Infected with Malware.Trace and Trojan.Vundo


  • This topic is locked
9 replies to this topic

#1 BobsBigBoy

  • Members
  • 6 posts

Posted 12 January 2009 - 05:39 AM

Hello,

I was working on my XP installed Dell laptop a week ago - when all of a sudden I got hit with pop-ups and a security alert.

Computer stopped working properly right after - and the next day I took it to my computer guy.

He was not very knowledgeable and appears to have installed CyberDefender - he said he was able to clean it - but later when he connected it back to the internet the spyware instantly popped right back up.

I took the machine off his hands went home and turned off the wireless card/via the switch and started reading up on Vundo before I found this great website.

Using my Mac, I downloaded and installed via CD-Rom both SuperAntiSpy and MalwareBytes (in regular and safe mode) - which both got rid of most viruses - but when I restarted both Vundo and Trace came right back every time I ran a scan and their logs showed that I cleaned it up - so I am concerned that these bugs keep regenerating and I am afraid that they will grow worse if I reconnect my laptop to the internet.

I am not very savvy but I read that turning off the restore point was essential to cleaning vundo out so I turned that off during my latest cleaning - and it didn't seem to work.

Also I have turned on the firewall as recommended in the posting guide.

Would kindly appreciate any experienced thoughts on how to get these last two Vundo and Trace bugs out of my system.

Thanks!

Posting requested DDS log below:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Teymy.Bahmani at 2:05:05.56 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1572 [GMT -8:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\teymy.bahmani\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.thomson.com/
uWindow Title = Microsoft Internet Explorer provided by The Thomson Corporation
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = webproxy.int.westgroup.com:80
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RMC] c:\program files\reuters\rmc\rmc.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [iPCCheck] "c:\program files\ipass\ipassconnect\downloader\ipccheck.exe" /startup
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\ISSIntro.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R4 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2007-10-3 15793]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2003-7-18 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2003-7-18 36368]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-1-5 67424]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys --> c:\windows\system32\drivers\el574nd4.sys [?]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]

=============== Created Last 30 ================

2009-01-07 05:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 04:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 04:59 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\SUPERAntiSpyware.com
2009-01-07 04:20 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\Malwarebytes
2009-01-07 00:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 23:53 <DIR> --d----- c:\program files\Yahoo!
2009-01-06 23:53 <DIR> --d----- c:\program files\CCleaner
2009-01-06 13:10 172,032 a------- c:\windows\system32\igfxres.dll
2009-01-06 11:05 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-06 10:52 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-01-06 10:51 1,158,818 ac------ c:\windows\system32\dllcache\korwbrkr.lex
2009-01-06 10:50 57,399 ac------ c:\windows\system32\dllcache\cplexe.exe
2009-01-06 10:49 68,608 ac------ c:\windows\system32\dllcache\iisext51.dll
2009-01-06 10:44 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-06 10:43 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-06 10:42 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-01-06 10:30 10,559 a----r-- c:\windows\SET99.tmp
2009-01-06 10:30 22,339 a----r-- c:\windows\SET97.tmp
2009-01-06 10:30 13,753 a----r-- c:\windows\SET5B.tmp
2009-01-06 10:30 1,086,058 a----r-- c:\windows\SET4F.tmp
2009-01-06 10:30 1,042,903 a----r-- c:\windows\SET4C.tmp
2009-01-06 10:16 22,339 a----r-- c:\windows\SET95.tmp
2009-01-06 10:16 10,559 a----r-- c:\windows\SET96.tmp
2009-01-06 10:16 13,753 a----r-- c:\windows\SET5A.tmp
2009-01-06 10:16 1,086,058 a----r-- c:\windows\SET4E.tmp
2009-01-06 10:16 1,042,903 a----r-- c:\windows\SET4B.tmp
2009-01-06 09:57 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-01-06 09:57 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-01-06 09:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-06 09:57 13,312 a------- c:\windows\system32\irclass.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-06 08:19 24 a------- c:\windows\pccntmon.INI
2009-01-06 01:45 <DIR> --d----- c:\windows\dell
2009-01-05 23:17 <DIR> --dsh--- C:\found.000
2009-01-05 14:45 43 a------- c:\windows\av_affiliate.ini
2009-01-05 14:45 43 a------- c:\windows\as_affiliate.ini
2009-01-05 14:39 67,424 a------- c:\windows\system32\drivers\CDAVFS.sys
2009-01-05 14:39 <DIR> --d----- c:\program files\CyberDefender
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll

==================== Find3M ====================

2009-01-08 17:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-06 10:41 22,720 a------- c:\windows\system32\emptyregdb.dat
2008-12-12 14:56 65,744 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:21 75,350 a------- c:\windows\system32\z98.bin
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-01-30 12:09 651,348 a------- c:\program files\cltracker.zip

============= FINISH: 2:05:52.98 ===============
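An added triage example (not part of this thread, and not a BleepingComputer or DDS tool): a small Python script that reads the DDS sections as posted above and flags the Vundo pattern visible in this log, namely the randomly named DLLs on the AppInit_DLLs line, their same-size siblings dropped in the same minute, and the hidden+system .ini in system32. The excerpt is copied from the log above; the heuristic and section parser are my own assumptions about the DDS layout.

```python
"""Triage a DDS log for the Vundo-style dropper pattern seen in this thread.
Added example; the section/entry layout assumed here is taken from the log
posted above, and the flagging rules are the example author's, not DDS's."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the DDS log in the first post.
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============

Notify: PCANotify - PCANotify.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

=============== Created Last 30 ================

2009-01-06 10:52 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-01-06 09:57 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-01-06 09:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-05 14:39 <DIR> --d----- c:\program files\CyberDefender
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size or <DIR>> <attrs> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_sections(text):
    """Split a DDS log into {section name: [lines]} using its ==== headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def appinit_dlls(sections):
    """Lowercased DLL names on the AppInit_DLLs line (loaded into every GUI process)."""
    names = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            names.extend(n.lower() for n in line.split(":", 1)[1].split())
    return names


def created_entries(sections):
    """Parse 'Created Last 30' into dicts; directories get size None."""
    entries = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({
            "time": when,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path.lower(),
            "name": path.lower().rsplit("\\", 1)[-1],
        })
    return entries


def triage(text):
    """Return {file name: [reasons]} for system32 files that are AppInit-loaded,
    hidden+system, or created in the same minute with the same size as another
    system32 file. dllcache copies are Windows File Protection backups and would
    produce legitimate twins, so they are skipped."""
    sections = parse_sections(text)
    loaders = set(appinit_dlls(sections))
    entries = [e for e in created_entries(sections)
               if e["size"] is not None
               and "\\system32\\" in e["path"]
               and "\\dllcache\\" not in e["path"]]
    twins = defaultdict(list)
    for e in entries:
        twins[(e["time"], e["size"])].append(e["name"])
    findings = {}
    for e in entries:
        reasons = []
        if e["name"] in loaders:
            reasons.append("loaded into every process via AppInit_DLLs")
        siblings = [n for n in twins[(e["time"], e["size"])] if n != e["name"]]
        if siblings:
            reasons.append("same size and minute as " + ", ".join(siblings))
        if "s" in e["attrs"] and "h" in e["attrs"]:
            reasons.append("hidden+system attributes set")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(DDS_EXCERPT).items():
        print(name, "->", "; ".join(reasons))
```

Run against the full log rather than the excerpt, the same rules point at exactly the four DLLs and the .ini that the later ComboFix run deleted or that the AppInit line named.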

#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 22 January 2009 - 05:25 PM

Hello BobsBigBoy,

Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the ComboFix log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#3 BobsBigBoy

  • Topic Starter
  • Members
  • 6 posts

Posted 22 January 2009 - 06:53 PM

Thunder,

Thanks for your reply.

Before I run ComboFix - I thought you would want to know that I tinkered with the computer since I first posted my DDS log.

I deleted a few files that looked infected - and since then when I run MalwareBytes or SuperAntiSpyware - my scans show up clean.

My concern however is that the virus is still lurking around in the background somewhere.

If you don't mind - I'd like to run DDS one more time - and show you the new report?

or would you prefer that I go down the ComboFix path right away?

Thanks I know you are busy.

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 23 January 2009 - 05:16 AM

Hello BobsBigBoy,

Yes, please run ComboFix,
it will provide an equally detailed log file, remove any known malware in the process,
and provide the necessary tool to remove leftovers in the next steps. :thumbsup:

Greetings,
Thunder

#5 BobsBigBoy

  • Topic Starter
  • Members
  • 6 posts

Posted 25 January 2009 - 04:28 AM

Will do.

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 25 January 2009 - 06:39 AM

Fine, BobsBigBoy,

I'll await your log.

Greetings,
Thunder

#7 BobsBigBoy

  • Topic Starter
  • Members
  • 6 posts

Posted 28 January 2009 - 12:18 AM

OK THUNDER - here is the ComboFix log.

One note - before I ran ComboFix - I enjoyed a full week of malware free computing.

I ran a few scans and unlike when I first posted they showed up clean - neither SuperAnti or Malwarebytes could find the usual pesky Trace and Vundo viruses that would normally reload again upon start-up.

I have since now - on your advisement run ComboFix - so I'm hoping all traces of the virus are removed and I'm good to go - let me know what you think.

Am I clean?

Thanks a million.


ComboFix 09-01-21.04 - Teymy.Bahmani 2009-01-27 21:04:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1573 [GMT -8:00]
Running from: c:\documents and settings\teymy.bahmani\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\mgnvqpnl.ini
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://TCUSCTSTASMS01.na.thomsoncorporate.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JAVA2
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 15:39 . 2009-01-26 15:40 <DIR> d-------- c:\program files\AirPort
2009-01-26 15:29 . 2009-01-26 15:36 <DIR> d-------- c:\program files\Bonjour
2009-01-15 12:39 . 2009-01-15 12:55 <DIR> d-------- C:\6ca1fdb727b5b151f7f216ddcd
2009-01-15 12:35 . 2008-04-13 16:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2009-01-15 12:35 . 2008-04-13 09:27 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2009-01-15 12:35 . 2006-12-28 11:01 19,569 --a------ c:\windows\003451_.tmp
2009-01-15 12:29 . 2009-01-15 13:33 2,675 --a------ c:\windows\imsins.BAK
2009-01-15 12:28 . 2008-12-11 02:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-13 10:40 . 2009-01-13 10:40 <DIR> d-------- C:\VundoFix Backups
2009-01-12 02:04 . 2009-01-27 01:20 4,194,394 --a------ c:\windows\pfirewall.log.old
2009-01-11 18:19 . 2009-01-11 18:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-07 05:00 . 2009-01-07 05:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 04:59 . 2009-01-07 05:00 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-07 04:59 . 2009-01-07 04:59 <DIR> d-------- c:\documents and settings\teymy.bahmani\Application Data\SUPERAntiSpyware.com
2009-01-07 04:20 . 2009-01-07 04:20 <DIR> d-------- c:\documents and settings\teymy.bahmani\Application Data\Malwarebytes
2009-01-07 00:34 . 2009-01-07 00:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 00:33 . 2009-01-16 10:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:33 . 2009-01-07 00:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 00:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 23:54 . 2009-01-06 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-06 23:54 . 2009-01-06 23:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-01-06 23:53 . 2009-01-06 23:54 <DIR> d-------- c:\program files\Yahoo!
2009-01-06 23:53 . 2009-01-06 23:54 <DIR> d-------- c:\program files\CCleaner
2009-01-06 13:10 . 2007-05-18 08:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-01-06 11:04 . 2008-06-13 03:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-06 11:03 . 2008-12-12 09:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 11:03 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-06 11:03 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-06 11:03 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-06 11:03 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-06 11:03 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-06 11:03 . 2008-10-15 17:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-06 11:03 . 2008-10-15 17:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-06 11:03 . 2008-10-15 17:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-06 11:02 . 2008-04-11 11:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-06 11:02 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-06 11:02 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-06 11:02 . 2008-05-08 06:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-06 10:52 . 2004-08-04 02:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-01-06 10:51 . 2008-04-13 16:09 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-06 10:50 . 2004-08-04 02:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2009-01-06 10:49 . 2004-08-04 02:00 94,720 --a--c--- c:\windows\system32\dllcache\certmap.ocx
2009-01-06 10:49 . 2004-08-04 02:00 14,336 --a--c--- c:\windows\system32\dllcache\iisreset.exe
2009-01-06 10:49 . 2004-08-04 02:00 6,144 --a--c--- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-06 10:49 . 2004-08-04 02:00 5,632 --a--c--- c:\windows\system32\dllcache\iisrstap.dll
2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-06 10:44 . 2009-01-06 10:44 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-06 10:44 . 2009-01-06 10:44 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-06 10:43 . 2004-08-04 02:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-06 10:30 . 2004-08-04 02:00 1,086,058 -ra------ c:\windows\SET4F.tmp
2009-01-06 10:30 . 2004-08-04 02:00 1,042,903 -ra------ c:\windows\SET4C.tmp
2009-01-06 10:30 . 2006-03-30 02:03 22,339 -ra------ c:\windows\SET97.tmp
2009-01-06 10:30 . 2004-08-04 02:00 13,753 -ra------ c:\windows\SET5B.tmp
2009-01-06 10:30 . 2005-03-30 09:54 10,559 -ra------ c:\windows\SET99.tmp
2009-01-06 10:16 . 2004-08-04 02:00 1,086,058 -ra------ c:\windows\SET4E.tmp
2009-01-06 10:16 . 2004-08-04 02:00 1,042,903 -ra------ c:\windows\SET4B.tmp
2009-01-06 10:16 . 2006-03-30 02:03 22,339 -ra------ c:\windows\SET95.tmp
2009-01-06 10:16 . 2004-08-04 02:00 13,753 -ra------ c:\windows\SET5A.tmp
2009-01-06 10:16 . 2005-03-30 09:54 10,559 -ra------ c:\windows\SET96.tmp
2009-01-06 09:57 . 2004-08-04 02:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-01-06 09:57 . 2004-08-04 02:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-01-06 09:57 . 2004-08-04 02:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-01-06 09:57 . 2004-08-04 02:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-01-06 08:19 . 2009-01-16 12:03 24 --a------ c:\windows\pccntmon.INI
2009-01-06 01:45 . 2009-01-06 01:45 <DIR> d-------- c:\windows\dell
2009-01-05 23:17 . 2009-01-05 23:17 <DIR> d--hs---- C:\found.000
2009-01-05 14:39 . 2009-01-27 20:59 <DIR> d-------- c:\program files\CyberDefender
2009-01-05 14:29 . 2009-01-05 14:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Xcelsius

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 18:19 --------- d-----w c:\documents and settings\teymy.bahmani\Application Data\webex
2009-01-16 23:41 --------- d-----w c:\program files\Java
2009-01-15 21:03 --------- d-----w c:\program files\Common Files\Adobe
2009-01-07 12:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-01 23:07 --------- d-----w c:\program files\IKEA HomePlanner
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-01-30 20:09 651,348 ----a-w c:\program files\cltracker.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RMC"="c:\program files\reuters\rmc\rmc.exe" [2008-01-29 4145237]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-24 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"iPCCheck"="c:\program files\iPass\iPassConnect\downloader\ipccheck.exe" [2004-05-11 282624]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-06-04 458752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\System32\igfxpers.exe" [2007-05-18 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-02 50688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-11 66864]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-03 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2007-05-24 06:13 24665 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 08:10 18744 c:\windows\system32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Reuters\\RMC\\RMC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-05-24 2234800]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-05-24 110032]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-05-24 36368]
R4 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2007-10-03 15793]
R4 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2003-07-18 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2003-07-18 36368]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-05-24 673456]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\DRIVERS\el574nd4.sys --> c:\windows\system32\DRIVERS\el574nd4.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.thomson.com/
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = ;*.local;<local>
uInternet Settings,ProxyServer = webproxy.int.westgroup.com:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:08:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\PCANotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\OfcDog.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-27 21:12:01 - machine was rebooted [Teymy.Bahmani]
ComboFix-quarantined-files.txt 2009-01-28 05:11:58

Pre-Run: 27,004,977,152 bytes free
Post-Run: 27,718,139,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

235 --- E O F --- 2009-01-20 20:05:20

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:02:26 PM

Posted 28 January 2009 - 08:49 AM

Hello BobsBigBoy,

Your log looks quite good now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#9 BobsBigBoy

BobsBigBoy
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:26 AM

Posted 28 January 2009 - 11:40 AM

Dude - thanks so much for helping me.

I know I'm not the first or last person to say this - but you are awesome.

Thanks for sharing your time/insights - you set a great example!

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:02:26 PM

Posted 28 January 2009 - 04:29 PM

Glad we could help, BobsBigBoy :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
