neoanderson, posted October 31, 2010 (ID:337394)

Hello,

My PC running Windows XP Pro SP3 has been infected off and on this last year, but most recently on September 30th. That is the datestamp on the file C:\Windows\System32\dlo8CE.dll. However, I believe this file is part of a complex of changes made to my system by some unknown, unnamed virus or viruses.

To the user, the virus messes with Outlook.exe and explorer.exe. Google searches get redirected. System services like Windows Audio, Windows Time, Shell Hardware Detection, and several others get stopped. Logging out is always a pain because every process has to be killed manually.

I found the file dlo8CE.dll on my computer when I ran CCleaner and it found this file with an associated registry key. I tried to clean it with CCleaner, and it thought it was successful, only to find it again after reboot. I tried deleting the file and the key myself but was prohibited. I googled the filename and got only 3 hits, at prevx.com, where they list malware that is missed by Symantec products:
http://www.prevx.com/avgraph/3_1/Symantec.html

So at least one security product out there recognizes this file as malware. However, I have the free evaluation version of Prevx on my computer. Currently it does not pick up this file, but it does pick up three other security threats:
1. serial.sys in c:\windows\system32\drivers\
2. \REGISTRY\Machine\system\ControlSet004\Services\Serial
3. \REGISTRY\Machine\system\CurrentControlSet\Services\Serial

MBAM does not find any infection. The log is included below. I also tried HiJackThis and MBAM FileAssassin to delete the file but they couldn't.

So I logged into this forum and followed the instructions:

1. After the MBAM scan I installed Symantec Endpoint. Even though it wasn't likely to find the virus, it is the antivirus package that I have a license for through my University (I'm a student). Symantec actually found and quarantined a different virus, nrgpack.dll. But it did not find dlo8CE.dll. In fact, the virus disabled Symantec by overwriting this registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp. Instead of the correct path it put "-". I found an entry on the Symantec website where a Vundo virus did a similar thing:
http://www.symantec.com/connect/forums/sep...c-event-manager
However, the solution on that web site didn't work for me! I tried replacing the registry key and rebooting, but it always reverted to "-".

2. I ran Defogger and then DDS.scr successfully; the log is included at the end of this message.

3. I downloaded GMER and tried running it in Windows Safe Mode, but the PC kept rebooting before the scan could complete! I have attached the zip file with the "ark.txt" and "attach.txt" files, where the "ark.txt" file was obtained by stopping the GMER scan before the PC could reboot and saving what it found. Sometimes it would run for minutes, other times not even 10 seconds before rebooting.

Please help! Thanks.

P.S. FYI, I also have Bsecure Internet Protection services running.

Here's the MBAM log:
======================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5005

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/31/2010 2:17:16 PM
mbam-log-2010-10-31 (14-17-16).txt

Scan type: Quick scan
Objects scanned: 179794
Time elapsed: 16 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
======================================

Here's the DDS.txt:
======================================
DDS (Ver_10-10-21.02) - NTFSx86 NETWORK
Run by Administrator at 13:31:18.62 on Sun 10/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1017 [GMT 1:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\InetCntrl\Maint\ControlCenter.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Apps\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://my.juno.com/s/search?r=minisearch
mSearch Page = hxxp://my.juno.com/s/search?r=minisearch
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://login.usfamily.net/cgi-bin/home.cgi
mSearchAssistant = hxxp://my.juno.com/s/search?r=minisearch
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\juno\qsacc\X1IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {ff24517b-ffd2-4002-8834-7d6f280c9224} - c:\windows\system32\dlo8ce.dll
TB: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [inetCntrl] c:\windows\system32\inetcntrl\InetCntrl.exe
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [DropBoxUtility] "c:\program files\dropbox\dropbox\DropBox.exe" /s
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] -
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: InetCntrl0014.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www.costcophotocenter.com/CostcoOutlookImport.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20b15f5449824a8d9b06/netzip/RdxIE601.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096847556109
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178209334687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://www.imgag.com/cp/install/Crusher.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} - hxxp://www.zoomify.com/download/zoomify214.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno5\bin\jmsgpph.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 khuykkkj;khuykkkj;c:\windows\system32\drivers\khuykkkj.sys [2004-3-19 23424]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-10-8 32008]
R1 bsofrwl;bsofrwl;c:\windows\system32\drivers\bsofrwl.sys [2010-6-10 29024]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-24 108392]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-10-8 26096]
S0 ejmhfgwgfcjpw;ejmhfgwgfcjpw;c:\windows\system32\drivers\dmfqefxjum.sys [2010-10-18 44544]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-10-8 76440]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-10-8 6415608]
S2 epijwgxy;IPv6 Windows Firewall Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-3-19 14336]
S2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-24 1822296]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-31 102448]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-9 38224]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101030.003\NAVENG.SYS [2010-10-31 86064]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101030.003\NAVEX15.SYS [2010-10-31 1371184]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]

=============== Created Last 30 ================

2010-10-31 00:46:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-31 00:46:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-30 15:15:07 1409 ----a-w- c:\windows\QTFont.for
2010-10-18 13:15:09 44544 ----a-w- c:\windows\system32\drivers\dmfqefxjum.sys
2010-10-14 08:11:43 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-10-08 06:18:51 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-10-08 06:18:51 71880 ----a-w- c:\windows\system32\PxSecure.dll
2010-10-08 06:18:51 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-10-08 06:18:50 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-10-08 06:18:50 -------- d-----w- c:\program files\Prevx
2010-10-08 06:18:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI

==================== Find3M ====================

2010-09-30 07:58:14 729600 ----a-w- c:\windows\system32\dlo8CE.dll
2010-08-24 06:47:18 89600 ----a-w- c:\windows\system32\atl71.dll
2010-08-24 06:47:18 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-24 06:47:18 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-24 06:47:18 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-08-24 06:47:18 107848 ----a-w- c:\windows\system32\SymVPN.dll
2004-10-01 21:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 13:33:14.34 ===============
======================================

Attachment: Attach.zip
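As an added example (not from the forum, the poster, or the DDS/Malwarebytes tools), here is a small Python triage script that reads DDS-style "Pseudo HJT Report" and "SERVICES / DRIVERS" lines and flags the patterns this thread turns on: a Run value reduced to "-" (the silenced ccApp launcher), a BHO registered with no name, a service whose file is missing ("- --> -"), and, as a heuristic of my own, a driver service whose name does not match its .sys file name. The sample log inside is constructed from the shape of the entries above.

```python
"""Triage checks for DDS-style log lines (added example, not from the forum
or from the DDS/MBAM tools). It flags the patterns this thread turns on:
a Run entry whose command is just "-" (the ccApp launcher the poster could
not restore), a BHO registered with an empty name, a service whose file is
missing ("- --> -"), and a driver service whose name does not match its
.sys file name (a heuristic, not a rule from any vendor)."""
import re
from typing import Dict, List

# Constructed sample: a few lines in the shape DDS prints them, modelled on
# the kinds of entries in the report above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {ff24517b-ffd2-4002-8834-7d6f280c9224} - c:\windows\system32\dlo8ce.dll
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] -
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-10-8 32008]
S0 ejmhfgwgfcjpw;ejmhfgwgfcjpw;c:\windows\system32\drivers\dmfqefxjum.sys [2010-10-18 44544]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
"""

# "BHO: <name>: {<clsid>} - <path>"; the name may be empty.
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "uRun/mRun/dRunOnce: [<value name>] <command line>"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "<R|S><n> <service>;<display name>;<image path> [<date> <size>]"
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[[^\]]*\])?$"
)


def _file_stem(path: str) -> str:
    """'c:\\x\\drivers\\foo.sys' -> 'foo' (lower-cased)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            # Legitimate BHOs carry a descriptive name; an empty one is
            # worth a look, especially with a random-looking DLL name.
            if not m.group("name").strip():
                findings.append({"check": "bho-unnamed",
                                 "item": m.group("clsid"),
                                 "detail": m.group("path")})
            continue
        m = RUN_RE.match(line)
        if m:
            # A Run value of "-" launches nothing: the AV tray app has
            # been silenced rather than uninstalled.
            if m.group("cmd").strip() == "-":
                findings.append({"check": "run-blanked",
                                 "item": m.group("name"),
                                 "detail": line})
            continue
        m = SVC_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path.strip() == "- --> -":
                findings.append({"check": "service-missing-file",
                                 "item": name,
                                 "detail": m.group("display")})
            elif "\\drivers\\" in path.lower() and _file_stem(path) != name.lower():
                # Heuristic: drivers are normally registered under their
                # own file name; a mismatch is a common rootkit pattern.
                findings.append({"check": "driver-name-mismatch",
                                 "item": name,
                                 "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['check']:<22} {f['item']}  ({f['detail']})")
```

Run it against a full DDS.txt by passing the file contents to triage(); it only reads text, so it is safe to use on a log copied from an infected machine.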
kahdah, posted November 2, 2010 (ID:338544)

Hello neoanderson

Welcome to Malwarebytes.

=====================

Download OTL to your desktop.
Double click on OTL to run it.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.
Double-click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check Drivers, Stealth Code, Files, and Code Hooks.
Uncheck the rest, then click OK.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
Wait till the scanner has finished, then go File > Save Report.
Save the report somewhere you can find it, typically your desktop. Click Close.
Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is ok, just ignore it.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
neoanderson (author), posted November 6, 2010 (ID:340358)

Testing my ability to post replies; so far the web site has crapped out on me. I think it's because the reports are so long that pasting them inline creates problems, so now I'm trying to post my reply with the reports as attachments instead.

Attachments: UnhookerReport.txt, OTL.Txt, Extras.Txt
kahdah, posted November 6, 2010 (ID:340463)

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========

Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
LDTate, posted November 13, 2010 (ID:344399)

Topic re-opened by request of neoanderson
kahdah, posted November 15, 2010 (ID:345601)

Hi neoanderson, can you post the 2 requested logs please.
neoanderson (author), posted November 15, 2010 (ID:345639)

Surely, here they are.

Thanks for the help,
-"NA"

Attachments: TDSSKiller.2.4.7.0_15.11.2010_07.11.07_log.txt, ComboFix.txt
kahdah, posted November 15, 2010 (ID:345743)

You are welcome

Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.
Double click the Malwarebytes Anti-Malware icon to run the application.
Click on the Update tab, then click on Check for updates.
If an update is found, it will download and install the latest version.
Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Check the next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
Copy and paste that log as a reply to this topic
neoanderson (author), posted November 16, 2010 (ID:346144)

Here are the requested outputs. It looks like ESET found viruses that were already quarantined by other AV applications, and one application that I suspect was not a virus.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5124

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/16/2010 10:56:17 AM
mbam-log-2010-11-16 (10-56-17).txt

Scan type: Quick scan
Objects scanned: 183184
Time elapsed: 15 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=========================================================

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dfc93be0f086c245b0d14017e53b34ab
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-10 04:28:57
# local_time=2010-07-10 06:28:57 (+0100, W. Europe Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 112125 112125 0 0
# compatibility_mode=3585 16777189 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 841 841 0 0
# scanned=119852
# found=40
# cleaned=40
# scan_time=5989
C:\Apps\WxBugManUpgrade605.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196045.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196072.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196074.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196075.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196076.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196077.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196078.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196079.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196080.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196081.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196082.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196083.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196084.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196085.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196086.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196087.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196088.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196089.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196090.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196091.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196092.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196276.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196277.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196278.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196279.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196292.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196383.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196481.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196482.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196484.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\SYSTEM32\rstwa.bak1 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\SYSTEM32\rstwa.bak2
Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\_OTM\MovedFiles\07092010_012157\C_WINDOWS\system32\sshnas21.dll Win32/TrojanDownloader.FakeAlert.ARF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C# version=7# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)# OnlineScanner.ocx=1.0.0.6211# api_version=3.0.2# EOSSerial=dfc93be0f086c245b0d14017e53b34ab# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=true# utc_time=2010-11-16 12:10:04# local_time=2010-11-16 01:10:04 (+0100, W. Europe Standard Time)# country="United States"# lang=9# osver=5.1.2600 NT Service Pack 3# compatibility_mode=512 16777215 100 0 11241728 11241728 0 0# compatibility_mode=3585 16777173 100 0 0 0 0 0# compatibility_mode=8192 67108863 100 0 11130444 11130444 0 0# scanned=126191# found=2# cleaned=2# scan_time=6451C:\Documents and Settings\Administrator\Application Data\SafeReturner\Quarantine\bxngggs.dll.vir a variant of Win32/Boaxxe.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Documents and Settings\Phil\Application Data\SafeReturner\Quarantine\bxngggs.dll.vir a variant of Win32/Boaxxe.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C Link to post Share on other sites More sharing options...
kahdah Posted November 16, 2010 ID:346151
Which one do you suspect is not a virus?
neoanderson Posted November 16, 2010 Author ID:346170
Which one do you suspect is not a virus?

The "WxBugManUpdate605.exe" - not a big loss in any case. I wasn't using it. It was an old old version of WeatherBug (weatherbug.com).
kahdah Posted November 16, 2010 ID:346333
Actually, since it was an older version, it did contain adware.
Either way, let me know how things are running. Open OTL once more and click on Run Scan at the top and post the log that opens.
Also let me know of any remaining issues.
neoanderson Posted November 20, 2010 Author ID:348152
Actually, since it was an older version, it did contain adware. Either way, let me know how things are running. Open OTL once more and click on Run Scan at the top and post the log that opens. Also let me know of any remaining issues.

Here is the log. The PC has finally come back to normal, more or less, which is good. No known issues at this time.
Thanks again,
NA
OTL.Txt
kahdah Posted November 20, 2010 ID:348313
You are welcome.

Please uninstall this version of Adobe Reader > Adobe Reader 8.2.3
You can get the newest version from here > http://get.adobe.com/reader/

=======Cleanup=======
Click START then RUN.
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

======Next======
Double click on OTL to run it.
Click on the Cleanup button at the top.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
This will remove itself and other tools we may have used.

===============Update Java===============
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
Scroll down to where it says "(JRE)" then click on it.
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================
Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us
If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is left over.
After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.
"How did I get infected in the first place?" - Also this one by Tony Klein.
If your computer is slow - A tutorial on what you can do if your computer is slow.
File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, emule, uTorrent etc...

===Free antimalware tools used for on demand scanning and cleaning, no real time unless purchased===
Malwarebytes Antimalware
superantispyware

===Free antivirus links===
This is antivirus and antispyware. Microsoft Security Essentials
This is free antispyware protection and Antivirus protection. AVG free
This is just antivirus protection. Antivir
This is antivirus and antispyware protection. Avast
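The Java step above asks the user to go through Add/Remove Programs until every old JRE or J2SE entry is gone. As an added check (not part of the thread or of any tool the helpers used), the following PowerShell snippet lists the Java entries still registered in the standard Add/Remove Programs registry keys, so you can confirm nothing old is left before installing the new version. It assumes PowerShell is available on the machine (it is a separate install on Windows XP) and reads only the two well-known Uninstall keys; the 64-bit Wow6432Node key is checked only if it exists.

```powershell
# Added example: list Java Runtime Environment entries still registered in
# Add/Remove Programs. Run in PowerShell as an administrator on the affected PC.
# Registry paths are the standard Windows Uninstall keys (assumed present).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Only present on 64-bit Windows; skipped on 32-bit XP
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            # Match the names Add/Remove Programs shows for Sun Java installs
            Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

if ($javaEntries) {
    Write-Host "Java components still registered (remove these before installing the new JRE):"
    $javaEntries | Format-Table -AutoSize
} else {
    Write-Host "No Java Runtime Environment entries found in Add/Remove Programs."
}
```

The UninstallString column shows the command Add/Remove Programs runs for each entry, which is handy when an old version no longer appears in the Control Panel list but is still registered. Run the snippet again after the reboot; it should report no entries before you install jre-6u22-windows-i586.exe, and exactly one afterwards.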
LDTate Posted November 22, 2010 ID:349293
Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.