Virtumonde, sagipsul infection


22 replies to this topic

#1 deadfrog


  • Members
  • 12 posts

Posted 10 January 2009 - 04:27 PM

Original symptomatology: random pop-up ads began appearing yesterday inside Firefox.

Steps taken so far:
1. Ran my own virus/spyware software which is SystemSuite 9. It reported:
virtumonde
rootkit.win32.clbd.hf
trojan-downloader.win32.murlo.vn
Using the software, I deleted these files. A subsequent scan showed me to be clean. Apparently, this was not the case.
2. Discovered a randomly named DLL called "hlsdyuwb" in the Scheduled Tasks area of Control Panel and disabled and deleted it. Success unknown, although nothing illegitimate is there at the moment of this writing.
3. Downloaded (but have not run) ComboFix and its associated instructions. Downloaded preparation instructions for this forum. Downloaded, ran and uploaded DDS output.


Current symptomatology: Firefox becoming INCREDIBLY slow. Occasionally a webpage rooted at "sagipsul.com" is popping up. Firefox is occasionally crashing. Seems to run faster restarting right after a crash.

Other notes: I almost exclusively use Firefox. I only occasionally use Internet Explorer and only on those sites that specifically require it.
My antivirus system is SystemSuite 9. My firewall is Zone Alarm, free version.
Quad processor machine, 4 GB of memory, 1.5 TB disk space, collectively. Slightly over one million files.
My machine has three hard drives internally (and a couple of external USB drives). One of the internal drives has the occasional hardware fault. Why I don't remove it from the system is complicated. No files are on it and I don't use it for storage. Any error messages you see related to this in any logs are very likely NOT related to this virus infection problem.


DDS listing:

DDS (Ver_09-01-07.01) - NTFSx86
Run by MonkeyBoy at 12:59:35.14 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.1974 [GMT -8:00]

AV: Avanquest SystemSuite *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ZyXEL\AG-225H\NICServ.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\Monsters\PowerGramo\PowerGramo.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\x886Mbgnd.exe
C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Contour Shuttle\ShuttleHelper.exe
C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\WINDOWS\system32\xrxbeacn.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Contour Shuttle\ShuttleEngine.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\East-Tec Eraser 2008\etRiskMon.exe
C:\Program Files\ScanSoft\PaperPort\xdcla.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\Program Files\ZyXEL\AG-225H\AG-225H.exe
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
C:\GRPREADY\psserver.EXE
C:\Sun\SDK\jdk\bin\javaw.exe
C:\DOCUME~1\MONKEY~1\LOCALS~1\Temp\tlx_app\_PSWIN32.EXE
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\GPSoftware\Directory Opus\dopus.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ScanSoft\PDF Professional 4.0\PdfPro4Hook.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nwmls.com/login/index.cfm
uInternet Settings,ProxyOverride = *.local
BHO: XPL LinkScannerIE: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avanquest\systemsuite\LinkScannerIE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: TweakMASTER Component: {7daac7de-9ef0-4ff0-bfa5-aff3e899054c} - c:\progra~1\tweakm~1\TweakBHO.dll
BHO: DataVault Object: {8373adc0-6330-11dd-9d77-22c856d89593} - c:\program files\avanquest\systemsuite\IE_ContextMenu_Vault.dll
BHO: {4183e1c7-64a8-03a8-95e4-4f3790c0c65a}: {a56c0c09-73f4-4e59-8a30-8a467c1e3814} - c:\windows\system32\nseqhi.dll
BHO: {d243d9f7-9ed4-4db0-9e79-9fce59d03684} - c:\windows\system32\awtsRlLC.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\program files\imacros\imacros.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Directory Opus Desktop Dblclk] "c:\program files\gpsoftware\directory opus\dopusrt.exe" /dblclk
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Livehelper] c:\program files\livehelper.com llc\livehelper operator services\operator.exe /s
uRun: [Eraser RiskMonitor] "c:\program files\east-tec eraser 2008\launch.exe" "c:\program files\east-tec eraser 2008\etRiskMon.exe"
uRun: [Clipdiary] c:\program files\clipdiary\clipdiary.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [LiveMonitor] c:\program files\msi\live update 3\LMonitor.exe
mRun: [BurnQuick Queue] c:\program files\burnquick\BQTray.exe
mRun: [PowerGramo] c:\program files\monsters\powergramo\PowerGramo.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Xerox886MBgTask] c:\windows\system32\x886Mbgnd.exe 1
mRun: [XeroxRegistation] "c:\docume~1\monkey~1\locals~1\temp\xerox\ereg\EReg.exe" /Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TweakMASTER] "c:\program files\tweakmaster\TMTray.exe"
mRun: [Contour Shuttle Device Helper] c:\program files\contour shuttle\ShuttleHelper.exe
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [a8c877a6] rundll32.exe "c:\windows\system32\fjmrvxya.dll",b
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\monkey~1\startm~1\programs\startup\groupr~1.lnk - c:\grpready\pswin32.exe
StartupFolder: c:\docume~1\monkey~1\startm~1\programs\startup\hc_tray.lnk - c:\program files\kuma games\hcsystray\hc_tray.exe
StartupFolder: c:\docume~1\monkey~1\startm~1\programs\startup\psserver.lnk - c:\grpready\psserver.EXE
StartupFolder: c:\docume~1\monkey~1\startm~1\programs\startup\sdktra~1.lnk - c:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imager~1.lnk - c:\program files\scansoft\paperport\xdcla.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxela~1.lnk - c:\program files\zyxel\ag-225h\AG-225H.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: mlJApPFx - mlJApPFx.dll
AppInit_DLLs: nseqhi.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - c:\program files\gpsoftware\directory opus\dopuslib.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtsRlLC

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monkey~1\applic~1\mozilla\firefox\profiles\8bo8ip0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - component: c:\program files\avanquest\systemsuite\firefox3dv\components\VaultComponent.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: XUL Cache: {A550D8DE-DD35-4275-B31D-07D891672360} - c:\windows\system32\config\systemprofile\local settings\application data\{a550d8de-dd35-4275-b31d-07d891672360}\

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-9 127768]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-1-9 202928]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-15 394952]
R3 CXFALCON;PCDVR3101_3104 Video/Audio Card;c:\windows\system32\drivers\TD3101_3104AV.sys [2008-12-6 78592]
R3 XnetSrvc;XnetSrvc;c:\windows\system32\xnetsrvc.exe [2008-5-30 128512]
R4 NICSer_AG225H;NICSer_AG225H;c:\program files\zyxel\ag-225h\NICServ.exe [2007-11-15 529920]
R4 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk\PD91Agent.exe [2008-9-9 693512]
R4 SBAMSvc;SystemSuite;c:\program files\common files\antivirus\SBAMSvc.exe [2008-10-28 886056]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 FMS;Flash Media Server (FMS);c:\program files\adobe\flash media server 3\FMSMaster.exe [2008-8-27 2281472]
S3 FMSAdmin;Flash Media Administration Server;c:\program files\adobe\flash media server 3\FMSAdmin.exe [2008-8-27 2453504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk\PD91Engine.exe [2008-9-9 906504]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 ZDA211U(ZyXEL);ZyXEL AG-225H 802.11a/b/g Wi-Fi Finder & USB Adapter Driver(ZyXEL);c:\windows\system32\drivers\ZDA211U.sys [2007-11-15 290304]

=============== Created Last 30 ================

2009-01-10 12:41 1,037,248 a------- C:\BleepingComputer.com [Power.pdf
2009-01-10 12:40 368,922 a------- C:\dds.scr
2009-01-10 12:25 2,914,743 a------- C:\ComboFix2.exe
2009-01-10 12:19 912,434 a------- C:\A guide and tutorial on usi.pdf
2009-01-09 21:35 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-01-09 21:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avanquest
2009-01-09 21:32 <DIR> --d-h--- C:\_Backup
2009-01-09 21:32 <DIR> --d----- c:\docume~1\monkey~1\applic~1\Avanquest
2009-01-09 21:32 <DIR> --d----- c:\program files\Avanquest update
2009-01-09 21:32 <DIR> --d----- c:\program files\common files\AntiVirus
2009-01-09 21:32 <DIR> --d----- c:\program files\Avanquest
2009-01-09 21:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-09 21:14 118,523,248 a------- C:\SSGM9.0.3.3.exe
2009-01-09 21:14 63,391 a------- C:\Avanquest Software eStore.pdf
2009-01-09 20:35 46,829,456 a------- C:\zlsSetup_70_483_000_en.exe
2009-01-09 20:29 7,518,240 a------- C:\Firefox Setup 3.0.5.exe
2009-01-09 19:35 1,248,432 ---sh--- c:\windows\system32\ayxvrmjf.ini
2009-01-09 19:35 90,624 a------- c:\windows\system32\fjmrvxya.dll
2009-01-09 19:32 133,120 a------- c:\windows\system32\nseqhi.dll
2009-01-09 19:32 133,120 a------- c:\windows\system32\osglujbl.dll
2009-01-09 19:29 52,224 a------- c:\windows\system32\byXQICRl.dll
2009-01-09 19:26 742,560 a--sh--- c:\windows\system32\CLlRstwa.ini2
2009-01-09 19:26 742,560 a--sh--- c:\windows\system32\CLlRstwa.ini
2009-01-09 19:26 289,280 a------- c:\windows\system32\awtsRlLC.dll
2009-01-08 16:24 84,161 a------- C:\agencylaw.pdf
2009-01-08 16:17 657,573 a------- C:\reLawbook1207.pdf
2009-01-08 15:30 755,510 a------- C:\COE_2008.pdf
2009-01-07 19:13 540,765 a------- C:\M22_Challenge_home.jpg
2009-01-07 11:51 66,386 a------- C:\249916306.jpg
2009-01-07 11:44 99,826 a------- C:\1575958314.jpg
2009-01-07 08:41 <DIR> --d----- c:\program files\NinjaTrader 6.5
2009-01-06 11:18 51,129 a------- C:\Ryan.jpg
2009-01-06 11:17 11,424 a------- C:\SunSpiderJaws.jpg
2009-01-05 20:47 84,255 a------- C:\1382457571.jpg
2009-01-05 18:04 5,578,363 a------- C:\new pics 8-26-08.zip
2009-01-04 19:23 362,778 a------- C:\image.jpg
2009-01-04 17:07 21,540,547 a------- C:\step -1 try 5.psd
2009-01-03 19:23 2,404 a------- C:\ryan crap.rtf
2009-01-03 10:15 46,146 a------- C:\1295081617.jpg
2009-01-02 01:19 229,859 a------- C:\Cloned puppies.pdf
2009-01-01 15:09 31,123 a------- C:\1122651236.jpg
2009-01-01 15:07 68,189 a------- C:\379342252.jpg
2009-01-01 15:04 51,876 a------- C:\1984426699.jpg
2008-12-31 15:31 25,698 a------- C:\Business license renewal.pdf
2008-12-31 10:26 143,287 a------- C:\2131891022.jpg
2008-12-31 10:24 29,059 a------- C:\1605315062.jpg
2008-12-31 10:21 88,902 a------- C:\1277659745.jpg
2008-12-31 10:11 56,332 a------- C:\1086487941.jpg
2008-12-31 08:50 69,622 a------- C:\1652339996.jpg
2008-12-31 08:20 101,745 a------- C:\1732239739.jpg
2008-12-31 08:19 102,449 a------- C:\515207432.jpg
2008-12-31 08:14 127,452 a------- C:\2140677768.jpg
2008-12-31 08:13 84,076 a------- C:\477908383.jpg
2008-12-31 08:10 157,981 a------- C:\959459927.jpeg
2008-12-31 08:06 115,224 a------- C:\1361133807.jpg
2008-12-31 07:54 87,430 a------- C:\1248397998.jpg
2008-12-30 13:27 2,948,640 a------- C:\SetupXerox.exe
2008-12-30 10:38 181,523 a------- C:\445450095.jpg
2008-12-30 10:26 56,734 a------- C:\650042398.jpg
2008-12-30 10:19 35,256 a------- C:\1394053363.jpg
2008-12-30 10:15 24,092 a------- C:\351821061.jpg
2008-12-30 10:15 45,465 a------- C:\335009391.jpg
2008-12-30 10:14 43,993 a------- C:\1755826321.jpg
2008-12-30 07:33 306,367 a------- C:\Real Estate _ U.S. home pri.pdf
2008-12-29 14:36 228,683 a------- C:\nm9.jpeg
2008-12-29 14:30 199,263 a------- C:\1492688113.jpeg
2008-12-29 14:29 214,292 a------- C:\787015387.jpeg
2008-12-29 14:29 209,289 a------- C:\162415585.jpeg
2008-12-29 14:28 220,266 a------- C:\877518001.jpeg
2008-12-29 10:53 437,178 a------- C:\wilsons on realtor dot com.pdf
2008-12-29 10:51 106,436 a------- C:\wilsons on mls.pdf
2008-12-29 10:50 302,259 a------- C:\wilsons on JLS.pdf
2008-12-28 22:03 116,420 a------- C:\Pay Bill - AT&T(10).pdf
2008-12-28 20:48 76,601 a------- C:\directv Pay your Bill(1).pdf
2008-12-28 20:21 28,649 a------- C:\2089458282.jpg
2008-12-28 20:19 44,791 a------- C:\2058589933.jpg
2008-12-28 11:42 207,176 a------- C:\jobacct.dat
2008-12-27 10:26 57,306 a------- C:\1568960384.jpg
2008-12-27 10:01 27,805 a------- C:\739440726.jpg
2008-12-26 20:19 511,656 a------- C:\JNY 12_26_2008 (250 Tick).jpg
2008-12-26 20:18 251,638 a------- C:\JNY 12_26_2008 (50 Tick).jpg
2008-12-23 23:13 14,900 a------- C:\glacial newpaper argument.odt
2008-12-23 21:42 135,856 a------- C:\christmas light order.pdf
2008-12-23 14:08 2,731,928 a------- C:\HDsetup.exe
2008-12-23 13:06 46,000 a------- C:\1917818402.jpg
2008-12-23 13:05 48,635 a------- C:\1099701377.jpg
2008-12-23 13:01 222,884 a------- C:\1123256289.jpg
2008-12-23 12:34 90,507 a------- C:\1223357244.jpg
2008-12-23 11:25 77,228 a------- C:\1189536516.jpg
2008-12-23 11:24 92,110 a------- C:\1835686075.jpg
2008-12-23 11:24 90,020 a------- C:\1121967894.jpg
2008-12-23 11:23 86,070 a------- C:\1539278205.jpg
2008-12-23 11:23 97,668 a------- C:\819438385.jpg
2008-12-23 11:22 104,601 a------- C:\12263494.jpg
2008-12-23 11:22 115,134 a------- C:\1472017276.jpg
2008-12-23 11:21 95,169 a------- C:\1864814951.jpg
2008-12-23 11:05 36,528 a------- C:\876741466.jpg
2008-12-22 12:44 1,455,262 a------- C:\maype question.psd
2008-12-21 15:58 152,454 a------- C:\Bamboo9.jpg
2008-12-21 15:57 195,480 a------- C:\Bamboo6.jpg
2008-12-21 15:18 25,977 a------- C:\Resume_Donovan_Penaluna.pdf
2008-12-21 12:47 217,953 a------- C:\216516964_40b66d5e15_o.jpg
2008-12-21 12:37 25,239 a------- C:\Top Hat.jpg
2008-12-21 11:39 <DIR> --d----- C:\####Roofus
2008-12-20 16:09 7,472 a------- C:\tempsavethingy.rtf
2008-12-19 20:34 94,154 a------- C:\court cancellation.pdf
2008-12-18 14:05 507 a------- c:\windows\WinSig.Ini
2008-12-18 14:05 144 a------- c:\windows\Reader.Ini
2008-12-18 14:05 28,672 a------- c:\windows\system32\proxydll.dll
2008-12-18 14:05 17,920 a------- c:\windows\system32\Implode.dll
2008-12-18 14:05 <DIR> --d----- c:\program files\eSignal
2008-12-18 14:05 2,524 a------- c:\windows\WinRos.Ini
2008-12-18 14:03 4,190,216 a------- C:\DM_Client_8.1_R2.exe
2008-12-18 14:00 19,956 a------- C:\https___secure.esignal.com_.pdf
2008-12-18 11:40 <DIR> --d----- C:\###
2008-12-18 00:11 <DIR> --d----- C:\########crap jr likes
2008-12-17 22:29 986,778 a------- C:\first model2.psd
2008-12-17 21:03 906,468 a------- C:\first model.psd
2008-12-17 12:40 1,950 a------- C:\ninja trader email.rtf
2008-12-17 11:57 228,424 a------- C:\setup_ninjatrader.exe
2008-12-17 00:33 93,881 a------- C:\1902714562.jpg
2008-12-16 18:45 23,345 a------- C:\ford manual F550 receipt.pdf
2008-12-16 13:53 <DIR> --d----- c:\program files\Free Extended Task Manager
2008-12-16 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaskManager
2008-12-16 13:50 26,884,384 a------- C:\FreeVideoConverter.exe
2008-12-16 13:49 11,714,981 a------- C:\FreeTaskManager.exe
2008-12-16 13:48 13,259,428 a------- C:\FreeScreenCapturer.exe
2008-12-15 18:42 122,765 a------- C:\Clipboard Image.jpg
2008-12-15 17:39 176,854 a------- C:\betts presence on MLS.pdf
2008-12-15 17:36 1,049,745 a------- C:\betts presence on JLS.pdf
2008-12-15 17:34 574,259 a------- C:\betts presence on Realtor dot com.pdf
2008-12-15 11:28 85,540 a------- C:\BOHCodeTitleR14.pdf
2008-12-15 01:03 7,432 a------- C:\Pivot Points.ods
2008-12-13 12:36 804,841 a------- C:\PN40manual.pdf
2008-12-13 12:36 7,105,105 a------- C:\PN40_GettingStarted.pdf
2008-12-13 10:37 162,304 a------- c:\windows\UNWISE.EXE
2008-12-13 10:37 <DIR> --d----- c:\program files\TV4 STUDIOS
2008-12-13 10:36 469,341 a------- C:\MIProLive.exe
2008-12-11 15:33 10,702 a------- C:\accounting sheet.ods
2008-12-11 15:33 8,547 a------- C:\blank accounting sheet.ods

==================== Find3M ====================

2009-01-10 12:36 2,034 a------- c:\docume~1\monkey~1\applic~1\SAS7_000.DAT
2009-01-09 20:46 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-11 10:32 98,304 a------- c:\windows\system32\NtDirect.dll
2008-12-06 11:13 78,592 a------- c:\windows\system32\drivers\TD3101_3104AV.sys
2008-12-06 11:04 21,941,515 a------- C:\pcdvr5.4.0.3.exe
2008-12-06 00:40 1,479,736 a------- C:\DxO_Optics_Pro_Download_Manager.exe
2008-12-05 08:08 13,178,521 a------- C:\myWind_assets.zip
2008-12-02 14:25 1,851,544 a------- C:\install_flash_player.exe
2008-11-29 21:39 9,870,080 a------- C:\flashdecompiler.exe
2008-11-29 20:53 17,767,173 a------- C:\FFSetup1.61.zip
2008-11-27 21:47 2,315,800 a------- C:\divx680vfw.exe
2008-11-27 21:45 84,680 a------- C:\PANADV.zip
2008-11-27 16:15 38,528 a------- C:\steve_handwriting.zip
2008-11-23 15:13 9,092,976 a------- C:\kitd.exe
2008-11-23 15:11 857,357 a------- C:\rarkeyd.exe
2008-11-17 13:48 989,696 a------- C:\freepcaudit.exe
2008-11-13 12:53 1,085,826 a------- C:\clipdiary_1.97_Free_Beta.exe
2008-10-30 08:27 1,728,160 a------- C:\TweakMASTER-Install.exe
2008-10-28 16:28 65,320 a------- c:\windows\system32\sbbd.exe
2008-10-28 09:31 512,392 a------- C:\WindowsXP-KB931836-x86-ENU.exe
2008-10-28 09:30 1,478,696 a------- C:\GenuineCheck.exe
2008-10-28 09:29 894,504 a------- C:\WGAPluginInstall.exe
2008-10-23 16:45 4,010,648 a------- C:\reachamailpro.exe
2008-10-23 08:55 1,021,130 a------- C:\clipdiary_1.95_Free_Beta.exe
2008-10-22 17:46 2,458,565 a------- C:\Weinbaum.zip
2008-10-21 20:00 520,192 a------- C:\WinDjView-0.5.exe
2008-10-21 19:48 3,079,604 a------- C:\Setup_MagicISO.exe
2008-10-21 08:33 6,706,104 a------- C:\eteraser_licensed_8_9_7_100.exe
2008-10-20 18:19 9,422,264 a------- C:\SetupRegexBuddy3SteveAmos_update.exe
2008-08-26 23:05 13 ----h--- c:\docume~1\alluse~1\applic~1\ę3113.sys
2008-07-28 16:44 6,832 a------- c:\program files\KLF2.5GPU.log
2008-06-11 08:24 60,744 a------- c:\documents and settings\monkeyboy\g2mdlhlpx.exe
2007-12-20 13:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-03-09 00:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll

============= FINISH: 12:59:58.96 ===============


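The "Pseudo HJT Report" section of the DDS log above lists the load points that the Malwarebytes log later in this thread confirms as Trojan.Vundo: nameless BHOs, a Run value loading a random-letter DLL through rundll32, a Winlogon Notify package, AppInit_DLLs, and an extra LSA Authentication Package. The following triage script is an added example, not part of the original thread and not code from DDS, HijackThis or Malwarebytes; it reads lines in that report format and flags those load points. The rule names are mine, and the sample input is constructed from lines copied out of the log above plus a few benign entries as controls.

```python
"""Flag Vundo-style persistence entries in a DDS 'Pseudo HJT Report' section (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["rule", "entry"])

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Vundo droppers name their payload DLLs with 8 random letters (fjmrvxya.dll, awtsRlLC.dll).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.I)
HEX_KEY_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
RUN_RE = re.compile(r"\[(?P<key>[^\]]*)\]\s*(?P<cmd>.*)")
DLL_RE = re.compile(r'([^\\"]+\.dll)', re.I)

# Constructed sample: lines copied from the DDS log in post #1, plus benign controls
# (SSVHelper, NvCplDaemon, ZoneAlarm Client) that the rules must leave alone.
SAMPLE_LINES = r"""
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {4183e1c7-64a8-03a8-95e4-4f3790c0c65a}: {a56c0c09-73f4-4e59-8a30-8a467c1e3814} - c:\windows\system32\nseqhi.dll
BHO: {d243d9f7-9ed4-4db0-9e79-9fce59d03684} - c:\windows\system32\awtsRlLC.dll
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [a8c877a6] rundll32.exe "c:\windows\system32\fjmrvxya.dll",b
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
Notify: mlJApPFx - mlJApPFx.dll
AppInit_DLLs: nseqhi.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtsRlLC
"""


def _bho_lacks_readable_name(rest):
    # Format is "<name>: {clsid} - <path>", or "{clsid} - <path>" when no name was registered.
    # Legitimate BHOs carry a readable name; Vundo's are nameless or named by a second GUID.
    head = rest.split(" - ", 1)[0]
    parts = [p.strip() for p in head.split(":")]
    name = parts[0] if len(parts) > 1 else ""
    return not name or bool(GUID_RE.match(name))


def check_line(line):
    """Return the Findings for one Pseudo-HJT line; an empty list means no rule fired."""
    line = line.strip()
    if not line:
        return []
    kind, _, rest = line.partition(":")
    rest = rest.strip()
    hits = []
    if kind == "BHO" and _bho_lacks_readable_name(rest):
        hits.append(Finding("bho_without_readable_name", line))
    elif kind in ("uRun", "mRun"):
        m = RUN_RE.match(rest)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            dll = DLL_RE.search(cmd)
            # rundll32 is a normal host (NvCpl.dll); the random-letter module name is the tell.
            if "rundll32" in cmd.lower() and dll and RANDOM_DLL_RE.match(dll.group(1)):
                hits.append(Finding("rundll32_loads_random_dll", line))
            elif HEX_KEY_RE.match(key):
                hits.append(Finding("run_value_named_by_hex", line))
    elif kind == "Notify":
        # Winlogon Notify packages are loaded into winlogon.exe at logon.
        dll = rest.split(" - ", 1)[-1].strip()
        if RANDOM_DLL_RE.match(dll):
            hits.append(Finding("winlogon_notify_random_dll", line))
    elif kind == "AppInit_DLLs":
        # AppInit_DLLs is injected into every process that loads user32.dll; normally empty.
        if rest:
            hits.append(Finding("appinit_dlls_set", line))
    elif kind == "LSA":
        setting, _, value = rest.partition("=")
        if setting.strip() == "Authentication Packages":
            # msv1_0 is the built-in package; anything else is loaded into lsass.exe.
            if [t for t in value.split() if t.lower() != "msv1_0"]:
                hits.append(Finding("lsa_extra_authentication_package", line))
    return hits


def scan(report_text):
    """Run check_line over every line of a Pseudo-HJT section and collect the findings."""
    findings = []
    for line in report_text.splitlines():
        findings.extend(check_line(line))
    return findings


def flagged_modules(findings):
    """Lower-cased basenames of the DLLs named in the findings, for cross-checking a scanner log."""
    names = set()
    for f in findings:
        for m in re.finditer(r"([A-Za-z0-9_]+\.dll)", f.entry):
            names.add(m.group(1).lower())
    return names


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.rule:34} {f.entry}")
    print("modules to cross-check:", sorted(flagged_modules(scan(SAMPLE_LINES))))
```

Note that the prunnet Run value is deliberately not caught: its name is not random-looking, so only the scanner's signature (Trojan.Agent in the Malwarebytes log below) identifies it, which is why a heuristic pass like this complements rather than replaces a full scan.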
#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,762 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 January 2009 - 09:11 PM

Hi, deadfrog :thumbsup:

Welcome.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Do not run it yet.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Run HijackThis and save the report.
  • Please post the "C:\ComboFix.txt" along with a HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 deadfrog

  • Topic Starter

  • Members
  • 12 posts

Posted 10 January 2009 - 10:20 PM

HJTInstall.exe has been downloaded and installed to the desktop, but not run.

Malwarebytes' Anti-Malware has been downloaded and "Perform Quick Scan" has been run; MANY items were found and deleted, and a reboot and final cleanup were required as per the Malwarebytes screen instructions. A log file was generated prior to reboot, the text of which is inserted below these comments.

ComboFix has been downloaded. I will now disable all of my protection systems (firewall, AV, etc.), and perform the balance of your instructions and post the results as directed.

Thank you in excess for your time and trouble. I don't know the reward that awaits you, but if there is balance in the universe, it should be good.


Malwarebytes' Anti-Malware 1.32
Database version: 1640
Windows 5.1.2600 Service Pack 2

1/10/2009 5:43:59 PM
mbam-log-2009-01-10 (17-43-48)

Scan type: Quick Scan
Objects scanned: 66284
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtsRlLC.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fjmrvxya.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nseqhi.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a56c0c09-73f4-4e59-8a30-8a467c1e3814} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a56c0c09-73f4-4e59-8a30-8a467c1e3814} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d243d9f7-9ed4-4db0-9e79-9fce59d03684} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d243d9f7-9ed4-4db0-9e79-9fce59d03684} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a56c0c09-73f4-4e59-8a30-8a467c1e3814} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d243d9f7-9ed4-4db0-9e79-9fce59d03684} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8c877a6 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtsrllc -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtsrllc -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nseqhi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\awtsRlLC.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\CLlRstwa.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\CLlRstwa.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fjmrvxya.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ayxvrmjf.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\osglujbl.dll (Trojan.Vundo) -> No action taken.
C:\RECYCLER\S-1-5-21-1708537768-2052111302-839522115-1003\Dc1856.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\senekaoshslaom.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaugsxorat.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\senekarnvkqrrs.sys (Trojan.Agent) -> No action taken.
C:\winxpvirtualcdcontrolpanel_21.exe (Trojan.Agent) -> No action taken.

#4 deadfrog

Posted 10 January 2009 - 10:54 PM

combofix.exe has been run. Recovery Console was installed during the process.

ComboFix did shut down and reboot my machine in an orderly fashion, but did not give me a chance to write anything down; there were no prompts prior to the reboot, just an announcement of rebooting and off we went. My apologies. On the good side, the reboot went smoothly, which has not been the case of late. Encouraging.

HijackThis was run and a log file saved.

hijackthis.txt and ComboFix.txt were packed into a zipfile, "hijackthis_combofix.zip", which has been attached to this reply.

I await your next instructions.


#5 JSntgRvr

  • Malware Response Team
Posted 11 January 2009 - 01:59 AM

Hi, deadfrog :thumbsup:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\system32\awtsRlLC.dll
C:\WINDOWS\system32\fjmrvxya.dll
C:\WINDOWS\system32\nseqhi.dll
C:\WINDOWS\system32\nseqhi.dll
C:\WINDOWS\system32\awtsRlLC.dll
C:\WINDOWS\system32\CLlRstwa.ini
C:\WINDOWS\system32\CLlRstwa.ini2
C:\WINDOWS\system32\fjmrvxya.dll
C:\WINDOWS\system32\ayxvrmjf.ini
C:\WINDOWS\system32\osglujbl.dll
C:\RECYCLER\S-1-5-21-1708537768-2052111302-839522115-1003\Dc1856.exe
C:\WINDOWS\system32\senekaoshslaom.dll
C:\WINDOWS\system32\senekaugsxorat.dll
C:\WINDOWS\system32\senekadf.dat
C:\WINDOWS\system32\seneka.dat
C:\WINDOWS\system32\senekalog.dat
C:\WINDOWS\system32\drivers\seneka.sys
C:\WINDOWS\system32\drivers\senekarnvkqrrs.sys
C:\winxpvirtualcdcontrolpanel_21.exe
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{58172624-85DD-4482-9E64-02ADCA637E96}]
[-HKEY_CLASSES_ROOT\CLSID\{58172624-85DD-4482-9E64-02ADCA637E96}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a56c0c09-73f4-4e59-8a30-8a467c1e3814}]
[-HKEY_CLASSES_ROOT\CLSID\{a56c0c09-73f4-4e59-8a30-8a467c1e3814}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d243d9f7-9ed4-4db0-9e79-9fce59d03684}]
[-HKEY_CLASSES_ROOT\CLSID\{d243d9f7-9ed4-4db0-9e79-9fce59d03684}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a56c0c09-73f4-4e59-8a30-8a467c1e3814}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d243d9f7-9ed4-4db0-9e79-9fce59d03684}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet]
[-HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
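
The Malwarebytes log posted earlier in this thread and the CFScript above share one structure: the log's itemised sections are what the script's File:: and Registry:: blocks are built from. As an added example (not code from the thread, from Malwarebytes or from ComboFix), this Python parses a log in that format, checks that the summary counts agree with the itemised entries, flags the LSA Notification/Authentication Packages entries (the value that keeps the Vundo DLL loaded by lsass.exe, which is why the cleanup needed a reboot), and emits File::/Registry:: lines in the layout shown above; the embedded log is a constructed excerpt of the posted one, and the CFScript layout is assumed from the helper's post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and derive a ComboFix
CFScript from it. Added example, not code from the thread or either tool;
the log below is a constructed excerpt of the one posted in the thread, and
the File::/Registry:: layout is assumed from the helper's CFScript post."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\\WINDOWS\\system32\\awtsRlLC.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{a56c0c09-73f4-4e59-8a30-8a467c1e3814} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MS Juan (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Notification Packages (Trojan.Vundo.H) -> Data: c:\\windows\\system32\\awtsrllc -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\awtsRlLC.dll (Trojan.Vundo.H) -> No action taken.
C:\\winxpvirtualcdcontrolpanel_21.exe (Trojan.Agent) -> No action taken.
"""

# Summary block ("Files Infected: 16"), section header ("Files Infected:"),
# and one detection line, optionally carrying a "-> Data: ..." part.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
                      r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)\.$")


def parse_mbam_log(text):
    """Return (summary counts, sections); each section maps to a list of
    dicts with item/threat/data/action taken from the detection lines."""
    counts, sections, current = {}, OrderedDict(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            current = m["section"]
            sections.setdefault(current, [])
        elif (m := ENTRY_RE.match(line)) and current:
            sections[current].append(m.groupdict())
    return counts, sections


def check_counts(counts, sections):
    """Summary block and itemised sections must agree; a mismatch means the
    log was truncated or edited before posting. Returns {section: (said, seen)}."""
    return {s: (counts.get(s, 0), len(items))
            for s, items in sections.items() if counts.get(s, 0) != len(items)}


def lsa_persistence(sections):
    """LSA Notification/Authentication Packages entries: the DLL named there is
    loaded into lsass.exe at boot, so it cannot be deleted while Windows runs."""
    return [e for e in sections.get("Registry Data Items Infected", [])
            if "\\Control\\LSA\\" in e["item"]]


def build_cfscript(sections):
    """File:: then one path per line (memory modules plus files, deduplicated),
    Registry:: then one [-key] per line for each infected registry key."""
    files = OrderedDict()
    for s in ("Memory Modules Infected", "Files Infected"):
        for e in sections.get(s, []):
            files[e["item"]] = None
    keys = [e["item"] for e in sections.get("Registry Keys Infected", [])]
    return "\n".join(["File::", *files, "Registry::",
                      *(f"[-{k}]" for k in keys)]) + "\n"


if __name__ == "__main__":
    counts, sections = parse_mbam_log(SAMPLE_LOG)
    print(check_counts(counts, sections) or "counts consistent",
          build_cfscript(sections), sep="\n")
```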


#6 deadfrog


Posted 11 January 2009 - 01:16 PM

In this order:
1. All JAVA (and variants) in Add/Remove Programs were removed.
2. Rebooted in an orderly fashion.
3. Installed jre-6u11-windows-i586-p.exe from the desktop. Went smoothly.
4. Dragged CFScript.txt into ComboFix.exe. Received a notice that a new version of ComboFix.exe was available, did I want to download? I aborted the entire operation at this point because A) I need to know if you want me to use the updated ComboFix.exe and B) I was not told to disable AV and firewalls and such prior to running ComboFix as I have been told to in previous steps. I'm biasing my activities to the literal side for obvious reasons. Am I to disable firewalls and AV and such EACH TIME I run ComboFix, even if I'm not told to do so specifically?


Some additional questions unrelated to this step in the process:
1. I sometimes use the Eclipse development environment. Is the Java RE variant satisfactory, or do I need to install the development platform environment after all this is done, and is that safe to do/advisable?
2. Do you believe the source of my original infection was an exploit in Java 5?

#7 JSntgRvr

  • Malware Response Team

Posted 11 January 2009 - 04:23 PM

In this order:
1. All JAVA (and variants) in Add/Remove Programs were removed.
2. Rebooted in an orderly fashion.
3. Installed jre-6u11-windows-i586-p.exe from the desktop. Went smoothly.
4. Dragged CFScript.txt into ComboFix.exe. Received a notice that a new version of ComboFix.exe was available, did I want to download? I aborted the entire operation at this point because A) I need to know if you want me to use the updated ComboFix.exe and B) I was not told to disable AV and firewalls and such prior to running ComboFix as I have been told to in previous steps. I'm biasing my activities to the literal side for obvious reasons. Am I to disable firewalls and AV and such EACH TIME I run ComboFix, even if I'm not told to do so specifically?


Some additional questions unrelated to this step in the process:
1. I sometimes use the Eclipse development environment. Is the Java RE variant satisfactory, or do I need to install the development platform environment after all this is done, and is that safe to do/advisable?
2. Do you believe the source of my original infection was an exploit in Java 5?

There was a bug in Combofix and now older versions will ask for the download of the latest version. Nothing to worry about. Remove the copy you have on the desktop and download the latest from the same link.

In regard to the JAVA exploit, we will know through the Kaspersky scan.



#8 deadfrog


Posted 11 January 2009 - 04:40 PM

There is still that one unanswered question: do I disable AV and firewall EACH TIME I run ComboFix even if I'm not told to do so each time? In other words, is disabling AV and firewall et al. implied every time one runs ComboFix?

Thanks in advance.

#9 JSntgRvr

  • Malware Response Team

Posted 11 January 2009 - 07:05 PM

There is still that one unanswered question: do I disable AV and firewall EACH TIME I run ComboFix even if I'm not told to do so each time? In other words, is disabling AV and firewall et al. implied every time one runs ComboFix?

Thanks in advance.

It is advisable that you disable all realtime protection before running Combofix at all times.



#10 deadfrog


Posted 11 January 2009 - 07:15 PM

ComboFix and Hijackthis have both been run (ComboFix with the CFScript.txt, as directed). The resultant logs have been zipped into a file "hijackthis2_ComboFix2.zip", which is attached.

I'll now download Kaspersky WebScanner and run as per your instructions.


#11 JSntgRvr

  • Malware Response Team

Posted 11 January 2009 - 09:14 PM

Hi, deadfrog

There are so many files in the root directory that I do not recognize. After running Kaspersky please do the following:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Leave an empty line at the end of the script.
  • Name the file as File.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the File.bat file and post the resulting report.
Echo Off
cd /d %~dp0
Dir /a C:\*.exe C:\*.bmp C:\*.pdf C:\*.zip C:\*.jpg C:\*.rtf C:\*.psd C:\*.odt C:\*.odS >Report.txt
Start Report.txt
Del %0

Do you recognize these folders?

C:\####Roofus
C:\###
C:\########crap jr likes

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.



#12 deadfrog


Posted 12 January 2009 - 12:48 AM

Following my comments here is the text of the Kaspersky WebScanner report.

My comments:
I am familiar with all the folders about which you inquired; I created them. I have over 1 million files collectively on my machine, including thousands of JPG's and Photoshop files, not to mention countless thousands of other files associated with a real estate practice and software development.

If you are concerned about the odd naming conventions of the folders in question (and many others), it's deliberate; these naming conventions force these directories to appear FIRST in sort order in the tree display of folders.

Reading, but not running, the batch file you requested I run, I see that it creates a listing of all the files I have in my root directory that are:
EXE - executable files
BMP - bitmap graphics files
PDF - Adobe Portable Document files
ZIP - Zip (or archive) files
JPG - Joint Photographic Experts Group files (probably the most common graphics file format there is as I'm sure you are aware)
RTF - universal Rich Text Format files
PSD - Photoshop data files
ODT - Open Office.org word processing files; my alternative to Microsoft Word, since I don't use Microsoft products other than the OS and IE when I have to
ODS - Open Office.org spreadsheet files; my alternative to Microsoft Excel, since I don't use Microsoft products other than the OS and IE when I have to

The batch file would then open the Report.txt dump into notepad, and then delete itself.

The proliferation of files in the root of the c: drive is a personal decision of my own. Some people object to this on principle (or the directory scanning cost at boot). As far as this infection issue is concerned, the presence of these files in the root directory is not related to the problem; I put them there myself. I would consider posting this listing of files to this public forum an unwise dissemination of proprietary information, so I cannot comply. I would be happy, however, to answer any questions you might have regarding these files, or to move them elsewhere if you think that's necessary for some reason related to this problem.

I will now perform your instructions related to GooredFix and post the results.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 23:55:27
Records in database: 1604898
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 253778
Threat name: 4
Infected objects: 4
Suspicious objects: 2
Duration of the scan: 03:04:25


File name / Threat name / Threats count
C:\#tc1100\bsplayer142.833.zip Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\#tc1100\GoogleHacksPortable1.6Setup.exe Infected: Hoax.Win32.Renos.vber 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXQICRl.dll.vir Infected: Trojan.Win32.Monderb.adqt 1
C:\System Volume Information\_restore{DEDBF488-52EA-47FD-9337-D9BA77871D30}\RP492\A0189125.dll Infected: Trojan.Win32.Monderb.adqt 1
D:\PocoMail PE\Mail\Holding Tank\Opus.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\PocoMail PE\Mail\Holding Tank\Opus.~mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

The selected area was scanned.

#13 deadfrog


Posted 12 January 2009 - 12:53 AM

Following is the GooredFix report.



GooredFix v1.8 by jpshortstuff
Log created at 21:50 on 11/01/2009 running Option #1 (MonkeyBoy)
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A550D8DE-DD35-4275-B31D-07D891672360}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{A550D8DE-DD35-4275-B31D-07D891672360}\"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\Avanquest\SystemSuite\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{4d855a8a-1536-4aa8-bf99-da2362910205}"="C:\Program Files\Avanquest\SystemSuite\Firefox3DV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A550D8DE-DD35-4275-B31D-07D891672360}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{A550D8DE-DD35-4275-B31D-07D891672360}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

#14 JSntgRvr

  • Malware Response Team

Posted 12 January 2009 - 03:40 PM

Hi, deadfrog :thumbsup:

It is unusual and unadvisable to see these files in the root directory.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\#tc1100\bsplayer142.833.zip
C:\#tc1100\GoogleHacksPortable1.6Setup.exe


Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

How is the computer doing?



#15 deadfrog


Posted 12 January 2009 - 05:36 PM

The files:
C:\#tc1100\bsplayer142.833.zip
C:\#tc1100\GoogleHacksPortable1.6Setup.exe
have been removed.

In an effort to make your work easier, I have moved the following fileset permanently into a subdirectory:


*.(exe|bmp|pdf|zip|jpg|rtf|psd|odt|odS|png|csv|php|jpeg|mp3|mov|txt|wav|avi|rm|mpg|ram|wmv|rar|xls|doc|xfd)

This subdirectory is named: C:\##################OldRoot

Since this changed the directory structure, and I don't know the effect that would have on running GooredFix.exe, I have not run GooredFix.exe with option 2 as directed. Having moved these files, is it safe to run GooredFix.exe with option 2 as directed?

How is the computer doing?: In general, it runs fine. Firefox, however, is still exceedingly strange. I haven't had a sagipsul.com popup in a very long time, but Firefox quickly bogs down and, on opening new web pages, generally consumes about 25% of my overall quad-cpu bandwidth, which is VERY suspect, and things in Firefox go VERY slowly then; this is uncharacteristic of my machine until this infection.



