
Infected with something. Help, Please and Thanks.



My computer was infected with a trojan in January and I took it to a computer techie to fix it. But now when I select a link off my Favourites, I sometimes get directed to the 'your computer is infected' site. It has happened maybe 3-4 times since. I know there is something wrong, but the scans produced no results. I use ESET 3.0. Thank you so very much for your generous help.

I am not very good with computers so I hope I have followed the instructions correctly.

Here is the dds.txt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Sarah at 23:19:19.62 on 11/03/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.703.375 [GMT -8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

svchost.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sarah\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer

uStart Page = hxxp://ca.search.yahoo.com/web/advanced?ei=UTF-8&fr=yfp-t-501

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ssAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263694369483

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263694357776

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarah\applic~1\mozilla\firefox\profiles\xc93xfwc.default\

FF - prefs.js: browser.startup.homepage - hxxp://hk.yahoo.com/

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== Created Last 30 ================

2010-03-12 07:15:21 0 ----a-w- c:\documents and settings\sarah\defogger_reenable

2010-03-09 07:24:24 3245 ----a-w- c:\windows\system32\wbem\Outlook_01cabf598b4dae70.mof

2010-03-07 23:08:11 0 d-----w- c:\windows\system32\NtmsData

2010-02-22 05:59:29 398 ----a-w- c:\windows\NJCOM.INI

2010-02-22 05:59:23 0 d-----w- c:\docume~1\sarah\applic~1\NJStar

2010-02-22 05:59:05 0 d-----w- c:\program files\NJStar Communicator

==================== Find3M ====================

2010-01-17 06:39:48 390240 ----a-w- c:\windows\system32\mkdriver.dll

2010-01-17 06:39:48 292696 ----a-w- c:\windows\system32\XceedFtp.dll

2010-01-16 16:53:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 23:19:48.37 ===============

Malwarebytes log

Malwarebytes' Anti-Malware 1.44

Database version: 3857

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

11/03/2010 11:11:31 PM

mbam-log-2010-03-11 (23-11-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 141053

Time elapsed: 36 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Gmer log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-11 23:49:40

Windows 5.1.2600 Service Pack 3

Running: wu5x6g84.exe; Driver: C:\DOCUME~1\Sarah\LOCALS~1\Temp\kxtdapob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----

Please let me know what I should do next. Thanks again for all the help.

ark.zip

Attach.zip


Hi,

BitComet

The programs listed above are P2P file-sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any others, if present) P2P file-sharing programs.

But now when I select a link off my Favourites, I sometimes get directed to the 'your computer is infected' site.

Does this happen with some specific links?

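A check worth running at this point, given that the DDS, Malwarebytes and GMER logs above are clean but a favourite still lands on a different site: inspect the favourites themselves and the hosts file. Internet Explorer favourites are plain `.url` (InternetShortcut) files under the user's Favorites folder, so a rewritten `URL=` target or a hosts-file entry re-pointing the favourite's domain would reproduce exactly this symptom without any process, driver or registry run key for the scanners to flag. The script below is an added example and is not from the thread or from any tool the helper mentions; the favourite files and hosts file it audits are constructed inline, and the heuristics (bare-IP target, URL embedded in the query string, display name absent from the host, non-loopback hosts entry) are assumptions about what a tampered favourite tends to look like, not a signature of any specific malware.

```python
"""Audit IE favourites (.url files) and the hosts file for local causes of
'click a favourite, land somewhere else'.  Added example; sample data is
constructed, and the checks are heuristics, not detections for a known threat."""
import configparser
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample favourites: file name -> contents of the .url file.
# On a real machine these live in %USERPROFILE%\Favorites.
SAMPLE_FAVOURITES = {
    "Excite.url": "[InternetShortcut]\nURL=http://www.excite.com/\n",
    "My Bank.url": "[InternetShortcut]\nURL=http://203.0.113.7/login\n",
    "News.url": "[InternetShortcut]\nURL=http://redir.example.net/go?u=http://news.example.com/\n",
}

# Constructed sample hosts file (real one: %SystemRoot%\system32\drivers\etc\hosts).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
203.0.113.7 www.excite.com
"""


def parse_url_file(text):
    """Return the URL= target of an InternetShortcut file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # IE writes the key as 'URL'; keep the case
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def parse_hosts(text):
    """Map each hostname in a hosts file to the IP it resolves to."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def audit_favourite(file_name, target, hosts):
    """Return human-readable findings for one favourite (empty list = nothing odd)."""
    if target is None:
        return ["no URL= field"]
    findings = []
    u = urlparse(target)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        findings.append("non-web scheme %r" % u.scheme)
    try:
        ipaddress.ip_address(host)
        findings.append("target is a bare IP address %s" % host)
    except ValueError:
        pass  # a normal host name, as expected
    # A full URL inside the query string is the shape of an open-redirect hop.
    for values in parse_qs(u.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.append("query string embeds another URL")
            break
    # The display name ('Excite') normally appears somewhere in the host name.
    token = re.sub(r"[^a-z0-9]", "", file_name.rsplit(".", 1)[0].lower())
    if token and token not in host.replace(".", ""):
        findings.append("display name %r not found in host %r" % (token, host))
    # A hosts entry for the favourite's domain overrides DNS for that site.
    ip = hosts.get(host)
    if ip is not None and not ipaddress.ip_address(ip).is_loopback:
        findings.append("hosts file re-points %s to %s" % (host, ip))
    return findings


def audit_all(favourites, hosts_text):
    """Audit every favourite; returns {file name: [findings]}."""
    hosts = parse_hosts(hosts_text)
    return {name: audit_favourite(name, parse_url_file(body), hosts)
            for name, body in favourites.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FAVOURITES, SAMPLE_HOSTS).items():
        print(name, "->", "; ".join(findings) or "ok")
```

Run it against real data by reading each `*.url` file in the Favorites folder into the dictionary and the real hosts file into the string; a favourite with no findings can still be redirected server-side, which is the case the helper raises next (a compromised site rather than a compromised machine), so an empty result rules out only the local causes.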


How I got my first virus/trojan was when I selected the excite.com link off my favourites list: I was redirected to that 'your computer is infected' site. I tried to close it, but I guess I accidentally clicked inside the window. It set malware running/updating, and every antivirus thing stopped working. So I took it to the techie.

Now when I click another link (where I get my torrents) it sometimes redirects me to that site. I know the site where I get my torrents is safe. So should I install older P2P programs, or none at all? Any suggestions for a torrent-download program?


Hi,

My recommendation is not to use P2P software at all. It's possible that the torrent site in your favourites list has been exploited.

The logs themselves look OK, and that's why I asked for more information about the link.


Thanks for the quick response.

Hmm. Now that I think about it, it could be that site that's causing the problem. The reason I say that is that the last two occurrences happened with the same link. I guess I'll be careful with that site. Thanks.

Oh, one more question: which online scans would you recommend for a really good deep scan for viruses/malware?

So what should I do now? Uninstall the programs I've downloaded for the scans? How?


Hi,

Of the online scanners, I recommend either the ESET Online Scanner (remember to uncheck the Remove found threats option) or the Kaspersky Online Scanner.

So what should I do now? Uninstall the programs I've downloaded for the scans? How?

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if it does not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

That should remove the tools we used.


This topic is now closed to further replies.