Windefence32



Pinstripes
2010-05-18, 12:11
Hey everyone. I have been having a hell of a time trying to get this thing off my computer. Nothing I do seems to work. I found one old post about it on these forums. Spybot SD was not able to detect it. And RootAlyzer doesn't even load its scans for me. Malwarebytes is able to pick it up along with things that google tells me are associated with Windefence32, but removal is never permanent. Not sure what else I can say about it. Here's the DDS log. Thanks in advance for any assistance.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Mimi at 23:45:02.07 on Mon 05/17/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1339 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\CCleaner\CCleaner.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Mimi\Desktop\RootAlyzer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mimi\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~2\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files (x86)\daemon tools toolbar\DTToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [Aim] "c:\program files (x86)\aim\aim.exe" /d locale=en-US
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
uRun: [WinDefence32] c:\users\mimi\appdata\roaming\windefence\windefence32.exe
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [hpqSRMon] c:\program files (x86)\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [VMware hqtray] "c:\program files (x86)\vmware\vmware player\hqtray.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~2\spybot~1\SDHelper.dll
LSP: c:\program files (x86)\vmware\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - c:\program files (x86)\daemon tools toolbar\DTToolbar64.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

================= FIREFOX ===================

FF - ProfilePath - c:\users\mimi\appdata\roaming\mozilla\firefox\profiles\rsiic039.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 173984]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 40832]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-2 187392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-5-17 1153368]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrxusb.sys [2010-2-26 1021440]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2010-1-13 79360]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-27 1255736]

=============== Created Last 30 ================

2010-05-18 04:02:09 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-18 04:02:09 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-05-17 03:32:04 0 d-----w- c:\users\mimi\appdata\roaming\Malwarebytes
2010-05-17 03:31:58 0 d-----w- c:\programdata\Malwarebytes
2010-05-17 03:31:57 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 03:31:57 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-05-12 17:11:58 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 17:11:57 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-08 22:35:04 0 d-----w- C:\Python26
2010-05-08 22:07:40 0 d-----w- c:\users\mimi\.idlerc
2010-05-06 20:59:00 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-02 20:58:53 0 d-----w- C:\Fraps
2010-04-29 03:07:43 0 d-----w- c:\program files (x86)\DAEMON Tools Toolbar
2010-04-29 03:04:49 0 d-----w- c:\program files (x86)\DAEMON Tools Lite
2010-04-29 03:04:35 0 d-----w- c:\users\mimi\appdata\roaming\DAEMON Tools Lite
2010-04-29 03:04:33 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-04-29 02:02:59 1024 ----a-w- C:\.rnd
2010-04-29 02:02:52 730638 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
2010-04-29 02:02:40 0 d-----w- c:\program files (x86)\common files\VMware
2010-04-29 02:02:35 0 d-----w- c:\programdata\VMware
2010-04-29 02:02:28 0 d-----w- c:\program files (x86)\VMware
2010-04-29 00:45:56 0 d-----w- c:\program files (x86)\Datel
2010-04-28 14:31:26 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-04-28 14:31:26 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-04-28 14:31:26 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 14:31:26 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 14:31:26 12867072 ----a-w- c:\windows\syswow64\shell32.dll
2010-04-28 14:31:20 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-25 04:40:51 0 d-----w- c:\windows\pss
2010-04-22 23:23:18 23141 ----a-w- c:\windows\hpqins15.dat

==================== Find3M ====================

2032-01-01 10:14:40 54776 ----a-w- c:\windows\fonts\BLOCKED.TTF
2010-05-18 04:42:39 7903 ---ha-w- c:\users\mimi\appdata\roaming\logs.dat
2010-05-06 15:36:38 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-04-03 23:42:00 159336 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:42:00 14828648 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:42:00 116328 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:42:00 1067624 ----a-w- c:\windows\system32\nvsvc64.dll
2010-03-19 23:03:20 2770432 ----a-w- c:\windows\system32\python26.dll
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-03-03 01:17:42 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-03-03 01:17:42 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-03-03 01:17:42 145184 ----a-w- c:\windows\syswow64\java.exe
2010-03-03 01:17:41 411368 ----a-w- c:\windows\syswow64\deploytk.dll
2010-02-27 15:17:00 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 12:07:48 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-23 02:26:25 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-23 02:26:38 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:45:23.02 ===============

Just for clarification, here is what Malwarebytes has been picking up and deleting. These items always reappear:

Files Infected:
C:\Users\Mimi\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\MSN.abc (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Roaming\WinDefence\windefence32.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\SlyFly.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\SamFly.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Roaming\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

Oh, and this too:

HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windefence32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Sorry for so many posts. :sad:

Last edited by tashi (http://forums.spybot.info/posthistory.php?p=371420); Yesterday at 11:15 PM. Reason: Merged three posts ;-)
-------------------------------------
I see a lot of recommendations to run Kaspersky, so I went ahead and did that. It identified my problem as:

Net-Worm.Win32.Kolab.fca
------------------------------
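Added example, not from the thread or from the DDS tool: a Python script that reads lines in the DDS report layout above and flags what a helper looks at first, namely Run values that start a program from inside the user profile (the WinDefence32 entry), browser objects whose DLL is gone, hosts-file entries that point a site at localhost, and hidden files under AppData. The sample lines are constructed from the log above; the directory markers and severity labels are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample in DDS format, modelled on the log posted above; only
# enough lines to exercise each check, not the full report.
SAMPLE_DDS = r"""
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [WinDefence32] c:\users\mimi\appdata\roaming\windefence\windefence32.exe
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
2010-05-18 04:42:39 7903 ---ha-w- c:\users\mimi\appdata\roaming\logs.dat
2010-05-06 15:36:38 270208 ------w- c:\windows\system32\MpSigStub.exe
"""

# Directories a standard user can write to without elevation. An autorun entry
# or a hidden file here is not proof of malware, but user-mode persistence such
# as the WinDefence32 Run value lands exactly there. (Markers are my choice.)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\documents and settings\\")

RUN_RE = re.compile(r"^([um])Run(?:-x64)?: \[([^\]]+)\] (.*)$")
ORPHAN_RE = re.compile(r"^(?:BHO|EB|TB)(?:-X64)?: (.*) - No File$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ ([-a-z]{8}) (.+)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str      # machine-readable category
    path: str      # path, host name or CLSID the finding refers to
    note: str


def command_target(command: str) -> str:
    """Executable part of a Run value: a quoted path, or else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(dds_text: str) -> list[Finding]:
    """Walk a DDS report line by line and collect the entries worth a look."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, name, command = m.groups()
            target = command_target(command)
            if in_user_writable(target):
                findings.append(Finding(
                    "high", "autorun-in-profile", target,
                    f"{'HKCU' if hive == 'u' else 'HKLM'} Run value [{name}] "
                    "starts a binary from a user-writable directory"))
        elif m := ORPHAN_RE.match(line):
            findings.append(Finding(
                "info", "orphan-browser-object", m.group(1),
                "browser object still registered but its DLL is gone; "
                "typical leftover of an uninstall or an earlier cleanup"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip in ("127.0.0.1", "0.0.0.0", "::1") and host.lower() != "localhost":
                findings.append(Finding(
                    "medium", "hosts-override", host,
                    f"hosts file sends {host} to {ip}; review it, since malware "
                    "uses this to block security vendor and update sites"))
        elif m := FILE_RE.match(line):
            attrs, path = m.groups()
            # DDS attribute string: an 'h' means the hidden attribute is set.
            if "h" in attrs and in_user_writable(path):
                findings.append(Finding(
                    "medium", "hidden-file-in-profile", path,
                    f"hidden file ({attrs}) in a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.kind}: {f.path}\n    {f.note}")
```

Run it against a full DDS log by passing the file contents to triage(); entries from Program Files are left alone, so the Steam and MSSE lines in the sample produce nothing.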

shelf life
2010-05-22, 15:00
Running Windows 7 may limit what tools you can use. You can try DrWeb:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit icon to start the program.
* Press Start.
* Allow the program to run the initial express scan.
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop-up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours.)
* During this complete scan, if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note: If the file cannot be cured, Dr.Web will automatically delete the file.
* Once the scan is complete, on the menu bar, click File and choose Report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web CureIt.
* Please post the Dr.Web.txt report in your next reply.

Pinstripes
2010-05-23, 09:58
I have been trying all day to run the program you suggested, but it keeps freezing on a particularly large file I have on my computer. I have told it to ignore the folder the file is in, but complete scan seems to ignore any stipulations I have set up for not checking a folder. Is there something else I can try?

shelf life
2010-05-23, 15:06
There are some other online scanners you could try. Is that a 64-bit version of Windows you're running? You might try running Malwarebytes in safe mode. To reach safe mode you would tap the F8 key during a computer restart, then choose the first option from the list: Safe Mode. So Dr.Web is scanning the excluded folder anyway?

An online scanner:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

Pinstripes
2010-05-23, 22:05
Yes it's 64-bit. I spoke too soon on the Dr. Web. I left it running all night and it finally powered through that large file. However it hasn't gotten much farther since then. It seems to me to be moving absurdly slow, and if this is unusual I will switch to MalwareBytes in safe mode. Otherwise it looks like I won't have a log to post until very late tonight or probably tomorrow.

shelf life
2010-05-24, 02:54
OK, thanks for the info. A 64-bit machine rules out running ComboFix. Dr.Web could take a long time to finish. Hard to say how long; based on your HD size and CPU it could take several hours. You could also try it in safe mode if it seems to be getting nowhere.

Pinstripes
2010-05-24, 03:46
Dr.Web is definitely not doing anything but making my CPU drag. Just want a confirmation on trying Malwarebytes in safe mode and I'll go along with that.

shelf life
2010-05-24, 04:41
Yes, give Malwarebytes a shot in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option from the list: Safe Mode.

Pinstripes
2010-05-24, 09:05
Well this is frustrating. I ran the ESET scanner but I cannot find a log for it. Searching my computer for ESET brings up nothing, in fact. However I can tell you that the scan didn't find anything. My next post should be the safe mode MB log.

Pinstripes
2010-05-24, 09:08
Welp. Scratch that. Turns out I am just dumb. :D: However, this is all the log says:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

shelf life
2010-05-25, 01:03
Looks like we aren't making much progress. Let's try this, based on the Malwarebytes log. First you can create a reg file to use, then boot into safe mode. There are some files you will be looking for in safe mode that you might want to copy/paste into Notepad so you can read the list in safe mode.
Also check MBAM for any updates to run in safe mode.

To help show all files, view this link:
http://www.bleepingcomputer.com/tutorials/tutorial151.html

Next we will make a reg file to use:
First back up the registry:

Go to Start and type regedit in the search window. The Windows registry will open.
In the left-hand pane click on HKEY_CURRENT_USER, then on Software so it's highlighted. Now at the top go to File > Export. Name it bckup.reg and save it to your desktop.

Copy what's below in the code box into Notepad:



Windows Registry Editor Version 5.00

; A '-' in front of the key path deletes the whole key
[-HKEY_CURRENT_USER\SOFTWARE\SlysBitch]

; windefence32 is a value under Run, not a key: open Run and set the value to '-' to delete it
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windefence32"=-


At the top go to File > Save As and change 'Save as type' to All Files.
You can name it fixit.reg
and save it to your desktop.

Now right-click on the fixit.reg on your desktop, select Merge, and Yes if prompted.

Next:
Time to boot into safe mode and try to find some files to manually delete; we will use the MBAM list. Navigate to each of these and see if you can find and delete any of these .exe files:

C:\Users\Mimi\AppData\Local\Temp\xxxyyyzzz.dat
C:\Users\Mimi\AppData\Local\Temp\MSN.abc
C:\Users\Mimi\AppData\Roaming\WinDefence\windefence32.exe
C:\Users\Mimi\AppData\Local\Temp\SlyFly.exe
C:\Users\Mimi\AppData\Local\Temp\SamFly.exe
C:\Users\Mimi\AppData\Roaming\logs.dat
C:\Users\Mimi\AppData\Local\Temp\UuU.uUu
C:\Users\Mimi\AppData\Local\Temp\XxX.xXx
C:\Users\Mimi\AppData\Roaming\addons.dat

If you go to Start and type in the search window: %temp%
you may find them faster. Just get what you can.
Most likely, if there is something else 'protecting' them, they will be there on reboot. That seems to be why MBAM isn't removing them.
Try running MBAM in safe mode also, after or before the above.
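Added example, not shelf life's own tooling: a Python script that does the bookkeeping in the steps above from the Malwarebytes log, separating registry keys (deleted with a leading '-' on the key line) from registry values (deleted with "name"=- under the parent key, since windefence32 is a value under Run rather than a key), and grouping the files by folder for the safe-mode check. The log excerpt is constructed from the entries posted earlier in the thread; the Plan class and function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.46 log layout, using
# the entries posted earlier in the thread (not a complete log).
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windefence32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mimi\AppData\Roaming\WinDefence\windefence32.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\SlyFly.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
"""

# Detail-section headers end in a bare colon; the summary lines near the top
# ("Files Infected: 3") carry a count and are deliberately not matched.
SECTION_RE = re.compile(r"^(.+) Infected:$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> ")


@dataclass
class Plan:
    keys: list[str] = field(default_factory=list)                # whole keys to delete
    values: list[tuple[str, str]] = field(default_factory=list)  # (parent key, value name)
    files: list[str] = field(default_factory=list)               # files to look for by hand


def parse_mbam_log(text: str) -> Plan:
    """Collect registry keys, registry values and files from an MBAM log."""
    plan, section = Plan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue  # blank lines and "(No malicious items detected)"
        item = m.group(1)
        if section == "Registry Keys":
            plan.keys.append(item)
        elif section == "Registry Values":
            # MBAM prints a value as key\name; regedit needs them separated.
            key, _, name = item.rpartition("\\")
            plan.values.append((key, name))
        elif section == "Files":
            plan.files.append(item)
    return plan


def build_reg(plan: Plan) -> str:
    """Render the registry deletions in Regedit 5.00 format (CRLF line ends)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in plan.keys:
        lines += [f"[-{key}]", ""]                 # leading '-' deletes the whole key
    for key, name in plan.values:
        lines += [f"[{key}]", f'"{name}"=-', ""]   # '=-' deletes just this value
    return "\r\n".join(lines)


def file_checklist(plan: Plan) -> str:
    """Files to look for in safe mode, grouped by folder."""
    by_dir: dict[str, list[str]] = {}
    for path in plan.files:
        folder, _, name = path.rpartition("\\")
        by_dir.setdefault(folder, []).append(name)
    out = []
    for folder in sorted(by_dir):
        out.append(folder)
        out.extend(f"    {name}" for name in sorted(by_dir[folder]))
    return "\n".join(out)


if __name__ == "__main__":
    plan = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(build_reg(plan))
    print(file_checklist(plan))
```

Export the parent key (here HKEY_CURRENT_USER\Software) as a backup before merging the generated .reg, exactly as the steps above say.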

Pinstripes
2010-05-25, 21:51
I ran MalwareBytes in Safe Mode and it found and deleted the same things. I ran it again after rebooting and it found nothing. My question now is, how do I know for sure that I've gotten everything? Oh, and here's the log of the initial safe mode scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4108

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

5/25/2010 1:02:35 PM
mbam-log-2010-05-25 (13-02-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 313090
Time elapsed: 30 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mimi\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\MSN.abc (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

shelf life
2010-05-26, 01:25
how do I know for sure that I've gotten everything?

MBAM is an excellent malware remover. Have you noticed anything before that is not there now? What tipped you off that you had malware? Most malware usually produces signs; did you notice any, and are they gone now?
You could try an online scan (a different one than ESET) or another malware scanner like SUPERAntiSpyware; not sure about 64-bit support for it.

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Uses Internet Explorer only.

Click on the "Start scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet.
"Accept" the License Agreement, then click "Full system scan".
Once the download of files completes, the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send (use a fake e-mail)
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Pinstripes
2010-05-27, 08:09
The problem is that I didn't experience any symptoms. The worm was on my aunt's computer and I networked to it without realizing it was infected. It never really affected my performance much but it was a real performance-killer on the source computer.

I will try one of your suggested scanners.

Pinstripes
2010-05-28, 01:56
I ran F-Secure and all it found was a couple tracking cookies. So I guess I'm clean?

2 malware found
TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 93469
* System: 6119
* Not scanned: 445

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

shelf life
2010-05-28, 02:44
Well, that looks encouraging.
There is one more tool you can run: the MS Malicious Software Removal Tool. It is actually downloaded via Windows Update automatically. It's updated monthly(?) and runs once after downloading, in the background. I don't think it would alert you unless it found something on your machine. It only targets and removes certain malware.
You can invoke it by typing mrt in the Run window on the Start menu. I think it's all good on your machine; the mrt was an afterthought really, up to you if you want to run it.

http://www.microsoft.com/security/malwareremove/default.aspx