
Infected with Virtumonde/trojan.vundo


5 replies to this topic

#1 wbmc

wbmc

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 04 January 2009 - 08:10 PM

Thank you in advance for your help. I hope I am posting according to the guidelines. I have a basic knowledge of computers (enough to get into trouble, probably), but I can generally follow directions well. I began having pop-ups and getting security notifications from Norton two days ago regarding a zlob.p0rn infection. I have run Trojan Remover, Malwarebyte's anti-malware, Spybot, Adaware and Superantispyware. SB, Trojan Remover and Malwarebyte all picked up virtumonde and trojan.vundo (they might be the same - I'm not sure). I am no longer having pop-ups and shortcuts added to my desktop, but I get an error message for explorer.exe on shut down and also get a Not Responding message when I try to access the Desktop and screensaver settings. The message says that rundll32.exe is not responding. I am not sure if I have removed all of virtumonde and/or trojan.vundo. Norton is no longer giving me security warnings, and Spybot, Malwarebytes and Trojan Remover are all clean (except for some tracking cookies found by Spybot). I do not know enough to fix the hijackthis log - I'm liable to fix the wrong thing. I did run the anti-spyware and anti-malware programs with System Restore turned off. Please review my log and tell me what to do to fix my computer. Thank you!


DDS (Version 1.1.0) - NTFSx86
Run by Leister at 19:53:58.81 on Sun 01/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.526 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Leister\Local Settings\Temporary Internet Files\Content.IE5\4W6UC8BR\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.usatoday.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
StartupFolder: c:\docume~1\leister\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq a3000\CPQA3000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Gish It! - http://www.gishpuppy.com/menugpext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\NAVENG.SYS [2009-1-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\NAVEX15.SYS [2009-1-4 876112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-15 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-14 33752]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\drivers\Capt907B.sys [2006-12-27 61643]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]

=============== Created Last 30 ================

2009-01-04 11:18 <DIR> --d----- c:\program files\Trend Micro
2009-01-03 21:50 <DIR> --d----- c:\windows\pss
2009-01-03 21:28 <DIR> --d----- C:\VundoFix Backups
2009-01-03 20:37 79,769,710 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-01-03 18:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-03 17:06 130 a------- c:\windows\wininit.ini
2009-01-03 12:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-03 11:15 40,256 a------- c:\windows\system32\drivers\senekaxxdxncps.sys.vir
2009-01-03 11:11 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-01-03 11:11 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-01-03 11:11 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-01-03 11:11 75,264 a------- c:\windows\system32\unacev2.dll
2009-01-03 11:11 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-01-03 11:11 <DIR> --d----- c:\program files\Trojan Remover
2009-01-03 11:11 <DIR> --d----- c:\docume~1\leister\applic~1\Simply Super Software
2009-01-03 11:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-01-03 10:47 <DIR> --d----- c:\docume~1\leister\applic~1\Malwarebytes
2009-01-03 10:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 10:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 10:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 10:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-03 08:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-03 08:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-03 08:04 <DIR> --d----- c:\docume~1\leister\applic~1\SUPERAntiSpyware.com
2009-01-02 23:20 15,083,520 a------- C:\spybotsd160.exe
2009-01-02 22:46 0 a------- c:\windows\system32\drivers\seneka.sys

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 09:25 3,932 a------- c:\windows\system32\CTLayout.dat
2008-11-05 07:45 88,843 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-07 08:31 118,784 a------- c:\windows\web\wallpaper\Herbie Desktop.exe

============= FINISH: 19:54:30.67 ===============


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:50 PM

Posted 11 January 2009 - 06:59 AM

Hello Wbmc and welcome to Bleeping Computer,

Sorry for the delay, but the forum really has been swamped lately.

Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 wbmc

wbmc
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 11 January 2009 - 09:13 AM

Thank you so much for your help! I know a lot of people have needed help this week.

I ran Combofix and it asked that I disable virus scanning and intrusion protection. I disabled Norton until system restart. Combofix rebooted my system and SuperAntiSpyware started a fast scan (linked to the start-up menu, I guess). I manually closed the scan and Combofix generated a log. It didn't seem to interfere with Combofix, but I can re-run it if you don't see what you are looking for. Here is the log:



ComboFix 09-01-10.03 - Leister 2009-01-11 8:54:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.553 [GMT -5:00]
Running from: c:\documents and settings\Leister\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-09 16:01 . 2009-01-09 16:01 <DIR> d-------- c:\documents and settings\Leister\Application Data\SupportSoft
2009-01-09 15:46 . 2009-01-09 15:46 <DIR> d-------- c:\program files\Common Files\Supportsoft
2009-01-04 11:18 . 2009-01-04 11:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 21:28 . 2009-01-03 21:28 <DIR> d-------- C:\VundoFix Backups
2009-01-03 20:37 . 2009-01-03 20:37 79,769,710 --a------ C:\SYM_REGISTRY_BACKUP.reg
2009-01-03 18:52 . 2009-01-03 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-03 17:06 . 2009-01-03 17:06 130 --a------ c:\windows\wininit.ini
2009-01-03 12:13 . 2009-01-03 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 11:15 . 2009-01-03 11:15 40,256 --a------ c:\windows\SYSTEM32\DRIVERS\senekaxxdxncps.sys.vir
2009-01-03 11:11 . 2009-01-03 11:11 <DIR> d-------- c:\program files\Trojan Remover
2009-01-03 11:11 . 2009-01-03 11:11 <DIR> d-------- c:\documents and settings\Leister\Application Data\Simply Super Software
2009-01-03 11:11 . 2009-01-04 13:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 11:11 . 2009-01-03 11:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-01-03 11:11 . 2006-05-25 14:52 162,304 --a------ c:\windows\SYSTEM32\ztvunrar36.dll
2009-01-03 11:11 . 2003-02-02 19:06 153,088 --a------ c:\windows\SYSTEM32\UNRAR3.dll
2009-01-03 11:11 . 2005-08-26 00:50 77,312 --a------ c:\windows\SYSTEM32\ztvunace26.dll
2009-01-03 11:11 . 2002-03-06 00:00 75,264 --a------ c:\windows\SYSTEM32\unacev2.dll
2009-01-03 11:11 . 2006-06-19 12:01 69,632 --a------ c:\windows\SYSTEM32\ztvcabinet.dll
2009-01-03 10:47 . 2009-01-03 10:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 10:47 . 2009-01-03 10:47 <DIR> d-------- c:\documents and settings\Leister\Application Data\Malwarebytes
2009-01-03 10:47 . 2009-01-03 10:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 10:47 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-03 10:47 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-03 09:35 . 2009-01-03 09:37 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-03 08:05 . 2009-01-03 08:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-03 08:04 . 2009-01-03 08:04 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-03 08:04 . 2009-01-03 08:04 <DIR> d-------- c:\documents and settings\Leister\Application Data\SUPERAntiSpyware.com
2009-01-02 23:20 . 2009-01-02 23:20 15,083,520 --a------ C:\spybotsd160.exe
2008-12-14 13:41 . 2008-12-14 13:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-14 13:36 . 2008-12-14 13:36 <DIR> d-------- c:\program files\NOS
2008-12-14 13:36 . 2008-12-14 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 13:59 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-03 13:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 03:56 --------- d-----w c:\program files\QuickTime
2008-12-14 18:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-08 17:27 --------- d-----w c:\program files\Lavasoft
2008-12-08 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-01-01 1231752]

c:\documents and settings\Leister\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-05-09 156784]
Compaq A3000 Settings Utility.lnk - c:\program files\Compaq A3000\CPQA3000.exe [2007-11-17 1142784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-10-16 69891]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\CTpdpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [2008-01-12 23888]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-14 33752]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\SYSTEM32\DRIVERS\Capt907B.sys [2006-12-27 61643]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4029261-c14c-11db-b6c5-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-05 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Leister.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.usatoday.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Gish It! - http://www.gishpuppy.com/menugpext.html
Trusted Zone: *.turbotax.com

c:\windows\Downloaded Program Files\WMDownload.dll - O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9}
hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
c:\windows\Downloaded Program Files\WMDL.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 08:59:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Leister\Application Data\Gtek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{10066626-CD09-4A90-9165-21A71D49FE5B}.xml 1505 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\EHOME\ehRecvr.exe
c:\windows\EHOME\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-01-11 9:02:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 14:02:31

Pre-Run: 134,858,838,016 bytes free
Post-Run: 134,968,774,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

190 --- E O F --- 2008-12-19 03:04:09
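As an added example (not something posted in this thread, and not part of DDS or ComboFix themselves): a small Python script that reads log lines in the shape of the DDS and ComboFix output above and flags the entries a malware-removal helper checks first: a zero-byte driver file, a scanner-renamed `.vir` copy, a file name sharing the `seneka` prefix, Security Center monitoring switched off, the Windows Firewall disabled, an AutoRun command on a mounted drive, and an orphaned BHO. The sample lines are constructed from this thread, the prefix list is taken from it rather than from any real malware database, and the severity labels and reasons are the example's own assumptions. It goes slightly beyond the thread in that it accepts both the DDS and the ComboFix layout of the "files created" lines.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS and ComboFix logs posted in this
# thread; the paths and registry values are the ones that appear there.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\NAVENG.SYS [2009-1-4 89104]
2009-01-03 11:15 40,256 a------- c:\windows\system32\drivers\senekaxxdxncps.sys.vir
2009-01-02 22:46 0 a------- c:\windows\system32\drivers\seneka.sys
2009-01-03 11:15 . 2009-01-03 11:15 40,256 --a------ c:\windows\SYSTEM32\DRIVERS\senekaxxdxncps.sys.vir
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - F:\setupSNK.exe
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
"""

# File-name prefixes of the family seen in this thread. This is an assumption
# made for the example, not a general malware-name database.
KNOWN_PREFIXES = ("seneka",)

# "Files created" lines.  DDS:      date time size attrs path
#                         ComboFix: date time . date time size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-zA-Z]+) (?P<path>.+)$"
)


def _finding(level: str, line: str, reason: str) -> Dict[str, str]:
    return {"level": level, "line": line, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log lines a helper would look at first, with a reason for each."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        m = FILE_LINE.match(line)
        if m:
            path = m.group("path").lower()
            name = path.rsplit("\\", 1)[-1]
            in_drivers = "\\drivers\\" in path
            if m.group("size") == "0" and in_drivers:
                findings.append(_finding("high", line,
                    "zero-byte file in the drivers folder: a driver that can no longer "
                    "load, typically left behind by a partial removal; confirm and delete"))
            if name.endswith(".vir"):
                findings.append(_finding("medium", line,
                    "scanner-renamed (.vir) copy; delete once the matching service is gone"))
            if name.startswith(KNOWN_PREFIXES):
                findings.append(_finding("high", line,
                    "file name matches a family prefix seen in this infection"))
            continue

        if '"disablemonitoring"=dword:00000001' in low:
            findings.append(_finding("info", line,
                "Security Center monitoring disabled: expected when a third-party "
                "suite reports its own status, otherwise worth a closer look"))
        elif low.startswith('"enablefirewall"=') and low.endswith(" 0 (0x0)"):
            findings.append(_finding("info", line,
                "Windows Firewall off: acceptable only if another firewall is enabled"))
        elif "\\shell\\autorun\\command" in low:
            findings.append(_finding("medium", line,
                "AutoRun command registered for a mounted drive; verify the target executable"))
        elif low.startswith("bho:") and low.endswith("- no file"):
            findings.append(_finding("low", line,
                "orphaned browser helper object entry; harmless, clean it up"))
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['level']:<6}] {f['reason']}")
        print(f"         {f['line']}")
    print(summary(triage(SAMPLE_LOG)))
```

Run it against a saved DDS or ComboFix log by passing the file's contents to `triage()`; the service lines (`R1`, `R3`, ...) are deliberately left alone here, since the legitimate Symantec and SUPERAntiSpyware drivers in this log show that a driver entry on its own says little without the file name and size next to it.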

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:50 PM

Posted 11 January 2009 - 12:36 PM

Hello Wbmc,

It ran just fine. :thumbsup:

Open Notepad and copy and paste the bold, blue text below in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"c:\windows\SYSTEM32\DRIVERS\senekaxxdxncps.sys.vir") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Save this as del.bat (choose to save as "all files") and place it on your Desktop.
Double-click on it and post the content of the log file that opens in your next reply.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems ?

Greetings,
Thunder

#5 wbmc

wbmc
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 11 January 2009 - 12:59 PM

I ran del.bat and got this log:

Deleting files
"c:\windows\SYSTEM32\DRIVERS\senekaxxdxncps.sys.vir" deleted

Glad to see that file is gone - I knew it shouldn't be there!

I uninstalled Combofix as instructed. Computer seems to be running normally. Do you think I am safe to start paying bills online now? :thumbsup:

Anything else I should do?

Thanks so much for all your help. I had posted in the "five days" thread a couple of days ago and don't know how to edit that post to say that I am receiving help. I'm currently #13 if you'd like to delete that, or I can edit it if you let me know how to do that.

Thank you!

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:50 PM

Posted 11 January 2009 - 01:31 PM

Glad we could help, Wbmc :thumbsup:

Your system should be safe to use again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



