Free Malware Removal Forum

[Sharagoz]

Hi
Are you still with us?
It's been a few days since your last reponse.

[Eddie]

Hi. Sorry about the delay. I'm absolutely still here and am glad you guys are too - especially because these last scans uncovered some infections. . . Here are the 3 logs you need:

1) MBAM log

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

2/11/2009 2:35:37 PM
mbam-log-2009-02-11 (14-35-37).txt

Scan type: Quick Scan
Objects scanned: 65758
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\extravideo\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

2) ESET log

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3846 (20090211)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8cf495a18ff0f040b82bed5507adf591
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2009-02-11 08:46:31
# local_time=2009-02-11 03:46:31 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=485102
# found=2
# scan_time=3917
C:\Qoobox\Quarantine\C\Windows\System32\msqpdxmewtfbso.dll.vir a variant of Win32/Kryptik.DJ trojan 1191374317DFC03F54123B95EAB870DE
C:\Qoobox\Quarantine\D\autorun.inf.vir INF/Autorun virus 00000000000000000000000000000000

3) New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:25 PM, on 2/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\AirPort\APAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\test\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 7070 bytes

[Sharagoz]

Hi
I'm dropping in real quick just to let you know that there's gonna be a delay before Im back with a response.
Im hoping I'll get back to you in about 24hr.

[Sharagoz]

especially because these last scans uncovered some infections

What MBAM detected was a couple of minor leftovers. The ESET detections were related to files already put in quarantine by ComboFix.

That means that your logs are now clean. Well done!
Unless you have discovered new problems its time to do the final steps.

Cleaning up after the removal procedures

• 1) Uninstall through Add/Remove Programs
  
  • Uninstall the below programs unless you want to keep some of them for future usage:
    CCleaner
    Malwarebytes' Anti-Malware
    ESET Online Scanner
    
• 2) Uninstall ComboFix
  • Press the windows key and the R key at the same time to open the Run dialog box
  • Copy the command below into it and press Enter
    

    Code: Select all

    combofix /u

• 3) Other deletions
  • You can delete the files and folders below
    DDS (on your desktop)
    
  • Delete any other logs that remain on your desktop.

You can now enable Windows Defender again, using similar steps as when you disabled it. See step 2 of this post

Taking measures to prevent your computer from being infected again

Now that your computer is free from malware you may want to know how you can prevent this from happening again.
Below I'm quoting a tutorial I've written which I post to everybody I help here at MWR.
It covers the key parts of the software side of computer security. What steps you take or dont take to increase your own computers security is of course up to you.
The tutorial will take a little while to get through, but I hope you find it to be worth your time.
If you have any questions beyond this, feel free to ask.



How to protect yourself from malware
Over the last few years there has been a dramatic increase in the number of infected computers online.
If everybody using the internet knew what Im about to go through, this number would be significantly reduced.
I dont have all the answers, and I cant go through every detail if the size of the tutorial is to be kept fairly short, but I'll do my best to explain the most important parts.



1) Keeping your operating system up to date (windows updates)
This is the most important security measure. With an unpatched operating system you will be defenseless even with top-notch security software.
Malware often exploit security holes in your operating system to install itself, and keeping your OS up to date at all times will make sure this risk is at a minimum.
Visit http://update.microsoft.com/ using Internet Explorer, and get all critical updates.
You may have to repeat the update procedure several times before you get all updates. Repeat it until there are no more critical updates showing as missing.
Also, I recommend you turn on automatic updates if you havent already.



2) Keeping applications up to date
Keeping your operating system up to date is critical, but its also important to keep your applications up to date.
If security holes are discovered in common applications that most people use, malware writers are sure to try and exploit them to install their malicious content.
Many applications have automatic updates. If you are asked about installing an update you should do so unless you got a good reason not to.
There are also several online sites that offer to scan your computer for outdated software.
One of them is provided by Secunia. This one is quick and easy to use, and will provide links to updates if outdated software is discovered.
I recommend you go there once in a while and make sure you got your software up to date.
Secunias Software Inspector is located here:
http://secunia.com/vulnerability_scanning/online/
Visit that page, click Start Scanner and the rest should be fairly easy to figure out.



