Am I Clean?

Status
Not open for further replies.

Newby

Dear All
I was recently infected by spyware/malware which caused unwanted pop-ups, system alerts and red exclamation marks on my task bar. I have followed steps 1-15 from the Viruses/Spyware/Malware preliminary removal instructions and think it's gone! No more pop-ups or alerts, and now that I have manually removed the shortcuts from my favorites the system seems clean :)
HJT log attached, please advise.
Also, is there any further protection I should take to prevent other problems?

Thanks
Dan
 
Regarding the following entry in your HJT log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

Did you set this proxy yourself or do you know what it is? Also, do you get your Internet from orange.co.uk? Please answer these questions in your next reply.

Please do the following.

Navigate to www.virustotal.com.

Click the Choose... button.

Navigate to the following file.

C:\WINDOWS\msole.dll

Click Open, then click Send File.

Please post the results here, as well as fresh HJT, ComboFix, and AVG Anti-Spyware logs (as per the preliminary removal instructions) as attachments into this thread.

Regards :)

This thread is for the use of Newby only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Regular Computer Maintenance

I advise my customers to perform regular computer maintenance. How often depends on how much you use the Internet and what kind of activities you engage in. For typical users, I'd say every 40 to 60 hours of Internet use. For those who engage in high-risk activities such as peer-to-peer filesharing (e.g. Limewire, Kazaa, Ares, ...) or visiting illicit web sites (gambling, pornography, psychic, ...), about every 10 hours.

Here are my 10 steps for regular computer maintenance:

  1. Backup any important new files
  2. Flush Internet caches (Internet Options)
  3. Run anti-rootkit scan (AVG Anti-Rootkit)
  4. Run anti-virus scan
  5. Run anti-spyware scans (Ad-Aware 2007, Spybot Search & Destroy, AVG Anti-Spyware)
  6. Empty recycling bin
  7. Restart computer
  8. Download/install any new Windows updates
  9. Create system restore point
  10. Defrag internal harddisk drive
 
Thanks for the reply

Hi kitty500cat
In answer to your query I don't know what the proxy is, sorry!
Have attached the result of the VirusTotal scan (copied & pasted into a text doc, hope that's okay), new HJT log and ComboFix log. Sorry for the delay; ComboFix won't run unless I turn off Prevx 2, as it seems to conflict. Last AVG Anti-Spyware log was clean (that's why I didn't attach it previously).
Thanks a lot for the assistance:)
 
No attachment

Just saw the VirusTotal log did not attach; see below:

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.13 no virus found
AntiVir 7.4.0.39 2007.07.13 no virus found
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 Win32:Rozbonbon
AVG 7.5.0.476 2007.07.13 no virus found
BitDefender 7.2 2007.07.13 Generic.Downloader.NXM.5C8D1752
CAT-QuickHeal 9.00 2007.07.13 no virus found
ClamAV devel-20070416 2007.07.13 no virus found
DrWeb 4.33 2007.07.13 Trojan.DownLoader.25864
eSafe 7.0.15.0 2007.07.10 no virus found
eTrust-Vet 30.8.3783 2007.07.13 no virus found
Ewido 4.0 2007.07.13 no virus found
FileAdvisor 1 2007.07.14 no virus found
Fortinet 2.91.0.0 2007.07.13 no virus found
F-Prot 4.3.2.48 2007.07.13 no virus found
Ikarus T3.1.1.8 2007.07.13 Trojan.Win32.Agent.aka
Kaspersky 4.0.2.24 2007.07.14 no virus found
McAfee 5074 2007.07.13 no virus found
Microsoft 1.2704 2007.07.12 no virus found
NOD32v2 2397 2007.07.13 no virus found
Norman 5.80.02 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.13 Generic Malware
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 no virus found
Symantec 10 2007.07.14 no virus found
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.13 Trojan.DownLoader.25864
VirusBuster 4.3.23:9 2007.07.13 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Win32.UPXpacked.gen!94 (suspicious)
Additional information
File size: 53760 bytes
MD5: 9a2872902d00b52ca4ecaddfd1bbbd4b
 
Run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;localhost

Close all browser windows, including this one.

Click the Fix Checked button in HJT. Once it's done fixing, close HJT.

Please reopen the browser window and follow the rest of these instructions.

Navigate to the file C:\WINDOWS\msole.dll (if there). Rename it to msole.dll.bak

Follow the instructions for VirusTotal again, except scan the following files instead:

C:\WINDOWS\system32\VchReg.dll
C:\WINDOWS\ua2.dll

Please post the results here.

Regards :)

This thread is for the use of Newby only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thank You

Hi Again
Sorry for the delay; these different time zones make it hard to communicate (I'm in the UK).
Ran HijackThis and checked the boxes as recommended. Found C:\WINDOWS\msole.dll (but it had the prefix msole.dll.vir) and changed it to msole.dll.bak.
Used VirusTotal, logs attached, both were clean.
Did you want another HJT log?
Thanks again for your help!
Dan
 
Now No DVD/CD ROM

Hello Again
System seems to be running fine; the only problem now is the computer doesn't seem to see the DVD/CD-ROM!
In Device Manager the properties for the two drives I have (Pioneer DVD-WR DVR-108 & IDE DVD-ROM 16x) have the following message in the device status: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)"
I have tried uninstalling and reinstalling, but no joy, can you help?

Thanks Again!
 
Log attached, hopefully for the last time.
I wasn't sure if the corrections made might have influenced the drivers?
Will post thread in appropriate forum.
Really appreciate all your support.
Dan
 
Also have HJT fix this inactive entry:

O21 - SSODL: msole - {B84C6E99-0933-463B-A2FB-1AD892FF143D} - C:\WINDOWS\msole.dll (file missing)

I believe your system is clean now.

Please also do the following.

Delete all files in AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

Turn off system restore (XP/ME only). See how HERE
This will remove all your old system restore points and any malware hiding in them.

After that turn system restore back on.
This will create a new, clean restore point for your system.

Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article. This can help to prevent future infections.

Should you have further virus/spyware problems, please post in this thread.

Regards :)

This thread is for the use of Newby only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
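A small triage script for the two kinds of HJT entries discussed in this thread: the R1 ProxyServer entry the helper asked about earlier and the orphaned O21 SSODL entry fixed above. It is an added example, not part of the thread or of HijackThis itself; it assumes the entry formats shown in the thread, and the set of trusted proxy domain suffixes (normally your own ISP's domain) is a caller-supplied parameter.

```python
import re

# HJT lines copied from this thread: the R1 proxy entries and the orphaned O21 SSODL entry.
HJT_LINES = [
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = "
    "http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080",
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = "
    "127.0.0.1;<local>;localhost",
    "O21 - SSODL: msole - {B84C6E99-0933-463B-A2FB-1AD892FF143D} - C:\\WINDOWS\\msole.dll (file missing)",
]

R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>\w+) = (?P<data>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_proxy_server(data):
    """Map a ProxyServer value to {protocol: 'host:port'}.
    Windows stores either a bare 'host:port' (every protocol; kept under '*')
    or 'proto=host:port;proto=host:port' as in the thread's entry."""
    proxies = {}
    for part in filter(None, data.split(";")):
        proto, sep, target = part.partition("=")
        if not sep:
            proto, target = "*", part
        if "://" in target:  # the thread's entry embeds a scheme; keep only host:port
            target = target.split("://", 1)[1]
        proxies[proto] = target.rstrip("/")
    return proxies


def triage(lines, trusted_proxy_suffixes=()):
    """Flag entries a reviewer should question.
    A proxy host outside the caller's trusted suffixes (e.g. the ISP's domain) is
    reported because a hostile proxy sees and can alter all browsing; an O21 SSODL
    entry whose DLL is missing is an orphan left by removal and is safe to fix."""
    findings = []
    for line in lines:
        m = R1_RE.match(line)
        if m and m["value"] == "ProxyServer":
            for proto, target in parse_proxy_server(m["data"]).items():
                host = target.rsplit(":", 1)[0]
                if not host.endswith(tuple(trusted_proxy_suffixes)):
                    findings.append(("proxy-unexpected", proto, host))
            continue
        m = O21_RE.match(line)
        if m and m["missing"]:
            findings.append(("ssodl-orphan", m["name"], m["path"]))
    return findings
```

With an empty trusted list both proxy hosts are reported, which is the question the helper put to the user; passing `("freeserve.com",)` leaves only the orphaned SSODL entry.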
 
Have Removed Recommended File

Hi kitty500cat
Have removed the recommended file, new log attached.
I did turn off system restore previously, then turned it back on...
Will follow your recommendation and also read the article.
Can't thank you enough, you are a star! :)
Fingers crossed I can get my drives back now!
Newby (Dan)
 
HJT log looks good.

As for the optical drives, have you tried visiting Windows Update (http://update.microsoft.com/)? That might detect the driver problem and offer a new driver for download.

If that doesn't work, go to start->run, and type in devmgmt.msc. Press Enter.

See if the drives are listed there at all.

Regards :)
 
All Good!!

Dear Kitty500cat & all at Techspot
System now back to normal, no more spyware and my drives are working again!!
I ended up following some advice from Microsoft; had to remove the upper & lower registry filters and hey presto, after a restart the drives reappeared.

Just wanted to say thanks to anyone who assisted me, especially Kitty500cat.

Best wishes
Dan
 
You're welcome. I'm glad to know it worked out for you.

If you have any further virus/spyware problems, please post in this thread.

Regards :)
 