Think I'm clean now,check please?

UK Dave · #1 (**permalink**) 06-05-2009, 01:55 PM

Hey all,
Had problems with my new PC. Had trojans etc and the PC at one point kept randomly rebooting,over and over.Wouldn't let me on windows update,something changed a setting.
Done a few scans now with Spybot, MalwareBytes,AVG 8.5.325 and CCleaner.
Did look like this:
AVG:
"Scan ""Scan whole computer"" was finished."
"Infections";"16";"16";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"05 May 2009, 19:27:21"
"Scan finished:";"05 May 2009, 19:40:02 (12 minute(s) 41 second(s))"
"Total object scanned:";"133375"
"User who launched the scan:";"D"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\D\Local Settings\Temp\732.exe";"Trojan horse Generic13.JJK";"Moved to Virus Vault"
"C:\Documents and Settings\D\Local Settings\Temp\803.exe";"Trojan horse SHeur2.UCF";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-8017068216-2990302639-183907024-9212\winIgn.exe";"Virus identified Worm/Generic_r.EC";"Moved to Virus Vault"
"C:\WINDOWS\system32\bufwvr.exe";"Trojan horse BackDoor.RBot.KB";"Moved to Virus Vault"
"C:\WINDOWS\system32\dbazqgj.exe";"Trojan horse BackDoor.RBot.KB";"Moved to Virus Vault"
"C:\WINDOWS\system32\ehfxkjhs.exe";"Virus identified Worm/Generic_r.EC";"Moved to Virus Vault"
"C:\WINDOWS\system32\fjxvxcjg.exe";"Trojan horse BackDoor.RBot.KB";"Moved to Virus Vault"
"C:\WINDOWS\system32\gkgt.exe";"Virus identified Worm/Generic_r.EC";"Moved to Virus Vault"
"C:\WINDOWS\system32\kefnd.exe";"Virus identified Worm/Generic_r.EC";"Moved to Virus Vault"
"C:\WINDOWS\system32\myaet.exe";"Trojan horse BackDoor.RBot.KB";"Moved to Virus Vault"
"C:\WINDOWS\system32\mzdqaqmz.exe";"Trojan horse SHeur2.KDG";"Moved to Virus Vault"
"C:\WINDOWS\system32\nwew.exe";"Trojan horse SHeur2.KDG";"Moved to Virus Vault"
"C:\WINDOWS\system32\pdpayo.exe";"Trojan horse SHeur2.KDG";"Moved to Virus Vault"
"C:\WINDOWS\system32\TFTP1428";"Trojan horse Injector.AL";"Moved to Virus Vault"
"C:\WINDOWS\system32\vfeeuid.exe";"Virus identified Worm/Generic_r.EC";"Moved to Virus Vault"
"C:\WINDOWS\system32\wftu.exe";"Trojan horse BackDoor.RBot.KB";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\D\Cookies\d@doubleclick[2].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\D\Cookies\d@doubleclick[2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\D\Cookies\d@overture[2].txt";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\D\Cookies\d@overture[2].txt:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\D\Cookies\d@overture[2].txt:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Moved to Virus Vault"

Mbam:
Malwarebytes' Anti-Malware 1.36
Database version: 2077
Windows 5.1.2600

05/05/2009 14:17:59
mbam-log-2009-05-05 (14-17-36).txt

Scan type: Quick Scan
Objects scanned: 65875
Time elapsed: 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\algs.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\12cfg515-k641-55sf-n66p (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\12cfg515-k641-55sf-n55p (Trojan.Backdoor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\32nfg94-h61-2sf-n1p-5m1erh6l6 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\Windows Update (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Spooler SubSystem App (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Windows Explorer (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\microsoft internet explorer (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\application layer gateway service (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850 (Trojan.Agent) -> No action taken.

Files Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe (Trojan.Backdoor) -> No action taken.
C:\Documents and Settings\D\Local Settings\Temp\002.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\D\Local Settings\Temp\466.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\D\Local Settings\Temp\489.exe (Trojan.Backdoor) -> No action taken.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850\Desktop.ini (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-9140808955-6121809174-222351416-4818\winIgn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\spooIsv.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\explorer.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\algs.exe (Backdoor.Bot) -> No action taken.

I deleted all the infections.
Here's todays Hijack Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:09, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Searchy UK Metacrawler: Search 15 top UK Search Engines
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1234968617747
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3445 bytes

oh and the Uninstall List:
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
Belarc Advisor 7.2
CCleaner (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Spybot - Search & Destroy
Windows XP Service Pack 2

Also, a Belarc scan says I need loads of new critical updates,but when I go to Windows Update it just has SP 3 Update.Is SP 3 ok?