3) Immunization software
This section covers security measures which doesn't do any realtime scanning. All they do is block sites that hosts malware, sites that advertises for malware, malicious ActiveX objects, malicious browser helpers, and cookies that have been identified as bad.
These protection measures have proven very effective against "internet related" threats and require virtually no computer resources.
I recommend you install all of the below, regardless of what real-time scanners you use (i.e anti-virus and such).
- MVP hosts

Blocks rougly 25k online domains that hosts or advertises malicious content.
Will significantly reduce the chance of getting in trouble by accidently visiting the wrong page.

• Download hosts.zip from here and save the file to your desktop
• Open hosts.zip and extract the file called HOSTS to the folder C:\windows\system32\drivers\etc
• Answer Yes if asked about overwriting an existing file
• Delete hosts.zip

Notes:
If you have previously added custom entries to your own hosts file, these will have to be re-added after the new hosts file is installed.
The MVP hosts file should be downloaded and re-installed every now and then to keep it up to date.
If you install MVP Hosts you should disable a service called "DNS client".
If you dont, your browser(s) will use 10-60 seconds longer to start than what you are used to.
Disabling this service will have no side-effects. Its purpose is to put domains in cache, but there is no noticeable increase in browsing speed.
To disable the "DNS Client" service, do the following:

• Press the windows key and the R key at the same time to open the run dialog box
• Type in services.msc and press Enter to open the control panel for services
• Right-click on "DNS client" and chose "Stop".
• After the service has stopped, right-click on it again, chose "Properties" and set "startup type" to "disabled, press "Apply" and "OK".


- Javacool Spywareblaster

Multi-purpose blocker of activeX objects, browser helpers and unwanted cookies.

• Download Spywareblaster from here and install it using default settings
• Launch Spywareblaster
• Click "manual updating" (automatic require a subscription)
• Click "updates"->"check for updates"
• When the updates are finished downloading, click "protection status" -> "enable all protection"

Note:
The last two steps should be repeated from time to time to keep the protection up to date.

- Spybot immunization

Multi-purpose blocker of domains, activeX objects, browsers helpers and unwanted cookies.

• Download Spybot from here
• When installing spybot, be sure to uncheck "Security center integration", "Separate secure shredder application" and "use system settings protection (teatimer)".
  These features have more cons than pros.
• Launch Spybot
• Click "update" -> "check for updates" and install all available updates.
• Click "Immunize" in the left menu and then "immunize" in the right-hand window to enable the protection. (this may take a couple of minutes to finish)

Note:
The last two steps should be repeated from time to time to keep the protection up to date.

After immunization you will start to notice that on some web sites advertisements are not displayed, instead it shows an icon indicating that an image couldnt be loaded or a small frame saying "the web page could not be displayed".
The reason for this is that the immunization is blocking the site that are hosting the ads because it has been found to advertise for malicious software.
If you try to enter a website that is being blocked, the browser will simply say "the web page could not be displayed".

4) Real-time protection
This section covers security measures that work in real time and scans computer activity as it is happening (anti-virus/anti-malware scans a file before it allows it to be opened, a firewall controls network traffic and blocks it unless you have allowed it to happen).
This requires a lot of system resources, so what we are looking for is applications with good detection rate, low resource usage, that dont cause problems for legitimate applications.
I have divided the real-timer scanners into sub-catergories and listed my recommendation for each catergory.

- Anti-virus

Anti-virus software are mainly ment to detect worms and files infected with viruses, but also have anti-spy/adware capabilities.
Here are three good, free alternatives (only free for non-comercial use).

• Avira AntiVir
• Alwil Avast
• AVG Anti-virus
  Here are two great professional (pay-for) alternatives:
• Avira AntiVir Premium
• ESET Nod32

Note:
Never have more than one Anti-virus application installed. Installing a second one is likely to cause conflicts between the two and apart from making your system unstable it will reduce your security rather than increase it.

- Anti-malware

These applications are ment to supplement your antivirus as they are aimed spesifically at detecting malicious programs.
This can be programs designed to display advertisements (adware), track your internet surfing (spyware), give other people control over your computer (backdoors) and the likes.
Unfortuntly, in the anti-malware department there arent any great free alternatives like there are in the anti-virus department.
If you want an anti-malware application worth using you'll need to purchase one. Here are three good alternatives:

• Malwarebytes' Anti-Malware
• SUPERAntiSpyware (can be tried for 14 days for free)
• A-squared Anti-Malware (can be tried for 30 days for free)

Note:
You can have more than one of these running at the same time, but I don't recommend it because it only gives a small increase in security while a big increase in usage of system resources.
These can also be run alongside a security suite.

