Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: New Technique Recycles Exploit Chain to Keep Antivirus Silent

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Virtumoned.prx

Started by wilbrian , Jan 05 2009 09:45 AM

This topic is locked

9 replies to this topic

#1 wilbrian

Members
9 posts
OFFLINE

Local time:12:08 AM

Posted 05 January 2009 - 09:45 AM

Hello. Please help if possible. I've been cleaning and scanning for three days now. I've used Malwarebytes, Spybot S&D and the latest version of Webroot Spysweeper, yet still get hits on "Virtumonde" and/or "Virtumonde.prx" every time I run Spybot S&D. I guess I need a new level of help with this. Thank you all for being willing to be on the front lines in the war against malware!

Below is my DDS.txt

DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 9:31:15.25 on Mon 01/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1517 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: {ff39f73b-c664-42f9-a310-7a890a3a8a15} - c:\windows\system32\zehigipu.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [gudimoheji] Rundll32.exe "c:\windows\system32\dimanovu.dll",s
mRun: [CPM5f60de68] Rundll32.exe "c:\windows\system32\fizelugo.dll",a
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Shortcut to Res.bat.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
Handler: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - c:\progra~1\act\actfor~1\plugins\actlink.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\bonafanu.dll c:\windows\system32\ c:\windows\system32\visegobu.dll c:\windows\system32\ c:\windows\system32\ranuvozo.dll c:\windows\system32\ c:\windows\system32\moriwami.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\fidebage.dll c:\windows\system32\fizelugo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fizelugo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fizelugo.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\bonafanu.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 26824]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 76040]
R4 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-1-3 1086840]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-2 38496]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]

=============== Created Last 30 ================

==================== Find3M ====================

2009-01-05 09:22 101,484 a--sh--- c:\windows\system32\fizelugo.dll
2009-01-02 09:20 66,302 a--sh--- c:\windows\system32\nafazoye.dll
2009-01-01 09:22 96,862 a--sh--- c:\windows\system32\tokivafa.dll
2008-12-31 04:32 96,973 a--sh--- c:\windows\system32\peluloge.dll
2008-12-30 16:33 95,881 a--sh--- c:\windows\system32\vegozadi.dll
2008-11-12 16:02 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2006-02-11 09:57 56 ---shr-- c:\windows\system32\7C4D4A0E60.sys
0000-00-00 00:00 66,302 a--sh--- c:\windows\system32\bonafanu.dll
2008-08-20 10:10 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 89,088 a--sh--- c:\windows\system32\misoselo.dll
2008-09-06 13:23 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 9:33:29.03 ===============

Attached Files

Attach.txt 12.55KB 1 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:12:08 PM

Posted 05 January 2009 - 10:48 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 wilbrian

Topic Starter

Members
9 posts
OFFLINE

Local time:12:08 AM

Posted 05 January 2009 - 07:04 PM

Thanks for such a quick response. Below is a paste of the HijackThis log and attached is the log.txt file from the ComboFix run. I hope these are helpful.

I know that the instructions said to disable all Anti Virus and Anti Spyware apps before running ComboFix. I tried to do this and I think I was successful in stopping all of the Webroot services. I could not get rid of all of the AVG services, though. There was no AVG icon in my System Notification Area but ComboFix bonked and told me it still found AVG running. I went into Task Manager and tried to stop everything that began with "avg..." but ComboFix bonked again and then warned me to proceed at my own risk, which I did in order to get these results.

If I need to repeat the steps in order to get better data, I can uninstall AVG (and even Spysweeper) first.

Thank you again for having a look at this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:33 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Shortcut to Res.bat.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\PROGRA~1\ACT\ACTFOR~1\Plugins\actlink.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 6293 bytes

Attached Files

log.txt 10.19KB 2 downloads

#4 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:12:08 PM

Posted 05 January 2009 - 11:55 PM

Please show hidden files and folders
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- c:\windows\system32\drivers\ssfs0bbc.sys
Click on the submit button
Please post the results in your next reply.

If Jotti server is too busy, please submit the file to VirusTotal instead.

NEXT

Please download FileAssassin and unzip it to your Desktop.

Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
Make sure ALL four options are selected (including "Delete file")
Copy/paste below file to the box
- c:\windows\system32\misoselo.dll
Press Execute button..

Tell me whether FileASSASSIN succeed delete the file or not..

NEXT

Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.

Then, please download and install the latest Java from HERE

Then, run DDS again.. Post these logs in your next reply..

1. Jotti report
2. DDS.txt

#5 wilbrian

Topic Starter

Members
9 posts
OFFLINE

Local time:12:08 AM

Posted 06 January 2009 - 09:05 AM

Thanks for the reply and the additional detailed instructions. I really appreciate your help...

I ran the file you identified (ssfs0bbc.sys) through both Jotti's and VirusTotal. Jotti's gave me a "found nothing" on all scans. I could not see a way to save the results from Jotti's. I ran the same file through VirusTotal and they noticed that the file had "already been run". VirusTotal had a way to "Print Results", though, so I printed the results to a PDF and just uploaded it.

The FileAssassin delete of "misoselo.dll" reported that it worked.

I downloaded and ran JavaRa and it worked properly.

I then downloaded and installed the current version of Java as you instructed.

This is a really helpful and amazing process, how did you learn all this stuff?

Thanks again.

Here is the latest DDS.txt information.

DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 8:51:45.65 on Tue 01/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1590 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Shortcut to Res.bat.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
Handler: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - c:\progra~1\act\actfor~1\plugins\actlink.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 26824]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 76040]
R4 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-1-3 1086840]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-2 38496]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]

=============== Created Last 30 ================

2009-01-06 08:50 <DIR> --d----- c:\program files\GNUGS
2009-01-06 08:49 49,152 a------- c:\windows\system32\uninscpw.exe
2009-01-06 08:49 81,920 a------- c:\windows\system32\cpwmon2k.dll
2009-01-06 08:49 221,184 a------- c:\windows\system32\cpwsave.exe
2009-01-06 08:49 <DIR> --d----- c:\program files\Acro Software
2009-01-06 08:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-06 08:46 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-05 18:46 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 17:51 <DIR> a-dshr-- C:\cmdcons
2009-01-05 17:49 161,792 a------- c:\windows\SWREG.exe
2009-01-05 17:49 98,816 a------- c:\windows\sed.exe
2009-01-03 12:29 775,168 a------- c:\windows\isRS-000.tmp
2009-01-03 12:28 <DIR> --d----- C:\Binaries
2009-01-03 12:27 1,553,272 a------- c:\windows\WRSetup.dll
2009-01-03 10:45 170,608 a------- c:\windows\system32\drivers\ssidrv.sys
2009-01-03 10:45 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-01-03 10:45 14,848 a------- c:\windows\system32\drivers\sskbfd.sys
2009-01-03 10:45 <DIR> --d----- c:\program files\Webroot
2009-01-03 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-01-03 10:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Webroot
2009-01-02 23:17 443 a------- c:\windows\wininit.ini
2009-01-02 12:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-02 12:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 12:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 12:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 12:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 09:42 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-19 17:17 163,840 a------- c:\windows\system32\igfxres.dll
2008-12-19 17:10 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-19 16:56 <DIR> --d----- c:\program files\AVIcodec
2008-12-18 17:44 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2008-11-12 16:02 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2006-02-11 09:57 56 ---shr-- c:\windows\system32\7C4D4A0E60.sys
2008-08-20 10:10 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-06 13:23 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 8:52:58.59 ===============

Attached Files

VirusTotal1.pdf 172.28KB 2 downloads

#6 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:12:08 PM

Posted 06 January 2009 - 10:00 AM

Log looks very nice to me

how did you learn all this stuff?

Please navigate below link for answer :thumbsup:

http://www.bleepingcomputer.com/forums/ind...st&p=484908

Lets do an online scan to make sure we didn't miss any of those baddies

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Post ESET Online report and tell me, how is the computer now?

#7 wilbrian

Topic Starter

Members
9 posts
OFFLINE

Local time:12:08 AM

Posted 06 January 2009 - 06:59 PM

The machine seems fine, much better. No telling how long I neglected that infection, but the PC had been seeming so slow for months. Now it seems normal. I still don't have an icon for AVG, but I plan to just reinstall that. I also plan to remove a number of no-longer-needed programs.

Thank you very much for your help. I continue to be intrigued by the work accomplished here. I read with great interest the link that you provided for me. I may consider entering the program myself.

Below is the Eset log. The online scan found no problems.

Thanks again.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3743 (20090106)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=50d5c46aece2a94dab1f2ddcfeb6a35a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-06 11:13:35
# local_time=2009-01-06 06:13:35 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=340527
# found=0
# scan_time=9133

#8 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:12:08 PM

Posted 07 January 2009 - 02:51 AM

Well, you can reinstall AVG as you wish.. Also get rid of some un-needed programs.. :thumbsup:

Lets do some cleanup

Please download OTCleanIt and save it to Desktop.

Make sure you have internet connection..
Double-click OTCleanIt.exe
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread

Have a safe and happy computing day!

Regards
fenzodahl512

#9 wilbrian

Topic Starter

Members
9 posts
OFFLINE

Local time:12:08 AM

Posted 07 January 2009 - 09:42 AM

Hello Again,
Things are looking good!

I ran the OTCleanIt utility and it removed some Desktop icons.

I don't want to tie you up any further than necessary on this, but just let me run this past you. After yesterday's progress, I went through my Programs List and removed more than a dozen programs that I no longer needed on this PC. I used the Revo Uninstaller to do this as I like the additional clean up it does afterward. Each Revo uninstall created a Restore Point. Today as I finally got AVG 8 straightened out and happy again, AVG found several infections but they were all in the System Restore area. I told AVG to "Heal" them and it appeared to do so. Thinking this would be the safe thing to do, I decided to temporarily turn off System Restore for a cycle or two, just to flush this area out. I'm not noticing any problems with the PC. It is running SO much better than before I got your help. Do you think I'm still safe and when do you think it will be OK to turn System Restore back on.

Again, I hate to hold you up from helping others, so hopefully this will close this case. Thank you for all you help.

#10 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:12:08 PM

Posted 07 January 2009 - 10:22 AM

Do you think I'm still safe and when do you think it will be OK to turn System Restore back on.

Yup.. It is safe to turn it on.. And it is good to keep System Restore on as if anything bad happen to your computer, you will have some Restore Point to go back... :thumbsup:

I will now close this topic.. Thank you for your patience doing all necessary steps..

If you need this topic to be re-open, please pm any Moderator or HJT Team with this topic link

Regards
fenzodahl512