the infected one disconnected from the 'net for now and using this machine to post this. THANKS.

Attach.zip

mbam_log_2010_02_23__21_51_19_.txt

mbam_log_2010_02_23__20_26_29_.txt

mbam_log_2010_02_23__13_39_45_.txt

AVAST_Warning.txt

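A small triage script for DDS logs like the one above, added here as an example; it is not part of the original post and not code from the DDS tool or Malwarebytes. The heuristics it applies (processes running out of a TEMP directory, any AppInit_DLLs entry, add-on DLLs sitting in system32 or with random-looking names, start/search pages on hosts outside a small assumed allow list) and the sample log, which is constructed from lines quoted in the post, are assumptions chosen for illustration.

```python
"""Triage helper for DDS-style logs (added example, not DDS or Malwarebytes code).

Splits a DDS log into its "===== Section =====" blocks and flags the kinds of
lines a forum helper reads first. The heuristics are illustrative assumptions.
"""
import re

# Constructed sample built from lines quoted in the post above.
# DDS writes "hxxp" instead of "http" so that pasted logs are not clickable.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
e:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\TEMP\setupv.exe
G:\TEMP\ldm1.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://bing.zugo.com/?cfg=2-80-0-r4My
uSearch Page = hxxp://www.google.com
BHO: gwprimawega: {69e26dcf-60b3-f075-facc-288ac43d12c4} - c:\windows\system32\O3GvSlh.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
StartupFolder: c:\documents and settings\luigi\start menu\programs\startup\esport2.exe
AppInit_DLLs: nunupofa.dll
============= FINISH: 23:31:31.75 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# File stem with at least one digit, one lower- and one upper-case letter ("O3GvSlh").
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]+$")
# IE start/search page lines: "uStart Page = hxxp://host/...", "mSearchAssistant = ...".
PAGE_RE = re.compile(r"^[um](?:Start Page|Search[^=]*?)\s*=\s*hxxp://([^/\s]+)")
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "www.yahoo.com"}  # assumed allow list


def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def temp_processes(process_lines):
    """Image paths that have a TEMP or TMP directory component."""
    hits = []
    for entry in process_lines:
        image = entry.split(" -")[0]          # drop arguments such as "-k netsvcs"
        parts = image.lower().split("\\")
        if any(part in ("temp", "tmp") for part in parts[:-1]):
            hits.append(image)
    return hits


def hjt_findings(hjt_lines):
    """(category, detail) pairs for Pseudo-HJT lines worth a second look."""
    findings = []
    for line in hjt_lines:
        if line.startswith(("AppInit_DLLs:", "StartupFolder:")):
            key, value = line.split(":", 1)   # always reported for review
            findings.append((key, value.strip()))
        elif line.startswith(("BHO:", "TB:")):
            path = line.rsplit(" - ", 1)[-1]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in path.lower() or RANDOM_STEM_RE.match(stem):
                findings.append(("browser add-on", path))
        else:
            m = PAGE_RE.match(line)
            if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
                findings.append(("hijacked page", m.group(1)))
    return findings


def triage(log_text):
    """Run both checks over a full DDS log and return the findings."""
    sections = split_sections(log_text)
    return {
        "temp_processes": temp_processes(sections.get("Running Processes", [])),
        "hjt": hjt_findings(sections.get("Pseudo HJT Report", [])),
    }
```

Run `triage(SAMPLE_LOG)` to see the four flagged entries; the Java BHO and the Google search page pass through untouched.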

Hello , and welcome to Malwarebytes forums!

Well, we have quite some bad stuff here, so let's try to get rid of it fast ;) Please do NOT remove any items unless instructed to do so. Many legit lines may look quite weird at first sight, but need to stay where they are.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:

  • Combofix.txt


Thanks for your help. I've helped others with infected PCs before but never ran into anything like this (an actual rootkit!!!). Didn't know about this combofix thing....

Have disabled Avast realtime scanner & turned off the windows firewall as per above and ran Combofix.

Am getting the logfile over to this PC for posting it.

Nosing around afterwards, Combofix appears to have created a C:\Qoobox directory with various things inside there. Has a subdir there called "Quarantine" with a few things there so maybe it fixed something (I'm not sure, I need to read up on this). The "catchme.log" file in there has no info in it but the ComboFix-quarantined-files.txt does!

G:\TEMP no longer has the crazy "setupv.exe" and "ldm1.exe" files in there so perhaps they were part of what Combofix got rid of. I don't see any runaway unknown processes in Task Manager but there are still some I don't recognize (could be valid but I'm not sure). Neither of those two are in there now. I have not rebooted the PC to see if they come back.

Also, I've done some research and one of the things I was suspicious of earlier appears to be a valid driver/file. For example "pssnap.sys" is related to my Macrium Reflect image backup software.

Let me know how I should proceed next. Maybe there is something else I need to do with Combofix? If not I'm guessing that I need to run Malwarebytes again, probably in safe mode, also Spybot....then try to figure out stuff like fixing my search engines, removing crappy plugins in Firefox I didn't install (I saw something in one of the logs last night that made me suspicious that my browser settings have been changed).

Thanks again for your help.

ComboFix.txt

ComboFix_quarantined_files.txt


I think that PC is (almost) back to normal - correct me if I am wrong though!

I ran Malwarebytes again, as well as Spybot, in Safe mode, and this time nothing comes up even after going to regular bootup first then back to safemode. No more exes in TEMP getting created by themselves and consuming the CPU.

I will do some more scans tomorrow, using other tools as well.

Am nosing around, checking out programs, making sure things work, putting settings back to normal if anything changed etc...

Thanks for your help.


Hello ,

Combofix indeed creates some additional folders. As soon as I confirm that the computer is indeed clean, we will uninstall it and those folders will disappear.

UPDATE JAVA

------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Did you run MBAM in safe mode? If so, please re-run a quick scan in normal mode.


Thanks again for the help.

I think the PC is clean now, here's what I did further last night/today b4 reading your response.

- Installed something called "Superantispyware", and ran it in SAFE mode. It found 3 registry keys left over from the previous bugs (AdwareHBHelper, BrowserHijacker, RootkitAgent/Gen4DW4R3) that it deleted but it found no infected files.

- I was able to finally uninstall the LoudMo Contextual Ad Assistant crap thing via control panel.

- I was able to remove some kind of Addon toolbar that installed itself into Firefox, plus get rid of a "bing" default search agent and set it back to Google.

- I updated Avast (my usual anti-virus) and had it scan several drives; it found "Other:Malware-gen" in a Java temp file which it deleted.

- I changed all the firewall, windoze updates, browser settings, all kinds of stuff like that, back to what they used to be (I can't remember everything and have not even gone through all my other software yet to verify anything else weird didn't get set. I need to look at various Windoze services, group policies, things like that, as one of the bugs did disable System Restore through a "group policy" registry entry so maybe something else like that is also affected that I don't know about).

- I ran CCleaner again and cleared out a bunch of temp files/registry keys/etc etc etc.

I then saw your note and did this:

- Updated Malwarebytes again and did a QuickScan in Normal Startup mode. Nothing found.

- Then I did a more complete scan with MBAM of my drives for my opsys, program files, the temp drive, some data drives I had referenced. It found sign of something in one of the restore points I had created while still fighting the bugs so I turned off SystemRestore to delete all the restore points and made a new one (actually several new ones as I've done a bunch of other things during the day).

- I tried to uninstall the 3 references I had to Java in my control panel but only one of them actually had a "Remove" button. Only the one called Java6 update15 would uninstall. The other 2, Java6 update 2, and JRE SE 1.42_15 had no options to do anything with in control panel. So I went to CCleaner and found I was able to use its "Tool" to give me access to an "Uninstall" option for both of those, and I successfully uninstalled them.

- I then downloaded/installed/configured the latest JRE as per your excellent instructions.

Then I switched gears and worked on my clean PC (the one I am typing this on), getting it up to snuff in some of these areas as well, installing the Recovery Console in case anything ever strikes me there, updating MBAM and scanning (all clean), updating Java, bunch of things like that.

I think I need to catch my breath now after the last 3-4 days....

I greatly appreciate your help. If you have any other followup cleanup advice, or other things I should look at on the formerly sick patient (who seems to be fully recovered now), I'm all ears!

Actually I do have a question - I remember there was a step I did not understand in getting my original logs up here, something about an application that turned off "CD Emulation drives" which I had never even heard of. I don't even know what CD Emulation drives are and never used them afaik but I did do that step; is there something I need to reverse concerning that? Or was that just something that was done prior to that part of generating the logs and doesn't persist after all the reboots/other things that I've been doing?

Thanks again.


Hello, good to hear things are running fine now :)

About the CD emulation drivers, the tool you were asked to run was most likely Defogger. This tool looks for running CD emulation drivers and disables them. If it doesn't find them, it does nothing.

CD emulation software is software that allows an image file (for example a .iso file) to be loaded as a virtual CD. When such a program is running (for example Daemon Tools), an additional DVD drive shows up on the computer.

The problem is that such programs interfere with a few of our tools (like GMER) and make it look like there is a rootkit detected. This is the reason why the CD emulation software has to be disabled.

Once again, no worries if you don't have it installed :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Thanks a lot Elise.

I see I have a double post above - I can't delete the extra one so if you or an admin want to do that please go ahead.

Bugwise things look ok now. Am still slowly going through everything and reversing other changes this crap did. For instance, one of the bugs seems to have installed Adobe Flash!! Blech. Either that or it came from one of the cleaning tools. I purposely do not have that installed because I hate all the crappy ads on so many websites that assault you with via FLASH. I use Seamonkey as my primary browser, sans flash, and surfing is so much quieter without FLASH. If there is a site I need access to that uses flash (eg: youtube) then I use a different browser like Firefox where I have it enabled, and controlled.....

Anyway, thanks again, this topic can be locked.

