possible infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mickf002, Jul 29, 2012.

  1. Mickf002

    Mickf002 Private E-2

    Hi, opened an email from a friend the other day and believe it was infected with something called Trojan-Downloader.HTML.Meta.ao. I have also found lots of Funmoods after using Malwarebytes.

    Have tested as per guidelines on MajorGeeks and hope I can overcome irregularities which have been occurring lately when using PC.

    Please note: Trend Micro deleted PevFind.exe and gave a warning, and may have stopped Steelwx (I think it was called).

    Many Thanks
    Mark
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Mark :)

    Please disable your anti-virus protection while you are running scans/fixes. Also dequarantine PevFind.exe as it is part of MGtools.

    From Programs and Features (via Control Panel), please uninstall the below:
    • ALOT Appbar
    • Ask Toolbar
    • Java(TM) 6 Update 29
    • Skype Toolbars
    • Softonic-Eng7 Toolbar

    __

    Please download and scan with TDSSKiller
    • Do not use the Change Parameters button
    • When the scan is finished, a log will be created in the root of your C: drive
    • Example: C:\TDSSKiller.2.7.47.0_25.07.2012_15.06.22_log.txt
    • Attach this to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
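The /md5start list above asks OTL to hash the network and input drivers (plus svchost.exe) that rootkits of that era patched in place. As an added example, not from the thread or from OTL, here is a PowerShell audit that hashes the same files and reports their Authenticode status and signer so a patched copy stands out. It assumes Windows PowerShell 3 or later run as Administrator and the standard System32 locations; the "Verdict" rule is my own heuristic, and the catalog-signing caveat in the comments matters on Windows 7.

```powershell
# Added example (not the thread's or OTL's code): hash and signature-check the
# files OTL's /md5start list covers. Assumes PowerShell 3+, run as Administrator.
$names = 'afd.sys','i8042prt.sys','netbt.sys','nsiproxy.sys','tcpip.sys','tdx.sys'
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(Join-Path $sys32 'svchost.exe')
$files += $names | ForEach-Object { Join-Path $sys32 "drivers\$_" }

function Get-Md5Hex([string]$path) {
    # .NET MD5 rather than Get-FileHash, which only exists on PowerShell 4+
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-DriverIntegrity {
    foreach ($path in $files) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }
        $item   = Get-Item -LiteralPath $path
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Caveat: Windows' own binaries are catalog-signed. PowerShell 4+ on
        # Windows 8+ resolves the catalog; on Windows 7 clean files also come back
        # NotSigned, so there confirm with Sysinternals sigcheck (sigcheck -c <file>).
        $verdict = if ($sig.Status -eq 'Valid' -and $signer -match 'Microsoft') { 'ok' }
                   elseif ($sig.Status -eq 'NotSigned') { 'check-catalog' }
                   else { 'SUSPECT' }
        [pscustomobject]@{
            Verdict  = $verdict
            File     = $path
            Size     = $item.Length
            Modified = $item.LastWriteTime
            MD5      = Get-Md5Hex $path
            Status   = $sig.Status
            Signer   = $signer
        }
    }
}

Get-DriverIntegrity | Format-Table -AutoSize
```

A patched driver typically shows a recent Modified time, a size that differs from the other machines in the same patch level, and a signature status of HashMismatch or a non-Microsoft signer; compare the MD5 against a known-clean host at the same Windows build rather than trusting a single machine.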
  3. Mickf002

    Mickf002 Private E-2

  4. Mickf002

    Mickf002 Private E-2

    Sorry Thisisu,

    Forgot to ask: was I meant to do all the previous scans again, i.e. RogueKiller, MGTools, HitmanPro etc.?

    Thanks Mark
     
  5. Mickf002

    Mickf002 Private E-2

  6. thisisu

    thisisu Malware Consultant

    No.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280
    IE - HKU\S-1-5-21-308105638-3991737619-1792330179-1001\..\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}: "URL" = http://search.alot.com/web?q={searchTerms}
    IE - HKU\S-1-5-21-308105638-3991737619-1792330179-1001\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://int.search-results.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=NIS&chn=retail&geo=AU&ver=18
    IE - HKU\S-1-5-21-308105638-3991737619-1792330179-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280
    FF - prefs.js..browser.search.defaultthis.engineName: "Softonic-Eng7 Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    [2011/05/11 08:32:30 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\bkj0jep6.default\extensions\engine@conduit.com
    O3 - HKU\S-1-5-21-308105638-3991737619-1792330179-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-308105638-3991737619-1792330179-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    [2012/07/13 14:00:17 | 001,838,080 | ---- | C] (CPUID) -- C:\Users\Mark\AppData\Roaming\siw_sdk.dll
    :files
    C:\Users\Mark\AppData\LocalLow\alotservice /d
    C:\Program Files (x86)\Funmoods /d
    C:\Users\Mark\Downloads\cnet_smartdraw_setup_CNET_exe.exe /d
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __


    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
     
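The OTL fix above rewrites three persistence points the hijackers used: IE SearchScopes (the search URL redirected to Conduit, ALOT and search-results.com), Browser Helper Objects, and Toolbar\WebBrowser entries whose CLSID no longer resolves ("No CLSID value found"). As an added example that is not part of the thread, the PowerShell below audits those same locations in HKLM and every loaded user hive so you can confirm the fix took, or find the same hijack on another machine. The hostnames in $suspectHosts are taken from the fix script; the key layout is standard Internet Explorer; the flagging rules and the "NO-CLSID" label are my own. Run it as Administrator on Windows PowerShell 3 or later.

```powershell
# Added example (not the thread's or OTL's code): audit IE SearchScopes, BHOs and
# Toolbar\WebBrowser entries for the hijack signs the OTL fix above removes.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# Hostnames lifted from the fix script; extend as needed
$suspectHosts = 'search.conduit.com','search.alot.com','int.search-results.com','funmoods'

# HKLM (native and Wow6432Node) plus each loaded user profile hive (S-1-5-21-...-RID)
$ieRoots = @('HKLM:\Software\Microsoft\Internet Explorer',
             'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer')
$ieRoots += Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Internet Explorer" }

function Resolve-ClsidServer([string]$clsid) {
    # COM server path registered for a CLSID, or $null if nothing is registered
    foreach ($root in 'HKLM:\Software\Classes\CLSID','HKLM:\Software\Classes\Wow6432Node\CLSID') {
        $key = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($key) { return $key.'(default)' }
    }
    return $null
}

function Get-SearchScopeAudit {
    foreach ($root in $ieRoots) {
        foreach ($scope in (Get-ChildItem "$root\SearchScopes" -ErrorAction SilentlyContinue)) {
            $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            $hit = $suspectHosts | Where-Object { $url -like "*$_*" }
            [pscustomobject]@{ Kind = 'SearchScope'; Flag = $(if ($hit) { 'SUSPECT' } else { '' })
                               Key = $scope.Name; Value = $url }
        }
    }
}

function Get-ToolbarAudit {
    # Value names under Toolbar\WebBrowser are CLSIDs; one with no COM server is a leftover
    foreach ($root in $ieRoots) {
        $key = Get-Item "$root\Toolbar\WebBrowser" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like '{*}' })) {
            $server = Resolve-ClsidServer $name
            [pscustomobject]@{ Kind = 'Toolbar'; Flag = $(if ($server) { '' } else { 'NO-CLSID' })
                               Key = "$($key.Name)\$name"; Value = $server }
        }
    }
}

function Get-BhoAudit {
    foreach ($root in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                      'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        foreach ($bho in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
            $server = Resolve-ClsidServer $bho.PSChildName
            $signer = '(unregistered)'
            if ($server -and (Test-Path -LiteralPath $server)) {
                $sig = Get-AuthenticodeSignature -FilePath $server
                $signer = if ($sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" }
                          else { [string]$sig.Status }
            }
            [pscustomobject]@{ Kind = 'BHO'; Flag = $(if ($server) { '' } else { 'NO-CLSID' })
                               Key = $bho.Name; Value = "$server [$signer]" }
        }
    }
}

@(Get-SearchScopeAudit) + @(Get-ToolbarAudit) + @(Get-BhoAudit) | Format-Table -AutoSize -Wrap
```

Only hives that are currently loaded appear under HKEY_USERS, so run this while the affected user is logged on (or load their NTUSER.DAT with reg load first). Per-user COM registrations under HKCU\Software\Classes are not consulted by Resolve-ClsidServer; a BHO that shows NO-CLSID here but still loads is worth checking there.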
  7. Mickf002

    Mickf002 Private E-2

    Attached: 08022012_182226.log

    Attached: MGlogs.zip

    Hi, files attached, I hope

    two things I have noticed in the last weeks.
    a) Quite often the laptop won't allow me to access the start bar after boot up, I then have to hold the power button to force a shutdown. When it starts up the 2nd time it is ok.
    b) most times when I shut the laptop down it tells me that there are still programs open.

    All the best ( and thanks)
    Mark
     
  8. thisisu

    thisisu Malware Consultant

    Hello Mark,

    Your latest logs are clean and the other annoyances you mentioned are not malware related but most likely caused by the amount of programs you are running on startup and during shutdown. Reduce the amount of these if it is a problem for you. If you need help, visit the Software forum.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  9. Mickf002

    Mickf002 Private E-2

    Thanks Thanks & more thanks
    I haven't had to ask for help from Major Geeks helpers for many years and once again :-o I sincerely appreciate the time you spend assisting us lesser geeks

    all the best
    Mark
     
  10. thisisu

    thisisu Malware Consultant

    You're welcome. :)
    Be safe.
     
