Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possibly Virtumonde


  • This topic is locked This topic is locked
5 replies to this topic

#1 HayJay

HayJay

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 25 January 2009 - 09:52 AM

I think I picked up the Virtumonde virus while browsing the internet. There were pop-ups, then I couldn't boot into normal mode, then the system would shut down in the middle of any anti-malware scans I tried running.
After reading posts on this site (using another computer), I installed as many anti-malware tools as I could including MBAM, Spybot, SAS and Ad-aware (I already had AVG installed) and did several scans. Several files were detected including 'trojan.vundo', 'trojan.agent' and 'trojan horse generic12.ajrv'. I also manually found prunnet.exe and uninstalled it.

After all this the computer is back to some degree of normality. However, performance is slow, I get error noises without any messages appearing on-screen, and am quite frequently re-directed to pctools.com when clicking a link from google.

Below is the DDS log. I would be grateful if you could take a look and check whether I have missed any malicious files,
Thanks


DDS (Ver_09-01-18.01) - NTFSx86
Run by Harry at 13:02:42.44 on 25/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.599 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\AOL\1162839299\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\common files\aol\1162839299\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1162839299\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Harry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061024
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HostManager] c:\program files\common files\aol\1162839299\ee\AOLSoftware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download all links using BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download link using &BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: pmnooPjh - pmnooPjh.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harry\applic~1\mozilla\firefox\profiles\27q0qeyp.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {B866600C-4B77-4996-8A47-E1E3D40BE4E8} - c:\documents and settings\harry\local settings\application data\{B866600C-4B77-4996-8A47-E1E3D40BE4E8}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 26824]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-1-7 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-1-7 31504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-6 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-6 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-6 76040]
R4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-1-7 618232]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2007-3-19 1527900]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-9-14 13352]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-9-14 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-9-14 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-9-14 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-9-14 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-9-14 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-9-14 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-9-14 110120]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-01-01 16:19 88 ---shr-- c:\windows\system32\76D24246BB.sys
2008-07-31 20:09 56 ---shr-- c:\windows\system32\BB4642D276.sys
2008-07-31 20:09 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-26 21:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092620080927\index.dat

============= FINISH: 13:03:42.89 ===============

Attached Files


Edited by HayJay, 25 January 2009 - 09:58 AM.


BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:36 AM

Posted 26 January 2009 - 09:57 AM

Hello HayJay and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 HayJay

HayJay
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 27 January 2009 - 01:58 PM

Hi, thanks for the quick reply. Ran the scans as you advised in your last post, and have posted the logs below.

Thanks again,
Harry

GooredFix v1.83 by jpshortstuff
Log created at 18:18 on 27/01/2009 running Option #2 (Harry)
Firefox version 3.0.5 (en-GB)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B866600C-4B77-4996-8A47-E1E3D40BE4E8}"="C:\Documents and Settings\Harry\Local Settings\Application Data\{B866600C-4B77-4996-8A47-E1E3D40BE4E8}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Harry\Local Settings\Application Data\{B866600C-4B77-4996-8A47-E1E3D40BE4E8}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"



And the ComboFix log:



