Trojan Win32.monder.oea


11 replies to this topic

#1 parinari66


  • Members
  • 7 posts

Posted 16 September 2008 - 06:32 PM

Initially my laptop was badly affected by all sorts of Trojans and viruses; it was almost impossible to go on the internet, and when I did it was very slow. Kaspersky 2009 antivirus could not handle it. In the end I downloaded and ran Combofix, which managed to clear a lot of the infections. I can get to the internet now; there are pop-ups now, but the machine is still slow.
What remains is this trojan Kaspersky can't remove. Please help. On start up, a message appears:
C\:Windows\system 32\MSLTST-EXE
The NTVDM CPU has encountered an illegal instruction
CS:0f97IP0202 OP.......choose "Close" to terminate the application. Please help
Please find the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:23 AM, on 16/Sep/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061101
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...amp;ibd=5061101
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msltstsoft_updt.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10295 bytes

Thanks


#2 steamwiz


  • Members
  • 1,039 posts

Posted 17 September 2008 - 03:11 PM

Hi

Please post the Combofix log :thumbsup:

Then ... run these programs & post the logs ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 parinari66

  • Topic Starter

  • Members
  • 7 posts

Posted 17 September 2008 - 06:14 PM

Hi

Thanks for the response. Will run MalwarebytesAM. In the meantime, please find the Combofix log that I ran earlier.

ComboFix 08-09-14.01 - AG 2008-09-15 3:32:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1392 [GMT 1:00]
Running from: C:\Documents and Settings\A G\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A G\Cookies\a_g@cleanuptool[3].txt
C:\Documents and Settings\A G\Cookies\a_g@hits.gureport.co[1].txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abpwqmvh.dll
C:\WINDOWS\system32\eOWxGfhk.ini
C:\WINDOWS\system32\eOWxGfhk.ini2
C:\WINDOWS\system32\fatyenwi.dll
C:\WINDOWS\system32\hdsxpvey.dll
C:\WINDOWS\system32\iexwzk.dll
C:\WINDOWS\system32\iifgHYOI.dll
C:\WINDOWS\system32\jgowdqeg.ini
C:\WINDOWS\system32\jyvxdv.dll
C:\WINDOWS\system32\khfGxWOe.dll
C:\WINDOWS\system32\lotajjns.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ngoxtm.dll
C:\WINDOWS\system32\pavvhb.dll
C:\WINDOWS\system32\qifesqvf.dll
C:\WINDOWS\system32\qlakegtk.ini
C:\WINDOWS\system32\rofoqwnq.dll
C:\WINDOWS\system32\rtihwyeo.ini
C:\WINDOWS\system32\uxopdz.dll
C:\WINDOWS\system32\vncglg.dll
C:\WINDOWS\system32\wtebbwqn.dll
C:\WINDOWS\system32\xcnxgyof.dll
C:\WINDOWS\system32\zfolqs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CBEVTSVC
-------\Legacy_PACKET
-------\Service_CbEvtSvc
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-15 03:47 . 2008-09-15 03:47 294 ---hs---- C:\WINDOWS\system32\rtihwyeo.ini
2008-09-11 21:44 . 2008-09-11 21:44 97,156 --a------ C:\WINDOWS\system32\oeywhitr.dll
2008-09-08 22:01 . 2008-09-08 22:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-08 22:01 . 2008-09-08 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 17:08 . 2006-11-01 07:01 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-09-07 17:08 . 2006-11-01 07:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-07 17:08 . 2006-11-01 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-07 17:08 . 2006-11-01 07:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-07 17:08 . 2006-11-01 07:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-07 17:08 . 2006-11-01 07:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-09-07 17:08 . 2006-11-01 07:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-09-07 17:08 . 2008-09-07 17:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 20:51 . 2008-09-05 20:51 324,166 --a------ C:\WINDOWS\system32\ddcAsqOI.dll
2008-09-04 18:51 . 2008-09-04 18:51 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-04 01:41 . 2008-09-04 02:18 3,494 --a------ C:\WINDOWS\system32\msltstsoft_updt.exe
2008-09-04 01:24 . 2008-09-04 03:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 17:26 . 2008-09-15 03:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 13:28 . 2008-09-01 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SingleClick Systems
2008-08-31 17:35 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GLS
2008-08-31 17:34 . 2008-08-31 17:34 <DIR> d-------- C:\Program Files\Common Files\GLS Shared
2008-08-31 17:34 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\WADISO5
2008-08-31 17:34 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\GLS
2008-08-31 17:33 . 2008-08-31 17:33 <DIR> d-------- C:\Program Files\GLS
2008-08-31 17:33 . 2008-08-31 17:33 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-08-31 17:33 . 2006-11-22 10:01 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-08-31 17:23 . 2008-08-31 17:24 <DIR> d-------- C:\Documents and Settings\A G\Application Data\EPANET
2008-08-31 16:25 . 2008-08-31 16:25 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-08-31 16:24 . 2008-08-31 16:26 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-08-31 16:22 . 2008-08-31 16:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-08-31 16:22 . 2008-08-31 16:22 <DIR> d-------- C:\Program Files\Autodesk
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Documents and Settings\A G\Application Data\CyberLink
2008-08-29 18:35 . 2008-08-29 18:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\dvdcss
2008-08-27 21:18 . 2008-08-27 21:18 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-26 21:21 . 2008-08-26 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-08-26 21:21 . 2008-08-26 21:21 1,024 --a------ C:\.rnd
2008-08-21 14:59 . 2000-12-08 21:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-08-15 12:22 . 2008-08-15 12:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-15 12:20 . 2008-08-15 12:21 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 02:44 573,472 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-15 02:44 3,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-15 02:44 22,652 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-15 02:44 2,627,104 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-14 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-08 20:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-05 22:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-05 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 16:44 --------- d-----w C:\Documents and Settings\A G\Application Data\Symantec
2008-09-04 17:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-04 13:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-04 00:33 --------- d-----w C:\Documents and Settings\A G\Application Data\skypePM
2008-09-02 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-01 12:34 --------- d-----w C:\Program Files\Modem Helper
2008-09-01 12:34 --------- d-----w C:\Program Files\MapWindow
2008-09-01 12:34 --------- d-----w C:\Program Files\Google
2008-09-01 12:34 --------- d-----w C:\Program Files\Dell
2008-09-01 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-01 12:28 --------- d-----w C:\Program Files\Dell Network Assistant
2008-08-31 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-31 15:20 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-14 00:40 --------- d-----w C:\Documents and Settings\A G\Application Data\MapWindow
2008-08-13 02:23 --------- d-----w C:\Documents and Settings\A G\Application Data\RETScreen
2008-08-13 02:22 --------- d-----w C:\Program Files\RETScreen
2008-08-13 01:53 --------- d-----w C:\Program Files\NREL
2008-08-13 00:44 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-08-10 17:57 --------- d-----w C:\Documents and Settings\A G\Application Data\vlc
2008-08-10 17:56 --------- d-----w C:\Program Files\VideoLAN
2008-08-10 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-10 02:30 --------- d-----w C:\Program Files\Java
2008-08-09 02:46 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-08 22:24 --------- d-----w C:\Documents and Settings\A G\Application Data\Corel Photo Album
2008-08-07 16:30 --------- d-----w C:\Program Files\EPANET2
2008-08-07 16:06 --------- d-----w C:\Program Files\MSBuild
2008-08-07 16:06 --------- d-----w C:\Program Files\Microsoft Works
2008-08-07 16:05 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-07 15:51 --------- d-----w C:\Documents and Settings\A G\Application Data\Autodesk
2008-08-07 15:29 --------- d-----w C:\Documents and Settings\A G\Application Data\AdobeUM
2008-08-07 15:01 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-07 14:20 128 ----a-w C:\Documents and Settings\A G\Application Data\wklnhst.dat
2008-08-07 14:15 --------- d-----w C:\Documents and Settings\A G\Application Data\Template
2008-08-07 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-08-07 02:03 --------- d-----w C:\Documents and Settings\A G\Application Data\McAfee.com Personal Firewall
2008-08-07 01:06 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-08-07 00:50 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-08-07 00:50 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-07 00:41 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-08-07 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-29 19:20 24,774 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-21 17:34 121,872 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-10 497240]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-01 98304]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Microsoft WinUpdate"="C:\WINDOWS\system32\msltstsoft_updt.exe" [2008-09-04 3494]
"d801cc34"="C:\WINDOWS\system32\oeywhitr.dll" [2008-09-11 97156]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-11-01 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-01 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6ede67b5-8aaa-4a0f-a586-48da18ad5151} - C:\WINDOWS\system32\vncglg.dll
BHO-{7C4EFEA1-8412-48F9-893D-55036F1B890A} - C:\WINDOWS\system32\khfGxWOe.dll
BHO-{AA008E7C-DBD9-4DC5-B089-84FCA7F17083} - C:\WINDOWS\system32\iifgHYOI.dll
ShellExecuteHooks-{AA008E7C-DBD9-4DC5-B089-84FCA7F17083} - C:\WINDOWS\system32\iifgHYOI.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061101
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 03:46:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\rtihwyeo.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\oeywhitr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-09-15 3:50:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-15 02:50:27

Pre-Run: 54,425,821,184 bytes free
Post-Run: 54,633,218,048 bytes free

261 --- E O F --- 2008-08-17 15:21:33

Thanks.
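As an added example that is not part of the thread and not ComboFix's own code, here is a small Python reviewer for the "Reg Loading Points" section of a ComboFix log like the one above. The heuristics (a Run value that names itself a Microsoft/Windows component but launches a binary outside a small allowlist, a value named like random hex, a DLL under Run, a tiny executable, Security Center monitoring disabled, the firewall off), the allowlist and the size threshold are assumptions for illustration; the sample log is a constructed excerpt modelled on the entries in the log above.

```python
"""Added example (not ComboFix's own code): flag suspicious entries in the
'Reg Loading Points' section of a ComboFix log. The heuristics, allowlist and
size threshold are assumptions a reviewer might start from; real triage also
checks signatures and hashes of the flagged files."""
import re

# Constructed excerpt in ComboFix's REGEDIT4-style layout, modelled on the log above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"Microsoft WinUpdate"="C:\WINDOWS\system32\msltstsoft_updt.exe" [2008-09-04 3494]
"d801cc34"="C:\WINDOWS\system32\oeywhitr.dll" [2008-09-11 97156]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Run values look like  "<path>" [<yyyy-mm-dd> <size>]  (the bracketed part is optional).
RUN_RHS_RE = re.compile(r'^"([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\])?')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,12}$", re.IGNORECASE)

# Assumed allowlist: binaries that legitimately carry a Microsoft/Windows name in Run.
KNOWN_MS_AUTORUNS = {"ctfmon.exe", "wuauclt.exe", "msmsgs.exe"}
TINY_EXE_BYTES = 8192  # assumed threshold; a 3 KB "updater" in system32 deserves a look


def check_run_value(key, name, rhs):
    """Heuristics for one value under a ...\\CurrentVersion\\Run key."""
    m = RUN_RHS_RE.match(rhs)
    if not m:
        return []
    path, size = m.group(1), m.group(3)
    base = path.rsplit("\\", 1)[-1].lower()
    lname = name.lower()
    found = []
    if ("microsoft" in lname or "windows" in lname) and base not in KNOWN_MS_AUTORUNS:
        found.append((key, name, f"claims to be a Microsoft/Windows component but runs {base}"))
    if HEX_NAME_RE.match(name):
        found.append((key, name, "value name looks like random hex"))
    if base.endswith(".dll"):
        found.append((key, name, "Run value points at a DLL rather than an executable"))
    if size is not None and base.endswith(".exe") and int(size) < TINY_EXE_BYTES:
        found.append((key, name, f"unusually small executable ({size} bytes)"))
    return found


def check_policy_value(key, name, rhs):
    """Security Center and firewall settings that ComboFix prints when they are off."""
    lkey, val = key.lower(), rhs.strip()
    if "security center" in lkey and name == "DisableMonitoring" and val == "dword:00000001":
        return [(key, name, "Security Center monitoring disabled")]
    if "firewallpolicy" in lkey and name == "EnableFirewall" and val.startswith("0"):
        return [(key, name, "Windows Firewall disabled for this profile")]
    return []


def review(log_text):
    """Walk the section line by line, tracking the current [key]; return (key, name, reason) triples."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, rhs = vm.group(1), vm.group(2)
        if key.lower().endswith("\\run"):
            findings.extend(check_run_value(key, name, rhs))
        else:
            findings.extend(check_policy_value(key, name, rhs))
    return findings


if __name__ == "__main__":
    for key, name, reason in review(SAMPLE_LOG):
        print(f"{name!r} in [{key}]: {reason}")
```

Pasting the real "Reg Loading Points" section in place of the constructed sample gives the same kind of shortlist; the flagged entries are a starting point for a reviewer, not a verdict.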

#4 steamwiz


  • Members
  • 1,039 posts

Posted 18 September 2008 - 02:45 PM

Hi

OK ... I see the problem in the Combofix log, but before we try a manual removal, I need you to run Malwarebytes' Anti-Malware first as it may resolve the problem for you ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 parinari66

parinari66
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 18 September 2008 - 08:40 PM

Hi Steam

I downloaded MBAM and did a quick scan as per your advice and it identified and cleaned 7 objects. I tried 3 times to scan with Kaspersky online and 3 times I aborted the exercise when a blue screen appeared with messages that "....windows stopped to protect your computer". This happened even after deactivating Kaspersky that I use for protection. When I reverted to scanning with Kaspersky on the computer, it indicated that some malware were still present, mostly on the restore section. I reverted to running Combofix but got no change. I eventually did a full scan with MBAM. It identified and cleaned out 41 infected objects. Attached is the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 3

18/Sep/08 10:34:45 PM
mbam-log-2008-09-18 (22-34-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108016
Time elapsed: 32 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\abpwqmvh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fatyenwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hdsxpvey.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iexwzk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jyvxdv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lotajjns.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ngoxtm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pavvhb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rofoqwnq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\uxopdz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vncglg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wtebbwqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xcnxgyof.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP66\A0018943.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032618.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032653.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032665.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032666.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032702.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0032703.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032833.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032867.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032868.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032880.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032881.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032911.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0032912.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032963.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032964.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032965.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032966.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032967.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032968.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032969.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032970.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032972.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032973.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032975.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032976.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP82\A0032974.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

It looks like this did the trick and a Kaspersky scan has confirmed this. Incidentally, different software gives different names; is the Trojan.Vundo being referred to in this log the same thing that is identified as Heur.Invader / Heur.Trojan.Generic in the Kaspersky scan, or are they different?

So, many, many thanks for the advice. I really appreciated your help and I hope this misery will not resurface again. Is it advisable to retain or delete Combofix and MBAM software on my machine?

Once again, many thanks.

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 19 September 2008 - 05:25 PM

Hi

One malware can have many different names, depending on which program is referring to it.

We're not done yet :thumbsup:

Everything in that MBAM log is in system restore or Combofix quarantine ... which would ALL have been removed when we uninstall Combofix the right way :)

What were the 7 items removed from the quick scan ? do you have the log ?

Run the Malwarebytes Anti-Malware from the icon on your desktop, select the Logs tab & see if you can see the log ?

I'll tell you what programs you can delete when we are sure you are clean ...

There are several malware files we shall have to delete if the MBAM log doesn't show them being deleted...

Please run Combofix again & post the new log ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
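Steam's point above, that every hit in the full-scan MBAM log sits either in a System Restore point or in the ComboFix quarantine and so says nothing about a live infection, can be checked mechanically rather than by eye. The script below is an added example, not a tool from this thread, from Malwarebytes or from ComboFix: it parses the `... (Family) -> action` lines of an MBAM log and buckets each detection by where it was found, so that only hits in active locations (system32, a `Run` autostart value, and so on) are flagged for follow-up. The sample input is constructed from a few detection lines copied from the two logs posted in this thread; the bucket names and helper functions are my own.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: detection lines copied from the quick-scan and full-scan
# MBAM logs posted in this thread, mixed together to exercise every bucket.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft WinUpdate (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcAsqOI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msltstsoft_updt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\abpwqmvh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP66\A0018943.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<target> (<family>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Locations whose contents are inert copies, not running code.
INERT_BUCKETS = ("restore-point", "combofix-quarantine")


def classify(target: str) -> str:
    """Bucket a detection by where it was found (bucket names are my own)."""
    t = target.lower()
    if t.startswith("hkey_"):
        # A value under ...\CurrentVersion\Run is an autostart, the most
        # important kind of registry hit to confirm is really gone.
        return "registry-autorun" if "\\currentversion\\run\\" in t else "registry"
    if "\\system volume information\\_restore" in t:
        return "restore-point"        # old copy kept by System Restore
    if "\\qoobox\\quarantine\\" in t:
        return "combofix-quarantine"  # already neutralised by ComboFix
    return "live"                     # active location: needs a rescan to confirm


def parse_mbam_log(text: str) -> list[dict]:
    """Return one dict per detection line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # section headers, blanks, "(No malicious items detected)"
        entries.append({**m.groupdict(), "bucket": classify(m.group("target"))})
    return entries


def triage(text: str) -> dict:
    """Summarise a log: per-bucket counts, families seen, and what still needs a look."""
    entries = parse_mbam_log(text)
    counts = Counter(e["bucket"] for e in entries)
    followup = [e["target"] for e in entries if e["bucket"] not in INERT_BUCKETS]
    return {
        "total": len(entries),
        "counts": dict(counts),
        "families": sorted({e["family"] for e in entries}),
        "needs_followup": followup,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the full-scan log posted in this thread, `needs_followup` would be empty, which is exactly Steam's reading: all 41 hits are restore-point or quarantine copies. Run against the quick-scan log it lists the `Run` value and the two files under system32, the entries worth confirming with a second scan.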

#7 parinari66

parinari66
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 21 September 2008 - 10:25 PM

Hi

Thanks for the response.
1. The 7 items dealt with in the first quick MBAM scan can be viewed in the attached log:

Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 3

18/Sep/08 12:51:05 AM
mbam-log-2008-09-18 (00-51-05).txt

Scan type: Quick Scan
Objects scanned: 56453
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft WinUpdate (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ddcAsqOI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msltstsoft_updt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

2. Yes I can see the MBAM log listing the following log reports:
mbam-log-2008-09-18(00-51-05).txt
mbam-log-2008-09-18(02-58-15).txt
mbam-log-2008-09-18(22-34-45).txt
mbam-log-2008-09-18(:thumbsup:.txt and the last one with letter C

3. Attached is the latest Combofix log:
ComboFix 08-09-20.05 - A G 2008-09-22 3:42:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1479 [GMT 1:00]
Running from: C:\Documents and Settings\A G\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-19 18:00 . 2008-09-19 18:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-19 18:00 . 2008-09-19 18:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-18 00:42 . 2008-09-18 00:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 00:42 . 2008-09-18 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 00:42 . 2008-09-18 00:42 <DIR> d-------- C:\Documents and Settings\A G\Application Data\Malwarebytes
2008-09-18 00:42 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 00:42 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-16 02:26 . 2008-09-16 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 00:53 . 2008-09-16 00:53 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-08 22:01 . 2008-09-08 22:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-08 22:01 . 2008-09-08 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 17:08 . 2006-11-01 07:01 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-09-07 17:08 . 2006-11-01 07:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-07 17:08 . 2006-11-01 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-07 17:08 . 2006-11-01 07:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-07 17:08 . 2006-11-01 07:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-07 17:08 . 2006-11-01 07:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-09-07 17:08 . 2006-11-01 07:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-09-07 17:08 . 2008-09-07 17:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-04 18:51 . 2008-09-04 18:51 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-04 01:24 . 2008-09-04 03:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 17:26 . 2008-09-21 14:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 13:28 . 2008-09-01 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SingleClick Systems
2008-08-31 17:35 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GLS
2008-08-31 17:34 . 2008-08-31 17:34 <DIR> d-------- C:\Program Files\Common Files\GLS Shared
2008-08-31 17:34 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\WADISO5
2008-08-31 17:34 . 2008-08-31 17:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\GLS
2008-08-31 17:33 . 2008-08-31 17:33 <DIR> d-------- C:\Program Files\GLS
2008-08-31 17:33 . 2008-08-31 17:33 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-08-31 17:33 . 2006-11-22 10:01 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-08-31 17:23 . 2008-08-31 17:24 <DIR> d-------- C:\Documents and Settings\A G\Application Data\EPANET
2008-08-31 16:25 . 2008-08-31 16:25 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-08-31 16:24 . 2008-08-31 16:26 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-08-31 16:22 . 2008-08-31 16:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-08-31 16:22 . 2008-08-31 16:22 <DIR> d-------- C:\Program Files\Autodesk
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Documents and Settings\A G\Application Data\CyberLink
2008-08-29 18:35 . 2008-08-29 18:35 <DIR> d-------- C:\Documents and Settings\A G\Application Data\dvdcss
2008-08-27 21:18 . 2008-08-27 21:18 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-26 21:21 . 2008-08-26 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-08-26 21:21 . 2008-08-26 21:21 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-21 04:01 573,472 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-21 04:01 3,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-21 04:01 22,652 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-21 04:01 2,627,104 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-15 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-15 11:01 --------- d-----w C:\Program Files\Microsoft Works
2008-09-15 03:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-05 22:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-05 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 16:44 --------- d-----w C:\Documents and Settings\A G\Application Data\Symantec
2008-09-04 17:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-04 13:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-04 00:33 --------- d-----w C:\Documents and Settings\A G\Application Data\skypePM
2008-09-01 12:34 --------- d-----w C:\Program Files\Modem Helper
2008-09-01 12:34 --------- d-----w C:\Program Files\MapWindow
2008-09-01 12:34 --------- d-----w C:\Program Files\Google
2008-09-01 12:34 --------- d-----w C:\Program Files\Dell
2008-09-01 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-01 12:28 --------- d-----w C:\Program Files\Dell Network Assistant
2008-08-31 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-31 15:20 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-15 11:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-14 00:40 --------- d-----w C:\Documents and Settings\A G\Application Data\MapWindow
2008-08-13 02:23 --------- d-----w C:\Documents and Settings\A G\Application Data\RETScreen
2008-08-13 02:22 --------- d-----w C:\Program Files\RETScreen
2008-08-13 01:53 --------- d-----w C:\Program Files\NREL
2008-08-13 00:44 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-08-10 17:57 --------- d-----w C:\Documents and Settings\A G\Application Data\vlc
2008-08-10 17:56 --------- d-----w C:\Program Files\VideoLAN
2008-08-10 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-10 02:30 --------- d-----w C:\Program Files\Java
2008-08-09 02:46 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-08 22:31 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-08 22:24 --------- d-----w C:\Documents and Settings\A G\Application Data\Corel Photo Album
2008-08-07 16:30 --------- d-----w C:\Program Files\EPANET2
2008-08-07 16:06 --------- d-----w C:\Program Files\MSBuild
2008-08-07 16:05 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-07 15:51 --------- d-----w C:\Documents and Settings\A G\Application Data\Autodesk
2008-08-07 15:29 --------- d-----w C:\Documents and Settings\A G\Application Data\AdobeUM
2008-08-07 15:01 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-07 14:20 128 ----a-w C:\Documents and Settings\A G\Application Data\wklnhst.dat
2008-08-07 14:15 --------- d-----w C:\Documents and Settings\A G\Application Data\Template
2008-08-07 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-08-07 02:03 --------- d-----w C:\Documents and Settings\A G\Application Data\McAfee.com Personal Firewall
2008-08-07 01:06 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-08-07 00:50 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-08-07 00:50 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-07 00:41 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-08-07 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-29 19:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-29 19:20 24,774 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-24 17:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 09:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
.

((((((((((((((((((((((((((((( snapshot_2008-09-18_20.58.02.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-18 19:32:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-21 13:35:11 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-18 19:32:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 13:35:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-18 19:32:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-21 13:35:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-18 19:37:27 65,046 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-21 13:39:13 65,046 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-18 19:37:28 406,854 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-21 13:39:13 406,854 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-21 13:35:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-10 497240]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-01 98304]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-11-01 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-01 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\A G\Application Data\Mozilla\Firefox\Profiles\t32juwo2.default\
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 03:44:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\A~1\LOCALS~1\Temp\RGI115.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-09-22 3:45:54
ComboFix-quarantined-files.txt 2008-09-22 02:45:50
ComboFix2.txt 2008-09-18 20:00:14
ComboFix3.txt 2008-09-15 02:50:32

Pre-Run: 53,848,862,720 bytes free
Post-Run: 53,836,414,976 bytes free

235 --- E O F --- 2008-09-15 11:06:21

4. Many thanks

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 22 September 2008 - 10:33 AM

Hi

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode:-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 parinari66

parinari66
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 22 September 2008 - 04:46 PM

Hi

Please find attached the SDFix Report.


SDFix: Version 1.228
Run by AG on 22/Sep/08 at 09:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 22:14:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:3f,35,04,47,ba,b3,a9,e4,b8,d2,89,60,63,b0,af,35,15,72,ca,96,e2,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:3f,35,04,47,ba,b3,a9,e4,b8,d2,89,60,63,b0,af,35,15,72,ca,96,e2,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:3a,8d,51,c8,86,d8,47,6c,cf,42,9b,56,55,b9,ed,a6,10,e9,03,d5,0d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:3f,35,04,47,ba,b3,a9,e4,b8,d2,89,60,63,b0,af,35,15,72,ca,96,e2,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe:*:Enabled:Kaspersky Internet Security 2009 Setup"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 8 Aug 2008 88 ..SHR --- "C:\WINDOWS\system32\D7A1CD746C.sys"
Fri 8 Aug 2008 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Fri 15 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 23 Nov 2003 51,200 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\RTTP Study\~WRL0621.tmp"
Tue 18 Nov 2003 28,672 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\RTTP Study\~WRL0694.tmp"
Mon 17 Nov 2003 22,016 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\RTTP Study\~WRL1629.tmp"
Sun 16 Nov 2003 36,352 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\RTTP Study\~WRL1878.tmp"
Fri 14 Nov 2003 45,056 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\RTTP Study\~WRL3280.tmp"
Tue 1 Jul 2003 31,744 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\Work In Progress\~WRL0005.tmp"
Mon 28 Feb 2000 645,120 A..H. --- "C:\Documents and Settings\A G\My Documents\My Documents\Old Usb documents\Executive\Endeavours\~WRL3673.tmp"
Mon 10 Jan 2000 278,528 A..H. --- "C:\Documents and Settings\A Gi\My Documents\My Documents\Old Usb documents\Executive\MBA\~WRL2814.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!


I hope it is all clean now. I would appreciate learning the next step. Many thanks.

Pari
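An added example, not code from this thread or from SDFix: it parses the "Files with Hidden Attributes" section of an SDFix report (the line format shown above) into structured records and applies a simple triage rule so a helper can see which entries deserve a manual look before a report is called clean. The triage rule and the shortened sample paths are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# One entry of the SDFix "Files with Hidden Attributes :" section, e.g.
#   Fri 8 Aug 2008 88 ..SHR --- "C:\WINDOWS\system32\D7A1CD746C.sys"
# Attribute column: A archive, S system, H hidden, R read-only, dot = not set.
LINE_RE = re.compile(
    r'^[A-Z][a-z]{2} (?P<date>\d{1,2} [A-Z][a-z]{2} \d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attr>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$'
)

@dataclass
class HiddenFile:
    modified: datetime
    size: int
    attrs: str
    path: str

    @property
    def system_hidden(self) -> bool:
        return 'S' in self.attrs and 'H' in self.attrs

def parse_hidden_files(section: str) -> List[HiddenFile]:
    """Parse every well-formed line of the section and skip anything else."""
    out = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(HiddenFile(datetime.strptime(m['date'], '%d %b %Y'),
                                  int(m['size'].replace(',', '')),
                                  m['attr'], m['path']))
    return out

def needs_review(f: HiddenFile, windir: str = r'C:\WINDOWS') -> bool:
    """Triage rule (an assumption of this example, not SDFix logic): flag a
    system+hidden .sys/.exe/.dll under the Windows directory for a manual look."""
    under_windir = f.path.lower().startswith(windir.lower() + '\\')
    binary = f.path.lower().endswith(('.sys', '.exe', '.dll'))
    return under_windir and binary and f.system_hidden

# Constructed sample: three lines modelled on the SDFix report above.
SAMPLE = r'''
Fri 8 Aug 2008 88 ..SHR --- "C:\WINDOWS\system32\D7A1CD746C.sys"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Sun 23 Nov 2003 51,200 A..H. --- "C:\Documents and Settings\A G\My Documents\~WRL0621.tmp"
'''

def review_list(section: str = SAMPLE) -> List[str]:
    return [f.path for f in parse_hidden_files(section) if needs_review(f)]
```

Office autosave files (~WRL*.tmp) and vendor installers under Program Files fall through the rule; a system+hidden driver in system32 is listed for a signer or hash check.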

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 23 September 2008 - 01:16 PM

HI

Yes ... the SDFix Report is clean :thumbsup:

You can delete the SDFix.exe from your desktop & the C:\SDFix folder

You can delete MBAM as well if you want to, but it is not running or using any resources unless you run a scan, so you may want to keep it & occasionally update it & run a scan ... it's up to you.

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

THEN ...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

how's the computer running now ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#11 parinari66

parinari66
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 27 September 2008 - 09:37 PM

Hi Steam

The machine is running well. I have not had any problem after the clean up. There was only one small glitch when it failed to complete the start up process. It happened once before the clean up. I simply restarted it again and it responded. At the moment it is running well. Many thanks for all the help.

Pari

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 28 September 2008 - 01:40 PM

HI

Glad to hear the computer's running OK now :thumbsup:

From what you say about the occasional failure to boot, that sounds like a possible hardware issue, power supply, RAM, bad sectors on the hard-drive, it's hard to say, it could be none of these ... if it starts happening more frequently, then we can troubleshoot it for you, but when it's only occasionally, it's almost impossible to troubleshoot, but it's not malware related, so you will need to post in a hardware forum about it :)

Before you leave the site ...

Please Have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