Missing Microsoft Security Hotfixes [Back to Top]
These required security hotfixes (using the 04/14/2009 Microsoft Security Bulletin Summary) were not found installed. Note: CIS benchmarks require that Critical and Important severity security hotfixes must be installed.
Q873339 - Important (details...)
Q885835 - Important (details...)
Q885836 - Important (details...)
Q887472 - Moderate (details...)
Q888302 - Important (details...)
Q890046 - Moderate (details...)
Q890859 - Important (details...)
Q891781 - Important (details...)
Q893756 - Important (details...)
Q896358 - Critical (details...)
Q896423 - Critical (details...)
Q896428 - Moderate (details...)
Q899587 - Moderate (details...)
Q899591 - Moderate (details...)
Q900725 - Important (details...)
Q901017 - Important (details...)
Q901214 - Critical (details...)
Q902400 - Important (details...)
Q905414 - Moderate (details...)
Q905749 - Important (details...)
Q908519 - Critical (details...)
Q908531 - Critical (details...)
Q911280 - Important (details...)
Q911562 - Critical (details...)
Q911564 - Important (details...)
Q911927 - Important (details...)
Q913580 - Low (details...)
Q914388 - Critical (details...)
Q914389 - Important (details...)
Q918118 - Important (details...)
Q918439 - Critical (details...)
Q920213 - Critical (details...)
Q920670 - Important (details...)
Q920683 - Critical (details...)
Q920685 - Moderate (details...)
Q923191 - Critical (details...)
Q923561 - Important (details...)
Q923980 - Important (details...)
Q924270 - Low (details...)
Q924496 - Moderate (details...)
Q924667 - Important (details...)
Q925398 - Critical (details...)
Q925902 - Critical (details...)
Q926255 - Important (details...)
Q926436 - Important (details...)
Q927779 - Critical (details...)
Q927802 - Important (details...)
Q928255 - Important (details...)
Q928365 - Critical (details...)
Q928843 - Critical (details...)
Q929123 - Important (details...)
Q930178 - Critical (details...)
Q931261 - Critical (details...)
Q932168 - Critical (details...)
Q933729 - Important (details...)
Q936782 - Important (details...)
Q937894 - Moderate (details...)
Q938127 - Critical (details...)
Q938464 - Critical (details...)
Q941569 - Critical (details...)
Q943055 - Critical (details...)
Q943460 - Critical (details...)
Q944338 - Critical (details...)
Q944653 - Important (details...)
Q945553 - Important (details...)
Q946026 - Critical (details...)
Q946648 - Important (details...)
Q950749 - Critical (details...)
Q950762 - Important (details...)
Q950974 - Important (details...)
Q951066 - Important (details...)
Q951376 - Critical (details...)
Q951748 - Important (details...)
Q952004 - Important (details...)
Q952069 - Important (details...)
Q952954 - Critical (details...)
Q954600 - Important (details...)
Q955069 - Critical (details...)
Q956572 - Important (details...)
Q956802 - Critical (details...)
Q957097 - Important (details...)
Q958644 - Critical (details...)
Q958687 - Critical (details...)
Q958690 - Critical (details...)
Q959426 - Moderate (details...)
Q960225 - Important (details...)
Q960803 - Critical (details...)
Q961373 - Critical (details...)
Q963027 - Critical (details...)

Cheers, Dave.

broni · #2 (**permalink**) 06-05-2009, 06:32 PM

HJT log looks clean.

Verify your Java version here: Verify Java Version
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove.

Since the computer was infected....
1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

The computer is now clean of garbage, and malwares, so you should be OK with installing SP3.

UK Dave · #3 (**permalink**) 06-05-2009, 07:28 PM

Thanks broni,

"Since the computer was infected....
1. Turn off System Restore:"

Funny you mention that..I did an AVG screenshot but can't load it..I sent it to notepad or summat............DOH me! Anyway, it was FULL of loads of trojans,backdoorBots etc in system restore...maybe that's why they kept coming back?

I have NO java, I'll sort it now,also system restore,also SP 3, and report back.

Thankyou

broni · #4 (**permalink**) 06-05-2009, 07:30 PM

Sure thing

UK Dave · #5 (**permalink**) 06-05-2009, 07:54 PM

Hey broni,
I've downloaded java - Congratulations!
You have the recommended Java installed (Version 6 Update 13).

been asked a few times today to install Active X, but not sure which one.Could you please point me to a proper Active X download link?
sorry to sound numb!

broni · #6 (**permalink**) 06-05-2009, 07:58 PM

Quote:

been asked a few times today to install Active X

I assume, it's IE asking you, correct?
If it comes from legitimate site, usually, it's safe to install it.

To help you sort out safe sites from dagerous sites, I recommend...
Download, and install WOT (Web OF Trust): Internet Security | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

UK Dave · #7 (**permalink**) 06-05-2009, 08:04 PM

Yes, IE.

Cheers pal, I'll get on it later..I very much apreciate your time and help

Dave.

broni · #8 (**permalink**) 06-05-2009, 08:41 PM

You're very welcome