Infected with Trojan.Agent


  • This topic is locked
10 replies to this topic

#1 savebandit09

Posted 02 February 2009 - 12:05 PM

Hi, and thanks in advance to whoever will help me!

I got infected with a trojan (Vundo?) yesterday, and I have done everything that I can think of but just can't completely get rid of it. I've attached the DDS logs, plus the last Malwarebytes' Anti-Malware scan that I ran. After looking around the website, I also ran SDFix, which seemed to help a lot, but I've still got these last two trojans that seem to regenerate themselves. I keep running MBAM, and they just keep reappearing. It claims that it deletes them, but I guess that's a lie.

I'm in safe mode for now.

Here's the MBAM log:

mbam-log-2009-02-02 (11-41-45).txt

Scan type: Quick Scan
Objects scanned: 57101
Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule36 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I have SUPERAntiSpyware as well as Spybot Search & Destroy, but I think I last ran those before I did SDFix, so they wouldn't be current. I can, of course, run them again.


Thank you so much in advance for all your help! I am going to class now so I won't be back for several hours, but I'll check this as soon as I get back.

#2 miekiemoes

  • Malware Response Team

Posted 03 February 2009 - 04:27 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make to your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some of the components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 savebandit09

Posted 03 February 2009 - 09:59 AM

Hi,

Thanks so much for responding!

Just so you know, the link you gave me to ResetTeaTimer.bat is a .txt file, so I was not able to run it. Also, only Viewpoint Manager and Viewpoint Media Player were listed in the Add/Remove Programs list. I did delete those two, though. I'm attaching the ComboFix log.

Let me know if I need to do anything else!

Thanks!

Attached Files



#4 miekiemoes

Posted 03 February 2009 - 10:09 AM

Hi,

Please do not attach the logs, but copy and paste them in the thread instead. Thanks.

the link you gave me to ResetTeaTimer.bat is a .txt file

Did you click the link and choose "Save as"?
If it's downloaded as a .txt file, i.e. ResetTeaTimer.bat.txt, then you'll have to rename it to ResetTeaTimer.bat.

Anyway, as long as Teatimer is disabled, it's ok. When you enable it again afterwards, make sure you know how to use this program and don't let it block everything it displays.

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\program files\Common Files\ufifat.dll
c:\program files\Common Files\omudorete.lib
c:\program files\Common Files\motugekeko._dl
c:\documents and settings\Kati\Application Data\oxiqiberil.bat
Folder::
c:\program files\WebShow
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript dragged onto ComboFix.exe)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#5 savebandit09

Posted 03 February 2009 - 10:49 AM

Hi,

To be honest, I really don't know how to use TeaTimer; I never know what to allow or deny. It just installed when I did the most recent update of Spybot S&D. Maybe I'll just leave it disabled.

Here's the new ComboFix log:

ComboFix 09-02-02.04 - Kati 2009-02-03 10:27:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.238 [GMT -5:00]
Running from: c:\documents and settings\Kati\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kati\Desktop\CFScript.txt
FW: *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\Kati\Application Data\oxiqiberil.bat
c:\program files\Common Files\motugekeko._dl
c:\program files\Common Files\omudorete.lib
c:\program files\Common Files\ufifat.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kati\Application Data\oxiqiberil.bat
c:\program files\Common Files\motugekeko._dl
c:\program files\Common Files\omudorete.lib
c:\program files\Common Files\ufifat.dll
c:\program files\WebShow
c:\program files\WebShow\WebShow.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 10:46 . 2009-02-02 10:46 <DIR> d-------- c:\windows\ERUNT
2009-02-02 10:33 . 2009-02-02 11:26 <DIR> d-------- C:\SDFix
2009-02-01 21:26 . 2009-02-01 21:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-08 23:09 . 2009-01-08 23:09 <DIR> d-------- c:\program files\iTunes
2009-01-08 23:09 . 2009-01-08 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-08 23:04 . 2009-01-08 23:05 <DIR> d-------- c:\program files\QuickTime
2009-01-04 16:12 . 2009-01-04 16:12 <DIR> d-------- C:\Nancy Drew

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 14:08 --------- d-----w c:\program files\Viewpoint
2009-02-03 14:08 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-02 16:42 --------- d-----w c:\documents and settings\Kati\Application Data\tunebite
2009-02-02 16:35 --------- d-----w c:\program files\Java
2009-02-02 13:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-01 17:21 --------- d-----w c:\documents and settings\Kati\Application Data\Ruckus Network
2009-02-01 16:49 46,348 ----a-w c:\documents and settings\Kati\Application Data\wklnhst.dat
2009-02-01 00:07 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-29 21:04 --------- d--h--w c:\documents and settings\Kati\Application Data\Move Networks
2009-01-19 05:03 --------- d-----w c:\program files\Shockwave.com
2009-01-18 22:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-18 21:36 --------- d-----w c:\documents and settings\Kati\Application Data\Valusoft
2009-01-18 21:36 --------- d-----w c:\documents and settings\All Users\Application Data\Valusoft
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-09 04:09 --------- d-----w c:\program files\iPod
2009-01-09 04:03 --------- d-----w c:\program files\Common Files\Apple
2008-12-29 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-29 20:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-29 20:19 --------- d-----w c:\documents and settings\Kati\Application Data\Skype
2008-12-29 20:18 --------- d-----w c:\documents and settings\Kati\Application Data\skypePM
2008-12-19 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-19 03:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-18 22:45 --------- d-----w c:\program files\temp
2008-12-18 20:40 --------- d-----w c:\documents and settings\Kati\Application Data\SUPERAntiSpyware.com
2008-12-13 16:38 --------- d-----w c:\documents and settings\Kati\Application Data\Unity
2008-12-13 16:32 --------- d-----w c:\program files\Unity
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-06 15:27 --------- d-----w c:\documents and settings\Kati\Application Data\ZoomBrowser EX
2008-12-06 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2007-11-26 09:53 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-09-17 22:54 70,040 ----a-w c:\documents and settings\Kati\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_ 9.46.39.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-03 14:37:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_23c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"tunebite.exe"="c:\program files\tunebite\tunebite.exe" [2005-09-20 1192017]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-01 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-06-15 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-08-28 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [2007-09-06 25760]
S3 V3CB0109;FinePix F601 ZOOM;c:\windows\system32\drivers\V3CB0109.SYS [2005-10-28 81796]
S3 V3CB010B;FinePix Digital Camera;c:\windows\system32\drivers\V3CB010B.SYS [2005-10-28 81924]
S3 V3CB010F;FinePix Digital Camera 020906;c:\windows\system32\drivers\V3CB010F.SYS [2005-10-28 81700]
S3 V3CB0111;FinePix Digital Camera 020823;c:\windows\system32\drivers\V3CB0111.SYS [2005-10-28 81700]
S3 V3CB0113;FinePix Digital Camera 020715;c:\windows\system32\drivers\V3CB0113.SYS [2005-10-28 81924]
S3 V3CB0115;FinePix Digital Camera 020523;c:\windows\system32\drivers\V3CB0115.SYS [2005-10-28 81924]
S3 V3CB0117;FinePix Digital Camera 020716;c:\windows\system32\drivers\V3CB0117.SYS [2005-10-28 81700]
S3 V3CB0119;FinePix Digital Camera 020815;c:\windows\system32\drivers\V3CB0119.SYS [2005-10-28 81700]
S3 V3CB011B;FinePix Digital Camera 020724;c:\windows\system32\drivers\V3CB011B.SYS [2005-10-28 81700]
S3 V3CB011D;FinePix Digital Camera 020717;c:\windows\system32\drivers\V3CB011D.SYS [2005-10-28 81700]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b964219-a8fb-11dd-b50d-00123fd6af03}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bcb6f74-9b96-11dd-b4f9-00123fd6af03}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4bda025-bba4-11dc-b380-00123fd6af03}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\Hot Dish\Images\stg_drm.ocx
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.shockwave.com/content/bigcityadventuresf/sis/JBGamePlayer.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\Kati\Application Data\Mozilla\Firefox\Profiles\gbnioeuj.Default User\
FF - prefs.js: browser.startup.homepage - www.rhodeisland.cox.net
FF - plugin: c:\documents and settings\Kati\Application Data\Mozilla\Firefox\Profiles\gbnioeuj.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 10:31:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-03 10:35:44
ComboFix-quarantined-files.txt 2009-02-03 15:34:52
ComboFix2.txt 2009-02-03 14:50:41

Pre-Run: 15,080,955,904 bytes free
Post-Run: 15,062,761,472 bytes free

204 --- E O F --- 2009-01-14 20:28:05



Thanks again!
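
The CFScript in post #4 and the ComboFix log above both use REG-file syntax: a [key] header, "name"= for each value, doubled backslashes inside paths, and "name"=- meaning "delete this value". The Python below is an added example for this thread; it is not ComboFix code and is not part of any post. It parses both texts with one small parser, lists the value the script deletes, and flags the entry the script was written to remove: a Windows Firewall exception that names a bare directory (c:\WINDOWS\system32) instead of a program, which no legitimate installer adds. The sample text is constructed from the lines posted above, with the system32 entry put back to show the pre-script state; the EnableFirewall=0 finding simply reflects that the firewall had been switched off on purpose for the ComboFix run.

```python
"""Audit the Windows Firewall application whitelist reported in a ComboFix-style
log and show which values a CFScript's Registry:: section would delete.
Added example for this thread: not ComboFix code and not taken from the posted
logs.  The sample inputs below are constructed from lines posted in the thread."""
import re

PROFILE_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
               r"\standardprofile")
FW_LIST_KEY = PROFILE_KEY + r"\AuthorizedApplications\List"

# Constructed excerpt of the firewall section as it would have looked before the
# CFScript ran, i.e. still holding the "c:\\WINDOWS\\system32" entry the script
# in post #4 was written to remove.  EnableFirewall=0 matches the posted log,
# where the firewall had been switched off on purpose for the ComboFix run.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

# The Registry:: part of the CFScript from post #4, verbatim; one File:: line is
# kept to show that the parser ignores non-registry sections.
SAMPLE_CFSCRIPT = r"""
File::
c:\program files\Common Files\ufifat.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32"=-
"""


def parse_reg_sections(text):
    """Parse REGEDIT4-style '[key]' blocks into {key: {value_name: raw_data}}.
    Lines outside a [key] block (File::, Folder::, bare paths) are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            sections.setdefault(current, {})
            continue
        value = re.match(r'^"(.*)"\s*=\s*(.*)$', line)
        if value and current is not None:
            sections[current][value.group(1)] = value.group(2).strip()
    return sections


def unescape(path):
    """REG-file syntax doubles backslashes; turn them back into single ones."""
    return path.replace("\\\\", "\\")


def audit_firewall(sections):
    """Findings for the standard profile: firewall state, plus any whitelist
    entry that is not a path to an executable.  A legitimate exception names a
    program; a bare directory (like the system32 entry here) is a malware footprint."""
    findings = []
    if sections.get(PROFILE_KEY, {}).get("EnableFirewall", "").startswith("0"):
        findings.append("EnableFirewall=0: firewall is off")
    for raw in sections.get(FW_LIST_KEY, {}):
        path = unescape(raw)
        leaf = path.rsplit("\\", 1)[-1]
        if "." not in leaf:
            findings.append(f"directory whitelisted: {path}")
        elif not leaf.lower().endswith(".exe"):
            findings.append(f"non-executable whitelisted: {path}")
    return findings


def script_removals(script_sections):
    """Registry values a CFScript deletes: REG syntax '"name"=-' means remove."""
    return {(key, unescape(name))
            for key, values in script_sections.items()
            for name, data in values.items() if data == "-"}


def whitelist_after_script(log_sections, script_sections):
    """Firewall exceptions that survive the script's Registry:: section."""
    removed = {name for key, name in script_removals(script_sections)
               if key == FW_LIST_KEY}
    return [unescape(n) for n in log_sections.get(FW_LIST_KEY, {})
            if unescape(n) not in removed]


if __name__ == "__main__":
    log = parse_reg_sections(SAMPLE_LOG)
    script = parse_reg_sections(SAMPLE_CFSCRIPT)
    for finding in audit_firewall(log):
        print("FINDING:", finding)
    for key, name in sorted(script_removals(script)):
        print("CFScript deletes:", name, "from", key)
    print("whitelist after script:", whitelist_after_script(log, script))
```

Run it as a script to see the findings and the pruned whitelist; the same parser can be pointed at a full ComboFix.txt, since the Reg Loading Points section uses the same [key] / "name"= layout.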

#6 miekiemoes

Posted 03 February 2009 - 11:17 AM

Hi,

To be honest, I really don't know how to use TeaTimer; I never know what to allow or deny. It just installed when I did the most recent update of Spybot S&D. Maybe I'll just leave it disabled.

Yes, if you don't know how to use it, it's better to leave it disabled. This is because TeaTimer doesn't know the difference between good and bad and alerts you to every startup modification. What happens then is that a lot of people let it block changes, while in a lot of cases they should not be blocked.

Anyway, your log looks clean again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

By the way, is it possible that I don't see an Antivirus present here? If that's the case, then please install an Antivirus asap. Look in my signature below under Antivirus for the ones I recommend. Only install 1!

Let me know in your next reply how things are now.



#7 savebandit09

Posted 03 February 2009 - 12:30 PM

I have something called McAfee VirusScan Enterprise. It must have either come with my computer or it's the one that was installed when I got to college. Have you ever heard of it? If there is something better, I can always delete that and install something new. I've never questioned it.

Anyway, when I got back from class the On-Access Scan had discovered A013671.dll, which it claims is a Vundo.gen.k trojan, and deleted it.

I didn't uninstall ComboFix just in case you think I need to run it again.

Let me know!

Thanks.



#8 miekiemoes

Posted 03 February 2009 - 12:38 PM

Hi,

I have something called VirusScan. It must have either come with my computer or it's the one that was installed when I got to college. Have you ever heard of it? If there is something better, I can always delete that and install something new. I've never questioned it.

Looks like the one from McAfee. Strange that ComboFix didn't list it as running, and as a matter of fact, I don't see all its components running in your log either. So, yes, it may be a good idea to uninstall it and replace it with another one. For example, Avira AntiVir is a great free antivirus.

Anyway, when I got back from class the On-Access Scan had discovered A013671.dll, which it claims is a Vundo.gen.k trojan, and deleted it.

As you said - you didn't uninstall Combofix yet, and that explains why it has found this.
If you had uninstalled Combofix, it would have deleted previous system restore points. The one the scan found is actually a leftover in your system restore points.
So, please uninstall ComboFix.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!



#9 savebandit09

Posted 03 February 2009 - 07:17 PM

Thank you so much for all your help. I deleted the McAfee and got Avira AntiVir, uninstalled ComboFix, and looked at all of your very helpful info and tips!


THANKS!

#10 miekiemoes

Posted 04 February 2009 - 02:16 AM

You're most welcome.

#11 miekiemoes

Posted 05 February 2009 - 07:02 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
