Post #1 - Jan 12 2009, 05:39 AM
BobsBigBoy (New Member, Group: Members, Posts: 6, Joined: 12-January 09, Member No.: 281,525)
I was working on my XP installed Dell laptop a week ago - when all of a sudden I got hit with pop-ups and a security alert. Computer stopped working properly right after - and the next day I took it to my computer guy. He was not very knowledgeable and appears to have installed CyberDefender - he said he was able to clean it - but later when he connected it back to the internet the spyware instantly popped right back up. I took the machine off his hands went home and turned off the wireless card/via the switch and started reading up on Vundo before I found this great website. Using my Mac, I downloaded and installed via CD-Rom both SuperAntiSpy and MalwareBytes (in regular and safe mode) - which both got rid of most viruses - but when I restarted both Vundo and Trace came right back every time I ran a scan and their logs showed that I cleaned it up - so I am concerned that these bugs keep regenerating and I am afraid that they will grow worse if I reconnect my laptop to the internet. I am not very savvy but I read that turning off the restore point was essential to cleaning vundo out so I turned that off during my latest cleaning - and it didn't seem to work. Also I have turned on the firewall as recommended in the posting guide. Would kindly appreciate any experienced thoughts on how to get these last two Vundo and Trace bugs out of my system. Thanks! 
Posting requested DDS log below:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Teymy.Bahmani at 2:05:05.56 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1572 [GMT -8:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\teymy.bahmani\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.thomson.com/
uWindow Title = Microsoft Internet Explorer provided by The Thomson Corporation
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = webproxy.int.westgroup.com:80
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RMC] c:\program files\reuters\rmc\rmc.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [iPCCheck] "c:\program files\ipass\ipassconnect\downloader\ipccheck.exe" /startup
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\ISSIntro.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R4 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2007-10-3 15793]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2003-7-18 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2003-7-18 36368]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-1-5 67424]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys --> c:\windows\system32\drivers\el574nd4.sys [?]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]

=============== Created Last 30 ================

2009-01-07 05:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 04:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 04:59 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\SUPERAntiSpyware.com
2009-01-07 04:20 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\Malwarebytes
2009-01-07 00:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 23:53 <DIR> --d----- c:\program files\Yahoo!
2009-01-06 23:53 <DIR> --d----- c:\program files\CCleaner
2009-01-06 13:10 172,032 a------- c:\windows\system32\igfxres.dll
2009-01-06 11:05 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-06 10:52 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-01-06 10:51 1,158,818 ac------ c:\windows\system32\dllcache\korwbrkr.lex
2009-01-06 10:50 57,399 ac------ c:\windows\system32\dllcache\cplexe.exe
2009-01-06 10:49 68,608 ac------ c:\windows\system32\dllcache\iisext51.dll
2009-01-06 10:44 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-06 10:43 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-06 10:42 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-01-06 10:30 10,559 a----r-- c:\windows\SET99.tmp
2009-01-06 10:30 22,339 a----r-- c:\windows\SET97.tmp
2009-01-06 10:30 13,753 a----r-- c:\windows\SET5B.tmp
2009-01-06 10:30 1,086,058 a----r-- c:\windows\SET4F.tmp
2009-01-06 10:30 1,042,903 a----r-- c:\windows\SET4C.tmp
2009-01-06 10:16 22,339 a----r-- c:\windows\SET95.tmp
2009-01-06 10:16 10,559 a----r-- c:\windows\SET96.tmp
2009-01-06 10:16 13,753 a----r-- c:\windows\SET5A.tmp
2009-01-06 10:16 1,086,058 a----r-- c:\windows\SET4E.tmp
2009-01-06 10:16 1,042,903 a----r-- c:\windows\SET4B.tmp
2009-01-06 09:57 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-01-06 09:57 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-01-06 09:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-06 09:57 13,312 a------- c:\windows\system32\irclass.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-06 08:19 24 a------- c:\windows\pccntmon.INI
2009-01-06 01:45 <DIR> --d----- c:\windows\dell
2009-01-05 23:17 <DIR> --dsh--- C:\found.000
2009-01-05 14:45 43 a------- c:\windows\av_affiliate.ini
2009-01-05 14:45 43 a------- c:\windows\as_affiliate.ini
2009-01-05 14:39 67,424 a------- c:\windows\system32\drivers\CDAVFS.sys
2009-01-05 14:39 <DIR> --d----- c:\program files\CyberDefender
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll

==================== Find3M ====================

2009-01-08 17:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-06 10:41 22,720 a------- c:\windows\system32\emptyregdb.dat
2008-12-12 14:56 65,744 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:21 75,350 a------- c:\windows\system32\z98.bin
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-01-30 12:09 651,348 a------- c:\program files\cltracker.zip

============= FINISH: 2:05:52.98 ===============
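As an added example (not code from this thread, nor part of the DDS tool), the script below reads the two DDS sections a log helper looks at first, "Pseudo HJT Report" and "Created Last 30", and cross-references the AppInit_DLLs entries against files dropped into system32 during the last 30 days, which is the pattern behind the "it comes back after every clean" behaviour the post describes. The sample log is a constructed excerpt built from entries quoted in the DDS log above; the three heuristics (an AppInit DLL that is itself a recent file, a sibling file with the same timestamp and size, a hidden+system file under system32) are this example's assumptions, not something DDS reports.

```python
"""Triage helper for DDS logs (added example; heuristics are assumptions)."""
import re
from collections import defaultdict

# Constructed excerpt built from entries quoted in the thread's DDS log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
=============== Created Last 30 ================
2009-01-07 04:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 10:44 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-06 09:57 13,312 a------- c:\windows\system32\irclass.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll
==================== Find3M ====================
"""

# "=== Section Name ===" banner lines that separate DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: date time, size or <DIR>, 8-char attributes, path.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current:
            sections[current].append(line)
    return sections


def appinit_dlls(sections):
    """DLL names (lower-cased) from AppInit_DLLs lines of the HJT report."""
    names = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            names.extend(line.split(":", 1)[1].split())
    return [n.lower() for n in names]


def created_files(sections):
    """Parse 'Created Last 30' rows into dicts; directories are skipped."""
    out = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m or m.group(2) == "<DIR>":
            continue
        when, size, attrs, path = m.groups()
        out.append({"when": when, "size": int(size.replace(",", "")),
                    "attrs": attrs, "path": path.lower()})
    return out


def triage(text):
    """Return (finding, path) tuples for three assumed heuristics:
    appinit_recent   an AppInit_DLLs entry that was created in the last 30 days
    appinit_sibling  another file created in the same minute with the same size
    hidden_system    a file under system32 carrying both the s and h attributes
    """
    sections = parse_dds(text)
    dlls = set(appinit_dlls(sections))
    files = created_files(sections)
    findings = []
    by_key = defaultdict(list)          # (timestamp, size) -> paths
    for f in files:
        by_key[(f["when"], f["size"])].append(f["path"])
    for f in files:
        name = f["path"].rsplit("\\", 1)[-1]
        if name in dlls:
            findings.append(("appinit_recent", f["path"]))
            for sibling in by_key[(f["when"], f["size"])]:
                if sibling != f["path"]:
                    findings.append(("appinit_sibling", sibling))
        if ("\\system32\\" in f["path"]
                and "s" in f["attrs"] and "h" in f["attrs"]):
            findings.append(("hidden_system", f["path"]))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_DDS):
        print(f"{kind:16} {path}")
```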
Post #2 - Jan 22 2009, 05:25 PM
Thunder (Forum Addict, Group: HJT Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294)
Hello BobsBigBoy,
Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop. Double click the ComboFix icon to run it. If ComboFix asks you to install the Recovery Console, please do so. The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. Once the Recovery Console is installed, continue with the malware scan. Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze. Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. If you have any questions along the way, STOP and ask them before proceeding!! Please post back with the ComboFix log.

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Post #3 - Jan 22 2009, 06:53 PM
BobsBigBoy (New Member, Group: Members, Posts: 6, Joined: 12-January 09, Member No.: 281,525)
Thunder,
Thanks for your reply. Before I run ComboFix - I thought you would want to know that I tinkered with the computer since I first posted my DDS log. I deleted a few files that looked infected - and since then when I run MalwareBytes or SuperAntiSpyware - my scans show up clean. My concern however is that the virus is still lurking around in the background somewhere. If you don't mind - I'd like to run DDS one more time - and show you the new report, or would you prefer that I go down the ComboFix path right away? Thanks, I know you are busy.
Post #4 - Jan 23 2009, 05:16 AM
Thunder (Forum Addict, Group: HJT Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294)
Hello BobsBigBoy,
Yes, please run ComboFix; it will provide an equally detailed log file, remove any known malware in the process, and provide the necessary tool to remove leftovers in the next steps.

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Post #5 - Jan 25 2009, 04:28 AM
BobsBigBoy (New Member, Group: Members, Posts: 6, Joined: 12-January 09, Member No.: 281,525)
Will do.
Post #6 - Jan 25 2009, 06:39 AM
Thunder (Forum Addict, Group: HJT Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294)
Fine, BobsBigBoy,
I'll await your log.

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Post #7 - Jan 28 2009, 12:18 AM
BobsBigBoy (New Member, Group: Members, Posts: 6, Joined: 12-January 09, Member No.: 281,525)
OK THUNDER - here is the ComboFix log.
One note - before I ran ComboFix - I enjoyed a full week of malware free computing. I ran a few scans and unlike when I first posted they showed up clean - neither SuperAnti or Malwarebytes could find the usual pesky Trace and Vundo viruses that would normally reload again upon start-up. I have since now - on your advisement run ComboFix - so I'm hoping all traces of the virus are removed and I'm good to go - let me know what you think. Am I clean? Thanks a million. ComboFix 09-01-21.04 - Teymy.Bahmani 2009-01-27 21:04:38.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1573 [GMT -8:00] Running from: c:\documents and settings\teymy.bahmani\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\mgnvqpnl.ini c:\windows\system32\x64 ----- BITS: Possible infected sites ----- hxxp://TCUSCTSTASMS01.na.thomsoncorporate.com:80 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_JAVA2 -------\Service_seneka ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 ))))))))))))))))))))))))))))))) . 2009-01-26 15:39 . 2009-01-26 15:40 <DIR> d-------- c:\program files\AirPort 2009-01-26 15:29 . 2009-01-26 15:36 <DIR> d-------- c:\program files\Bonjour 2009-01-15 12:39 . 2009-01-15 12:55 <DIR> d-------- C:\6ca1fdb727b5b151f7f216ddcd 2009-01-15 12:35 . 2008-04-13 16:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll 2009-01-15 12:35 . 2008-04-13 09:27 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll 2009-01-15 12:35 . 2006-12-28 11:01 19,569 --a------ c:\windows\003451_.tmp 2009-01-15 12:29 . 2009-01-15 13:33 2,675 --a------ c:\windows\imsins.BAK 2009-01-15 12:28 . 
2008-12-11 02:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys 2009-01-13 10:40 . 2009-01-13 10:40 <DIR> d-------- C:\VundoFix Backups 2009-01-12 02:04 . 2009-01-27 01:20 4,194,394 --a------ c:\windows\pfirewall.log.old 2009-01-11 18:19 . 2009-01-11 18:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2009-01-07 05:00 . 2009-01-07 05:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-07 04:59 . 2009-01-07 05:00 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-07 04:59 . 2009-01-07 04:59 <DIR> d-------- c:\documents and settings\teymy.bahmani\Application Data\SUPERAntiSpyware.com 2009-01-07 04:20 . 2009-01-07 04:20 <DIR> d-------- c:\documents and settings\teymy.bahmani\Application Data\Malwarebytes 2009-01-07 00:34 . 2009-01-07 00:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-01-07 00:33 . 2009-01-16 10:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-07 00:33 . 2009-01-07 00:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-07 00:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-07 00:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-06 23:54 . 2009-01-06 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2009-01-06 23:54 . 2009-01-06 23:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo! 2009-01-06 23:53 . 2009-01-06 23:54 <DIR> d-------- c:\program files\Yahoo! 2009-01-06 23:53 . 2009-01-06 23:54 <DIR> d-------- c:\program files\CCleaner 2009-01-06 13:10 . 2007-05-18 08:45 172,032 --a------ c:\windows\system32\igfxres.dll 2009-01-06 11:04 . 2008-06-13 03:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys 2009-01-06 11:03 . 
2008-12-12 09:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll 2009-01-06 11:03 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2009-01-06 11:03 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-01-06 11:03 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2009-01-06 11:03 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2009-01-06 11:03 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2009-01-06 11:03 . 2008-10-15 17:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll 2009-01-06 11:03 . 2008-10-15 17:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll 2009-01-06 11:03 . 2008-10-15 17:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll 2009-01-06 11:02 . 2008-04-11 11:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll 2009-01-06 11:02 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2009-01-06 11:02 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2009-01-06 11:02 . 2008-05-08 06:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys 2009-01-06 10:52 . 2004-08-04 02:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex 2009-01-06 10:51 . 2008-04-13 16:09 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll 2009-01-06 10:50 . 2004-08-04 02:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll 2009-01-06 10:49 . 2004-08-04 02:00 94,720 --a--c--- c:\windows\system32\dllcache\certmap.ocx 2009-01-06 10:49 . 2004-08-04 02:00 14,336 --a--c--- c:\windows\system32\dllcache\iisreset.exe 2009-01-06 10:49 . 2004-08-04 02:00 6,144 --a--c--- c:\windows\system32\dllcache\ftpsapi2.dll 2009-01-06 10:49 . 2004-08-04 02:00 5,632 --a--c--- c:\windows\system32\dllcache\iisrstap.dll 2009-01-06 10:44 . 
2009-01-06 10:44 749 -rah----- c:\windows\WindowsShell.Manifest 2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest 2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\sapi.cpl.manifest 2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\nwc.cpl.manifest 2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\ncpa.cpl.manifest 2009-01-06 10:44 . 2009-01-06 10:44 488 -rah----- c:\windows\system32\logonui.exe.manifest 2009-01-06 10:43 . 2004-08-04 02:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe 2009-01-06 10:30 . 2004-08-04 02:00 1,086,058 -ra------ c:\windows\SET4F.tmp 2009-01-06 10:30 . 2004-08-04 02:00 1,042,903 -ra------ c:\windows\SET4C.tmp 2009-01-06 10:30 . 2006-03-30 02:03 22,339 -ra------ c:\windows\SET97.tmp 2009-01-06 10:30 . 2004-08-04 02:00 13,753 -ra------ c:\windows\SET5B.tmp 2009-01-06 10:30 . 2005-03-30 09:54 10,559 -ra------ c:\windows\SET99.tmp 2009-01-06 10:16 . 2004-08-04 02:00 1,086,058 -ra------ c:\windows\SET4E.tmp 2009-01-06 10:16 . 2004-08-04 02:00 1,042,903 -ra------ c:\windows\SET4B.tmp 2009-01-06 10:16 . 2006-03-30 02:03 22,339 -ra------ c:\windows\SET95.tmp 2009-01-06 10:16 . 2004-08-04 02:00 13,753 -ra------ c:\windows\SET5A.tmp 2009-01-06 10:16 . 2005-03-30 09:54 10,559 -ra------ c:\windows\SET96.tmp 2009-01-06 09:57 . 2004-08-04 02:00 24,661 --a------ c:\windows\system32\spxcoins.dll 2009-01-06 09:57 . 2004-08-04 02:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll 2009-01-06 09:57 . 2004-08-04 02:00 13,312 --a------ c:\windows\system32\irclass.dll 2009-01-06 09:57 . 2004-08-04 02:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll 2009-01-06 08:19 . 2009-01-16 12:03 24 --a------ c:\windows\pccntmon.INI 2009-01-06 01:45 . 2009-01-06 01:45 <DIR> d-------- c:\windows\dell 2009-01-05 23:17 . 2009-01-05 23:17 <DIR> d--hs---- C:\found.000 2009-01-05 14:39 . 
2009-01-27 20:59 <DIR> d-------- c:\program files\CyberDefender 2009-01-05 14:29 . 2009-01-05 14:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Xcelsius . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-23 18:19 --------- d-----w c:\documents and settings\teymy.bahmani\Application Data\webex 2009-01-16 23:41 --------- d-----w c:\program files\Java 2009-01-15 21:03 --------- d-----w c:\program files\Common Files\Adobe 2009-01-07 12:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-01-01 23:07 --------- d-----w c:\program files\IKEA HomePlanner 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-01-30 20:09 651,348 ----a-w c:\program files\cltracker.zip . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "RMC"="c:\program files\reuters\rmc\rmc.exe" [2008-01-29 4145237] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-24 159744] "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088] "iPCCheck"="c:\program files\iPass\iPassConnect\downloader\ipccheck.exe" [2004-05-11 282624] "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-06-04 458752] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" 
[2008-07-22 116040] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064] "IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-05-18 138008] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-05-18 162584] "Persistence"="c:\windows\System32\igfxpers.exe" [2007-05-18 138008] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600] "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280] "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-02 50688] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-11 66864] WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-03 122880] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify] 2007-05-24 06:13 24665 c:\windows\system32\ckpNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2007-04-27 08:10 18744 c:\windows\system32\PCANotify.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"= "c:\\Program 
Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Reuters\\RMC\\RMC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-05-24 2234800]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-05-24 110032]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-05-24 36368]
R4 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2007-10-03 15793]
R4 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2003-07-18 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2003-07-18 36368]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-05-24 673456]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\DRIVERS\el574nd4.sys --> c:\windows\system32\DRIVERS\el574nd4.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.thomson.com/
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = ;*.local;<local>
uInternet Settings,ProxyServer = webproxy.int.westgroup.com:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:08:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\PCANotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\OfcDog.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-27 21:12:01 - machine was rebooted [Teymy.Bahmani]
ComboFix-quarantined-files.txt 2009-01-28 05:11:58

Pre-Run: 27,004,977,152 bytes free
Post-Run: 27,718,139,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

235 --- E O F --- 2009-01-20 20:05:20
Jan 28 2009, 08:49 AM - Post #8
Forum Addict, Group: HJT Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294
Hello BobsBigBoy,
Your log looks quite good now. You can remove all used tools and folders created in the process.

To remove ComboFix: Go to Start > Run, and copy and paste the next command into the field:

Then press Enter.

Still having problems?

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
Jan 28 2009, 11:40 AM - Post #9
New Member, Group: Members, Posts: 6, Joined: 12-January 09, Member No.: 281,525
Dude - thanks so much for helping me.
I know I'm not the first or last person to say this - but you are awesome. Thanks for sharing your time/insights - you set a great example!
Jan 28 2009, 04:29 PM - Post #10
Forum Addict, Group: HJT Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294
Glad we could help, BobsBigBoy
Please read this Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.