
Browser hijack / Virtumonde / Trojan.Vundo / Random shutdown / Antivirus 2009



#1 VikingKnud


Posted 03 January 2009 - 05:24 AM

Hello

After a couple of days of trying to fix a virus infection, which I believe was started by accidentally accepting a download of Antivirus 2009 two days ago, I have made progress but need help. The original Antivirus 2009 has been removed but other viruses have been detected and remain active!
PC is as follows: Dell Dimension / Win XP sp3 / Wireless to HighSpeed Internet service (Comcast) / multiple users on this family computer

1. Internet Explorer (and Safari) is being hijacked, so while I can search with Google/Yahoo, problems start when clicking on any search result or download related to virus or malware: a "fake standard message" appears with the text "..link appears to be broken.."
The workaround currently is to use my MacBook for download of antivirus programs and then copy to Dell PC via USB drive and report/log-files the other way. :thumbsup:

2. There are system shutdowns every 1 hour or so: "This system is shutting down. Please save work... Initiated by DCOM server Process l...... Terminated". Often this is preceded by a message window: "Generic Host Process for Windows32 Server has encountered problems and need to close. Tell MS send/DontSend"

3. Spybot Search and Destroy (in Safe Mode) found 20 problems which were all fixed except 3: Virtumonde.Generic and Virtumonde + Microsoft.WindowsSecurityCenter_Disabled, all 3 of which reappear with a couple of entries after having been removed. :)

4. Malwarebytes Anti-Malware (in Safe Mode) found 46 problems, of which many seemed relatively benign. They were all removed but unfortunately a few remain/recreate themselves: Trojan.agent + Trojan.Vundo + Malware.trace. The last looks like it is something from Malware.....

5. I cleaned out all cookies and temp internet files and uninstalled several programs not currently in use. "System Restore" is turned off as it would include the virus.

6. A prior installation of "HijackThis" seems to have been "sabotaged" as there were no files left but title was still in the install/remove programs part of control panel. This has been downloaded via MacBook/USB again and is ready for use.

7. Ran the DDS utility as requested and output is included below.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/14/2006 9:39:44 PM
System Uptime: 1/3/2009 1:11:22 AM (0 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 125.334 GiB free.
D: is CDROM ()
E: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

23_24_2500Tour
2400
2400_2500Help
2400_2500trb
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player
Advertisement Service
AiO_Scan
AIOMinimal
AiOSoftware
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG Free 8.0
Belkin 11Mbps Wireless USB Network Adapter
Bonjour
CinepPlayer 30 Update
Copy
CounterSpy
Creative MediaSource
CreativeProjects
del.icio.us Buttons for Internet Explorer
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
Director
DocProc
Fax
Google Earth
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Image Zone 3.5
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.5
HP Software Update
hpmdtab
HPSystemDiagnostics
InstantShare
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Linksys Wireless-G USB Network Adapter
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyRegistryCleaner v2.1
Overland
PhotoGallery
PrintScreen
QFolder
QuickProjects
QuickTime
Readme
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SkinsHP1
SkinsHP2
Skype 3.0
Skype add-on for IE
Skype Plugin Manager
Sonic Activation Module
Sonic Advanced Decoder
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy
StumbleUpon IE Toolbar
Symantec KB-DocID:2003093015493306
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/30/2008 8:01:24 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The specified module could not be found.
12/30/2008 8:01:24 PM, error: Service Control Manager [7023] - The COM+ Event System service terminated with the following error: The specified module could not be found.
12/30/2008 9:02:06 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
12/31/2008 10:42:37 AM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
12/31/2008 11:32:36 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/31/2008 11:55:05 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
12/31/2008 11:55:05 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
12/31/2008 5:00:26 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
12/31/2008 5:28:22 PM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 2 time(s).
1/1/2009 11:12:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2009 11:15:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
1/1/2009 11:18:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/1/2009 11:26:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/2/2009 1:42:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 eeCtrl Fips intelppm

==== End Of File ===========================


DDS (Version 1.1.0) - NTFSx86 MINIMAL
Run by Knud at 1:13:56.96 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.801 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\Explorer.EXE
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/
uInternet Connection Wizard,ShellNext = iexplore
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {251c5179-62e9-3ceb-9014-b876f6ba79ec}: {ce97ab6f-678b-4109-bec3-9e269715c152} - c:\windows\system32\trcgeg.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search - ?p=ZC
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7}
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: skhthb.dll,avgrsstx.dll trcgeg.dll

============= SERVICES / DRIVERS ===============

R4 SBAMSvc;CounterSpy Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2008-10-28 886056]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-3 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-3 26824]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 SMCSMCWirelessUSB(SMC2662W)®;SMC SMCWirelessUSB(SMC2662W)® Service for SMC EZ Connect Wireless USB Adapter(SMC2662W);c:\windows\system32\drivers\Nets6251.sys [2003-1-17 93312]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-3 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-3 231704]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-3 76040]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-6 1251720]

=============== Created Last 30 ================

2009-01-03 00:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 00:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 00:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 23:32 <DIR> --d----- c:\docume~1\knud\applic~1\Sunbelt
2009-01-02 23:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-01-02 23:32 <DIR> --d----- c:\program files\Sunbelt Software
2009-01-02 19:19 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 19:18 <DIR> --dsh--- c:\windows\ftpcache
2009-01-02 14:30 <DIR> --d----- c:\docume~1\knud\applic~1\Malwarebytes
2009-01-02 14:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-31 14:45 32,512 a---h--- c:\windows\system32\mlfcache.dat
2008-12-31 09:30 50,176 a------- c:\windows\system32\jkkIXrSk.dll
2008-12-31 09:27 50,176 a------- c:\windows\system32\jkkJyaba.dll
2008-12-30 21:12 126,976 a------- c:\windows\system32\trcgeg.dll
2008-12-30 21:12 126,976 a------- c:\windows\system32\isfctwbr.dll
2008-12-30 21:03 50,176 a------- c:\windows\system32\rqRJCttT.dll
2008-12-22 10:34 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-28 16:28 65,320 a------- c:\windows\system32\sbbd.exe
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 05:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 23:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-14 23:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-09-03 15:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 1:15:00.15 ===============



I have researched on the internet for more ideas but am now at the end of my own abilities.

This forum seems like a good friend who is there when you need help.
Please advise how to remove these remaining problem viruses.


Thanks in advance.

Knud


#2 Thunder


Posted 05 January 2009 - 05:54 AM

Hello Knud and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 VikingKnud


Posted 07 January 2009 - 02:07 PM

Hi Thunder

Thanks for the instructions.
While waiting, I used HijackThis to identify and remove a suspect BHO: C:\windows\system32\trcgeg.dll listed above.
I also ran Anti-Malware with updated profiles cleaning up a few other suspect files. Finally I removed a few programs which were never used. Kindly let me know if you want an updated DDS.
These actions removed the "internet-redirect/hijack" :thumbsup: and I could therefore download Combofix directly from this PC.
I followed all the cleanup instructions. Here is the ComboFix log:

ComboFix 09-01-07.01 - Knud 2009-01-07 10:40:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.610 [GMT -8:00]
Running from: c:\documents and settings\Knud\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-05 16:40 . 2009-01-05 16:40 <DIR> d-------- c:\documents and settings\Danica\Application Data\Sunbelt
2009-01-05 13:12 . 2009-01-05 13:12 <DIR> d-------- c:\documents and settings\Lynda\Application Data\Malwarebytes
2009-01-04 20:12 . 2009-01-04 20:12 <DIR> d-------- c:\documents and settings\Lynda\Application Data\Sunbelt
2009-01-03 00:38 . 2009-01-05 13:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 00:38 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 00:38 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 23:32 . 2009-01-02 23:32 <DIR> d-------- c:\program files\Sunbelt Software
2009-01-02 23:32 . 2009-01-02 23:32 <DIR> d-------- c:\documents and settings\Knud\Application Data\Sunbelt
2009-01-02 23:32 . 2009-01-02 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2009-01-02 19:19 . 2009-01-02 19:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 19:18 . 2009-01-02 19:18 <DIR> d--hs---- c:\windows\ftpcache
2009-01-02 15:47 . 2009-01-02 15:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-02 14:30 . 2009-01-02 14:30 <DIR> d-------- c:\documents and settings\Knud\Application Data\Malwarebytes
2009-01-02 14:30 . 2009-01-02 14:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 23:18 . 2009-01-01 23:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-12-31 14:45 . 2008-12-31 14:45 32,512 --ah----- c:\windows\system32\mlfcache.dat
2008-12-22 10:34 . 2008-12-24 12:31 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 15:45 --------- d-----w c:\documents and settings\Lynda\Application Data\StumbleUpon
2009-01-07 15:44 --------- d-----w c:\documents and settings\Danica\Application Data\Skype
2009-01-07 15:44 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-07 01:15 --------- d-----w c:\documents and settings\Danica\Application Data\StumbleUpon
2009-01-06 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-06 01:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-06 01:36 --------- d-----w c:\program files\Google
2009-01-05 09:00 --------- d-----w c:\documents and settings\Knud\Application Data\StumbleUpon
2009-01-01 01:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 20:15 --------- d-----w c:\program files\Nick Arcade
2008-12-31 20:08 --------- d-----w c:\program files\Creative
2008-12-31 17:59 --------- d-----w c:\documents and settings\Knud\Application Data\Apple Computer
2008-12-27 08:05 --------- d-----w c:\documents and settings\Knud\Application Data\Skype
2008-11-12 20:59 --------- d-----w c:\program files\StumbleUpon
2008-11-08 01:15 --------- d-----w c:\documents and settings\Danica\Application Data\Apple Computer
2008-09-03 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-31 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2434:UDP"= 2434:UDP:Windows Media Format SDK (iexplore.exe)
"2435:UDP"= 2435:UDP:Windows Media Format SDK (iexplore.exe)

R3 SMCSMCWirelessUSB(SMC2662W)®;SMC SMCWirelessUSB(SMC2662W)® Service for SMC EZ Connect Wireless USB Adapter(SMC2662W);c:\windows\system32\drivers\Nets6251.sys [2003-01-17 93312]
R4 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88900d4-67cc-11dc-8f5c-0030bd640efd}]
\Shell\AutoRun\command - e:\__stickydrive\StickyDrive.exe
\Shell\StickyDrive\Command - e:\__stickydrive\StickyDrive.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-06 c:\windows\Tasks\User_Feed_Synchronization-{20F60D7D-A068-494B-B352-B195600AA97D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]

2009-01-07 c:\windows\Tasks\ytbycdej.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZC
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 10:43:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\PAPI\DEV\W*NULL*I*NULL*N*NULL*B*NULL*O*NULL*N*NULL*D*NULL*_*NULL*C*NULL*D*NULL*-*NULL*R*NULL*O*NULL*M*NULL*_*NULL*D*NULL*R*NULL*I*NULL*V*NULL*E*NULL*:*NULL*0*NULL*0*NULL*1*NULL*_*NULL*_*NULL**NULL* ]
"Tested"=hex:00
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\docume~1\Knud\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-07 10:45:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 18:45:46

Pre-Run: 133,652,312,064 bytes free
Post-Run: 133,780,111,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

155 --- E O F --- 2008-12-18 04:18:26

The PC appears to work normally now but slower than usual.
Please let me know what you can read from this log.

Thanks in advance and best regards.
Knud

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:08 AM

Posted 07 January 2009 - 05:22 PM

Hello Knud,

Your logs look fine now. :thumbsup:

You can remove this file : c:\windows\Tasks\ytbycdej.job using Windows Explorer.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the following command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

No more problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> And make a difference
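The entry Thunder singles out, a job file with a machine-generated name that launches rundll32.exe, is a classic persistence vehicle: ComboFix prints only the host executable, not the DLL argument, so the host plus the random name are the visible signals. The following script is an added example (not part of the thread and not ComboFix's own tooling) that parses the "Scheduled Tasks" section of a ComboFix log and flags such entries. The sample log text is copied from the log posted above; the list of script/DLL hosts and the vowel-ratio "random name" heuristic are assumptions of this example, chosen to separate the three entries in this log and tunable for others.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'Scheduled Tasks' section as ComboFix prints it,
# copied from the log in this thread (single backslashes kept via raw string).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-06 c:\windows\Tasks\User_Feed_Synchronization-{20F60D7D-A068-494B-B352-B195600AA97D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]

2009-01-07 c:\windows\Tasks\ytbycdej.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
"""


@dataclass
class Task:
    date: str     # date ComboFix prints in front of the job path
    job: str      # full path of the .job file
    target: str   # executable the task launches (ComboFix omits arguments)


# "<date> <path>.job" on one line, "- <exe> [<timestamp>]" on the next.
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?)(?: \[[^\]]*\])?$")


def parse_tasks(text):
    """Return the Task entries found in a ComboFix 'Scheduled Tasks' section."""
    tasks = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = TASK_RE.match(lines[i].strip())
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1].strip())
            tasks.append(Task(m.group(1), m.group(2), t.group(1) if t else ""))
            i += 2
        else:
            i += 1
    return tasks


# Assumed list (example's own choice): hosts that execute whatever DLL/script
# they are handed, so a task pointing at them says nothing about the payload.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def looks_random(name):
    """Heuristic (assumption): all-lowercase letters with few vowels reads as generated."""
    if not (name.isalpha() and name.islower()):
        return False
    vowels = sum(1 for c in name if c in "aeiou")
    return vowels / len(name) < 0.3


def flag_suspicious(tasks):
    """Map job file name -> list of reasons, for tasks worth a closer look."""
    findings = {}
    for t in tasks:
        job_file = t.job.rsplit("\\", 1)[-1]
        job_name = job_file[:-4]  # strip ".job"
        exe = t.target.rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"task launches script/DLL host {exe}; inspect the .job file for the argument")
        if looks_random(job_name):
            reasons.append("job name looks machine-generated")
        if "\\temp\\" in t.target.lower():
            reasons.append("target lives in a temp directory")
        if reasons:
            findings[job_file] = reasons
    return findings


if __name__ == "__main__":
    for job, reasons in flag_suspicious(parse_tasks(SAMPLE_LOG)).items():
        print(job)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only ytbycdej.job is reported, with both the rundll32 host and the generated-looking name as reasons; the Apple updater and the IE feed-sync task pass. On a live machine the same check can be pointed at a whole ComboFix log, and any hit should be confirmed by opening the .job file (or the Task Scheduler) to see what rundll32.exe is actually told to load before deleting it.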

#5 VikingKnud

  • Topic Starter
  • Members
  • 4 posts
  • Location:San Francisco
  • Local time:01:08 AM

Posted 09 January 2009 - 01:00 PM

Hi Thunder

Thanks for the advice. This has been an educational experience for me - viruses (all threats) have evolved a lot.

On the philosophical side: what a waste of resources such malware is imposing on the computing community - which today includes individuals of all generations globally. Your contribution (organizational and personal) towards getting back above water is appreciated. Fun that a Dane living in San Francisco is helped by someone in Belgium :-) Merci/Dank u wel.

PS what is the thing with resetting the clock?

You can close this topic when you want. Have a nice weekend and a great year!

- VikingKnud

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:08 AM

Posted 09 January 2009 - 06:50 PM

Glad we could help, Knud

> PS what is the thing with resetting the clock?

ComboFix sets clock settings to military notation while running.
If that isn't your standard setting, it gets restored once ComboFix is removed properly.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.