
Doublechecking Malware Removal


  • This topic is locked
9 replies to this topic

#1 rexmundi

Posted 18 January 2008 - 07:12 PM

Hello, and thanks for the help I received from reading your forums recently. This is my first post. I have been removing trojans and adware for about 3 days straight now with online scanners and Ad-Aware. I have encountered Vundo, Zlob Clickspring, PE_Trats.A, PurityScan .ed and .cd, webbuying, antileech, trojan-do, rbot-YB, Smitfraud, zapchast.dt, sinowal.gd and .ge, downloader agent, clicker, virtumonde.dlm and dnm, dropper agent dgo.

I've used:
panda activescan
bitdefender online scan
trend micro housecall
mcafee stinger
vundofix
smitfraudfix
eset online scan
trend micro sysclean
mcafee rootkit detective
microsoft malware remover
kaspersky SOS

I think most of the programs have been removed and Windows seems to be running OK, but there is still something weird in Explorer, which seems like an unusual refresh period.
Online scans from ESET, Trend Micro, and Panda have all been clean of the listed programs at this point.
I'm attaching the ComboFix log and HijackThis log as of now. It seems there may be a couple of things I've missed in the ComboFix log, so I'm asking the experts.
Thanks a bunch.


Edited by rexmundi, 18 January 2008 - 07:17 PM.



#2 miekiemoes (Malware Response Team)

Posted 19 January 2008 - 10:32 AM

Hi,

Please do not attach your logs, but copy and paste them into the thread instead.
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\Tasks\B169D7FD95224C2D.job

Folder::
c:\docume~1\rex\applic~1\batdas~1
C:\WINDOWS\cmV4
C:\WINDOWS\system32\edcA01
C:\VundoFix Backups

RENV::
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Microsoft IntelliPoint\point32 .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe

Driver::
mnmddd

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
"Network Monitor"=-
"DomainService"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e719613-120e-41cd-a4c2-cd0a5aaeca8e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4B88BDF-CE08-41EA-A8A8-6616A880A95F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\288129e2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoobNurb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPumper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSNetMon_egcffjdbjafabcfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oqssxnx]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sscn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
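The CFScript above is a small sectioned text format, and a helper would normally want to see exactly which actions it encodes before a user drops it onto ComboFix. The following Python example is added for this page (it is not ComboFix's code and not from the thread): it parses a script in that format into an action plan and flags entries that deserve a second look. It assumes the section semantics as used above: File:: and Folder:: entries are deleted, RENV:: entries such as `MSConfig .exe` are renamed back to `MSConfig.exe`, Driver:: names are removed, and Registry:: uses REGEDIT4 syntax where `[-key]` deletes a key and `"name"=-` deletes a value.

```python
"""Parse a ComboFix CFScript into a reviewable action plan (added example, not ComboFix code)."""
import re

# Constructed input: the script from reply #2, shortened to a few entries per section.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\Tasks\B169D7FD95224C2D.job

Folder::
C:\WINDOWS\cmV4
C:\VundoFix Backups

RENV::
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe

Driver::
mnmddd

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")        # e.g. "File::", "Registry::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # "[key]" or "[-key]" (delete key)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')            # "name"=- deletes, otherwise sets


def renv_target(path):
    """Assumed RENV:: behaviour: collapse 'name .ext' back to 'name.ext'."""
    return re.sub(r" +(\.[A-Za-z0-9]+)$", r"\1", path)


def parse_cfscript(text):
    """Return the actions the script encodes, grouped by kind."""
    plan = {"delete_files": [], "delete_folders": [], "renames": [],
            "remove_drivers": [], "delete_keys": [], "delete_values": [],
            "set_values": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            plan["delete_files"].append(line)
        elif section == "folder":
            plan["delete_folders"].append(line)
        elif section == "renv":
            plan["renames"].append((line, renv_target(line)))
        elif section == "driver":
            plan["remove_drivers"].append(line)
        elif section == "registry":
            km = KEY_RE.match(line)
            vm = VALUE_RE.match(line)
            if km and km.group(1) == "-":
                plan["delete_keys"].append(km.group(2))
                current_key = None
            elif km:
                current_key = km.group(2)      # following values apply to this key
            elif vm and current_key and vm.group(2) == "-":
                plan["delete_values"].append((current_key, vm.group(1)))
            elif vm and current_key:
                plan["set_values"].append((current_key, vm.group(1), vm.group(2)))
        # Lines in unknown sections are ignored rather than guessed at.
    return plan


def _top_level_system_path(path):
    """True for an entry directly under C:\\WINDOWS or C:\\WINDOWS\\system32."""
    low = path.lower()
    for prefix in ("c:\\windows\\system32\\", "c:\\windows\\"):
        if low.startswith(prefix):
            return "\\" not in low[len(prefix):]
    return False


def review(plan):
    """Entries a helper should double-check before the script is run."""
    notes = []
    for p in plan["delete_files"] + plan["delete_folders"]:
        if _top_level_system_path(p):
            notes.append("deletes directly under the Windows directory: " + p)
    for src, dst in plan["renames"]:
        if src == dst:
            notes.append("RENV entry has no space before the extension: " + src)
    for key in plan["delete_keys"]:
        if "browser helper objects" in key.lower():
            notes.append("removes a BHO registration: " + key)
    return notes


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for kind, entries in plan.items():
        for entry in entries:
            print(kind, entry)
    for note in review(plan):
        print("CHECK:", note)
```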

#3 rexmundi (Topic Starter)

Posted 20 January 2008 - 09:35 AM

Hi again, I ran the script. Still wondering how to find the directory c:/windows/cmV4/ but apparently it really is there. Thanks.
Here are my new logs:

ComboFix:

ComboFix 08-01-17.3 - rex 2008-01-20 9:15:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.664 [GMT -5:00]
Running from: C:\Documents and Settings\rex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rex\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Tasks\B169D7FD95224C2D.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\cmV4
C:\WINDOWS\cmV4\wApb.vbs
C:\WINDOWS\system32\edcA01
C:\WINDOWS\Tasks\B169D7FD95224C2D.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MNMDDD
-------\mnmddd


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-18 21:43 . 2008-01-18 22:35 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-18 18:00 . 2002-08-29 01:05 245,920 --a------ C:\cmldr
2008-01-18 18:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 18:00 . 2008-01-18 03:31 304 --a------ C:\Boot.bak
2008-01-17 04:13 . 2008-01-17 04:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-16 06:44 . 2008-01-17 01:44 3,234,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 06:44 . 2008-01-17 01:44 45,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 06:44 . 2008-01-17 01:44 2,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 06:44 . 2008-01-17 01:44 1,244 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 06:43 . 2008-01-16 06:43 <DIR> d-------- C:\KAV
2008-01-16 06:20 . 2008-01-16 06:22 1,962 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-15 18:48 . 2008-01-20 04:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-15 18:28 . 2008-01-17 04:15 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 18:23 . 2008-01-15 18:23 145,408 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-15 01:03 . 2008-01-20 02:53 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-13 15:02 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-13 15:01 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\lsahxyovdfni.sys
2008-01-13 03:26 . 2008-01-18 18:03 <DIR> d-------- C:\Temp
2008-01-09 19:28 . 2008-01-13 22:53 <DIR> d-------- C:\Program Files\MySpace
2008-01-09 19:28 . 2008-01-09 19:28 <DIR> d-------- C:\Documents and Settings\rex\Application Data\MySpace
2008-01-09 18:36 . 2008-01-12 04:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-09 18:36 . 2008-01-09 18:36 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-31 15:44 . 2007-12-30 15:22 2,240 --a------ C:\wpa.dbl
2007-12-30 14:57 . 2007-12-30 14:57 <DIR> d-------- C:\Program Files\Frets on Fire
2007-12-30 14:57 . 2007-12-30 14:58 <DIR> d-------- C:\Documents and Settings\rex\Application Data\fretsonfire
2007-12-30 14:20 . 2007-12-30 14:20 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-30 06:09 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-30 06:09 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-12-24 11:58 . 2007-12-24 11:58 <DIR> d-------- C:\Documents and Settings\dennis\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 14:15 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-17 08:54 --------- d-----w C:\Program Files\QuickTime
2008-01-14 10:38 --------- d-----w C:\Program Files\Zoom Player
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2006-06-14 23:26 10,856 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_18.10.04.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 15:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-20 09:41:30 77,824 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
- 2008-01-18 23:00:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 14:15:41 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 23:00:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 14:15:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 23:00:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 14:15:41 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 23:00:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 14:15:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 23:00:24 4,599,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 14:15:42 4,599,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 23:00:24 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 14:15:42 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2002-08-29 07:41:26 145,408 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
+ 2008-01-15 23:23:07 145,408 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-06-28 23:43 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 01:31:35]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet T Series Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP OfficeJet T Series Startup.lnk
backup=C:\WINDOWS\pss\HP OfficeJet T Series Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2005-04-10 08:13 2904660 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2008-01-13 04:58 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 11:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 15:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NielsenOnline]
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 07:57 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-16 02:44 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2004-08-06 14:33 2502656 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLBrowser"=3 (0x3)
"Pctspk"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"helpsvc"=2 (0x2)
"BITS"=3 (0x3)
"ewido security suite control"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"wuauserv"=2 (0x2)
"NOD32krn"=2 (0x2)
"svcWRSSSDK"=2 (0x2)
"RasMan"=3 (0x3)
"iPodService"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"ScsiAccess"=2 (0x2)
"IDriverT"=3 (0x3)
"aspnet_admin"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"W32Time"=2 (0x2)

R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\System32\drivers\PrtSeqRd.sys [2005-01-13 04:14]
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\System32\drivers\bcgame.sys [2003-07-23 14:16]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 07:00]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\System32\DRIVERS\pctvvbi.sys [2002-04-02 15:05]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys [2001-08-17 08:28]
S4 aspnet_admin;ASP.NET Admin Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe []
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 17:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 09:20:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 9:24:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 14:24:14
ComboFix2.txt 2008-01-18 23:10:17


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:19 AM, on 1/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Documents and Settings\rex\My Documents\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/contr...ate/sdkinst.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2744 bytes

#4 miekiemoes (Malware Response Team)

Posted 20 January 2008 - 09:47 AM

Hi,

Still wondering how to find the directory c:/windows/cmV4/ but apparently it really is there.

That one is already deleted with Combofix.

I see you have been disabling a lot of programs and services via msconfig... including your Antivirus.
Any reason why you disabled them? How are you supposed to prevent malware if you disable your Antivirus?
Please enable NOD32 again.

Also, you disabled a lot of necessary services. Are you aware what you exactly disabled and why? Keep in mind, if you leave them disabled, you may have problems in the future.

Anyway, * Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, as a final check, please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

#5 rexmundi (Topic Starter)

Posted 24 January 2008 - 04:57 PM

Sorry for taking so long on the reply. I missed the part "save as txt"; it took me a while to notice that. I haven't uninstalled ComboFix yet, but I did the Kaspersky scan and seem to have another virus in a restore volume, it seems. Other scanners didn't seem to spot this, and I'm not sure how to delete it. I have shut off a couple of services, but I really didn't think that many, like auto update; there was only one that I shut down when I had virus activity, thinking it didn't belong. I was playing with them because my computer is becoming antique in gaming terms. I now dual boot, though, with a very service-lite system for Vanguard; it helped game play a bit. As far as the virus scanner, I always shut those off because of games as well. I do not actually own Eset yet, so I'm just curious: between Kaspersky and NOD32, is it just personal preference?

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 24, 2008 4:41:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/01/2008
Kaspersky Anti-Virus database records: 530110
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 108336
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:29:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rex\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\rex\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\rex\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\rex\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rex\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\rex\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\rex\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rex\Local Settings\History\History.IE5\MSHist012008012420080125\index.dat Object is locked skipped
C:\Documents and Settings\rex\Local Settings\Temp\hsperfdata_rex\256 Object is locked skipped
C:\Documents and Settings\rex\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rex\My Documents\B19-Nagy-1.mpg.001 Object is locked skipped
C:\Documents and Settings\rex\My Documents\KACB-S1.rar Object is locked skipped
C:\Documents and Settings\rex\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\rex\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP5\A0000562.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\A0000652.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\A0000652.exe mIRC: infected - 1 skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\change.log Object is locked skipped
J:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped

Scan process completed.

#6 miekiemoes (Malware Response Team)

Posted 24 January 2008 - 05:10 PM

Hi,

It looks like we cleaned up pretty well.
The only remaining infected files are present in your System Restore points, which is actually no issue since it can't do anything there.
But we'd rather see them removed, so do the following to remove them:

Flush your System Restore points:
To do this, you have to disable System Restore and enable it again afterwards.
(note: this will delete all your System Restore points and the malware that was present in them).

How to disable system restore in XP <= click me for instructions with screenshots
After you have disabled System Restore, reboot, and after rebooting, enable it again, so a new System Restore point will be made. A clean one now!

Let me know in your next reply how things are now.
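The reply above draws the line between detections inside System Restore points, which are inert until a restore is performed, and detections anywhere else. The following Python example is added for this page (it is not Kaspersky's or BleepingComputer's code): it applies that triage to the text report format shown in reply #5, and the one detection outside a restore point used in its check is a constructed line with a hypothetical detection name.

```python
"""Triage a Kaspersky Online Scanner text report (added example, not Kaspersky code)."""
import re

# Constructed sample: the result table from reply #5, abbreviated to a few lines.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\rex\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP5\A0000562.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\A0000652.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{12A90F32-982F-40A8-87F4-B419BAC9F1B9}\RP7\A0000652.exe mIRC: infected - 1 skipped

Scan process completed.
"""

# Constructed line with a hypothetical detection name, used to exercise the
# "active" branch; nothing like it appears in the thread's report.
CONSTRUCTED_ACTIVE_LINE = (r"C:\Documents and Settings\rex\Local Settings\Temp\example.exe "
                           "Infected: Trojan-Downloader.Win32.Hypothetical.a skipped")

# Line shapes seen in the thread: a locked object, a detection, and an archive
# whose members were infected ("<path> <type>: infected - <n> <action>").
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) (?P<action>\S+)$")
# XP's restore-point store; files here only come back through a System Restore.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def triage(report):
    """Split the result table into locked, restore_point, active and unparsed buckets."""
    result = {"locked": [], "restore_point": [], "active": [], "unparsed": []}
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True          # header of the result table
            continue
        if not in_table or not line:
            continue
        if line.startswith("Scan process completed"):
            break
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m.group("path"))
            continue
        m = INFECTED_RE.match(line) or CONTAINER_RE.match(line)
        if m:
            path = m.group("path")
            name = m.groupdict().get("name")
            if name is None:         # archive summary line
                name = "%s archive, %s infected member(s)" % (m.group("kind"), m.group("count"))
            bucket = "restore_point" if RESTORE_RE.search(path) else "active"
            result[bucket].append((path, name))
            continue
        result["unparsed"].append(line)  # keep anything unexpected visible
    return result


def verdict(result):
    """Turn the buckets into the decision the helper makes in the thread."""
    if result["active"]:
        return "ACTION: %d detection(s) outside System Restore" % len(result["active"])
    if result["restore_point"]:
        return "FLUSH: detections only in System Restore points; disable and re-enable System Restore"
    return "CLEAN: no detections (locked objects are normal for hives, logs and open files)"


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(verdict(r))
    for path, name in r["restore_point"]:
        print("  restore point:", name, "<-", path)
```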

#7 miekiemoes (Malware Response Team)

Posted 30 January 2008 - 08:12 AM

Let me know in your next reply how things are now

Still with us?

#8 rexmundi (Topic Starter)

Posted 31 January 2008 - 10:25 PM

Yes, and thanks for the help. All of the online scans came back clean.

#9 miekiemoes (Malware Response Team)

Posted 01 February 2008 - 01:49 AM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes (Malware Response Team)

Posted 05 February 2008 - 03:34 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



