trying to get rid of what's left of KoobFace

[surfboarder]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 12, 2009 00:14:00
Records in database: 2163952
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
R:\

Scan statistics:
Files scanned: 60570
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:23:33

No malware has been detected. The scan area is clean.

The selected area was scanned.

----------------------------------------------------------------------------


DDS (Ver_09-03-16.01) - NTFSx86
Run by asmuthw at 18:47:14.82 on Mon 05/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.262 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
svchost.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Symantec\ClientVPN\logservice.exe
C:\Program Files\Symantec\ClientVPN\emroute.exe
C:\WINDOWS\system32\spmonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\Easy Button Manager\EasyBtnMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Symantec\ClientVPN\nsetup.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ssstars.scr
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\asmuthw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.stb.dot.gov/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [EasyButtonManager] c:\program files\samsung\easy button manager\EasyBtnMgr.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\symantec\clientvpn\nsetup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195060231517
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\asmuthw\applic~1\mozilla\firefox\profiles\1alkgjud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newyorktimes.com/
FF - plugin: c:\documents and settings\asmuthw\application data\mozilla\firefox\profiles\1alkgjud.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\asmuthw\application data\mozilla\firefox\profiles\1alkgjud.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-26 64160]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-11 160792]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2007-11-14 4300]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-14 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R2 Symantec Client VPN;Symantec Client VPN;vpnservices.exe --> vpnservices.exe [?]
R3 axtvpn;Symantec Client VPN Driver;c:\windows\system32\drivers\axtvpn.sys [2008-5-15 764592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-14 36608]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-14 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-14 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-14 170408]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-11 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-11 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-11 81288]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-11 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-11 1079176]

=============== Created Last 30 ================

2009-05-07 17:34 161,792 a------- c:\windows\SWREG.exe
2009-05-07 17:34 98,816 a------- c:\windows\sed.exe
2009-05-04 17:59 100 a--s---- c:\windows\system32\1152763595.dat
2009-04-14 18:13 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:13 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:13 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 18:13 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:13 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:13 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:13 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:13 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:13 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:12 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 18:12 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:12 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-30 22:41 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 18:48:03.14 ===============

[Blade81]

Hi

Is that McAfee license valid? Logs still say it's definitions are out of date.

[surfboarder]

I'll check, but it should be fine.

[Blade81]

Ok. Let me know the status. Shall give final instructions when it's made sure protection is up-to-date.

[surfboarder]

I think this is the answer...I've had the machine off-line during this little escapade, so it hasn't automatically updated the files - it should have updated last night.

[Blade81]

Ok. I assume it's working properly then


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

dds.scr file and related logs can be deleted too.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• hosts file:
  
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  
  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  
  2. Click the start button (at the lower left hand corner of your screen)
  3. Click run
  4. In the dialog box, type services.msc
  5. hit enter, then locate dns client
  6. Highlight it, then double-click it.
  7. On the dropdown box, change the setting from automatic to manual.
  8. Click ok
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
  If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

[surfboarder]

All done and dusted - Thanks again for your help (and I see from the other posts I'm not the only one).

Best Regards.

[Blade81]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.