ComboFix 09-01-21.04 - Harry 2009-01-27 18:47:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT 0:00]
Running from: c:\documents and settings\Harry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-21 18:30 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2009-01-21 18:30 . 2004-08-10 04:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2009-01-21 18:29 . 2004-08-10 04:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2009-01-21 18:29 . 2004-08-10 04:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2009-01-21 18:29 . 2004-08-10 04:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2009-01-21 18:29 . 2004-08-10 04:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2009-01-21 18:29 . 2004-08-10 04:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-21 18:29 . 2004-08-10 04:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-21 18:29 . 2004-08-10 04:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2009-01-21 18:07 . 2009-01-21 18:07 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 19:23 . 2009-01-07 19:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 19:23 . 2009-01-07 19:22 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-07 08:07 . 2009-01-07 08:07 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 00:08 . 2009-01-07 00:08 <DIR> d-------- c:\program files\COMODO
2009-01-07 00:08 . 2009-01-07 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-07 00:08 . 2009-01-07 00:08 147,192 --a------ c:\windows\system32\guard32.dll
2009-01-07 00:08 . 2009-01-07 00:08 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-01-07 00:08 . 2009-01-07 00:08 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-01-06 23:06 . 2009-01-06 23:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 23:06 . 2009-01-07 00:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 23:02 . 2009-01-06 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 22:31 . 2009-01-27 17:57 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 22:31 . 2009-01-06 22:31 <DIR> d-------- c:\program files\AVG
2009-01-06 22:31 . 2009-01-06 22:31 <DIR> d-------- c:\documents and settings\Harry\Application Data\AVGTOOLBAR
2009-01-06 22:31 . 2009-01-06 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-06 22:31 . 2009-01-06 22:31 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 22:31 . 2009-01-06 22:31 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-06 22:31 . 2009-01-06 22:31 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 21:26 . 2009-01-05 21:26 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-05 21:26 . 2009-01-05 21:26 <DIR> d-------- c:\documents and settings\Harry\Application Data\SUPERAntiSpyware.com
2009-01-05 21:26 . 2009-01-05 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-05 21:25 . 2009-01-06 23:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-05 20:33 . 2009-01-05 20:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 20:33 . 2009-01-05 20:33 <DIR> d-------- c:\documents and settings\Harry\Application Data\Malwarebytes
2009-01-05 20:33 . 2009-01-05 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 20:33 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 20:33 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 18:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 21:06 --------- d-----w c:\program files\RegistryFix
2009-01-07 19:19 --------- d-----w c:\program files\Java
2009-01-07 19:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-06 23:02 --------- d-----w c:\program files\Lavasoft
2009-01-06 23:02 --------- d-----w c:\documents and settings\Harry\Application Data\Lavasoft
2009-01-06 22:28 --------- d-----w c:\program files\McAfee.com
2009-01-06 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-21 19:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 18:53 --------- d-----w c:\program files\Dell
2008-12-15 22:32 --------- d-----w c:\program files\Steam
2008-12-15 21:47 --------- d-----w c:\program files\IObit
2008-12-15 21:47 --------- d-----w c:\documents and settings\Harry\Application Data\IObit
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-01-01 16:19 88 --sh--r c:\windows\system32\76D24246BB.sys
2008-07-31 20:09 56 --sh--r c:\windows\system32\BB4642D276.sys
2008-07-31 20:09 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-26 21:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HostManager"="c:\program files\Common Files\AOL\1162839299\ee\AOLSoftware.exe" [2006-11-17 50736]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-07 1797880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
--a------ 2008-11-26 16:11 2235920 c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2007-12-07 15:30 71008 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--------- 2008-02-20 16:19 356352 c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-17 21:29 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-10 20:15 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Sierra\\Half-Life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\thehazman\\day of defeat\\hl.exe"=
"c:\\Program Files\\AOL 9.0a\\aol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee.com\\Shredder\\Shred32.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162839299\\ee\\aolsoftware.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17332:TCP"= 17332:TCP:BitComet 17332 TCP
"17332:UDP"= 17332:UDP:BitComet 17332 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-07 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-07 31504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-03-27 167808]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-06 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-06 76040]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2007-03-19 1527900]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-09-14 13352]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-09-14 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-09-14 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-09-14 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-09-14 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-09-14 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-09-14 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-09-14 110120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-27 c:\windows\Tasks\ftvkjtft.job
- c:\windows\system32\awttTJCT.dll []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download all links using BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Download link using &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Harry\Application Data\Mozilla\Firefox\Profiles\27q0qeyp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 18:49:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-27 18:51:11
ComboFix-quarantined-files.txt 2009-01-27 18:51:08
ComboFix2.txt 2009-01-27 18:44:28
ComboFix3.txt 2009-01-27 18:31:29

Pre-Run: 73,661,964,288 bytes free
Post-Run: 73,639,370,752 bytes free

233 --- E O F --- 2009-01-18 20:47:07

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:36 AM

Posted 27 January 2009 - 05:26 PM

Hello Harry,

It looks like you got lucky,
your log looks quite good now. :thumbup2:

Navigate, using Windows Explorer, to and delete the following folders and files if still present:C:\WINDOWS\Tasks\ftvkjtft.job <== file
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 HayJay

HayJay
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 28 January 2009 - 01:19 PM

Hi Thunder,

Everything seems to be acting normal now, and it's peace of mind to know you've checked the logs aswell, so thanks so much!

One last thing though...

This is the only computer I have for personal use, and in the past I have used it for all my online shopping. However, following the infection would you advise against using it for shopping again, or am I at no further risk than I was before picking up the 'virus'.

I understand it's not easy to answer this and am only asking for your opinion- I won't hold you responsible if anything should happen :thumbup2:

Thanks again!
Harry

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:36 AM

Posted 28 January 2009 - 04:44 PM

Glad we could help, Harry :thumbup2:

As for that online shopping : as far as I can tell from your logs, you were infected by a search redirector, and possibly a fake antivirus program,
both pretty annoying but rather harmless.

If however you feel unsure, then just change your sensitive passwords, since that's what more dangerous malware would target to obtain.
Once you fixed that, then nothing should hold you back from shopping again to your heart's content. :)

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users