Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo virus infection, multiple scanners cannot fully remove


  • This topic is locked This topic is locked
7 replies to this topic

#1 blotsome

blotsome

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 18 January 2009 - 07:01 PM

I was referred to this forum from http://www.bleepingcomputer.com/forums/t/196183/vundofbw-virus-remains-even-after-multiple-scanscleanings/ This is my roommate's computer. She was having issues with popups and such. Scanned using MBAM, SASW, etc multiple times. They are scanning clean now, except f-secure online finds one trace of Vundo.FBW virus. It cleans it, but when I restart the computer and rescan with f-secure online it comes up again. More info at the above link.





DDS (Ver_09-01-18.01) - NTFSx86
Run by Jane at 18:52:12.12 on Sun 01/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.470 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jane\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=b5c6H0MALJqwb7A6GI0SD_B0SdM
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jane\applic~1\mozilla\firefox\profiles\cs4nh96e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\jane\application data\mozilla\firefox\profiles\cs4nh96e.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-16 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-16 76040]
R4 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-9-15 280344]

=============== Created Last 30 ================

2009-01-18 00:12 --d----- C:\VundoFix Backups
2009-01-17 20:11 --d----- c:\program files\Trend Micro
2009-01-17 18:28 --d----- C:\fsaua.data
2009-01-17 14:07 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-17 14:06 --d----- c:\program files\SUPERAntiSpyware
2009-01-17 14:06 --d----- c:\docume~1\jane\applic~1\SUPERAntiSpyware.com
2009-01-17 14:06 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-17 13:44 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-17 13:41 --d----- c:\windows\ERUNT
2009-01-17 13:37 --d----- C:\SDFix
2009-01-17 13:01 --d----- c:\docume~1\jane\applic~1\Malwarebytes
2009-01-17 13:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-17 13:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 13:01 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 13:01 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 22:29 137,400 a--sh--- c:\windows\system32\rrorlv.dll
2009-01-16 18:08 --d-h--- C:\$AVG8.VAULT$
2009-01-16 17:42 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 17:42 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-16 17:42 --d----- c:\windows\system32\drivers\Avg
2009-01-16 17:42 --d----- c:\docume~1\jane\applic~1\AVGTOOLBAR
2009-01-16 17:42 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-16 17:42 --d----- c:\program files\AVG
2009-01-16 17:42 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-16 09:56 137,539 a--sh--- c:\windows\system32\bbwucl.dll
2009-01-16 09:56 1,344,189 ---sh--- c:\windows\system32\igiwojek.ini

==================== Find3M ====================

2009-01-16 22:29 137,400 a--sh--- c:\windows\system32\gawajaso.dll
2009-01-16 09:56 102,683 a--sh--- c:\windows\system32\ruhopama.dll
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-08 12:33 87,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-20 16:48 61,224 a------- c:\documents and settings\jane\GoToAssistDownloadHelper.exe
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-02-02 14:10 16,752 a------- c:\docume~1\jane\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:52:40.14 ===============

Attached Files


Edited by Orange Blossom, 18 January 2009 - 09:57 PM.
Fix link. ~ OB


BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 29 January 2009 - 05:01 PM

Hello Blotsome and welcome to Bleeping Computer,

Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 blotsome

blotsome
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 31 January 2009 - 03:27 PM

No can do. When I attempt to run the installer, I get a "prep.com has enbleepered a problem and needs to close. " error report window and the installation stops.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 02 February 2009 - 10:04 AM

Hello Blotsome,

That's probably because you didn't follow the directions provided in the tutorial,
and didn't temporarily disable your security programs (some of them give a false positive for some of the components of ComboFix !). :thumbup2:

Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
  • Click on Tools.
  • Select Advanced.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
    To re-enable AVG 8, please select "Enable Resident Shield" again.
Now try downloading and running ComboFix again. :)

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 blotsome

blotsome
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 02 February 2009 - 12:57 PM

Ok. Sorry about that. Didn't realize the anti-virus was running as there was no tray icon at the time (and this isn't my computer).

Here is the log. And thanks for the time and help you've put into my case. I do appreciate it!


ComboFix 09-01-31.01 - Jane 2009-02-02 12:43:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.533 [GMT -5:00]
Running from: c:\documents and settings\Jane\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\igiwojek.ini
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Service_Iprip
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.

