
Virtumonde Problem.


9 replies to this topic

#1 tequila_stealer

Posted 09 August 2007 - 11:01 AM

I have been having trouble with the Virtumonde virus.
I have run VundoFix and VirtumondeBeGone but with no effect.
Can anybody with a bit more know-how than me have a look at this? I have already removed some Google Toolbar helper and Windows Live Toolbar helper files which I know are associated with the Virtumonde virus.
Windows Defender is also flagging up the virus but is unable to remove the files.
The files that it says are infected do not exist and may be hidden; however, AVG rootkit doesn't discover anything.

Here is the HijackThis log.

I was going to attach a GMER log too, but didn't.


Logfile of HijackThis v1.99.1
Scan saved at 16:13:23, on 09/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Last.fm\LastFM.exe
D:\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {78731E75-720D-42E9-AD38-286E1234EEE5} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808E09C6-927A-4C20-8F2D-4645AC8399Db} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CS3\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: opnkhii - opnkhii.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#2 RichieUK (Malware Response Team)

Posted 09 August 2007 - 01:54 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, tequila_stealer.
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.

#3 tequila_stealer (Topic Starter)

Posted 09 August 2007 - 04:15 PM

Here are the ComboFix and HijackThis files, as attachments.

Thank you for your help so far.

Windows Defender keeps flagging up firewall exceptions and IE home page changes, which have all been denied as they looked dodgy. Could this be to do with the virus?


#4 RichieUK (Malware Response Team)

Posted 09 August 2007 - 05:13 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {78731E75-720D-42E9-AD38-286E1234EEE5} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808E09C6-927A-4C20-8F2D-4645AC8399Db} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O20 - Winlogon Notify: opnkhii - opnkhii.dll (file missing)

Exit Hijackthis.

Find and delete:
C:\WINDOWS\system32\cxdgmfbs.ini2

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


Note
Copy then paste all logs/reports directly into this topic, not as attachments, thanks.
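A triage heuristic for the HijackThis entries singled out above, as an added Python example that is not part of this thread or of HijackThis itself: it parses O2 (BHO) and O20 (Winlogon Notify) lines and flags the traits the Vundo loading points show here, namely a BHO registered with no name, a DLL reported as missing or having no file, and a random 7-8 lower-case-letter DLL name dropped into system32. The sample lines are copied from the first log above, mixed with two legitimate entries; the reason strings and thresholds are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O2/O20 lines from the first HijackThis log in this
# thread, plus two legitimate entries the heuristics should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {78731E75-720D-42E9-AD38-286E1234EEE5} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808E09C6-927A-4C20-8F2D-4645AC8399Db} - C:\WINDOWS\system32\ylhffcss.dll (file missing)
O20 - Winlogon Notify: opnkhii - opnkhii.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# HijackThis v1.99 line shapes for the two item types this thread fixes.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# Vundo-style name: 7 or 8 random lower-case letters, .dll, as the last path element.
RANDOM_DLL_RE = re.compile(r"(?:^|\\)[a-z]{7,8}\.dll$")
MISSING = " (file missing)"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _check_dll(path, reasons, what):
    """Checks shared by the DLL part of an O2 and an O20 entry."""
    if path.endswith(MISSING) or path == "(no file)":
        reasons.append(f"{what} DLL is absent: a dead loading point left behind by a removed file")
    bare = path[: -len(MISSING)] if path.endswith(MISSING) else path
    if RANDOM_DLL_RE.search(bare):
        reasons.append(f"{what} DLL has a Vundo-style random name")


def triage(log_text):
    """Return one Finding per suspicious O2/O20 line, with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            _check_dll(m.group("path"), reasons, "BHO")
        m = O20_RE.match(line)
        if m:
            if "\\" not in m.group("path"):
                # A bare file name is resolved through the DLL search path at logon.
                reasons.append("Winlogon Notify DLL given by bare name, not a full path")
            _check_dll(m.group("path"), reasons, "Winlogon Notify")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def fix_list(log_text):
    """The exact log lines a helper would tell the user to tick in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On the sample above this reproduces the four lines RichieUK lists for 'Fix checked' and leaves the Adobe, Java and WgaLogon entries alone.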

#5 tequila_stealer (Topic Starter)

Posted 10 August 2007 - 10:10 AM

Thank you again for your time. I will be making a donation when this problem is gone.

There was no file named cxdgmfbs.ini2 in the System32 folder.

I ran SUPERAntiSpyware and completed the HijackThis stuff.

Windows Defender flagged some files and is unable to remove them.

Here is the list of files.

Category:
Trojan
Description:
This program displays advertisements and may be difficult to remove.
Advice:
Remove this software immediately.

Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 15:57:05, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CS3\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe





Here is the SUPERAntiSpyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/10/2007 at 02:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3283
Trace Rules Database Version: 1294

Scan type : Complete Scan
Total Scan Time : 01:20:30

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 4676
Registry threats detected : 0
File items scanned : 33676
File threats detected : 99

Adware.Tracking Cookie

Adware.Vundo Variant

Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C068D27-C8BA-487E-A578-335D52E6B1C9}\RP255\A0142352.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C068D27-C8BA-487E-A578-335D52E6B1C9}\RP255\A0142353.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C068D27-C8BA-487E-A578-335D52E6B1C9}\RP255\A0142356.DLL
C:\VUNDOFIX BACKUPS\ANFXBJPY.DLL.BAD
C:\VUNDOFIX BACKUPS\BSHRVBUX.DLL.BAD
C:\VUNDOFIX BACKUPS\YJXTSXLM.DLL.BAD

#6 RichieUK (Malware Response Team)

Posted 10 August 2007 - 11:33 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\cxdgmfbs.ini2

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it in your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-----------------------------------------------------------

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#7 tequila_stealer (Topic Starter)

Posted 10 August 2007 - 02:08 PM

Done.

Windows Defender is still flagging up the virus.

Here is the OTMoveIt result:

C:\WINDOWS\system32\cxdgmfbs.ini2 moved successfully.

Created on 08/10/2007 19:52:41

Could I possibly try putting the files that Windows Defender is flagging up into OTMoveIt?

Here is the ComboFix log.

ComboFix 07-08-10 - "Gemma" 2007-08-10 19:54:59.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT 1:00]


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 12:41 <DIR> d-------- C:\DOCUME~1\Gemma\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-09 21:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 22:44 <DIR> d-------- C:\VundoFix Backups
2007-08-08 20:52 <DIR> d-------- C:\WINDOWS\Broken Sword
2007-08-08 16:27 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-08-08 16:27 <DIR> d-------- C:\Program Files\MagicDisc
2007-08-08 16:23 <DIR> d-------- C:\Program Files\MagicISO
2007-08-07 08:36 <DIR> d--hs---- C:\FOUND.024
2007-08-06 22:32 <DIR> d-------- C:\WINDOWS\pss
2007-08-06 22:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-08-06 22:23 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-06 22:23 <DIR> d-------- C:\WINDOWS\nview
2007-08-06 22:22 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-06 22:21 <DIR> d-------- C:\NVIDIA
2007-07-31 21:27 <DIR> d--hs---- C:\FOUND.023
2007-07-29 21:13 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-29 21:12 <DIR> d-------- C:\DOCUME~1\Gemma\APPLIC~1\SecondLife
2007-07-28 23:39 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-07-28 23:07 <DIR> d-------- C:\Program Files\Common Files\element5 Shared
2007-07-28 23:07 <DIR> d-------- C:\DOCUME~1\Gemma\APPLIC~1\ArcSoft
2007-07-28 23:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\element5
2007-07-28 23:05 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-07-28 23:03 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-07-28 17:36 <DIR> d-------- C:\Program Files\themexp
2007-07-28 17:36 <DIR> d-------- C:\Program Files\OneStepSearch
2007-07-28 17:25 <DIR> d-------- C:\Program Files\TGTSoft
2007-07-28 16:38 <DIR> d--hs---- C:\FOUND.022
2007-07-27 17:44 <DIR> d--hs---- C:\FOUND.021
2007-07-26 20:50 <DIR> d--hs---- C:\FOUND.020
2007-07-19 19:26 <DIR> d--hs---- C:\FOUND.019
2007-07-17 11:18 <DIR> d-------- C:\WINDOWS\NKCCDViewerSetting
2007-07-15 21:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-15 15:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-15 14:48 <DIR> d--hs---- C:\FOUND.018


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 18:09 284248 --a------ C:\Program Files\npmusicn.dll
2007-07-04 14:07 --------- d-------- C:\Program Files\Enigma Software Group
2007-07-01 21:50 --------- d-------- C:\Program Files\DSA Theory Test
2007-06-19 21:50 --------- d-------- C:\Program Files\Lavasoft
2007-05-16 16:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-11 18:48 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-05-11 18:48 225280 --a------ C:\WINDOWS\system32\ReWire.dll
1998-12-09 03:53 99840 --a------ C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 70144 --a------ C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 48640 --a------ C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 31744 --a------ C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 186368 --a------ C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 03:53 17920 --a------ C:\Program Files\Common Files\IRASRIAL.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 17:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-15 16:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-15 21:20]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Gemma\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-08 16:27:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PI Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PI Monitor.lnk
backup=C:\WINDOWS\pss\PI Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\qustygja.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j7231639]
rundll32 C:\WINDOWS\system32\j7231639.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 SASDIFSV;SASDIFSV;\??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
R3 mcdbus;Driver for MagicISO SCSI Host Controller;C:\WINDOWS\system32\DRIVERS\mcdbus.sys
R3 SASENUM;SASENUM;\??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-10 13:22:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-10 18:45:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 19:59:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 20:03:33
C:\ComboFix-quarantined-files.txt ... 2007-08-10 20:03
C:\ComboFix2.txt ... 2007-08-09 22:07

--- E O F ---


Here is the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 20:06:49, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a373fa45812c4a7bb25b13fb1fdbf04c
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CS3\Services\Tcpip\..\{67CC2B94-0BAF-45B3-9354-787807EC1E40}: NameServer = 193.36.79.101 193.36.79.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Thank you.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:03 PM

Posted 10 August 2007 - 03:24 PM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j7231639]


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded, click on Next.
• Now click on Scan Settings.
• In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database: Standard
  • Scan Options: Scan Archives, Scan Mail Bases
• Click OK.
• Now, under Select a target to scan, select My Computer.
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, it will display whether your system has been infected.
• Now click on the Save as Text button and save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log.

Edited by RichieUK, 10 August 2007 - 05:08 PM.


#9 tequila_stealer

tequila_stealer
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:03 PM

Posted 10 August 2007 - 04:28 PM

What do you want me to do to the registry keys in the quote marks?

Was the start of that post missing?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 10 August 2007 - 05:09 PM

Sorry about that, I've edited my instructions :thumbsup: