Solved Facebook virus/malware? sed.exe fdsv.exe grep.exe

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 04, 2010 22:48:32
Records in database: 3914064
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
L:\

Scan statistics:
Objects scanned: 273657
Threats found: 13
Infected objects found: 13
Suspicious objects found: 1
Scan duration: 04:51:38


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: not-a-virus:RemoteAdmin.Win32.RA.3826 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: not-a-virus:Server-FTP.Win32.Serv-U.4100 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: Backdoor.Win32.Iroffer.1220 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: HackTool.Win32.Clearlog.c 1
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar Infected: Trojan-Downloader.Win32.Small.bwy 1
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar Infected: Trojan-Downloader.Win32.Adload.cw 1
H:\Old Installs\mirc614.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
H:\Program Files\HLSW\update.exe Infected: Trojan-Dropper.Win32.Small.cjq 1
H:\Program Files\Image Converter and Editor\icae.dll Infected: Trojan.Win32.BHO.adww 1
H:\Program Files\xchat\xchat.exe Suspicious: Type_Win32 1
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Bagle.g 2
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Sober.p 1

Selected area has been scanned.

HLSW is a well-known server browser: http://www.hlsw.org/
xchat is an IRC client
mirc.exe is, well... mIRC
That Fraps file a friend sent me years ago; could it be infected?
 

Attachment: hijackthis.log (10.7 KB)
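A way to triage a report like the one above mechanically, as an added example that is not part of the original post or of Kaspersky's tooling. It parses the detection lines (copied from the report above), separates real signature hits from `not-a-virus:` hits (riskware: legitimate but abusable tools such as the IRC clients, and the Serv-U and remote-admin components packed inside the Fraps archive) and from heuristic `Suspicious:` hits, and gives one verdict per file. The mailbox heuristic (an extension-less file under a Thunderbird profile is an mbox store, so the flagged messages should be deleted rather than the whole file) is an assumption of this example, as is the verdict vocabulary.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Detection lines copied from the Kaspersky Online Scanner report in the post above.
REPORT = r"""
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: not-a-virus:RemoteAdmin.Win32.RA.3826 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: not-a-virus:Server-FTP.Win32.Serv-U.4100 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: Backdoor.Win32.Iroffer.1220 1
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar Infected: HackTool.Win32.Clearlog.c 1
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar Infected: Trojan-Downloader.Win32.Small.bwy 1
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar Infected: Trojan-Downloader.Win32.Adload.cw 1
H:\Old Installs\mirc614.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
H:\Program Files\HLSW\update.exe Infected: Trojan-Dropper.Win32.Small.cjq 1
H:\Program Files\Image Converter and Editor\icae.dll Infected: Trojan.Win32.BHO.adww 1
H:\Program Files\xchat\xchat.exe Suspicious: Type_Win32 1
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Bagle.g 2
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Sober.p 1
"""

# "<path> Infected|Suspicious: <threat name> <count>". The path may contain spaces, so it is
# matched lazily up to the first " Infected: " / " Suspicious: " token that is followed by a
# threat name and a count.
LINE = re.compile(r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    kind: str      # "Infected" (signature hit) or "Suspicious" (heuristic hit)
    threat: str    # e.g. "Trojan-Downloader.Win32.Small.bwy"
    count: int

    @property
    def category(self) -> str:
        if self.kind == "Suspicious":
            return "suspicious"
        if self.threat.startswith("not-a-virus:"):
            return "pua"          # riskware: a legitimate tool that is often abused
        return "malware"

    @property
    def family(self) -> str:
        # "not-a-virus:Client-IRC.Win32.mIRC.617" -> "Client-IRC"; "Backdoor.Win32.Iroffer.1220" -> "Backdoor"
        return self.threat.split(":")[-1].split(".")[0]


def parse_report(text: str) -> list[Detection]:
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits.append(Detection(m["path"], m["kind"], m["threat"], int(m["count"])))
    return hits


def total_threats(hits: list[Detection]) -> int:
    # The scanner's "Threats found" counts files; this sums the per-file object counts.
    return sum(h.count for h in hits)


def malware_families(hits: list[Detection]) -> set[str]:
    return {h.family for h in hits if h.category == "malware"}


def looks_like_mailbox(path: str) -> bool:
    # Assumption for this example: an extension-less file under a Thunderbird profile is an
    # mbox store, so the cure is deleting the flagged messages, not the file.
    name = path.rsplit("\\", 1)[-1]
    return "Thunderbird" in path and "." not in name


def triage(hits: list[Detection]) -> dict[str, str]:
    """One verdict per file: remove / purge-messages / investigate / pua-only."""
    by_path = defaultdict(list)
    for h in hits:
        by_path[h.path].append(h)
    verdicts = {}
    for path, group in by_path.items():
        cats = {h.category for h in group}
        if "malware" in cats:
            verdicts[path] = "purge-messages" if looks_like_mailbox(path) else "remove"
        elif "suspicious" in cats:
            verdicts[path] = "investigate"   # heuristic only: hash it and check with a second engine
        else:
            verdicts[path] = "pua-only"      # keep it if you installed the tool on purpose
    return verdicts


if __name__ == "__main__":
    hits = parse_report(REPORT)
    print(f"{len(hits)} detections, {total_threats(hits)} objects, families: {sorted(malware_families(hits))}")
    for path, verdict in triage(hits).items():
        print(f"{verdict:15} {path}")
```

The verdicts are a starting point, not a removal script: an archive with one real backdoor inside gets "remove" as a whole, a scanner-flagged IRC client in Program Files gets "pua-only", and a heuristic-only hit such as the xchat binary gets "investigate" rather than deletion.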
I surely don't want to remove your whole mail folder, but as you can see here:
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Bagle.g 2
H:\Thunderbird\School\INBOX Infected: Email-Worm.Win32.Sober.p 1
make sure you're very careful what you open there, especially attachments.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar 
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar 
H:\Old Installs\mirc614.exe 
H:\Program Files\Image Converter and Editor\icae.dll
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Been busy the last few days, here's the OTM log.

Also one more thing: ever since I ran ComboFix the second(?) time, Daemon Tools is giving me

"Initialization error 0
This program requires at least Windows 2000 with sptd 1.37 or higher.
Kernel debugger must be deactivated."

when Windows boots. Is there an easy fix?

Thanks.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder H:\My Documents\Downloads\Fraps_2.7.4_Full_Version_Win_All.rar moved successfully.
H:\Old Installs\adobephotoshopcs2tryouttofullactivationkeygenoscaria.rar moved successfully.
H:\Old Installs\mirc614.exe moved successfully.
H:\Program Files\Image Converter and Editor\icae.dll moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Julian
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 17307401 bytes
->Java cache emptied: 128130 bytes
->FireFox cache emptied: 77522700 bytes
->Flash cache emptied: 3090 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
Session Manager Temp folder emptied: 132134 bytes
Session Manager Tmp folder emptied: 132096 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 91.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04072010_225904

Files moved on Reboot...
File H:\Temp\nv_temp\~DF3BC5.tmp not found!
File H:\Temp\nv_temp\~DF3BE1.tmp not found!
File H:\Temp\nv_temp\~DF3BFD.tmp not found!
File H:\Temp\nv_temp\~DF3C19.tmp not found!
File H:\Temp\nv_temp\~DF4205.tmp not found!
File H:\Temp\nv_temp\~DF4211.tmp not found!
File H:\Temp\nv_temp\~DF4226.tmp not found!
File H:\Temp\nv_temp\~DF4232.tmp not found!

Registry entries deleted on Reboot...
 
We'll try to fix that error in a moment.

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

Give me a fresh HJT log, please.
 
Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Alternatively, I suggest you uninstall Spybot, since it's a tool of the past.

==========================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE



4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "H:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - User Startup: Adobe Gamma.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
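The `[resethosts]` step in the OTM script earlier in the thread and the two `O1 - Hosts:` lines above both concern the hosts file, which malware commonly edits to block updaters and security sites or to steer logins elsewhere. Here is an added example of an audit over a constructed hosts file, not code from the original thread or from HijackThis or OTM. It decodes the file first: the `ÿþ` prefix HijackThis shows on the first O1 line is the byte pair FF FE, the UTF-16LE byte-order mark, rendered as Latin-1, which means the file was not saved as the plain ANSI text the Windows resolver expects. It then flags any name other than localhost that is mapped to a loopback address (a block) and any name mapped to a routable address (a redirect). The sample content, the `.test` hostnames and the TEST-NET-3 address are constructed for this example.

```python
import codecs
import ipaddress

# Constructed sample (not the poster's file): a hosts file written as UTF-16LE with a
# byte-order mark, plus one "block" and one "redirect" entry of the kind malware adds.
# The .test hostnames and 203.0.113.7 (TEST-NET-3) are reserved documentation values.
SAMPLE_HOSTS = codecs.BOM_UTF16_LE + (
    "127.0.0.1 localhost\r\n"
    "::1 localhost\r\n"
    "# comment lines and blank lines are ignored\r\n"
    "127.0.0.1 update.example-av.test\r\n"
    "203.0.113.7 www.example-bank.test\r\n"
).encode("utf-16-le")

# Names that legitimately map to loopback in a default Windows hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def decode_hosts(raw: bytes) -> tuple[str, str]:
    """Return (text, encoding). Windows reads the hosts file as ANSI; a BOM means
    something else wrote it (HijackThis renders a UTF-16LE BOM as the text 'ÿþ')."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig"), "utf-8-bom"
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16"), "utf-16-bom"   # the utf-16 codec consumes the BOM
    return raw.decode("latin-1"), "ansi"


def parse_hosts(text: str):
    """Yield (line_number, address, [names]) for each non-comment entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if body:
            fields = body.split()
            yield lineno, fields[0], fields[1:]


def audit_hosts(raw: bytes) -> list[tuple[str, int, str]]:
    """Return (finding, line_number, detail) tuples; an empty list means a default-looking file."""
    text, enc = decode_hosts(raw)
    findings = []
    if enc != "ansi":
        findings.append(("encoding", 0, f"file carries a {enc} marker; expected plain ANSI text"))
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", lineno, addr))
            continue
        local = ip.is_loopback or ip.is_unspecified    # 127.x, ::1, 0.0.0.0
        for name in names:
            if name.lower() in LOOPBACK_NAMES:
                if not local:                           # localhost pointed somewhere else
                    findings.append(("hijack", lineno, f"{name} -> {addr}"))
            elif local:                                 # name silently blocked (updaters, AV sites)
                findings.append(("blocked", lineno, f"{name} -> {addr}"))
            else:                                       # name steered to another host (phishing, MitM)
                findings.append(("redirect", lineno, f"{name} -> {addr}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

A "blocked" entry is not always malicious (ad-blocking lists use the same trick), so the audit reports rather than deletes; a "redirect" of a bank or mail host to a routable address, or "localhost" pointing anywhere but loopback, is the kind of entry that justifies resetting the file as the OTM script did.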
 
Jusched.exe and jqs.exe refuse to go away. I feel like I've found ways to disable them in the past but when I update java they become ever more persistent.

Anyways, here is the new log, I removed all of the objects you recommended.
 

Attachment: hijackthis.log (10 KB)
jusched.exe and jqs.exe refuse to go away.
No big deal here :)


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thanks for the help!

One more thing: did you say you knew how to get rid of that Daemon Tools error?

Initialization Error 0
Windows 2000 and SPTD 1.3 and higher or something?
 
Is your computer doing fine?

When does the error happen and what exactly does it say?
Do you use Daemon Tools?
 
Yes, my computer is doing well, thanks.

The error happens at bootup, it says exactly

"Initialization error 0
This program requires at least Windows 2000 with sptd 1.37 or higher.
Kernel debugger must be deactivated. "

And yes, I do use Daemon Tools. The error started happening after Combo-fix said something like 'drive emulators detected, combofix needs to disable them to continue'. I clicked OK and it rebooted. It had done that before, though, and I didn't get the error; it was only after the second time I ran it that the error started occurring.

I haven't even tried uninstalling and reinstalling Daemon Tools, figured I'd ask if you knew of a quick fix first.
 
Since we're done with malware removal, you may want to try to uninstall/reinstall again.
I'm not really familiar with Daemon Tools.
 