
Tried to fix a Vundo problem--is my Hijack log clean?


  • This topic is locked
9 replies to this topic

#1 drk

drk

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 15 January 2009 - 01:45 PM

Hello, and thank you in advance for any help you might provide.

My Dell Dimension 9100 was hit with Vundo.H last week. I followed the "8 Steps" indicated elsewhere on bleepingcomputer. When the Malwarebytes log generated, it showed 40 problems. The fix seemed to remove everything. The hijack log is something I can't begin to interpret, but I can report that Malwarebytes doesn't pick up anything now.

Would someone kindly help me by looking over this log to see if it's clean? If it isn't, any suggestions to get it clean are enormously appreciated. Thanks again!

Attached Files




#2 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:26 PM

Posted 19 January 2009 - 07:20 PM

Hello and welcome to Bleeping Computer! My name is BHowett and I will be helping you to get sorted.

Sorry for the delay; as you can tell, we are very busy here. If you still need help with your issue, please post a fresh log, and we will see what we need to do to get you sorted :thumbsup:

Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Search the Forums | Forum Help
My help is always free, but if you feel I have helped you and would like to make a small donation, please click the donation link.


#3 drk

drk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 19 January 2009 - 08:41 PM

Thanks so much!

Here's a Hijack log from a moment ago.

The history of the problem: I downloaded a fake Flash Player update, and soon started to get Sagispul.com pop-ups. The computer slowed severely, to near a stop. I shut it down, restarted, and started googling for possible causes based on the Sagispul identification. I installed Malwarebytes. This failed to run once, but on the second try marked out Trojan.Vundo, Trojan.Vundo.H, and Trojan.BHD. Deleted these. SUPERAntiSpyware also showed a few things; deleted these too. Since then the computer seems to be running okay. I've been using the Malware and Spyware programs every day, with clean logs.

Thanks again for your help.

Attached Files



#4 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:26 PM

Posted 20 January 2009 - 10:17 AM

Hi drk,

As we move forward, be sure to post your logs (not attach them) unless I ask for them attached. It makes it faster and easier on the eyes.

Let's get started. Please do the following...


ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot not preserved).

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.



#5 drk

drk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 20 January 2009 - 01:37 PM

Thanks again! Here's the log.

The program didn't give me a prompt to install the recovery console, and I hadn't checked for the console ahead of time, so it looks like ComboFix ran without it.

___

ComboFix 09-01-19.05 - ima 2009-01-20 13:17:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.487 [GMT -5:00]
Running from: c:\documents and settings\ima\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ima\Application Data\.#
c:\documents and settings\ima\Application Data\.#\MBX@994@384170.###
c:\documents and settings\ima\Application Data\.#\MBX@994@3841A0.###
c:\documents and settings\ima\Application Data\.#\MBX@994@3841D0.###
c:\windows\system32\wDMVwGgh.ini2
c:\windows\Tasks\vhpeaagu.job

----- BITS: Possible infected sites -----

hxxp://dna65.fastaccess.com
.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-20 12:52 . 2009-01-20 12:52 197,976 -ra------ c:\windows\system32\cpnprt2.cid
2009-01-18 19:57 . 2009-01-18 20:46 <DIR> d-------- C:\VundoFix Backups
2009-01-16 20:57 . 2009-01-16 20:57 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-16 19:21 . 2009-01-20 08:21 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 19:21 . 2009-01-16 19:21 <DIR> d-------- c:\program files\AVG
2009-01-16 19:21 . 2009-01-16 19:21 <DIR> d-------- c:\documents and settings\ima\Application Data\AVGTOOLBAR
2009-01-16 19:21 . 2009-01-16 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-16 19:21 . 2009-01-16 19:21 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-16 19:21 . 2009-01-16 19:21 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-16 19:21 . 2009-01-16 19:21 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 23:25 . 2009-01-20 06:33 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-12 23:25 . 2009-01-12 23:25 <DIR> d-------- c:\documents and settings\ima\Application Data\SUPERAntiSpyware.com
2009-01-12 23:25 . 2009-01-12 23:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-12 20:07 . 2009-01-12 20:07 <DIR> d-------- c:\program files\Alwil Software
2009-01-12 18:48 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-12 18:42 . 2009-01-12 18:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-12 18:40 . 2009-01-12 18:40 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 18:30 . 2009-01-14 20:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 18:30 . 2009-01-12 18:30 <DIR> d-------- c:\documents and settings\ima\Application Data\Malwarebytes
2009-01-12 18:30 . 2009-01-12 18:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 18:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 18:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-12 18:14 . 2009-01-12 18:14 <DIR> d-------- c:\program files\CCleaner
2008-12-28 15:55 . 1994-08-24 00:00 188,960 --------- c:\windows\system32\WINGDE.DLL
2008-12-28 15:55 . 1994-09-21 00:00 92,208 --------- c:\windows\system32\WING.DLL
2008-12-28 15:55 . 1997-07-19 17:01 75,536 --------- c:\windows\system32\PICCLP32.OCX
2008-12-28 15:55 . 1997-11-23 21:30 50,896 --------- c:\windows\system32\TEGODS.OCX
2008-12-28 15:55 . 1998-09-28 10:20 36,864 --------- c:\windows\system32\SCLVideo.ax
2008-12-28 15:55 . 1998-09-28 10:19 28,672 --------- c:\windows\system32\SCLAudio.ax
2008-12-28 15:55 . 1994-09-21 00:00 6,736 --------- c:\windows\system32\WINGDIB.DRV
2008-12-28 15:55 . 1994-09-02 00:00 5,195 --------- c:\windows\system32\DVA.386
2008-12-28 15:55 . 1994-09-21 00:00 5,024 --------- c:\windows\system32\WINGPAL.WND
2008-12-28 15:55 . 2008-12-28 16:37 253 --a------ c:\windows\Creator.INI
2008-12-23 22:33 . 2008-12-23 22:53 <DIR> d-------- c:\program files\Restaurant Empire
2008-12-20 17:12 . 2008-12-20 17:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Burger Island 2
2008-12-20 17:11 . 2008-12-20 17:11 <DIR> d-------- c:\program files\Games
2008-12-20 17:03 . 2008-12-20 17:03 <DIR> d-------- c:\program files\Formosoft
2008-12-20 17:03 . 2002-11-25 15:57 811,008 --a------ c:\windows\AquaReal.scr
2008-12-20 17:03 . 2002-11-15 17:56 131,072 --a------ c:\windows\SNVerifyDLL.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 18:26 --------- d-----w c:\program files\BellSouth Internet Tools
2009-01-20 18:09 --------- d-----w c:\documents and settings\ima\Application Data\uTorrent
2009-01-20 18:01 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-17 02:00 --------- d-----w c:\documents and settings\ima\Application Data\Vso
2009-01-15 21:39 --------- d-----w c:\program files\Yahoo SiteBuilder
2009-01-11 20:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-02 20:31 --------- d-----w c:\program files\Common Files\Adobe
2009-01-02 19:54 --------- d-----w c:\program files\NCH Swift Sound
2008-12-30 00:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 00:34 --------- d-----w c:\program files\LEGO Media
2008-12-22 20:24 --------- d-----w c:\documents and settings\ima\Application Data\dvdcss
2008-12-16 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\TGHomeSoft
2008-12-15 11:54 --------- d-----w c:\program files\Java
2008-12-15 11:45 --------- d-----w c:\program files\McAfee
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-25 13:12 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-22 15:41 --------- d-----w c:\program files\MagicISO
2008-11-17 00:54 76,616 -c--a-w c:\documents and settings\ima\Application Data\GDIPFONTCACHEV1.DAT
2008-07-09 15:58 81,920 -c--a-w c:\documents and settings\ima\Application Data\ezpinst.exe
2008-07-09 15:58 47,360 -c--a-w c:\documents and settings\ima\Application Data\pcouffin.sys
2003-08-27 19:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
2008-09-13 14:35 56 --sh--r c:\windows\system32\EE559DDA5C.sys
2008-09-13 14:35 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-12 20:32 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-12 1834224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"blspcloader"="c:\program files\BellSouth Internet Tools\blsloader.exe" [2006-06-26 86016]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-07 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\ima\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-06-12 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-08-16 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-08-28 315392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= mcxvidvfw.dll
"vidc.DIVX"= mcDivX.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
--a--c--- 2007-04-12 19:59 198184 c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UMWdf"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:u2
"6882:TCP"= 6882:TCP:torrents

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-12 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-12 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-12 7408]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (NONAME-ira wesley).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\ima\Application Data\Mozilla\Firefox\Profiles\sdgyz9fh.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.bellsouth.net/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 13:25:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\mcmsc_hzs2gCWeWiUoXVK-journal 512 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1003045392-1187685017-3586016071-1011\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1003045392-1187685017-3586016071-1011\ *]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1003045392-1187685017-3586016071-1011\ *\Preferences]
"ResampleFilter2"=dword:00000006
"DigicamPictureThreshold"=dword:000f4240
"DigicamPictureThreshold2"=dword:00030d40
"Use Hardware Scroll"=dword:00000001
"UITransitions"=dword:00000001
"Debug Blt"=dword:00000000
"SizeDots"=dword:00000000
"ShowHidden"=dword:00000000
"Show only big images"=dword:00000001
"BigPictureThreshold"=dword:0000ea60
"Picasa Notifier"="rect(1259 401 1280 450)"
"mainwinismax"=dword:00000000
"mainwinpos"="rect(196 20 1267 972)"
"Hide filtered albums"=dword:00000001
"ShowAlbumThumbnails"=dword:00000001
"Thumbscale"=dword:00000200
"CaptionState"=dword:00000001
"ytHLocal::lang"=dword:00000000
"EnablePrefetch"=dword:00000001
"ShowTooltips"=dword:00000001
"Do unreasonably slow consistency checks"=dword:00000000
"WriteDirscannerCSV"=dword:00000000
"CarefulEnhance"=dword:00000000
"DoNotAskOnEndEditModality"=dword:00000000
"SearchAlbum"=dword:ffffffff
"LastNerdView"=dword:00000000
"LastCaptionButton"=dword:00000000
"LastAlbumSelected"="3c42a0f6076c8bf4d961e308e74b5038"
"Always Compact"=dword:00000000
"ytHLocal::langchange"=dword:00000000
"datesort"=dword:00000000
"Write index CSV"=dword:00000000
"Write blockfile CSV"=dword:00000000

[HKEY_USERS\S-1-5-21-1003045392-1187685017-3586016071-1011\ *\resvars]
"HLISTOFFSET"="220.000000"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\UAService7.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Real\RealPlayer\realplay.exe
.
**************************************************************************
.
Completion time: 2009-01-20 13:30:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 18:30:56

Pre-Run: 21,236,404,224 bytes free
Post-Run: 21,472,587,776 bytes free

285 --- E O F --- 2009-01-19 22:01:03
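A helper reading a ComboFix log like the one above mostly scans the "Reg Loading Points" and catchme sections by eye for settings that turn protections off (Security Center alerts suppressed, the Windows Firewall disabled, globally open ports, hidden files). The following script is an added example, not part of this thread or of ComboFix, that does that triage automatically over the REGEDIT4-style section ComboFix prints; the sample excerpt is copied from the log posted above, and the severity labels are my own assumptions.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for protection-disabling settings."""
import re
from typing import Any, Dict, List

# Excerpt copied from the ComboFix log in this thread (REGEDIT4-style rendering).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:u2
"6882:TCP"= 6882:TCP:torrents

scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "Name"=value
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")      # dword:00000001
INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")    # 0 (0x0)
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)$")      # catchme summary line


def parse_value(raw: str) -> Any:
    """Convert ComboFix's value rendering to an int where possible, else keep the string."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def audit_combofix(text: str) -> List[Dict[str, str]]:
    """Walk the log line by line, tracking the current registry key, and collect findings."""
    findings: List[Dict[str, str]] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()      # keys are compared case-insensitively
            continue
        m = HIDDEN_RE.match(line)
        if m and int(m.group(1)) > 0:
            findings.append({"level": "review",
                             "msg": f"catchme reported {m.group(1)} hidden file(s); check the listed paths"})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), parse_value(m.group(2))
        if key.endswith("\\security center") and name.lower().endswith("disablenotify") and value == 1:
            # Security Center will no longer warn the user that AV/firewall/updates are off.
            findings.append({"level": "high", "msg": f"Security Center alert suppressed: {name}=1"})
        elif "\\security center\\monitoring\\" in key and name.lower() == "disablemonitoring" and value == 1:
            # Third-party suites set this for themselves; it is only suspicious if the product is absent.
            product = key.rsplit("\\", 1)[-1]
            findings.append({"level": "review",
                             "msg": f"Security Center monitoring off for {product} "
                                    "(normal if that suite is installed, otherwise suspicious)"})
        elif "firewallpolicy\\standardprofile" in key and name.lower() == "enablefirewall" and value == 0:
            findings.append({"level": "high", "msg": "Windows Firewall disabled on the standard profile"})
        elif key.endswith("globallyopenports\\list"):
            findings.append({"level": "review", "msg": f"Globally open port: {name} ({value})"})
    return findings


if __name__ == "__main__":
    for f in audit_combofix(SAMPLE_LOG):
        print(f"[{f['level']:6}] {f['msg']}")
```

On the excerpt above it reports two "high" items (the suppressed antivirus notification and the disabled firewall) and four "review" items; whether the McAfee monitoring entry is benign depends on whether McAfee is still installed, which the log's process list answers.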

#6 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:26 PM

Posted 24 January 2009 - 05:26 PM

Hi drk,

sorry for the delay, for some reason I didn't get the email that you replied. Please do the following.


ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===============================================

Kaspersky WebScanner
Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================

Needed in your next reply:

Malwarebytes log
Kaspersky WebScanner results

And let me know how everything is running :thumbsup:



#7 drk

drk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 25 January 2009 - 05:50 PM

Things seem to be running pretty smoothly, but the Kaspersky scan picked up something. Thanks again for your help.

MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 3

1/25/2009 9:28:26 AM
mbam-log-2009-01-25 (09-28-26).txt

Scan type: Quick Scan
Objects scanned: 68209
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.

KASPERSKY SCAN

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 25, 2009 16:04:09
Records in database: 1694764
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 119523
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:08:07


File name / Threat name / Threats count
C:\i386\BSZIP.DLL Infected: Trojan.Win32.Obfuscated.aack 1
C:\Program Files\Microsoft Works Suite 2002\Setup\launcher.exe Infected: Email-Worm.Win32.Ridnu.g 1

The selected area was scanned.

#8 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:26 PM

Posted 26 January 2009 - 10:16 AM

Things seem to be running pretty smoothly, but the Kaspersky scan picked up something. Thanks again for your help.


Hi drk,

Well done, your log appears clean. What the Kaspersky scan found is legit unless it is found in the system32 folder, which in this case it is not. They are where they should be. :thumbsup:

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the /u; it needs to be there.
===============================================

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!



#9 drk

drk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 26 January 2009 - 07:32 PM

Super!

Thanks very much for your quick and handy support. Really appreciate all of your help.

Best wishes!

#10 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:26 PM

Posted 27 January 2009 - 10:24 AM

You're very welcome :thumbsup:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
