vundo type annoyance


This topic is locked
28 replies to this topic

#1 shassber
  • Members
  • 19 posts

Posted 08 January 2009 - 09:04 PM

Hello,

I have a vundo type virus. It started as Rapid Antivirus, now I don't see that, but am left with a program(s) that opens IE multiple times, switches my home page and gives me lots of lovely popups. MBAM removes some stuff, but on reboot it freezes. I can start in safemode, mess with it and eventually get back to normal mode, but the problem remains.

Please tell me what to remove. Here are my files that were requested in your posting document.


Thank you very much

Ed.



DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by at 20:35:23.71 on Thu 01/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.794 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Auto EPSON Stylus CX6400 on ed] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p32 "auto epson stylus cx6400 on ed" /o14 "\\ed\Printer" /M "Stylus CX6400"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [Auto EPSON Stylus CX6400 on ed (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p42 "auto epson stylus cx6400 on ed (copy 1)" /o18 "\\ed\EPSONed" /M "Stylus CX6400"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 ffipy;ffipy;c:\windows\system32\drivers\gudda.sys --> c:\windows\system32\drivers\gudda.sys [?]
S0 vlqc;vlqc;c:\windows\system32\drivers\nyvumlfu.sys --> c:\windows\system32\drivers\nyvumlfu.sys [?]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 607576]

=============== Created Last 30 ================

2009-01-07 22:23 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 22:09 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:52 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-06 02:22 1 a------- c:\windows\system32\uniq.tll
2009-01-06 02:21 24,576 a------- c:\windows\system32\pcload.exe
2009-01-02 21:29 <DIR> --d----- C:\6a8984ca11b299416444e6
2009-01-02 16:08 <DIR> --d----- c:\docume~1\ed~1\applic~1\Malwarebytes
2009-01-02 16:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 16:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 16:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 15:08 268 a---h--- C:\sqmdata01.sqm
2009-01-02 15:08 244 a---h--- C:\sqmnoopt01.sqm
2009-01-01 21:55 82,944 a------- c:\windows\system32\bgl.exe
2008-12-27 22:03 <DIR> --d----- C:\509f944aa6280eb05f
2008-12-25 16:22 <DIR> --d----- c:\program files\Bonjour
2008-12-25 16:21 <DIR> --d----- c:\program files\iPod
2008-12-25 16:21 <DIR> --d----- c:\program files\iTunes
2008-12-25 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 16:03 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 16:03 1,409 a------- c:\windows\QTFont.for
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-06 02:52 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-18 19:16 8,216 a------- c:\windows\system32\mst120.dll
2008-11-13 10:26 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-11-13 10:26 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-11-13 10:25 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 04:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-08-17 16:33 61,224 a------- c:\documents and settings\ed\GoToAssistDownloadHelper.exe

============= FINISH: 20:35:57.57 ===============



#2 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 22 January 2009 - 04:06 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I apologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

Uninstall Malwarebytes' Anti-Malware, then re-download it and reinstall it; it has been updated.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

It has been a while since you posted your log, if you still want help could you please post a new one?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

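The note in the post above makes two points a reader of these logs needs: a "Delete on reboot" entry means MBAM has not finished until the machine is restarted, and the pasted log is what the helper reads to judge that. As an added example (the editor's code, not the thread's and not part of Malwarebytes), here is a small Python parser that reads an MBAM 1.x log in the layout posted later in this thread, counts detections by name, lists items still waiting on a reboot, and pulls out any repaired Winlogon logon values (the Userinit value is one that the later logs here show). The sample log is constructed in the same layout; the file names in it are made up.

```python
import re
from collections import Counter

# Constructed sample laid out like a Malwarebytes' Anti-Malware 1.x log; the
# file names and detection names are made up, not copied from this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 91607

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\sample-a.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sample-b.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\sample-c.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# One detection line, trailing period removed: "<item> (<family>) -> <rest>",
# where <rest> is either "<action>" or "Data: <value> -> <action>".
DETECTION_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it came from."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # "Files Infected:" and friends
            section = line[:-1]
            continue
        if section is None or line.startswith("("):
            continue                              # header stanza or "(No malicious items detected)"
        m = DETECTION_RE.match(line.rstrip("."))
        if not m:
            continue
        item, family, rest = m.groups()
        parts = rest.split(" -> ")
        data = parts[0][len("Data: "):] if len(parts) > 1 and parts[0].startswith("Data: ") else None
        detections.append({"section": section, "item": item, "family": family,
                           "data": data, "action": parts[-1]})
    return detections


def summarize(detections):
    """Triage view of a parsed log: counts per detection name, items MBAM could
    only schedule for deletion at the next reboot, and hits on the Winlogon
    logon-persistence values (Userinit/Shell) that the scanner repaired."""
    pending = [d["item"] for d in detections
               if d["action"].lower().startswith("delete on reboot")]
    persistence = [(d["item"].rsplit("\\", 1)[-1], d["data"]) for d in detections
                   if d["section"].startswith("Registry") and "\\winlogon\\" in d["item"].lower()]
    return {
        "by_family": Counter(d["family"] for d in detections),
        "pending_reboot": pending,
        "logon_persistence": persistence,
        "remediation_complete": not pending,   # stays False until the machine has restarted
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for family, n in report["by_family"].most_common():
        print(f"{n:3d}  {family}")
    print("pending reboot:", report["pending_reboot"] or "none")
    print("logon persistence repaired:", report["logon_persistence"] or "none")
```

The `remediation_complete` flag is the point of the exercise: a log that still carries a "Delete on reboot" line is not evidence of a clean machine, which is why the helper asks for a restart and a fresh scan before reading anything into the result.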

#3 shassber
  • Topic Starter
  • Members
  • 19 posts

Posted 22 January 2009 - 09:36 PM

Hello Hoov,

Thank you for offering to help me.

Since this began the first part of January, I have run spinrite, MBAM and superantispyware. I have not run combofix due to all the warnings on your website.

I will reinstall MBAM and post what you requested.


Ed.

#4 shassber
  • Topic Starter
  • Members
  • 19 posts

Posted 22 January 2009 - 10:30 PM

Hoov,

Here are the logs you requested:

MBAM:
Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 2

1/22/2009 10:12:48 PM
mbam-log-2009-01-22 (22-12-48).txt

Scan type: Quick Scan
Objects scanned: 91607
Time elapsed: 12 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\holiwaga.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pcload.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nasikaje.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bgl.exe (Trojan.akeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zerakede.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekabcowdclb.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekaelpqqycb.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekakiisccqo.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekanpupepcs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekavtnvsidl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekawrxmwiem.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~rt28.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ed\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekacqfgogar.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekafjpwivrt.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\senekaqduyplwi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekautimrbvs.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekaxyqmhtvs.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekatkiqvmpx.sys (Trojan.Agent) -> Quarantined and deleted successfully.


DDS:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Ed at 22:22:36.96 on Thu 01/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.709 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Auto EPSON Stylus CX6400 on LORI] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p32 "auto epson stylus cx6400 on lori" /o14 "\\lori\Printer" /M "Stylus CX6400"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [Auto EPSON Stylus CX6400 on STEVE (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p42 "auto epson stylus cx6400 on steve (copy 1)" /o18 "\\steve\EPSONSteve" /M "Stylus CX6400"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\docume~1\kids\locals~1\temp\ntdll64.dll
Trusted Zone: musicmatch.com\online
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
S0 ffipy;ffipy;c:\windows\system32\drivers\gudda.sys --> c:\windows\system32\drivers\gudda.sys [?]
S0 vlqc;vlqc;c:\windows\system32\drivers\nyvumlfu.sys --> c:\windows\system32\drivers\nyvumlfu.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 607576]

=============== Created Last 30 ================

2009-01-22 22:19 268 a---h--- C:\sqmdata06.sqm
2009-01-22 22:19 244 a---h--- C:\sqmnoopt06.sqm
2009-01-22 22:15 0 a------- c:\windows\system32\drivers\seneka.sys
2009-01-22 21:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 21:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 21:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 21:49 268 a---h--- C:\sqmdata05.sqm
2009-01-22 21:49 244 a---h--- C:\sqmnoopt05.sqm
2009-01-17 21:02 268 a---h--- C:\sqmdata04.sqm
2009-01-17 21:02 244 a---h--- C:\sqmnoopt04.sqm
2009-01-12 21:29 268 a---h--- C:\sqmdata03.sqm
2009-01-12 21:29 244 a---h--- C:\sqmnoopt03.sqm
2009-01-12 21:15 268 a---h--- C:\sqmdata02.sqm
2009-01-12 21:15 244 a---h--- C:\sqmnoopt02.sqm
2009-01-09 23:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-09 23:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-09 23:34 <DIR> --d----- c:\docume~1\lorish~1\applic~1\SUPERAntiSpyware.com
2009-01-07 22:09 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:52 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-06 02:22 1 a------- c:\windows\system32\uniq.tll
2009-01-02 21:29 <DIR> --d----- C:\6a8984ca11b299416444e6
2009-01-02 16:08 <DIR> --d----- c:\docume~1\lorish~1\applic~1\Malwarebytes
2009-01-02 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 15:08 268 a---h--- C:\sqmdata01.sqm
2009-01-02 15:08 244 a---h--- C:\sqmnoopt01.sqm
2008-12-27 22:03 <DIR> --d----- C:\509f944aa6280eb05f
2008-12-25 16:22 <DIR> --d----- c:\program files\Bonjour
2008-12-25 16:21 <DIR> --d----- c:\program files\iPod
2008-12-25 16:21 <DIR> --d----- c:\program files\iTunes
2008-12-25 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 16:03 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 16:03 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-01-06 02:52 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-18 19:16 8,216 a------- c:\windows\system32\mst120.dll
2008-08-17 16:33 61,224 a------- c:\documents and settings\Ed\GoToAssistDownloadHelper.exe

============= FINISH: 22:22:59.04 ===============


Thank you,

Ed.
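The DDS report above is what the helper reads to decide what is "still left" after MBAM has run. As an added example (the editor's code, not the thread's and not part of the DDS tool), this Python script applies a handful of analyst rules of thumb to the Pseudo HJT and SERVICES / DRIVERS sections: a system policy that disables Task Manager, a Winsock LSP loaded from a temp directory, a boot-start (S0) driver whose file DDS could not read (the "[?]" marker), a Run entry that names a program without a path, and orphaned "No File" registrations. The sample report is constructed in DDS's layout with made-up names, paths and GUIDs; the rules and the severities are the editor's choices and are a review priority, not a verdict.

```python
import re
from collections import Counter

# Constructed sample in the layout of DDS's "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections; every name, path and GUID is made up.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

uStart Page = hxxp://www.example.com/
BHO: Example Helper: {11111111-2222-3333-4444-555555555555} - c:\program files\example\helper.dll
BHO: {66666666-7777-8888-9999-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\docume~1\user\locals~1\temp\sample64.dll
Notify: ExampleNotify - c:\program files\example\notify.dll

============= SERVICES / DRIVERS ===============

R1 exfilter;exfilter;c:\program files\example\exfilter.sys [2008-12-22 8944]
S0 abcd;abcd;c:\windows\system32\drivers\qwerty.sys --> c:\windows\system32\drivers\qwerty.sys [?]
"""

# Analyst rules of thumb (the editor's, not part of DDS). Severity is a
# review priority, not proof of infection.
POLICY_KEYS = {"disabletaskmgr", "disableregistrytools"}
POLICY_RE = re.compile(r"^[udm]Policies-\w+: (\w+) = (\d+)")
RUN_RE = re.compile(r"^[udm]Run(?:Once)?: \[[^\]]+\] (.+)$")
SERVICE_RE = re.compile(r"^[RS](\d) [^;]+;[^;]*;.*$")   # "<R|S><start> name;display;path ..."
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
ORDER = ["high", "medium", "low", "info"]


def classify(line):
    """Return (severity, reason) for one DDS line, or None if nothing stands out."""
    m = POLICY_RE.match(line)
    if m and m.group(1).lower() in POLICY_KEYS and m.group(2) != "0":
        return ("high", f"{m.group(1)} policy set: admin tools locked out, a common malware symptom")
    if line.startswith("LSP:") and TEMP_DIR_RE.search(line):
        return ("high", "Winsock LSP DLL loaded from a temp directory")
    m = SERVICE_RE.match(line)
    if m:
        if m.group(1) == "0" and line.endswith("[?]"):
            return ("high", "boot-start driver whose file DDS could not read")
        return None
    if line.endswith(" - No File"):
        return ("low", "orphaned BHO/toolbar registration; clean up")
    m = RUN_RE.match(line)
    if m:
        if "\\" not in m.group(1).strip('"'):
            return ("medium", "autorun command given without a path")
        return None
    if line.startswith("Notify:"):
        return ("info", "Winlogon notification package; verify the publisher")
    return None


def triage_dds(text):
    """Run classify() over every report line; skip blanks and section banners."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        verdict = classify(line)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1], "line": line})
    return sorted(findings, key=lambda f: ORDER.index(f["severity"]))


def severity_counts(findings):
    """How many findings landed in each severity bucket."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run as a script it prints the findings highest priority first; the "high" items are the ones a helper would want explained before calling the machine clean, and the "info" line is there only so a reviewer remembers to look at it.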


#5 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 23 January 2009 - 02:11 AM

First download and run Symantec's Hotbar Removal Tool. Then update Malwarebytes' Anti-Malware and run it again; this time do a FULL scan, not a quick one, and then post the log. There are still some Trojans left. Reboot, then post a new DDS log after you are done. Also let me know about the Symantec tool; post the log if it creates one.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#6 shassber
  • Topic Starter
  • Members
  • 19 posts

Posted 23 January 2009 - 11:49 PM

Hoov,

I downloaded the Symantec tool and ran it. It gave no log at the end; it just remarked that it did not find anything.
Do any of these logs suggest a bug that prevents my accessing the internet on the affected machine?

Thanks for your help

Steve


Here is the new MBAM log:

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600 Service Pack 2

1/23/2009 11:21:32 PM
mbam-log-2009-01-23 (23-21-32).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 199927
Time elapsed: 1 hour(s), 12 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DLLCACHE\userinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.


and DDS:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Ed at 23:29:09.87 on Fri 01/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.716 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Auto EPSON Stylus CX6400 on Ed] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p32 "auto epson stylus cx6400 on Ed" /o14 "\\Ed\Printer" /M "Stylus CX6400"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [Auto EPSON Stylus CX6400 on Ed (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p42 "auto epson stylus cx6400 on Ed (copy 1)" /o18 "\\Ed\EPSONEd" /M "Stylus CX6400"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\docume~1\kids\locals~1\temp\ntdll64.dll
Trusted Zone: musicmatch.com\online
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
S0 ffipy;ffipy;c:\windows\system32\drivers\gudda.sys --> c:\windows\system32\drivers\gudda.sys [?]
S0 vlqc;vlqc;c:\windows\system32\drivers\nyvumlfu.sys --> c:\windows\system32\drivers\nyvumlfu.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 607576]

=============== Created Last 30 ================

2009-01-22 22:19 268 a---h--- C:\sqmdata06.sqm
2009-01-22 22:19 244 a---h--- C:\sqmnoopt06.sqm
2009-01-22 21:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 21:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 21:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 21:49 268 a---h--- C:\sqmdata05.sqm
2009-01-22 21:49 244 a---h--- C:\sqmnoopt05.sqm
2009-01-17 21:02 268 a---h--- C:\sqmdata04.sqm
2009-01-17 21:02 244 a---h--- C:\sqmnoopt04.sqm
2009-01-12 21:29 268 a---h--- C:\sqmdata03.sqm
2009-01-12 21:29 244 a---h--- C:\sqmnoopt03.sqm
2009-01-12 21:15 268 a---h--- C:\sqmdata02.sqm
2009-01-12 21:15 244 a---h--- C:\sqmnoopt02.sqm
2009-01-09 23:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-09 23:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-09 23:34 <DIR> --d----- c:\docume~1\Ed~1\applic~1\SUPERAntiSpyware.com
2009-01-07 22:09 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:22 1 a------- c:\windows\system32\uniq.tll
2009-01-02 21:29 <DIR> --d----- C:\6a8984ca11b299416444e6
2009-01-02 16:08 <DIR> --d----- c:\docume~1\Ed~1\applic~1\Malwarebytes
2009-01-02 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 15:08 268 a---h--- C:\sqmdata01.sqm
2009-01-02 15:08 244 a---h--- C:\sqmnoopt01.sqm
2008-12-27 22:03 <DIR> --d----- C:\509f944aa6280eb05f
2008-12-25 16:22 <DIR> --d----- c:\program files\Bonjour
2008-12-25 16:21 <DIR> --d----- c:\program files\iPod
2008-12-25 16:21 <DIR> --d----- c:\program files\iTunes
2008-12-25 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 16:03 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 16:03 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-01-06 02:52 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-18 19:16 8,216 a------- c:\windows\system32\mst120.dll
2008-08-17 16:33 61,224 a------- c:\documents and settings\Ed\GoToAssistDownloadHelper.exe

============= FINISH: 23:29:32.39 ===============

Thank you.




#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:02:25 AM

Posted 24 January 2009 - 07:37 PM

Hoov,

I downloaded the symantec tool and ran it. It gave no log at the end, just remarked that it did not find anything.
Do any of these logs suggest a bug that prevents my accessing the internet on the affected machine?


About the Symantec tool, no worries. If it didn't find anything, then a log telling me that won't help. About a bug, there are hints, but even though the scans usually find something, it's not finding what I see. So I am going to have you do some online scans. Maybe they will see the files that are infected.

Please perform an AVG AS Online Malware Scan
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
  • Click on Start Scan.
  • If any infections are found, click on Remove Infections.
And then
Run an online virus scan called Kaspersky from HERE.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as".
   Then in the file name just type in kaspersky.
   Under "save as type" select text .txt.
   Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
Also run and post a new DDS log.

Edited by Hoov, 24 January 2009 - 07:37 PM.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image
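The hints Hoov refers to are visible in the DDS log posted just before this reply: a Winsock LSP loaded from a Temp folder, a dRun entry (msiconf.exe) with no path, two boot-start drivers DDS could not verify ([?]), and a DisableTaskMgr policy. The following is an added Python triage helper written for this page; it is not part of the thread, of DDS, or of any BleepingComputer tool. The sample lines it runs on are copied from the thread's own DDS logs; the heuristics and the high/medium severity scale are this example's assumptions, not DDS output.

```python
"""Triage helper for DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" lines.

Added example for this page (not DDS code). It flags the entry types a
malware-response helper reads as hints: Run entries with no full path or a
key name that mimics another binary, orphaned BHO/TB/EB CLSIDs ("No File"),
Winsock LSPs outside system32, lock-out policies, and unverified drivers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium" (assumed scale, not a DDS concept)
    reason: str
    line: str


RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[([^\]]+)\] (.*)$", re.IGNORECASE)
POLICY_RE = re.compile(r"^[umd]Policies-(?:explorer|system): (\w+) = (\d+)", re.IGNORECASE)
LSP_RE = re.compile(r"^LSP: (.+)$", re.IGNORECASE)
NOFILE_RE = re.compile(r"^(?:BHO|TB|EB): .* - No File$", re.IGNORECASE)
# "S0 name;display;path [--> path] [verification]"; group 7 is "?" when DDS could not verify the file
DRIVER_RE = re.compile(r"^([SR])(\d) ([^;]+);([^;]*);(.+?)(?: --> (.+?))? \[(.*)\]$", re.IGNORECASE)

# Registry policy values malware of this era set to keep the user from killing
# or inspecting it; the severity assigned to each is this example's assumption.
LOCKOUT_POLICIES = {
    "disabletaskmgr": "high",
    "disableregistrytools": "high",
    "nosetactivedesktop": "medium",
    "noactivedesktopchanges": "medium",
}


def _command_binary(command: str) -> str:
    """Executable file name from a Run-key command, tolerating quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    else:
        cmd = cmd.split(" ", 1)[0]
    return cmd.rsplit("\\", 1)[-1].lower()


def _has_full_path(command: str) -> bool:
    """True when the command starts with a drive letter, quoted or not."""
    return re.match(r'^"?[a-z]:\\', command.strip(), re.IGNORECASE) is not None


def triage(dds_text: str) -> list[Finding]:
    """Scan DDS report lines and return the suspicious ones with a reason."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            key, command = m.group(1), m.group(2)
            if not _has_full_path(command):
                findings.append(Finding("high", "Run entry without a full path (resolved by path search)", line))
            exe = _command_binary(command)
            if key.lower().endswith(".exe") and key.lower() != exe:
                findings.append(Finding("medium", f"Run key named {key} actually launches {exe}", line))
        elif NOFILE_RE.match(line):
            findings.append(Finding("medium", "Orphaned browser extension CLSID (No File)", line))
        elif m := LSP_RE.match(line):
            path = m.group(1).lower()
            if "\\temp\\" in path:
                findings.append(Finding("high", "Winsock LSP loaded from a Temp folder", line))
            elif "\\system32\\" not in path:
                findings.append(Finding("medium", "Winsock LSP outside system32", line))
        elif m := POLICY_RE.match(line):
            name, value = m.group(1).lower(), m.group(2)
            if name in LOCKOUT_POLICIES and value != "0":
                findings.append(Finding(LOCKOUT_POLICIES[name], f"Lock-out policy {m.group(1)} set", line))
        elif m := DRIVER_RE.match(line):
            if m.group(7).strip() == "?":  # file DDS could not verify; worst for boot-start (S0)
                boot = m.group(2) == "0"
                findings.append(Finding("high" if boot else "medium",
                                        "Unverified driver file" + (" (boot-start)" if boot else ""), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Lines copied from the DDS logs posted in this thread (not a full log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\docume~1\kids\locals~1\temp\ntdll64.dll
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
S0 ffipy;ffipy;c:\windows\system32\drivers\gudda.sys --> c:\windows\system32\drivers\gudda.sys [?]
S0 vlqc;vlqc;c:\windows\system32\drivers\nyvumlfu.sys --> c:\windows\system32\drivers\nyvumlfu.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the helper reports five high and four medium findings, and leaves the legitimate entries (ctfmon.exe, the Google notifier, the SUPERAntiSpyware driver) alone. The checks are deliberately conservative: a "No File" CLSID or an unverified driver is a reason to look closer, not proof of infection, so a human still decides what to remove.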

#8 shassber

shassber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:25 AM

Posted 24 January 2009 - 09:27 PM

I can't get online to run those with the affected machine.
Anything else to try?

Thank you
Ed

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:02:25 AM

Posted 25 January 2009 - 03:36 AM

In safe mode, go to the run command and type in msconfig. When you get that window to open up, select selective startup, and then underneath it uncheck everything that it will let you. Then click Apply, then reboot. Let it reboot into normal Windows and see if you can get online to do the scans. Also, can you get online at all with this machine?

#10 shassber

shassber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:25 AM

Posted 25 January 2009 - 07:33 PM

No, I can't access the internet, period. The machine is on my ethernet, which is working normally for the other machines. I can't even ping a website at the cmd prompt, nor is the machine assigned the proper IP address.

I will try what you suggest. Thank you. I noticed the AVG tool has a downloadable version on their site, perhaps that would work if transferred by SD card?

Steve

#11 shassber

shassber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:25 AM

Posted 25 January 2009 - 08:46 PM

Ok, I tried what you suggested with no luck.
I also put the ethernet cable from the infected machine into my laptop and immediately got a connection. So the ethernet is working fine up to the computer anyway.

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:02:25 AM

Posted 25 January 2009 - 08:58 PM

Try getting WinSockXPFix, transfer it to the problem child, and run it. Click Fix, then Yes, and then reboot. There will be a delay between the three windows, but it shouldn't take more than a couple of minutes. After rebooting, see if you can get online.

#13 shassber

shassber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:25 AM

Posted 26 January 2009 - 06:48 PM

Hoov,

The winsock tool worked, nice pick.

Here is the text of the ewido scan:
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\Ed\Local Settings\Temp\Cookies\Ed@m.webtrends[2].txt
Risk: Medium

Name: Downloader.TSUpdate.j
Path: C:\Program Files\Common Files\muik\muikd\vocabulary
Risk: High


Here is the Kaspersky scan text, although I don't remember it saying it cleaned anything:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 26, 2009 18:49:02
Records in database: 1701953
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 157666
Threat name: 9
Infected objects: 26
Suspicious objects: 0
Duration of the scan: 02:41:49


File name / Threat name / Threats count
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28590ead-3f78bc34.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28590ead-3f78bc34.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-43c7d38b.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-396c70dc-5215d817.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3f293a71.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4941f397-4236f1ae.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-111eb1f8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-5e938ac3.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-5d60549c.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-64c2c9bd.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-747ecaba.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4c3bbeb5-5a5fc83e.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-504134df-26746727.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-52b9c4dc-2d8c1731.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d3168a1-18cc2f2e.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\0LMJG96J\klite.ath[1] Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\4HYJC9Q7\klite.ath[1] Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\4HYJC9Q7\smain[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\81M3WLYV\smain[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\OL2JWXY7\klite.ath[1] Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\OL2JWXY7\klite.ath[2] Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\Ed\Local Settings\Temp\killti.exe Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\RYMVIO41\Real[1].js Infected: Trojan-Downloader.JS.Agent.czf 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\WINDOWS\SYSTEM32\userinit.exe Infected: Trojan.Win32.Agent.bfsd 1

The selected area was scanned.


And the new dds:


DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by at 20:35:23.71 on Thu 01/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.794 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Auto EPSON Stylus CX6400 on ed] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p32 "auto epson stylus cx6400 on ed" /o14 "\\ed\Printer" /M "Stylus CX6400"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [Auto EPSON Stylus CX6400 on STEVE (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p42 "auto epson stylus cx6400 on steve (copy 1)" /o18 "\\steve\EPSONSteve" /M "Stylus CX6400"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [msiexec.exe] msiconf.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 ffipy;ffipy;c:\windows\system32\drivers\gudda.sys --> c:\windows\system32\drivers\gudda.sys [?]
S0 vlqc;vlqc;c:\windows\system32\drivers\nyvumlfu.sys --> c:\windows\system32\drivers\nyvumlfu.sys [?]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 607576]

=============== Created Last 30 ================

2009-01-07 22:23 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 22:09 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:52 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-06 02:22 1 a------- c:\windows\system32\uniq.tll
2009-01-06 02:21 24,576 a------- c:\windows\system32\pcload.exe
2009-01-02 21:29 <DIR> --d----- C:\6a8984ca11b299416444e6
2009-01-02 16:08 <DIR> --d----- c:\docume~1\ed~1\applic~1\Malwarebytes
2009-01-02 16:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 16:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 16:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 15:08 268 a---h--- C:\sqmdata01.sqm
2009-01-02 15:08 244 a---h--- C:\sqmnoopt01.sqm
2009-01-01 21:55 82,944 a------- c:\windows\system32\bgl.exe
2008-12-27 22:03 <DIR> --d----- C:\509f944aa6280eb05f
2008-12-25 16:22 <DIR> --d----- c:\program files\Bonjour
2008-12-25 16:21 <DIR> --d----- c:\program files\iPod
2008-12-25 16:21 <DIR> --d----- c:\program files\iTunes
2008-12-25 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 16:03 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 16:03 1,409 a------- c:\windows\QTFont.for
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-06 02:52 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-18 19:16 8,216 a------- c:\windows\system32\mst120.dll
2008-11-13 10:26 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-11-13 10:26 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-11-13 10:25 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 04:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-08-17 16:33 61,224 a------- c:\documents and settings\ed\GoToAssistDownloadHelper.exe

============= FINISH: 20:35:57.57 ===============





Thank you,

Ed




#14 shassber

shassber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:25 AM

Posted 26 January 2009 - 07:01 PM

Hoov,

One more thing. I have throughout this ordeal had a folder open at startup - C:\Program Files\Common, which contains _helper.sig and a helper.dll file. Both say: Broderbund Poster Type 25kb. Is this contributing to my issue?

Ed

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:02:25 AM

Posted 26 January 2009 - 09:36 PM

I don't think so.

Update Malwarebytes' Anti-Malware and do a full scan please.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.0.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11".
Click the "Download" button to the right.
UNCHECK the option to install Google Toolbar if you don't want it.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Note: By default a box may be checked to install a toolbar - if you do not want to install it, then be sure to opt-out by unchecking that box.

Also, if you have Adobe Acrobat Reader prior to version 9, please uninstall it and install version 9.

And run DDS again and post a new log.



