Full Version: Google links redirects often to overclicks.cn
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
ToniF
Howdy,

MBAM has pulled my feet out of the fire plenty of times, so I got the full version. This time, it cannot seem to remove this nasty redirect thingy (virus?). I was really tempted to try to follow the instructions you gave to other users with similar problems, but since all your solutions state that they are computer-specific, I will be patient and wait for the experts' advice.

PS: I use Firefox, so I have no interest in upgrading or using IE.

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3

6/19/2009 8:20:11 PM
mbam-log-2009-06-19 (20-20-11).txt

Scan type: Quick Scan
Objects scanned: 92547
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the HiJackThis log (which I could NOT download from this computer and had to grab from a different comp and put on a USB drive - PS: No items were checked by HJT):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:29 PM, on 6/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\rtmservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\X1\X1FileMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\X1\X1Service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tonif\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] C:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: X1 System Tray.lnk = C:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mdsinc.com
O15 - Trusted Zone: *.windowsupdate.microsoft.com
O15 - Trusted Zone: *.moldev.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240765266718
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unioncity.moldev.com
O17 - HKLM\Software\..\Telephony: DomainName = unioncity.moldev.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unioncity.moldev.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = unioncity.moldev.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Remote Task Manager Service (RTM) - Unknown owner - C:\WINDOWS\System32\rtmservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 7579 bytes
miekiemoes
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
ToniF
Thanks. There is a small problem. This computer is an older corporate computer that I inherited when we upgraded our computers at my company. It has a password-protected version of Symantec Antivirus on it. No one seems to remember the password to get rid of the thing.

Can I still run ComboFix?

Toni

QUOTE (miekiemoes @ Jun 20 2009, 04:11 AM)
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
miekiemoes
Hi,

You need to disable Norton, not delete it.
If you don't know how, run Combofix from Windows Safe mode, but choose safe mode with network support (internet access), because Combofix needs internet connection to install the Recovery Console.
ToniF
Mieke,

unfortunately those options are 'locked' and password-protected (in other words, I cannot disable them). I really have been trying to get rid of it for months, hence the reason for my deleting comment. I guess that I will have to run this in Safe mode.

PS: In the meantime, I have been running BitDefender's online scan, and it detected a few nasties that MBAM did not (see attached file)
miekiemoes
Hi,

I suggest you use the Norton removal tool from Windows safe mode as well.
* To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this link.

Also read the next article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton: http://basconotw.mvps.org/SymRem.htm
ToniF
Mieke,

another hurdle. I am in Safe mode, start the Norton Removal Tool - which tells me I need to get rid of Norton AV through the Add/Remove Programs first! So I am back to square one in trying to get rid of it.

a) Can I try to run ComboFix with Norton AV running?
b) I need to find another way to disable Norton AV...

Toni
miekiemoes
Hi,
Since you can't modify anything in Norton, I recommend you delete Norton anyway because of that. The tool will normally get rid of it without using the Add/Remove option.
Or try this method: http://www.raymond.cc/blog/archives/2006/1...tivirus-client/
ToniF
Mieke,

that's the thing. The Removal Tool does not allow me to do anything unless I use the Add/Remove Programs first. It will simply not give me any option.

I will read through the link you posted.

Toni
miekiemoes
Yes, the link I posted should work.
ToniF
Mieke,

it did! Simple regedit change and voila, Norton AV Corporate Edition is a thing of the past, hallelujah!

PS:
It seems that after BitDefender's online scan was done cleaning the items I posted above, my system is back to normal. Now I will clearly be a very strong supporter of BitDefender and I must ask why the normally super-reliable MBAM did not detect those Trojans...=)?
miekiemoes
Hi,

Does the BitDefender online scan have a backup/quarantine option? Was there a BitDefender Online Scan folder created somewhere where the files it deleted are present? This is so I can have some samples to look at and add them to the detection in Malwarebytes as well. Without samples, we can't add detection.
If no backups are present, don't worry - I'll search for them somewhere else then.

By the way, please start HijackThis and check the following entries in it if still present:

O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com

Then click the fix checked button below.
ToniF
Mieke,

sorry, don't know if there were any backups. I will look.

Those items were still listed by HJT and I Fix Checked the items.

Thanks for your assistance,

Toni
miekiemoes
Can you do one little thing please so I can have an extra look? Maybe there are still inactive leftovers present, so I can analyse them instead.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.
ToniF
Mieke,

below is the DDS.txt file, but I did not get an Optional Scan option.


DDS (Ver_09-05-14.01) - NTFSx86
Run by ToniF at 6:22:42.76 on Sat 06/20/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.630 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\rtmservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\X1\X1FileMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\X1\X1Service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Installers\bitdefender_antivirus.exe
C:\DOCUME~1\tonif\LOCALS~1\Temp\IXP001.TMP\setup.exe
C:\Documents and Settings\tonif\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ShoreTel Personal Call Manager] c:\program files\shoreline communications\shoreware client\StartCli.exe
uRun: [X1FileMonitor.exe] c:\program files\x1\X1FileMonitor.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [pdfFactory Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\3\fppdis1.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\tonif\locals~1\temp\ixp001.tmp\"
StartupFolder: c:\docume~1\tonif\startm~1\programs\startup\x1syst~1.lnk - c:\program files\x1\X1Systray.exe
StartupFolder: c:\docume~1\tonif\startm~1\programs\startup\x1.lnk - c:\program files\x1\X1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: mdsinc.com
Trusted Zone: microsoft.com \*.windowsupdate
Trusted Zone: moldev.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240765266718
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213}
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tonif\applic~1\mozilla\firefox\profiles\u1wx072v.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R0 trm3x5;trm3x5;c:\windows\system32\drivers\trm3x5.sys [2007-5-10 22016]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-25 195856]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-6-12 102400]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-25 19096]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-4-25 11520]
S3 axmd;Axon MiniDigi loader service;c:\windows\system32\drivers\axmd.sys [2005-9-7 72592]
S3 axusbio;Axon MiniDigi driver service;c:\windows\system32\drivers\axusbio.sys [2005-9-7 19645]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2005-8-29 6016]

=============== Created Last 30 ================

2009-06-13 20:10 <DIR> --d----- c:\program files\iPod
2009-06-13 20:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-13 20:09 <DIR> --d----- c:\program files\Bonjour
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 19:44 618,798 a------- c:\windows\system32\rn.tmp
2009-04-26 11:27 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 6:24:18.04 ===============
ToniF
Sorry, missed the Attach.txt bit, will be up shortly.
ToniF
Here is Attach.txt
miekiemoes
Hi,

Did you set these policies?

QUOTE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)


This is because normally Malwarebytes should detect these and restore them to the default settings, unless you ignored these in Malwarebytes because you have set them yourself.

The rest of your log looks ok.
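Two things in this thread are worth checking mechanically when reading a HijackThis or DDS log: O1 hosts-file lines that point a hostname at an address other than the local machine (the antivirsystem.com entries miekiemoes asked to have fixed earlier), and policy lines such as DisableTaskMgr that lock the user out of their own tools. The script below is an added example and is not code from the thread, from HijackThis or from DDS; its sample lines are constructed in the shapes those logs use, and the short list of policies it treats as restrictive is an assumption chosen for the example.

```python
"""Triage a HijackThis / DDS-style log for hosts-file redirects and restrictive policies.

Added example; not part of the forum thread, HijackThis or DDS.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Line shapes as they appear in the logs posted in the thread:
#   O1 - Hosts: 94.232.248.66 antivirsystem.com
#   dPolicies-system: DisableTaskMgr = 1 (0x1)
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^([a-z]Policies-[A-Za-z]+):\s+(\w+)\s*=\s*(\d+)")

# Policies that lock the user out of their own tools when set to 1.
# Assumption: this list is chosen for the example, not taken from any tool's logic.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}

# Constructed sample log: a few lines in the same shapes as the thread's logs.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 0 (0x0)
"""


def is_local_address(addr: str) -> bool:
    """True for loopback or unspecified addresses, the only ones a stock hosts file uses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts_entries(log_text: str) -> List[Tuple[str, str]]:
    """Extract (ip, hostname) pairs from every 'O1 - Hosts:' line."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_suspicious_hosts(log_text: str) -> List[Tuple[str, str]]:
    """Flag hosts entries that send a hostname anywhere other than the local machine.

    An entry like '94.232.248.66 antivirsystem.com' silently redirects that site
    to an external server. Legitimate intranet entries exist too, so treat a hit
    as something to look at, not as a verdict.
    """
    return [(ip, host) for ip, host in parse_hosts_entries(log_text)
            if not is_local_address(ip)]


def find_restrictive_policies(log_text: str) -> List[Tuple[str, str]]:
    """Return (policy scope, policy name) for restrictive policies that are set to 1."""
    hits = []
    for line in log_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group(2) in RESTRICTIVE_POLICIES and int(m.group(3)) == 1:
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(log_text: str) -> Dict[str, list]:
    """Run both checks over one log and collect the findings."""
    return {
        "hosts_redirects": find_suspicious_hosts(log_text),
        "restrictive_policies": find_restrictive_policies(log_text),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category)
        for hit in hits:
            print("   ", *hit)
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; on the sample it reports the two antivirsystem.com redirects and the DisableTaskMgr policy, while the localhost lines and the policy set to 0 pass.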
ToniF
Mieke,

as I said, this is an old-ish (P4, 3 GHz) corporate computer, and I was not its original user. But I am the one who installed MBAM on it. I do not recall ever allowing any potential threats to go unnoticed. Something I need to worry about?

Toni
miekiemoes
Hi,

Those are no real threats, but policies set. For example your taskmanager disabled and no changes to active desktop etc.
But I just noticed in your log that it's a disabled policy so you should be OK here - nothing to worry about.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
ToniF
Mieke,

yes, I saw those topics earlier. But Happy Surfing unfortunately does involve some risks =) I am glad that there are guys like you out there with the dedication to stomp these out.

One last thing in case others are using Google to search for similar topics.

The site was actually overclick.cn, not overclicks.cn
Cookies could not be saved during the infection.
I have external mirrored HDs (mostly the Western Digital Mirror Edition 2 TB models) to save my downloads and I noticed that during the infection, some files and directories became invisible. Also, one the external HDs (the one being used for downloads) would become disconnected from the USB port for no apparent reason quite frequently.

Toni
miekiemoes
The disconnected USB ports aren't always a result of malware being present though - I have the same frequently as well.
Yes, it is possible that malware sets hidden files and folders back to hidden again in case you had revealed them previously. ComboFix and other tools actually do the same and hide the hidden files and folders again, since that's actually the default setting in Windows.
ToniF
Mieke,

but these were not hidden files. They were regular downloaded files and directories I created. To give you a specific example, during the infection, the size of one directory was 65 GB. After getting rid of the infection, it became >190 GB (what it should have been). About a third of the files simply disappeared.

But I am a risky surfer, so you'll probably need to help me out again in the future...
miekiemoes
Ah, now I understand.

QUOTE
But I am a risky surfer, so you'll probably need to help me out again in the future...
Well, I hope not and hope you'll be more careful from now on.
That's why it is important that you read my prevention page.
ToniF
Right on, I clearly get your point, but you don't have too much fun if you play it too safe (bungee-jumping? parachuting, etc.?)...

you can close the topic.
miekiemoes
I rather prefer to play it safe than have all my passwords and other personal info collected.

Anyway.. Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.