
Infected Vundo, Virtumonde


  • This topic is locked
13 replies to this topic

#1 UCIA

UCIA

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 31 December 2008 - 10:47 PM

Happy new year! Thanks in advance for any advice / solutions. My computer has been infected with Vundo. I have tried deleting it with several tools: McAfee, CounterSpy, SUPERAntiSpyware (free), Malwarebytes (free), VundoFix (nothing found), Windows Live Care (free), Windows Malicious Software Removal Tool, Windows Defender, ATF Cleaner. Various tools find different files, registry entries, etc. and indicate deleted/quarantined, but Vundo keeps coming back.

System:
Windows XP service pack 3
Last Windows Update in December
McAfee Security Center
Counterspy

Problems encountered - Vundo keeps coming back on reboot, unwanted pop-ups for spyware ads, and Windows Updates disabled. I get error 0xddd0018 / 1058 that the Windows Update services can't run. I've tried to start the update services based on articles from the Microsoft Knowledge Base, but the update service is disabled every time I reboot.

I posted my HijackThis log below. Also, here are a few examples of what Malwarebytes and SUPERAntiSpyware have quarantined:


Malwarebytes log
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

SUPERAntiSpyware
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid




HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:06 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ehome\ehtray.exe
I:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
I:\WINDOWS\stsystra.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
I:\Program Files\McAfee.com\Agent\mcagent.exe
I:\Program Files\Windows Defender\MSASCui.exe
I:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
I:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
I:\Program Files\Logitech\SetPoint\SetPoint.exe
I:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
I:\Program Files\McAfee\MSK\MskSrver.exe
I:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
I:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\dllhost.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Microsoft Office\Office10\WINWORD.EXE
I:\Program Files\Microsoft Works\WkDStore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: {208ec048-f4d9-125a-5f34-6d254208b4cf} - {fc4b8024-52d6-43f5-a521-9d4f840ce802} - I:\WINDOWS\system32\cqrmii.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] I:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "I:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] I:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [mcagent_exe] I:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Windows Defender] "I:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "I:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AcronisTimounterMonitor] I:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iRiver Updater] I:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [SBAMTray] I:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [pabonatame] Rundll32.exe "I:\WINDOWS\system32\kiyajeru.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pabonatame] Rundll32.exe "I:\WINDOWS\system32\kiyajeru.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228963873828
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter hijack: text/html - {88779200-0195-4704-88c6-015929cf6d66} - (no file)
O20 - AppInit_DLLs: cqrmii.dll
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrssqR - awtrssqR.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - I:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - I:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - I:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - I:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - I:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

--
End of file - 9029 bytes

thanks
UCIA

Edited by UCIA, 31 December 2008 - 11:13 PM.
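Added example, not part of the thread: a small Python triage script that reads lines in the HijackThis format posted above and flags the loading points the scanners in this thread ended up dealing with (a BHO named only by a CLSID, a populated AppInit_DLLs, rundll32 Run keys in the service-account hives, an orphaned Winlogon Notify package and a MIME filter with no file), then cross-references which DLL names sit in more than one loading point. The sample lines are constructed from the posted log; the rule names, severities and helper functions are this example's own, not HijackThis or Malwarebytes output.

```python
import re

# Constructed sample in HijackThis v2 line format. The paths, CLSIDs and DLL
# names are copied from the log posted in this thread; the script only reads
# text and never touches the registry or the files it names.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: {208ec048-f4d9-125a-5f34-6d254208b4cf} - {fc4b8024-52d6-43f5-a521-9d4f840ce802} - I:\WINDOWS\system32\cqrmii.dll
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKUS\S-1-5-19\..\Run: [pabonatame] Rundll32.exe "I:\WINDOWS\system32\kiyajeru.dll",s (User 'LOCAL SERVICE')
O18 - Filter hijack: text/html - {88779200-0195-4704-88c6-015929cf6d66} - (no file)
O20 - AppInit_DLLs: cqrmii.dll
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrssqR - awtrssqR.dll (file missing)
""".strip()

SECTION_RE = re.compile(r"^([OR]\d+) - (.*)$")
CLSID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
DLL_RE = re.compile(r"([A-Za-z0-9_!~.-]+\.dll)", re.I)


def triage_line(line):
    """Return (severity, reason) for a suspicious HijackThis line, else None.

    Each rule targets a loading point that the Vundo-style adware in the posted
    log abused; a hit is a lead for review, not proof of infection.
    """
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O2":
        # "O2 - BHO: <name> - {CLSID} - <dll>". A BHO whose display name is
        # itself a CLSID has no product behind it; real BHOs register a name.
        parts = [p.strip() for p in body[len("BHO:"):].split(" - ")]
        if len(parts) >= 3 and CLSID_RE.match(parts[0]):
            return ("high", "BHO with no readable name loads " + parts[-1])

    elif section == "O4":
        # Run keys in the LOCAL SERVICE / NETWORK SERVICE hives (S-1-5-19/20)
        # that launch a DLL through rundll32 are not how installed software starts.
        if "HKUS\\S-1-5-" in body and "rundll32" in body.lower():
            return ("high", "service-account Run key loads a DLL via rundll32")

    elif section == "O18":
        # A MIME filter whose DLL is gone is a leftover of an earlier hijack.
        if body.startswith("Filter hijack") and "(no file)" in body:
            return ("medium", "MIME filter registered but its DLL is missing")

    elif section == "O20":
        # AppInit_DLLs injects the listed DLL into every process that loads
        # user32.dll; it is empty on a clean XP machine.
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return ("high", "AppInit_DLLs is set: " + body.split(":", 1)[1].strip())
        # A Winlogon Notify package with no file behind it is orphaned
        # persistence whose registry entry still needs cleaning up.
        if body.startswith("Winlogon Notify:") and "(file missing)" in body:
            return ("medium", "Winlogon Notify package whose DLL is missing")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(severity, line, reason), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


def shared_loading_points(text):
    """Map DLL basename -> set of sections referencing it, keeping only DLLs
    wired into more than one loading point (e.g. a BHO and AppInit_DLLs),
    which is the injector pattern the posted log shows for cqrmii.dll."""
    points = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        for dll in DLL_RE.findall(line):
            points.setdefault(dll.lower(), set()).add(m.group(1))
    return {dll: secs for dll, secs in points.items() if len(secs) > 1}


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    for dll, secs in shared_loading_points(SAMPLE_LOG).items():
        print(f"[xref  ] {dll} referenced from {sorted(secs)}")
```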




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:08 AM

Posted 05 January 2009 - 03:22 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 05 January 2009 - 09:40 PM

Hi Fenzodahl512,

Thank you for your time. Here are the ComboFix and HijackThis logs. I did turn off Windows Restore yesterday and it seemed to help with the instances of the Vundo virus. Malwarebytes picked up another Trojan.BHO.



ComboFix 09-01-05.03 - Russ 2009-01-05 18:14:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.525 [GMT -8:00]
Running from: i:\documents and settings\Russ\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
i:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
i:\program files\Common\helper.sig
i:\windows\system32\ubejiged.ini

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-04 17:51 . 2009-01-04 17:51 <DIR> d-------- i:\documents and settings\All Users\Application Data\Sunbelt
2009-01-04 16:57 . 2009-01-04 17:00 <DIR> d-a------ i:\documents and settings\All Users\Application Data\TEMP
2009-01-04 16:56 . 2009-01-04 16:57 <DIR> d-------- i:\program files\SpywareBlaster
2009-01-04 12:05 . 2009-01-04 12:05 <DIR> d-------- i:\program files\Lavasoft
2009-01-03 01:08 . 2009-01-03 01:08 95 --a------ i:\windows\wininit.ini
2009-01-03 00:22 . 2009-01-03 00:24 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2009-01-03 00:22 . 2009-01-04 14:01 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 18:24 . 2008-12-31 18:24 <DIR> d-------- i:\program files\Trend Micro
2008-12-31 17:19 . 2008-12-31 17:19 <DIR> d-------- I:\VundoFix Backups
2008-12-31 16:58 . 2008-12-31 16:58 <DIR> d-------- i:\documents and settings\Administrator
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\documents and settings\Russ\Application Data\Malwarebytes
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 00:23 . 2008-12-03 19:59 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 00:23 . 2008-12-03 19:59 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\program files\SUPERAntiSpyware
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\documents and settings\Russ\Application Data\SUPERAntiSpyware.com
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-29 23:19 . 2008-12-29 23:24 <DIR> d-------- i:\program files\Windows Live Safety Center
2008-12-23 20:49 . 2008-12-23 20:51 <DIR> d-------- i:\program files\Google
2008-12-23 20:49 . 2009-01-05 15:05 <DIR> d-------- i:\documents and settings\All Users\Application Data\Google Updater
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\program files\iTunes
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\program files\iPod
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 19:58 . 2008-12-13 19:59 <DIR> d-------- i:\program files\QuickTime
2008-12-13 16:11 . 2008-12-13 16:11 <DIR> d-------- i:\documents and settings\Russ\Application Data\Unity
2008-12-13 15:25 . 2008-12-13 15:25 <DIR> d-------- i:\program files\Unity
2008-12-10 07:40 . 2009-01-05 18:14 <DIR> d-------- i:\program files\Common
2008-12-07 23:02 . 2008-12-07 23:13 256 --a------ i:\documents and settings\Russ\pool.bin
2008-12-07 12:25 . 2008-12-07 12:25 <DIR> d-------- i:\documents and settings\Russ\Application Data\Snapfish
2008-12-06 07:20 . 2008-12-07 23:15 256 --a------ i:\windows\system32\pool.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 02:09 7,894 ----a-w i:\documents and settings\Russ\Application Data\wklnhst.dat
2009-01-05 02:37 --------- d-----w i:\documents and settings\LocalService\Application Data\SACore
2009-01-05 01:32 --------- d-----w i:\program files\MSECACHE
2009-01-04 20:05 --------- d-----w i:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 20:04 --------- d-----w i:\program files\Common Files\Wise Installation Wizard
2009-01-01 01:14 --------- d-----w i:\program files\Java
2008-12-24 16:12 --------- d-----w i:\program files\McAfee
2008-12-17 07:30 --------- d-----w i:\documents and settings\Russ\Application Data\Roxio
2008-12-14 04:02 --------- d-----w i:\program files\Common Files\Apple
2008-12-11 02:34 106 ----a-w i:\documents and settings\Russ\Application Data\netstat.bat
2008-12-10 03:33 --------- d-----w i:\program files\Common Files\Sonic Shared
2008-12-10 03:33 --------- d-----w i:\program files\Common Files\Roxio Shared
2008-12-10 03:33 --------- d-----w i:\documents and settings\All Users\Application Data\Roxio
2008-12-05 02:30 --------- d-----w i:\documents and settings\LocalService\Application Data\Roxio
2008-12-05 02:21 --------- d-----w i:\documents and settings\All Users\Application Data\Sonic
2008-12-03 05:43 --------- d-----w i:\program files\iDump
2008-11-29 02:23 --------- d-----w i:\program files\Games
2008-11-23 22:17 --------- d-----w i:\documents and settings\Russ\Application Data\ATI
2008-11-23 22:17 --------- d-----w i:\documents and settings\All Users\Application Data\ATI
2008-11-23 22:04 --------- d-----w i:\program files\ATI Technologies
2008-11-23 20:23 --------- d-----w i:\program files\Web Publish
2008-11-23 17:26 --------- d-----w i:\documents and settings\All Users\Application Data\Broderbund Software
2008-11-23 17:25 --------- d-----w i:\program files\The Print Shop 21
2008-11-23 17:23 --------- d-----w i:\program files\Common Files\Broderbund
2008-11-22 18:56 --------- d-----w i:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-22 16:27 --------- d-----w i:\program files\CCleaner
2008-11-17 22:59 62,400 ----a-w i:\documents and settings\Russ\Application Data\GDIPFONTCACHEV1.DAT
2008-11-17 17:36 --------- d-----w i:\program files\Dell
2008-11-17 04:39 --------- d-----w i:\documents and settings\Russ\Application Data\Microsoft Games
2008-11-17 04:39 --------- d-----w i:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-17 02:32 --------- d--h--w i:\program files\InstallShield Installation Information
2008-11-16 18:19 --------- d-----w i:\program files\WON
2008-11-16 18:19 --------- d-----w i:\program files\Sierra On-Line
2008-11-09 02:25 31,240 ----a-w i:\windows\Sysvxd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="i:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="i:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TrueImageMonitor.exe"="i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-11-30 1115317]
"Acronis Scheduler2 Service"="i:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-11-30 135168]
"IAAnotif"="i:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"mcagent_exe"="i:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ISUSPM Startup"="i:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="i:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AcronisTimounterMonitor"="i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-12-01 1852329]
"iRiver Updater"="i:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 i:\windows\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 i:\windows\KHALMNPR.Exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-18 528384]
Microsoft Office.lnk - i:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "i:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 i:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=i:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\Games\\Madeline\\Zoo2\\zt.exe"=
"i:\\Program Files\\Games\\Russ\\Battlefield 2\\BF2.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"i:\\WINDOWS\\ehome\\ehtray.exe"=

R1 SASDIFSV;SASDIFSV;i:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;i:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;i:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-16 206096]
R4 WinDefend;Windows Defender;i:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 SASENUM;SASENUM;i:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SBRE;SBRE;\??\i:\windows\system32\drivers\SBREdrv.sys --> i:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 i:\windows\Tasks\Google Software Updater.job
- i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 20:49]

2008-10-17 i:\windows\Tasks\McDefragTask.job
- i:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 i:\windows\Tasks\McQcTask.job
- i:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-06 i:\windows\Tasks\MP Scheduled Scan.job
- i:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-awtrssqR - awtrssqR.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm?startView=NEWS
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
Trusted Zone: windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 18:19:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
i:\program files\SUPERAntiSpyware\SASWINLO.dll
i:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(908)
i:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
i:\windows\system32\ati2evxx.exe
i:\windows\system32\ati2evxx.exe
i:\program files\Common Files\Acronis\Schedule2\schedul2.exe
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\windows\ehome\ehrecvr.exe
i:\windows\ehome\ehSched.exe
i:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
i:\progra~1\McAfee\MSC\mcmscsvc.exe
i:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
i:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
i:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
i:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
i:\program files\McAfee\MSK\msksrver.exe
i:\windows\ehome\mcrdsvc.exe
i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
i:\program files\iPod\bin\iPodService.exe
i:\windows\system32\wscntfy.exe
i:\windows\system32\dllhost.exe
i:\windows\ehome\ehmsas.exe
i:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-01-05 18:21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 02:21:39

Pre-Run: 203,217,108,992 bytes free
Post-Run: 203,082,203,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

227 --- E O F --- 2009-01-05 23:07:19



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:07 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\ehome\ehtray.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
I:\WINDOWS\eHome\ehSched.exe
I:\WINDOWS\stsystra.exe
I:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
I:\Program Files\McAfee.com\Agent\mcagent.exe
I:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
I:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
I:\Program Files\Logitech\SetPoint\SetPoint.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
I:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
I:\Program Files\McAfee\MSK\MskSrver.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
i:\PROGRA~1\mcafee\msc\mcuimgr.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
I:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] I:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "I:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] I:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [mcagent_exe] I:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSPM Startup] "I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "I:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AcronisTimounterMonitor] I:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iRiver Updater] I:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "I:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228963873828
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - I:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - I:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - I:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - I:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 8054 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:08 AM

Posted 06 January 2009 - 01:11 AM

Turn on your System Restore now please.. Don't turn off your System Restore..


Please show hidden files and folders

Find and manually delete this file

i:\windows\Sysvxd.exe


Then, let's do an online scan..

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


After that run ComboFix again.. Post these logs in your next reply..


1. ESET Online report
2. ComboFix
3. Tell me, how is the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 06 January 2009 - 03:08 AM

I turned on System Restore. Deleted Sysvxd.exe. Ran ESET scanner - nothing found. Ran ComboFix - nothing found. Logs attached.

After this I ran Quick Scans in Malwarebytes and SUPERAntiSpyware, but did NOT do any fix/clean. Malwarebytes found Trojan.BHO and SUPERAntiSpyware found 3 items of unclassified and unknown origin. Both referred to the same key. I attached both logs. Nothing about Vundo, which would seem to be positive. Haven't had any popup ads in the last hour.


ESET log
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3741 (20090105)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=16d96eb13369e64a93ba0b64a141b78b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-06 07:27:50
# local_time=2009-01-05 11:27:50 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=531177
# found=0
# scan_time=2554


Combofix log
ComboFix 09-01-05.03 - Russ 2009-01-05 23:31:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.498 [GMT -8:00]
Running from: i:\documents and settings\Russ\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-05 22:39 . 2009-01-05 23:28 <DIR> d-------- i:\program files\EsetOnlineScanner
2009-01-04 17:51 . 2009-01-04 17:51 <DIR> d-------- i:\documents and settings\All Users\Application Data\Sunbelt
2009-01-04 16:57 . 2009-01-04 17:00 <DIR> d-a------ i:\documents and settings\All Users\Application Data\TEMP
2009-01-04 16:56 . 2009-01-04 16:57 <DIR> d-------- i:\program files\SpywareBlaster
2009-01-04 12:05 . 2009-01-04 12:05 <DIR> d-------- i:\program files\Lavasoft
2009-01-03 01:08 . 2009-01-03 01:08 95 --a------ i:\windows\wininit.ini
2009-01-03 00:22 . 2009-01-03 00:24 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2009-01-03 00:22 . 2009-01-04 14:01 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 18:24 . 2008-12-31 18:24 <DIR> d-------- i:\program files\Trend Micro
2008-12-31 17:19 . 2008-12-31 17:19 <DIR> d-------- I:\VundoFix Backups
2008-12-31 16:58 . 2008-12-31 16:58 <DIR> d-------- i:\documents and settings\Administrator
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\documents and settings\Russ\Application Data\Malwarebytes
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 00:23 . 2008-12-03 19:59 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 00:23 . 2008-12-03 19:59 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\program files\SUPERAntiSpyware
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\documents and settings\Russ\Application Data\SUPERAntiSpyware.com
2008-12-31 00:20 . 2008-12-31 00:20 <DIR> d-------- i:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-29 23:19 . 2008-12-29 23:24 <DIR> d-------- i:\program files\Windows Live Safety Center
2008-12-23 20:49 . 2008-12-23 20:51 <DIR> d-------- i:\program files\Google
2008-12-23 20:49 . 2009-01-05 15:05 <DIR> d-------- i:\documents and settings\All Users\Application Data\Google Updater
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\program files\iTunes
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\program files\iPod
2008-12-13 20:02 . 2008-12-13 20:02 <DIR> d-------- i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 19:58 . 2008-12-13 19:59 <DIR> d-------- i:\program files\QuickTime
2008-12-13 16:11 . 2008-12-13 16:11 <DIR> d-------- i:\documents and settings\Russ\Application Data\Unity
2008-12-13 15:25 . 2008-12-13 15:25 <DIR> d-------- i:\program files\Unity
2008-12-10 07:40 . 2009-01-05 18:14 <DIR> d-------- i:\program files\Common
2008-12-07 23:02 . 2008-12-07 23:13 256 --a------ i:\documents and settings\Russ\pool.bin
2008-12-07 12:25 . 2008-12-07 12:25 <DIR> d-------- i:\documents and settings\Russ\Application Data\Snapfish
2008-12-06 07:20 . 2008-12-07 23:15 256 --a------ i:\windows\system32\pool.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 02:28 --------- d-----w i:\documents and settings\LocalService\Application Data\SACore
2009-01-06 02:09 7,894 ----a-w i:\documents and settings\Russ\Application Data\wklnhst.dat
2009-01-05 01:32 --------- d-----w i:\program files\MSECACHE
2009-01-04 20:05 --------- d-----w i:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 20:04 --------- d-----w i:\program files\Common Files\Wise Installation Wizard
2009-01-01 01:14 --------- d-----w i:\program files\Java
2008-12-24 16:12 --------- d-----w i:\program files\McAfee
2008-12-17 07:30 --------- d-----w i:\documents and settings\Russ\Application Data\Roxio
2008-12-14 04:02 --------- d-----w i:\program files\Common Files\Apple
2008-12-11 02:34 106 ----a-w i:\documents and settings\Russ\Application Data\netstat.bat
2008-12-10 03:33 --------- d-----w i:\program files\Common Files\Sonic Shared
2008-12-10 03:33 --------- d-----w i:\program files\Common Files\Roxio Shared
2008-12-10 03:33 --------- d-----w i:\documents and settings\All Users\Application Data\Roxio
2008-12-05 02:30 --------- d-----w i:\documents and settings\LocalService\Application Data\Roxio
2008-12-05 02:21 --------- d-----w i:\documents and settings\All Users\Application Data\Sonic
2008-12-03 05:43 --------- d-----w i:\program files\iDump
2008-11-29 02:23 --------- d-----w i:\program files\Games
2008-11-23 22:17 --------- d-----w i:\documents and settings\Russ\Application Data\ATI
2008-11-23 22:17 --------- d-----w i:\documents and settings\All Users\Application Data\ATI
2008-11-23 22:04 --------- d-----w i:\program files\ATI Technologies
2008-11-23 20:23 --------- d-----w i:\program files\Web Publish
2008-11-23 17:26 --------- d-----w i:\documents and settings\All Users\Application Data\Broderbund Software
2008-11-23 17:25 --------- d-----w i:\program files\The Print Shop 21
2008-11-23 17:23 --------- d-----w i:\program files\Common Files\Broderbund
2008-11-22 18:56 --------- d-----w i:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-22 16:27 --------- d-----w i:\program files\CCleaner
2008-11-17 22:59 62,400 ----a-w i:\documents and settings\Russ\Application Data\GDIPFONTCACHEV1.DAT
2008-11-17 17:36 --------- d-----w i:\program files\Dell
2008-11-17 04:39 --------- d-----w i:\documents and settings\Russ\Application Data\Microsoft Games
2008-11-17 04:39 --------- d-----w i:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-17 02:32 --------- d--h--w i:\program files\InstallShield Installation Information
2008-11-16 18:19 --------- d-----w i:\program files\WON
2008-11-16 18:19 --------- d-----w i:\program files\Sierra On-Line
.

((((((((((((((((((((((((((((( snapshot@2009-01-05_18.21.18.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-05 23:10:38 32,768 ----a-w i:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-06 03:30:37 32,768 ----a-w i:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-05 23:10:38 32,768 ----a-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-06 03:30:37 32,768 ----a-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-27 23:49:02 196,683 ----a-w i:\windows\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w i:\windows\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w i:\windows\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w i:\windows\system32\lnod32upd.dll
+ 2007-08-03 02:11:28 253,952 ----a-w i:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w i:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 21:17:40 19,456 ----a-w i:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w i:\windows\system32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="i:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="i:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TrueImageMonitor.exe"="i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-11-30 1115317]
"Acronis Scheduler2 Service"="i:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-11-30 135168]
"IAAnotif"="i:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"mcagent_exe"="i:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ISUSPM Startup"="i:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="i:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AcronisTimounterMonitor"="i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-12-01 1852329]
"iRiver Updater"="i:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 i:\windows\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 i:\windows\KHALMNPR.Exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-18 528384]
Microsoft Office.lnk - i:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "i:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 i:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=i:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\Games\\Madeline\\Zoo2\\zt.exe"=
"i:\\Program Files\\Games\\Russ\\Battlefield 2\\BF2.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"i:\\WINDOWS\\ehome\\ehtray.exe"=

R1 SASDIFSV;SASDIFSV;i:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;i:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;i:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-16 206096]
R4 WinDefend;Windows Defender;i:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 SASENUM;SASENUM;i:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SBRE;SBRE;\??\i:\windows\system32\drivers\SBREdrv.sys --> i:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 i:\windows\Tasks\Google Software Updater.job
- i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 20:49]

2008-10-17 i:\windows\Tasks\McDefragTask.job
- i:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 i:\windows\Tasks\McQcTask.job
- i:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-06 i:\windows\Tasks\MP Scheduled Scan.job
- i:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm?startView=NEWS
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
Trusted Zone: windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 23:35:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
i:\program files\SUPERAntiSpyware\SASWINLO.dll
i:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(900)
i:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
i:\windows\system32\ati2evxx.exe
i:\windows\system32\ati2evxx.exe
i:\program files\Lavasoft\Ad-Aware\aawservice.exe
i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
i:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
i:\program files\Common Files\Acronis\Schedule2\schedul2.exe
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\windows\ehome\ehrecvr.exe
i:\windows\ehome\ehSched.exe
i:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
i:\progra~1\McAfee\MSC\mcmscsvc.exe
i:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
i:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
i:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
i:\program files\McAfee\MSK\msksrver.exe
i:\windows\ehome\mcrdsvc.exe
i:\program files\iPod\bin\iPodService.exe
i:\windows\system32\wscntfy.exe
i:\windows\system32\dllhost.exe
i:\windows\ehome\ehmsas.exe
i:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-01-05 23:37:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 07:36:57
ComboFix2.txt 2009-01-06 02:21:44

Pre-Run: 203,081,592,832 bytes free
Post-Run: 203,030,302,720 bytes free

221 --- E O F --- 2009-01-05 23:07:19

****malwarebytes log*******************************************
Malwarebytes' Anti-Malware 1.31
Database version: 1581
Windows 5.1.2600 Service Pack 3

1/5/2009 11:42:42 PM
mbam-log.txt

Scan type: Quick Scan
Objects scanned: 54116
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

****SuperAntiSpyware log*************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2009 at 11:50 PM

Application Version : 4.24.1004

Core Rules Database Version : 3696
Trace Rules Database Version: 1672

Scan type : Quick Scan
Total Scan Time : 00:06:58

Memory items scanned : 573
Memory threats detected : 0
Registry items scanned : 442
Registry threats detected : 3
File items scanned : 6351
File threats detected : 31

Adware.Tracking Cookie
I:\Documents and Settings\Russ\Cookies\russ@collective-media[1].txt
I:\Documents and Settings\Russ\Cookies\russ@ads.bleepingcomputer[2].txt
I:\Documents and Settings\Russ\Cookies\russ@media.mtvnservices[1].txt
I:\Documents and Settings\Russ\Cookies\russ@2o7[2].txt
I:\Documents and Settings\Russ\Cookies\russ@revsci[1].txt
I:\Documents and Settings\Russ\Cookies\russ@videoegg.adbureau[2].txt
I:\Documents and Settings\Russ\Cookies\russ@statse.webtrendslive[1].txt
I:\Documents and Settings\Russ\Cookies\russ@fastclick[2].txt
I:\Documents and Settings\Russ\Cookies\russ@ads.pointroll[1].txt
I:\Documents and Settings\Russ\Cookies\russ@mediaplex[2].txt
I:\Documents and Settings\Russ\Cookies\russ@insightexpressai[2].txt
I:\Documents and Settings\Russ\Cookies\russ@realmedia[1].txt
I:\Documents and Settings\Russ\Cookies\russ@tribalfusion[2].txt
I:\Documents and Settings\Russ\Cookies\russ@viacom.adbureau[2].txt
I:\Documents and Settings\Russ\Cookies\russ@atdmt[2].txt
I:\Documents and Settings\Russ\Cookies\russ@ad.yieldmanager[1].txt
I:\Documents and Settings\Russ\Cookies\russ@questionmarket[2].txt
I:\Documents and Settings\Russ\Cookies\russ@247realmedia[1].txt
I:\Documents and Settings\Russ\Cookies\russ@doubleclick[1].txt
I:\Documents and Settings\Russ\Cookies\russ@advertising[1].txt
I:\Documents and Settings\Russ\Cookies\russ@apmebf[2].txt
I:\Documents and Settings\Russ\Cookies\russ@burstnet[2].txt
I:\Documents and Settings\Russ\Cookies\russ@adbrite[1].txt
I:\Documents and Settings\Russ\Cookies\russ@socialmedia[2].txt
I:\Documents and Settings\Russ\Cookies\russ@www.burstnet[1].txt
I:\Documents and Settings\Russ\Cookies\russ@zedo[1].txt
I:\Documents and Settings\Russ\Cookies\russ@bluestreak[2].txt
I:\Documents and Settings\Russ\Cookies\russ@imrworldwide[2].txt
I:\Documents and Settings\Russ\Cookies\russ@ehg-myspaceinc.hitbox[2].txt
I:\Documents and Settings\Russ\Cookies\russ@hitbox[2].txt
I:\Documents and Settings\Russ\Cookies\russ@media6degrees[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
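
As an added example (not a tool used in this thread and not the helper's code), here is a small Python triage of the HijackThis and Malwarebytes output posted above. The sample lines are excerpts of the logs in this topic; the only assumption is the set of checks applied. It pulls out entries that merit a second look: O4 autoruns given as a bare filename (Windows resolves those through the search path at logon, so a planted copy earlier in the path would run instead), O23 services with an unknown owner or a missing file, and whether the CLSID Malwarebytes labelled Trojan.BHO is actually wired in as a browser helper object, which the O2 list above does not show.

```python
import re

# Excerpt of the HijackThis log posted earlier in this topic (O2, O4, O23 lines).
HJT_SAMPLE = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - I:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# CLSID reported as Trojan.BHO by Malwarebytes in the logs above.
MBAM_CLSID = "{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def parse_hjt(text):
    """Group O2 (BHO), O4 (autorun) and O23 (service) lines by kind."""
    out = {"bho": [], "run": [], "service": []}
    for line in text.splitlines():
        for kind, rx in (("bho", O2_RE), ("run", O4_RE), ("service", O23_RE)):
            m = rx.match(line.strip())
            if m:
                out[kind].append(m.groupdict())
                break
    return out


def first_token(cmd):
    """Executable part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(parsed):
    """Entries worth a second look, as (check, entry name, detail) tuples."""
    findings = []
    for e in parsed["run"]:
        exe = first_token(e["cmd"])
        # No drive letter or directory: the loader resolves it through the
        # search path at logon, so confirm which copy actually runs.
        if "\\" not in exe and ":" not in exe:
            findings.append(("run-no-path", e["name"], exe))
    for s in parsed["service"]:
        if s["vendor"].lower() == "unknown owner":
            findings.append(("service-unknown-owner", s["name"], s["path"]))
        if s["path"].endswith("(file missing)"):
            findings.append(("service-file-missing", s["name"], s["path"]))
    return findings


def bho_registered(parsed, clsid):
    """True when the CLSID is listed by HijackThis as a loaded BHO (O2)."""
    return any(b["clsid"].lower() == clsid.lower() for b in parsed["bho"])


if __name__ == "__main__":
    hjt = parse_hjt(HJT_SAMPLE)
    for finding in triage(hjt):
        print(*finding)
    print("MBAM CLSID listed as a BHO:", bho_registered(hjt, MBAM_CLSID))
```

To run it over a full HijackThis log, replace HJT_SAMPLE with the file contents. The two bare-filename hits here (stsystra.exe and KHALMNPR.EXE) resolve to files under i:\windows in the ComboFix "Reg Loading Points" listing above, so they are benign on this machine; the point of the check is to make you confirm that rather than assume it. The flagged CLSID not appearing among the O2 entries tells you the class is registered but not listed as a browser helper object, which fits the absence of pop-ups the poster reports.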

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:08 AM

Posted 06 January 2009 - 05:40 AM

Well, first of all, your logs look very nice to me..

Secondly, why don't you remove what Malwarebytes' and SUPERAntiSpyware found?.. :) :thumbsup: Just remove them....


Lets do some clean-up...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#7 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 06 January 2009 - 10:21 AM

Hello, thanks for the quick replies. I should have been clearer about why I didn't delete those items from my previous post....I didn't want to change anything without your review. Also, this Trojan.BHO keeps coming back even after I clean with SUPERAntiSpyware and Malwarebytes.
They say they quarantine it and then tell me to reboot. I rebooted, then scanned again and they are back.

Here are the two logs again after cleaning and rebooting using SuperAntiSpyware and Malwarebytes. The same entries show up again.

As far as my computer it doesn't appear to be running slow and no popups.

Is the Trojan.BHO anything to worry about?

thanks

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 07:09 AM

Application Version : 4.24.1004

Core Rules Database Version : 3696
Trace Rules Database Version: 1672

Scan type : Quick Scan
Total Scan Time : 00:01:01

Memory items scanned : 576
Memory threats detected : 0
Registry items scanned : 443
Registry threats detected : 3
File items scanned : 0
File threats detected : 0

Unclassified.Unknown Origin
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel



Malwarebytes' Anti-Malware 1.31
Database version: 1581
Windows 5.1.2600 Service Pack 3

1/6/2009 6:55:22 AM
mbam-log-2009-01-06 (06-55-22).txt

Scan type: Quick Scan
Objects scanned: 15428
Time elapsed: 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:08 AM

Posted 06 January 2009 - 11:11 AM

Uninstall Spybot S&D and then scan again with Malwarebytes'.. Reboot your PC and do another scan.. Does the same entry appear in the second Malwarebytes' scan? :thumbsup:



#9 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 07 January 2009 - 10:37 PM

Hi - I uninstalled Spybot, ran Malwarebytes to remove trojan.bho, rebooted, scanned again and the entry is still there. Here is the log file:

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 3

1/7/2009 7:35:55 PM
mbam-log-2009-01-07 (19-35-55).txt

Scan type: Quick Scan
Objects scanned: 55130
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:08 AM

Posted 08 January 2009 - 02:09 AM

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE

NEXT

Please download and unzip Icesword to its own folder.

Open the Icesword folder, locate Icesword.exe and double click it to run the program

Click the Registry tab in the bottom right corner of the Icesword window.

Navigate to HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}

Right click on {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} and choose Delete

Click Yes to confirm the deletion, then close Icesword by clicking the red X

Reboot your computer and tell me more about it :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
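
The same back-up-then-delete step as the IceSword instructions above, scripted for an elevated PowerShell prompt as an added example that is not part of the thread or the helper's advice. The CLSID is the one from the Malwarebytes log; the Browser Helper Objects registration path and the backup folder under C:\WINDOWS\ERDNT are my assumptions.

```powershell
# Added example, not from the thread: export, then remove, the Trojan.BHO CLSID key that
# Malwarebytes could only mark "Delete on reboot". Run from an elevated PowerShell prompt.
$Clsid     = '{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}'          # CLSID from the MBAM log above
$ClsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
# Assumption: standard location where Internet Explorer registers Browser Helper Objects
$BhoKey    = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
$BackupDir = 'C:\WINDOWS\ERDNT\manual'                          # assumption: next to the ERUNT backups

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Record which DLL the BHO loads before touching anything; that file is what the
#    scanners should be pointed at if the key keeps reappearing after reboot.
if (Test-Path $ClsidKey) {
    $dll = (Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "BHO $Clsid loads: $dll"
}

# 2. Export each key to a .reg file so the change can be reverted (same idea as the ERUNT backup).
foreach ($key in @($ClsidKey, $BhoKey)) {
    if (-not (Test-Path $key)) { continue }
    $regPath = $key -replace '^Registry::', ''
    $file    = Join-Path $BackupDir (($regPath -replace '[\\{}:]', '_') + '.reg')
    reg.exe export "$regPath" "$file" /y | Out-Null
    Write-Host "Backed up $regPath to $file"
}

# 3. Remove the keys. A failure here normally means the DLL is still loaded or the key is
#    protected, which is exactly when an anti-rootkit tool such as the one used in this thread is needed.
foreach ($key in @($ClsidKey, $BhoKey)) {
    if (-not (Test-Path $key)) { continue }
    try {
        Remove-Item -Path $key -Recurse -Force -ErrorAction Stop
        Write-Host "Removed $key"
    } catch {
        Write-Warning "Could not remove $key : $($_.Exception.Message)"
    }
}

# 4. Re-run this block after a reboot: if either key has come back, the dropper is still active.
foreach ($key in @($ClsidKey, $BhoKey)) {
    if (Test-Path $key) { Write-Warning "$key still present" } else { Write-Host "$key absent" }
}
```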


#11 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 09 January 2009 - 01:52 AM

That took care of it!!!! Had a detection for bifrost.backdoor in Counterspy, but quarantined okay and it hasn't come back. Ran McAfee, Counterspy, Superantispyware, Defender, and Malwarebytes with no further detections.

Looks good, unless you have any other recommendations?


thanks
UCIA

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 09 January 2009 - 10:06 AM

Great!.. Just read the miekiemoes article that I gave to you earlier...


How is the computer now?.. Can we close this topic?:thumbsup:



#13 UCIA

UCIA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 09 January 2009 - 10:30 PM

Working good! Thank you for your patience, time, and expertise.

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 10 January 2009 - 04:07 PM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or a Moderator regarding the matter..

If you have any new malware related questions or issues in the future, please start a new topic.

Cheers and Happy Computing!

fenzodahl512