2009-01-23 15:38 . 2009-01-23 15:38 <DIR> d-------- c:\documents and settings\Jane\Application Data\Image Zone Express
2009-01-18 00:12 . 2009-01-18 00:12 <DIR> d-------- C:\VundoFix Backups
2009-01-17 20:11 . 2009-01-17 20:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 18:28 . 2009-01-17 18:28 <DIR> d-------- C:\fsaua.data
2009-01-17 14:07 . 2009-01-17 14:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-17 14:06 . 2009-01-17 14:16 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-17 14:06 . 2009-01-17 14:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-17 14:06 . 2009-01-17 14:06 <DIR> d-------- c:\documents and settings\Jane\Application Data\SUPERAntiSpyware.com
2009-01-17 13:44 . 2009-01-17 13:44 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-17 13:41 . 2009-01-17 13:41 <DIR> d-------- c:\windows\ERUNT
2009-01-17 13:37 . 2009-01-17 13:55 <DIR> d-------- C:\SDFix
2009-01-17 13:01 . 2009-01-17 13:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 13:01 . 2009-01-17 13:01 <DIR> d-------- c:\documents and settings\Jane\Application Data\Malwarebytes
2009-01-17 13:01 . 2009-01-17 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 13:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 13:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 18:08 . 2009-02-01 12:11 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-16 17:42 . 2009-02-02 12:47 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 17:42 . 2009-01-16 17:42 <DIR> d-------- c:\program files\AVG
2009-01-16 17:42 . 2009-01-16 17:42 <DIR> d-------- c:\documents and settings\Jane\Application Data\AVGTOOLBAR
2009-01-16 17:42 . 2009-01-30 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-16 17:42 . 2009-01-30 15:33 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-16 17:42 . 2009-01-30 15:33 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-16 17:42 . 2009-01-30 15:33 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 04:17 --------- d-----w c:\documents and settings\Jane\Application Data\uTorrent
2009-01-24 19:44 --------- d--h--w c:\documents and settings\Jane\Application Data\Move Networks
2009-01-23 19:04 --------- d-----w c:\documents and settings\Jane\Application Data\DNA
2009-01-23 16:20 --------- d-----w c:\program files\DivX
2009-01-18 15:34 --------- d-----w c:\program files\DNA
2009-01-16 22:38 --------- d-----w c:\program files\Symantec
2009-01-16 22:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-16 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 23:51 --------- d-----w c:\documents and settings\Jane\Application Data\BitTorrent
2008-12-07 14:23 --------- d-----w c:\program files\BitTorrent
2008-11-20 21:48 61,224 ----a-w c:\documents and settings\Jane\GoToAssistDownloadHelper.exe
2007-02-02 19:10 16,752 ----a-w c:\documents and settings\Jane\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-20 16:48 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 15:33 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 19:13 176128 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-09-26 18:44 634672 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2007-10-09 19:17 2183168 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 14:58 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
--a------ 2006-05-16 12:35 102400 c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 23:41 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 23:45 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 23:44 98304 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-03-23 18:26 217088 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-20 08:41 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-13 17:06 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2007-11-15 21:51 166304 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
--a------ 2005-07-15 16:48 479232 c:\program files\Google\Gmail Notifier\gnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 23:30 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"GoToAssist"=3 (0x3)
"DefWatch"=2 (0x2)
"DataSvr2"=2 (0x2)
"CVPND"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 903960]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 298264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=b5c6H0MALJqwb7A6GI0SD_B0SdM
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Jane\Application Data\Mozilla\Firefox\Profiles\cs4nh96e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Jane\Application Data\Mozilla\Firefox\Profiles\cs4nh96e.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 12:53:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1432)
c:\windows\system32\BCMLogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1488)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-02 12:55:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-02 17:55:22

Pre-Run: 34,937,884,672 bytes free
Post-Run: 34,987,061,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

264 --- E O F --- 2009-01-14 08:02:46

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 03 February 2009 - 04:13 AM

Hello Blotsome,

That log looks quite fine now. :thumbup2:

Navigate, using Windows Explorer, to and delete the following folders and files if still present:C:\fsaua.data <== folder
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 12 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windowsi586-p.exe to install the newest version.
Still having problems ?

Greetings,
Thunder

Edited by Thunder, 03 February 2009 - 04:23 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 blotsome

blotsome
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 03 February 2009 - 01:45 PM

Great! The F-Secure online scan is now clear. I appreciate your time! Here is the log:

Scanning Report
Tuesday, February 03, 2009 12:17:27 - 13:23:49

Computer name: SLOTH
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 0 malware found
Statistics
Scanned:

* Files: 27931
* System: 4155
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\JANE\MY DOCUMENTS\DOWNLOADS\THE ULTIMATE BEATLES TORRENT (COMPLETE DISCOGRAPHY - MP3)\BEATLES
* C:\DOCUMENTS AND SETTINGS\JANE\LOCAL SETTINGS\TEMP\ETILQS_GB2YZDVW5P84YIP7QNCJ

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-03
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure AVP: 7.0.171, 2009-02-03

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 03 February 2009 - 05:37 PM

Glad we could help, Blotsome :thumbup2:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users