wil post in the am (if its done LOL)
still going
wil post in the am (if its done LOL)
Finally
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-11-10 10:32:08
PROTECTIONS: 1
MALWARE: 31
SUSPECTS: 6
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Antivirus Corporate Edition 10.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No i:\documents and settings\gero\favorites\insurance
00055522 Eicar.Mod Virus No 0 No No C:\RECYCLER\S-1-5-21-854245398-2111687655-725345543-1004\Dd6\By.the.Numbers.Publications.Active.Directory.By.the.Numbers.Windows.Server.2003.eBook-LiB.chm[/9224final/LiB0056.html]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@mediaplex[2].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@yadro[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@apmebf[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@www.burstbeacon[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@zedo[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@bluestreak[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@ads.addynamix[2].txt
01185375 Application/Psexec.A HackTools No 0 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP8\A0001662.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000118.EXE
01606636 Cookie/Adserver TrackingCookie No 0 Yes No I:\Documents and Settings\Gero\Cookies\gero@adserver.easyad[1].txt
02170952 Generic Malware Virus/Trojan No 0 No No C:\Misc_Files\Windows Software\Smac 1.1\SMAC.CAB[SMAC.exe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP8\A0001646.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000103.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Misc_Files\Windows Software\CYBERsitter\setup\setup2k.exe
03841591 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\_OTMoveIt\MovedFiles\11082008_123031\documents and settings\Gero\bvxmg.exe
03863038 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B11A7DF2-B053-4417-A533-97FF37566133}\RP88\A0005113.exe
04012319 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP8\A0001655.sys
04012319 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\Qoobox\Quarantine\[4]-Submit_2008-11-09@16.46.zip[ndisio.sys]
04012319 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\Qoobox\Quarantine\I\WINDOWS\system32\drivers\ndisio.sys.vir
04012319 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP8\A0001639.sys
04012319 Trj/Downloader.MDW Virus/Trojan No 1 Yes No I:\_OTMoveIt\MovedFiles\11082008_123031\windows\system32\drivers\ndisio.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location OU
;===================================================================================================================================================================================
No C:\Misc_Files\Windows Software\Nvidia\NVidia DVD Decoder\en.exe OU
No C:\Misc_Files\Windows Software\Super DVD Ripper\ch.exe OU
No C:\Misc_Files\Windows Software\Super DVD Ripper\hs-sdr39.rar.exe] OU
No C:\Misc_Files\Windows Software\Super DVD Ripper\Super DVD Ripper v2.39+patch.rar[hs-sdr39.rar][ck\ch.exe]
No I:\Documents and Settings\Gero\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] OU
No I:\Program Files\Super DVD Ripper\Patch.exe OU
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description OU
;===================================================================================================================================================================================
;===================================================================================================================================================================================
OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
- Double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below. ( Make sure you include :Files )
Code::Files i:\documents and settings\gero\favorites\insurance
- Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt3
Congratulations your logs look clean
Let's see if I can help you keep it that way
First lets tidy up
- This will clear your System Volume Information restore points and remove all the infected files that were quarantined
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
You can also delete any logs we have produced, and empty your Recycle bin.
Enable Teatimer
- RIGHT click Link >>> HERE <<< Link and select "save as" and save it to your desktop
- Double click ResetTeaTimer.bat
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- check the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
- You can now delete ResetTeaTimer.bat
The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
- AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.- Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
- MalwareBytes Anti-malware <<< A New and effective program
- a-squared Free <<< A good "realtime" or "on demand" scanner
- superantispyware <<< A good "realtime" or "on demand" scanner
Prevention
- These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one- Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
- SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
- SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
- ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
- MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections
Internet Browsers
- Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialise and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
Cleaning Temporary Internet Files and Tracking Cookies
- Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program- ATF Cleaner
- Free and very simple to use
- CCleaner
- Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
I am so happy!
Thank you so much. I have done everything in your last list!! Please tell me how I can help support your efforts. I can not believe how invasive and persistent this malware was. There is no way I would have succeeded without your assistance! YAY!!!!!!!!!!!!!!!!
It's a pleasure to helpOriginally Posted by gerieg
You can help support the forum by considering a small donation
http://www.spybot.info/en/donate/index.html
Unfortunately, modern malware is becoming more invasive and harder to remove.
The days when you could just run a quick scan to remove infections are long gone.
The best way to help stop this happening again is by following the steps I outlined above.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Happy
I made a donation. Its the least I could do for all the time, effort, and expertise you extended.
On behalf of the Safer Networking team
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm).
A valid, working link to the closed topic is required.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Posting Permissions