- 3rd party Firewall

Modern operating systems and routers have firewalls built into them that control incoming traffic so the main reason you might want to install a 3rd party firewall is to control outgoing traffic.
Firewalls are different from other security software as it really is a tool you need to learn how to use, rather than an automatic security solution. An anti-virus application for instance you usually just install and then it runs in the background and only alerts you if something is wrong.
That is not the case with firewalls. It will alert you whenever something tries to connect to the internet, whether its good or bad, and then its up to you to allow or deny the request. So ultimately you are increasing the security yourself with the help of the firewall.
If you want to have top notch security you need a 3rd party firewall and the knowledge of how to use it. This will be your last line of defense should something bad get through your immunzation, and anti-virus/anti-malware protection.
It enables you to prevent a trojan downloader from downloading malware to your computer should you end up with one, or prevent malware from sending personal information after it has collected it.
However, firewalls can be difficult to use properly. When the firewall prompts you with "should xxx be allowed to connect to the internet?" you need to be able to decide whether xxx is good or bad. Most people who use a 3rd party firewall doesnt know how to do this, and click Yes every time, hence making it fairly useless to have a 3rd party firewall.
In my opinion, firewalls are for the ones who have an above average need/interest in computer security, but nevertheless it's needed to have top-notch security.
Here are three good, free alternatives if you desire to have one. They each have their own support forum that can help you learn how setup and use their firewall.

• Comodo
  (If you chose this one, be sure to uncheck the following alternatives during installation:
  "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
• PCTools Firewall
• Online Armor


- Winpatrol

This program is not strictly a security application, but gives you a lot more control over your computer.
Like a firewall it's a tool you need to learn how to use.
Basically it watches your system settings and alerts you if an application tries to change something. Then its up to you to accept or deny this change.
Its main purpose is to watch programs that add themselfs to auto-start, but it also watches file associations, activeX objects and Internet Explorer helpers.
Most programs do not need to be on auto-start, and the bad thing about auto-start is that it clogs down system resources.
With winpatrol you can easily detect and prevent when an unwanted auto-start entry is added, and this becomes an additional security layer because most malware will add itself to auto-start.
You can download winpatrol from here
And here's a link to a place where you can get more information on how to use it


If you managed to read through all of that you're probably asking "do I really need that much security software?".
That depends on what your computer is used for.
I'd say that everybody who uses a computer on the internet today really needs the following:
- Windows updates (having all windows updates is more important than any security software)
- The immunization software in step 3
- Anti-virus software
That's the minimum.
If you use your computer for financial transactions (online bank, web-shopping, etc) or have sensitive information stored on the computer, you should strongly consider buying an anti-malware application to supplement your anti-virus software. A 3rd party firewall should also be considered.
If you like to use your computer freely and install a lot of different programs, use file-sharing applications and surf all over the web you should also consider enhancing security as you'll be more at risk for infections.

5) Safe and sensible online practices
A book could be written on this subject, but here are some key points:
- Be carefull about what you download and which programs you install.
Dont blindly install every program that looks neat. If you're suspicious about a program, do a search online and see what others have to say about it before you install it.
Be especially cautious about programs ment to "boost" your computer in any way, or programs that claim to make your computer run better.
Any content given away for free are reason for suspicion.
- Be carefull about which links you click.
If somebody sends you a link you didnt expect, ask them about it before you click it.
Some infections are designed to send messages to everybody on a persons email/messenger contact list, and if one of your contacts are infected, you may recive such messages
- Be carefull about which email attachments you open.
Use the same caution with unexpected email attachments as with links.
- If a site looks shady, it probably is
Sites that host malicious content often look shady with all types of adds and offers. Just navigate away.

[Eddie]

Thank you for all of your help over the past couple weeks. Its difficult to understand the motivation for such senseless destruction. The web is a better place because of people like all of you. So thanks a million. Will this post be here for me to reference whenever necessary? If not, how do you recommend I preserve it?

[Sharagoz]

You're welcome

Yes, this thread will be here after it is closed, as it will be moved to the archive, not deleted.
So if you save/bookmark the link you should be able to access this thread whenever you want for the forseeable future.

[NonSuch]

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.