Resolved HJT Threads Resolved spyware and popup issues.
11-04-2009, 10:57 PM   #1
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Suspected Trojan / Spyware

Hi,

I've recently been having some suspicious and very annoying activity on my PC (I'm running Windows XP, sp3). I'm running winpatrol, which keeps alerting me about attempts to add a startup entry called "tufolili.dll,a." I also keep getting warnings from COMODO firewall about various files and registry entries, among them "tufolili.dll." I can get more suspicious file names if you need them, as they pop up periodically.

My computer is also running more slowly and I'm periodically getting pop-up windows with advertisements (ACAI-diet-related, from Amazon.com, for anti-virus software, etc. - I just got one while I was typing this from http://www.thefutoncritic.com/tvnews.html) that look like Firefox windows, although the icon for these windows in the taskbar appears to be a slightly off imitation of the Firefox icon.

I'm not attaching a gmer log because gmer keeps giving me error messages when I run a scan (along the lines of "gmer can't open file [or directory] X at the moment because it is being used by another process"). But I have DSS logs and a hijackthis log, if you need it.

Thanks,
Noah



DDS (Ver_09-10-26.01) - NTFSx86
Run by Noah1 at 23:43:17.95 on Wed 11/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.481 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Noah1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\conflict.1\lexbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\conflict.1\lexbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1072469450.dll
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1072469450.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\noah1\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [leyekakud] Rundll32.exe "c:\windows\system32\tufolili.dll",a
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "c:\program files\google\gmail notifier\gnotify.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\noah1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Note this (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19-1072469450.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19-1072469450.dll/gn_menu2.html
IE: Search &Dictionary - c:\program files\lexico\toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\lexico\toolbar\thesaurus.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176606719375
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://152.1.131.130/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://bardcam.colorado.edu/activex/AMC.cab
DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\tufolili.dll,zogadeli.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: wurarazop - {a36c5885-141e-4717-b918-a385cb253428} - No File
SSODL: sigisigus - {38b3602b-6dd8-4745-a53f-289054c2d7a4} - c:\windows\system32\tufolili.dll
STS: {a36c5885-141e-4717-b918-a385cb253428} - No File
STS: gahurihor: {38b3602b-6dd8-4745-a53f-289054c2d7a4} - c:\windows\system32\tufolili.dll
LSA: Notification Packages = scecli sasagasu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\noah1\applic~1\mozilla\firefox\profiles\jcriig4g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\noah1\application data\mozilla\firefox\profiles\jcriig4g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\noah1\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\noah1\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-3 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-23 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-23 108552]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2007-12-4 79096]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2007-12-4 23672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-23 297752]
S3 IndieVolume;IndieVolume Service;\??\c:\program files\indievolume\indievolume.sys --> c:\program files\indievolume\IndieVolume.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-17 908056]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-3 112592]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-3 358600]

=============== Created Last 30 ================

2009-11-04 01:37:12 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-04 01:37:11 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-04 01:37:11 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-04 01:37:11 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-04 01:37:11 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-04 01:37:11 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-04 01:37:11 131 ----a-w- c:\windows\IDB.zip
2009-11-04 01:37:11 1152470 ----a-w- c:\windows\UDB.zip
2009-11-04 01:28:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-04 01:28:50 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-04 01:26:53 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-04 01:26:53 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-04 01:26:53 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-04 01:26:53 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-04 01:26:30 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-04 01:26:30 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-04 01:26:16 0 d-----w- c:\program files\Spyware Doctor
2009-11-04 01:26:16 0 d-----w- c:\program files\common files\PC Tools
2009-11-04 01:26:16 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-04 00:48:31 380416 ----a-w- c:\windows\system32\winsc.exe
2009-11-04 00:48:30 51197 ----a-w- c:\windows\spoov.exe
2009-11-04 00:48:30 47872 ----a-w- c:\windows\certsystem.exe
2009-11-04 00:48:30 38352 ----a-w- c:\windows\regred.exe
2009-11-04 00:48:30 33149 ----a-w- c:\windows\usexplorer.exe
2009-11-04 00:48:30 28320 ----a-w- c:\windows\securits.com
2009-11-04 00:48:30 18941 ----a-w- c:\windows\microsoftdef.dll
2009-11-04 00:47:51 0 d-----w- c:\documents and settings\all users\Microsoft AData
2009-11-04 00:46:47 30724 ----a-w- c:\windows\system32\logon.exe

==================== Find3M ====================

2009-09-27 12:50:38 360580 ----a-w- c:\windows\eSellerateEngine.dll
2009-09-27 12:50:38 130 ---ha-w- c:\docume~1\noah1\applic~1\lakerda1967.sys
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-27 14:42:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 16:56:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-20 20:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-12 21:43:37 21424 ----a-w- c:\docume~1\noah1\applic~1\GDIPFONTCACHEV1.DAT
2004-07-02 17:19:02 40960 ----a-w- c:\windows\inf\wg311v2\imdinst.exe
2004-06-18 04:41:16 386688 ----a-w- c:\windows\inf\wg311v2\netwg311_XP.sys
2004-04-04 18:07:40 84912 ----a-w- c:\windows\inf\wg311v2\FwRad17.bin
2004-04-04 18:07:36 83320 ----a-w- c:\windows\inf\wg311v2\FwRad16.bin
2004-02-04 17:53:26 62865 ----a-w- c:\windows\inf\wg311v2\odysseyIM3.sys
2004-02-04 17:53:22 12739 ----a-w- c:\windows\inf\wg311v2\odNetInstall.dll
2009-08-04 00:51:04 91648 --sha-w- c:\windows\system32\tufolili.dll
2009-08-04 00:51:04 39424 --sha-w- c:\windows\system32\zoweduda.dll

============= FINISH: 23:44:21.67 ===============


Update:

AVG Anti-virus keeps giving me the following messages about the following files

C:\\WINDOWS\system32\tufolili.dll - Virus identified Win32/Cryptor - Process name: C:\\WINDOWS\system32\imapi.exe

C:\System Volume Information\_restore{B970A531-5DE64045-986D-CB9E1BCC3425}\RP667/A0357075.dll - Infection: Trojan horse SHeur2.BPTP - Process name: C:\\WINDOWS\system32\svchost.exe
Attached Files
File Type: txt DDS.txt (13.2 KB, 1 views)
File Type: txt Attach.txt (10.0 KB, 0 views)

Last edited by amateur; 11-05-2009 at 02:13 PM. Reason: to retain 0-reply status
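The DDS log above is what the analysts read to spot persistence: the same DLL shows up in a Run key (via Rundll32), in AppInit_DLLs, as a shell service object (SSODL) and a shell execute hook (STS), with an extra LSA notification package and system+hidden attributes on the dropped file. The following triage script is an added example, not part of the thread and not DDS's own logic; its sample lines are constructed from the posted log, and the rules it applies (non-empty AppInit_DLLs, LSA packages beyond scecli, Rundll32 autostarts, hidden+system files in system32, one DLL hooked at several autostart points) are the example author's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the DDS log posted above,
# not the full log. Paths and names are copied from that post.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [leyekakud] Rundll32.exe "c:\windows\system32\tufolili.dll",a
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
AppInit_DLLs: c:\windows\system32\tufolili.dll,zogadeli.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sigisigus - {38b3602b-6dd8-4745-a53f-289054c2d7a4} - c:\windows\system32\tufolili.dll
STS: gahurihor: {38b3602b-6dd8-4745-a53f-289054c2d7a4} - c:\windows\system32\tufolili.dll
LSA: Notification Packages = scecli sasagasu.dll
2009-08-04 00:51:04 91648 --sha-w- c:\windows\system32\tufolili.dll
2009-08-27 14:42:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"""

# A drive-letter path ending in .dll, as DDS prints it (a quote or comma ends it).
DLL_PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.dll', re.IGNORECASE)
# "Created Last 30" / "Find3M" lines: date time size attrs path
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (\S{8}) (.+)$")
# Assumption: a stock XP install lists only scecli here; anything else needs a look.
DEFAULT_LSA_PACKAGES = {"scecli"}


def basename(path):
    """Lower-cased file name without its directory (DDS paths use backslashes)."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def strip_dll(name):
    return name[:-4] if name.endswith(".dll") else name


def triage(text):
    """Return a list of (rule, detail) findings for the DDS lines in `text`."""
    findings = []
    dll_refs = defaultdict(set)  # dll basename -> autostart locations naming it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # system + hidden attributes on a file dropped into system32
            if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in path.lower():
                findings.append(("hidden_system_file", path.lower()))
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        if key == "AppInit_DLLs":
            # Every DLL listed here is loaded into each GUI process; empty on a clean box.
            for entry in rest.split(","):
                name = basename(entry)
                if name:
                    findings.append(("appinit_dll", name))
                    dll_refs[name].add(key)
        elif key == "LSA" and "Notification Packages" in rest:
            # Extra packages load into lsass.exe and are told about password changes.
            for pkg in rest.split("=", 1)[1].split():
                if strip_dll(basename(pkg)) not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa_extra_package", pkg))
        elif key in ("SSODL", "STS"):
            # Shell service objects / shell execute hooks: record which DLL they load.
            for path in DLL_PATH_RE.findall(rest):
                dll_refs[basename(path)].add(key)
        elif key in ("uRun", "mRun") and "rundll32" in rest.lower():
            # Run-key entries that start a DLL through Rundll32 rather than an .exe.
            for path in DLL_PATH_RE.findall(rest):
                name = basename(path)
                findings.append(("rundll32_autostart", name))
                dll_refs[name].add(key)
    # One DLL hooked at several autostart points is the strongest signal in this log.
    for name, locations in sorted(dll_refs.items()):
        if len(locations) >= 2:
            findings.append(("multi_location_dll", (name, sorted(locations))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:22} {detail}")
```

Run on the constructed sample, the only DLL flagged at multiple locations is tufolili.dll; the legitimate WPDShServiceObj.dll SSODL entry and the AVG driver file are left alone.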

11-06-2009, 02:34 PM   #2
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Hello and welcome to TSF.

I apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a fresh DDS log and a new GMER log as described in this topic. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don’t hear from you in three-five days this thread will be closed.

With Regards,
Extremeboy
11-07-2009, 01:42 AM   #3
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Latest update -

I have run 2 programs recommended by another website since I last posted: Malwarebytes' Anti-Malware and SUPER Anti-spyware.

I'm no longer getting persistent attempts to register tufolili.dll,a as a startup item. The pop-up windows have also stopped. And my computer seems to be running at a normal speed.

But AVG is still picking up an infection that it does not seem to be able to fix. It describes the infection as a virus called "Win32/Cryptor" and says that the infected file is C:\System Volume Information\_restore{B970A531-5DE6-4045-986D-CB9E1BCC3425}\RP669\A0360766.exe.

Thanks,
Noah
Attached Files
File Type: zip Attach.zip (5.8 KB, 1 views)
File Type: txt DDS.txt (12.5 KB, 1 views)
11-07-2009, 12:11 PM   #4
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Thanks for those logs and the update.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
11-08-2009, 12:21 AM   #5
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Please find my combofix log attached.

Thanks,
Noah
Attached Files
File Type: txt Combofix.txt (18.7 KB, 3 views)
11-08-2009, 09:11 AM   #6
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Hello.

What AVG detected is a system restore point. We can deal with that problem later once we are done and flush the system restore points.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
    1. c:\documents and settings\Noah1\Application Data\lakerda1967.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
11-08-2009, 03:45 PM   #7
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Hi again,

Virus Total Online Scanner found no malware.

I also ran MBAM, which found 2 infected files - the logfile is below.

The computer seems to be running fine now.

Thanks again for your help.

Best,
Noah



Malwarebytes' Anti-Malware 1.41
Database version: 3106
Windows 5.1.2600 Service Pack 3

11/8/2009 4:43:03 PM
mbam-log-2009-11-08 (16-43-03).txt

Scan type: Quick Scan
Objects scanned: 99683
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
11-08-2009, 03:47 PM   #8
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Oops - forgot the DDS files. They're attached here.

-Noah
Attached Files
File Type: txt Attach.txt (13.2 KB, 1 views)
File Type: txt DDS.txt (13.2 KB, 1 views)
11-08-2009, 06:10 PM   #9
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

I see an AVG7 startup key which we will remove near the end. It's not malicious though, but it's a leftover.

Let's update Java and run an online scan.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

Thanks.

With Regards,
Extremeboy
11-09-2009, 11:51 AM   #10
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Hi again,

I updated Java runtime environment (to version 6, update 17) and ran the ESET online scan - it found no threats, and so left behind no log.

I've attached the new DDS logs.

Thanks again,
Noah
Attached Files
File Type: txt DDS.txt (13.2 KB, 2 views)
File Type: txt Attach.txt (13.4 KB, 1 views)
11-09-2009, 02:39 PM   #11
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Hello.

That looks good.

Let's remove that AVG7 run key.

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the Paste Fix Here area. Do not include the word "Code".
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"=-
    :commands
    [EmptyTemp]
  4. Click the large MoveIt button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

If it's removed then we can wrap up next post. Looks good. :)

~Extremeboy
11-09-2009, 03:09 PM   #12
Registered User
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

I've run OTM and the results (from the log file) are below.

Best,
Noah


All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AVG7_CC deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2544895 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Noah Chafets
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 123903 bytes
->FireFox cache emptied: 67491619 bytes
->Apple Safari cache emptied: 185218 bytes

User: Noah1
File delete failed. C:\Documents and Settings\Noah1\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Noah1\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Noah1\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 4684500 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 239019 bytes
->FireFox cache emptied: 48039069 bytes
->Google Chrome cache emptied: 285628140 bytes
->Apple Safari cache emptied: 1535732 bytes

User: Noah2
->Temp folder emptied: 34486 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 13786231 bytes
->FireFox cache emptied: 95355591 bytes
->Apple Safari cache emptied: 153692 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\00CD55D6EE5A457098758A306628C032.TMP folder deleted successfully.
%systemroot% .tmp files removed: 3358710 bytes
%systemroot%\System32 .tmp files removed: 3874833 bytes
Windows Temp folder emptied: 66756 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 502.79 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11092009_160213
Old 11-10-2009, 03:28 PM   #13 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Okay. That's fine. It should have been deleted successfully, as reported.

Let's wrap up then. :)

Let's cleanup our mess and remove the tools we have used.

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in this thread (PC running slow...?)



Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods that the updates plug, and which are only still open because people have not updated.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:


Glad I was able to help and thank you for choosing TechSupportForum as your malware removal source.
Don't forget to tell your friends about us and Good luck


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy
Old 11-10-2009, 03:33 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: xp sp3


Re: Suspected Trojan / Spyware

Many thanks, Extremeboy!

Best,
Noah
Old 11-10-2009, 06:14 PM   #15 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

No problem.

Glad we could help out.

Take care and stay clean!

~Extremeboy
Old 11-10-2009, 06:17 PM   #16 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Suspected Trojan / Spyware

Hello.

Since this issue appears resolved, this topic will now be archived.
If you need continued support, please begin a new thread, and provide a link to this topic if needed.

This applies only to the original topic starter.

Everyone else please begin a New Topic in the Virus/Trojan/Spyware Help by following the steps outlined over here

Good luck!

With Regards,
Extremeboy