
Had Antivirus 360/Trojan Vundo infection?



#1 MagZness

  • Members
  • 5 posts

Posted 05 February 2009 - 01:51 AM

Greetings.
My computer was recently infected with a trojan. Shaw Secure said "Trojan.win32.monder" or something similar, but other programs said Vundo after scanning (is it possible that there was more than one trojan?).

I Googled and followed some instructions given to someone with a similar problem. I have scanned with Shaw Secure (did not pick anything up), used CCleaner, used Dr. Web's Cure It, MalwareBytes, and SuperAntiSpyware, and afterwards scanned once more with Trend Micro Housecall.

After deleting things with Dr. Web's Cure It, MalwareBytes, and SuperAntiSpyware, and scanning with the latter two as well as Housecall to make sure, nothing threatening is showing up anymore. However, I want to be absolutely sure my computer is clean. I will appreciate any help. A DDS log and Attach file are attached.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:03 PM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
e:\mydata\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095460891873
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

--
End of file - 5885 bytes


Thank you in advance


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 13 February 2009 - 09:44 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Please carry out these scans in Normal Mode, if possible.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the DDS logs
-the F-Secure scan log

Please give me an update on the symptoms. Also tell me of any changes you have made to this computer.

With Regards,
The Panda

#3 MagZness
  • Topic Starter

  • Members
  • 5 posts

Posted 14 February 2009 - 12:59 AM

My computer is not showing any symptoms, as far as I know. It does slow down after running for a while (more than one hour... I don't know exactly). Is that normal?

Here are the requested logs.


DDS log

DDS (Ver_09-02-01.01) - NTFSx86
Run by Margaret at 18:45:09.48 on Fri 02/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.112 [GMT -8:00]

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated)
FW: Shaw Secure 8.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Shaw Secure\FSGUI\scanwizard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\MyData\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.neopets.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\margaret\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095460891873
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyXNEw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\margaret\applic~1\mozilla\firefox\profiles\0p2dt7s4.default\
FF - prefs.js: browser.startup.homepage - www.neopets.com
FF - plugin: c:\documents and settings\margaret\application data\mozilla\firefox\profiles\0p2dt7s4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-17 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-9-4 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-11-17 66720]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2007-9-3 34916]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2007-9-4 84096]
R3 ICAM8USB;Intel® PC Camera CS120;c:\windows\system32\drivers\Icm8D2.SYS [2008-7-15 237504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-9-3 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-9-3 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-9-3 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-9-3 60416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2007-9-4 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2007-9-4 25184]

=============== Created Last 30 ================

2009-02-12 21:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-12 21:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-03 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-03 23:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-03 23:53 <DIR> --d----- c:\docume~1\margaret\applic~1\SUPERAntiSpyware.com
2009-02-03 23:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-03 23:53 <DIR> --d----- c:\docume~1\margaret\applic~1\Malwarebytes
2009-02-03 23:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 23:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 23:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-03 23:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 23:51 <DIR> --d----- c:\program files\CCleaner
2009-02-03 21:40 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-03 20:51 1,556,486 ---sh--- c:\windows\system32\lfrltsle.ini
2009-02-02 23:22 120 ---sh--- c:\windows\system32\pshmthjt.ini
2009-02-02 00:03 <DIR> --d----- c:\program files\AVG
2009-02-01 17:38 1,497,619 ---sh--- c:\windows\system32\vfcqwwyk.ini
2009-02-01 17:29 37,924 a--sh--- c:\windows\system32\wENXyyay.ini2
2009-02-01 17:28 37,924 a--sh--- c:\windows\system32\wENXyyay.ini
2009-01-23 13:02 <DIR> --d----- c:\program files\Defraggler

==================== Find3M ====================

2009-02-11 21:58 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-22 16:42 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2007-09-15 14:39 88 ---shr-- c:\windows\system32\53C71E1E38.sys
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 04:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-05-07 17:56 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 18:46:55.04 ===============





F-Secure log

Scanning Report
Friday, February 13, 2009 20:27:56 - 21:34:18

Computer name: DAVID-WORK
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 4 malware found
INI/Vundo.A (virus)

* C:\WINDOWS\SYSTEM32\WENXYYAY.INI (Submitted)

Vundo.FBW (virus)

* C:\WINDOWS\SYSTEM32\LFRLTSLE.INI (Submitted)
* C:\WINDOWS\SYSTEM32\PSHMTHJT.INI (Submitted)
* C:\WINDOWS\SYSTEM32\VFCQWWYK.INI (Submitted)

Statistics
Scanned:

* Files: 28814
* System: 5560
* Not scanned: 45

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 4

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\$NTUNINSTALLKB835732$\BROWSER.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CMDEVTGPROV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\EVTGPROV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
* C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL
* C:\RECYCLER\S-1-5-21-436374069-1532298954-725345543-1004\DC3.LNK

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-13
* F-Secure AVP: 7.0.171, 2009-02-13
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 14 February 2009 - 10:35 AM

Hello.

I see evidence of F-Secure and AVG antivirus in your logs. If you have both installed, please remove one using Add/Remove Programs.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):"msv1_0"
    
    :files
    c:\windows\system32\lfrltsle.ini
    c:\windows\system32\pshmthjt.ini
    c:\windows\system32\vfcqwwyk.ini
    c:\windows\system32\wENXyyay.ini2
    c:\windows\system32\wENXyyay.ini
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Please take a new DDS.txt log too.

With Regards,
The Panda
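The two indicators Panda's OTMoveIt script targets (the extra entry in the LSA "Authentication Packages" value and the hidden+system .ini/.ini2 files in system32 from the "Created Last 30" section) can be pulled out of a DDS log mechanically. The following Python is an added example, not code from this thread or from DDS/OTMoveIt: it parses a constructed excerpt of the log posted above, flags both indicators, pairs them by the reversed-name pattern visible in this log (yayyXNEw vs. wENXyyay.ini), and renders a fix in the :reg/:files/:commands layout used in the post. The section titles, the attribute-field positions and the 8-letter name heuristic are assumptions drawn only from this thread's log lines.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log posted in
# this thread, trimmed to the entries the triage looks at.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyXNEw
=============== Created Last 30 ================
2009-02-12 21:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-03 23:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 20:51 1,556,486 ---sh--- c:\windows\system32\lfrltsle.ini
2009-02-02 23:22 120 ---sh--- c:\windows\system32\pshmthjt.ini
2009-02-01 17:29 37,924 a--sh--- c:\windows\system32\wENXyyay.ini2
2009-02-01 17:28 37,924 a--sh--- c:\windows\system32\wENXyyay.ini
2009-01-23 13:02 <DIR> --d----- c:\program files\Defraggler
==================== Find3M ====================
2009-02-11 21:58 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$", re.I)
# "date time size attrs path"; attrs is the 8-character flag field DDS prints.
# Assumption from this log: index 3 is the system bit, index 4 the hidden bit.
CREATED_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+([a-z-]{8})\s+(.+)$")
# Eight random letters plus .ini/.ini2: the naming seen in this thread's log.
SUSPECT_NAME_RE = re.compile(r"^[A-Za-z]{8}\.ini2?$")

def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def extra_lsa_packages(sections):
    """Anything besides the expected msv1_0 in LSA 'Authentication Packages'."""
    for line in sections.get("Pseudo HJT Report", []):
        m = LSA_RE.match(line)
        if m:
            return [p for p in m.group(1).split() if p.lower() != "msv1_0"]
    return []

def hidden_system32_ini_files(sections):
    """Hidden+system .ini/.ini2 files created in system32 in the last 30 days."""
    hits = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        folder, _, name = path.rpartition("\\")
        if (attrs[3] == "s" and attrs[4] == "h"
                and folder.lower().endswith(r"\windows\system32")
                and SUSPECT_NAME_RE.match(name)):
            hits.append(path)
    return hits

def linked_pairs(extra_lsa, ini_files):
    """Pair a rogue LSA package with .ini files whose stem is its name reversed
    (yayyXNEw <-> wENXyyay.ini in this thread's log)."""
    pairs = []
    for pkg in extra_lsa:
        stem = pkg.rpartition("\\")[2]
        for ini in ini_files:
            if ini.rpartition("\\")[2].split(".")[0] == stem[::-1]:
                pairs.append((pkg, ini))
    return pairs

def render_otmoveit_fix(extra_lsa, ini_files):
    """Write the fix in the :reg / :files / :commands layout used in this thread."""
    out = []
    if extra_lsa:
        out += [":reg", r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
                '"Authentication Packages"=hex(7):"msv1_0"', ""]
    if ini_files:
        out += [":files", *ini_files, ""]
    out += [":commands", "[emptytemp]"]
    return "\n".join(out)

def triage(text):
    """Run all checks over one DDS log and return findings plus the fix script."""
    sections = parse_sections(text)
    extra = extra_lsa_packages(sections)
    inis = hidden_system32_ini_files(sections)
    return {"lsa_extra": extra, "hidden_ini": inis,
            "pairs": linked_pairs(extra, inis),
            "fix": render_otmoveit_fix(extra, inis)}

if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    print(result["lsa_extra"], result["hidden_ini"], result["pairs"], result["fix"], sep="\n")
```

Note that KGyGaAvL.sys in the Find3M section is deliberately not flagged: the check is scoped to the "Created Last 30" section and to .ini/.ini2 names, so a long-standing hidden file is not mistaken for the fresh Vundo droppings.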

#5 MagZness
  • Topic Starter

  • Members
  • 5 posts

Posted 14 February 2009 - 05:53 PM

OTMoveIt3 results

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
========== FILES ==========
c:\windows\system32\lfrltsle.ini moved successfully.
c:\windows\system32\pshmthjt.ini moved successfully.
c:\windows\system32\vfcqwwyk.ini moved successfully.
c:\windows\system32\wENXyyay.ini2 moved successfully.
c:\windows\system32\wENXyyay.ini moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\etilqs_jphTr1YqNxmgjzy4l2UT scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\Perflib_Perfdata_c40.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DF8A53.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DF8B4C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DFAF94.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DFAFA4.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\nvcbin.def.76167175.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_580.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02142009_143804

Files moved on Reboot...
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\etilqs_jphTr1YqNxmgjzy4l2UT not found!
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\Perflib_Perfdata_c40.dat not found!
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DF8A53.tmp not found!
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DF8B4C.tmp not found!
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DFAF94.tmp not found!
File C:\DOCUME~1\Margaret\LOCALS~1\Temp\~DFAFA4.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\nvcbin.def.76167175.TMP not found!
File C:\WINDOWS\temp\Perflib_Perfdata_580.dat not found!




DDS log


DDS (Ver_09-02-01.01) - NTFSx86
Run by Margaret at 14:49:11.09 on Sat 02/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.157 [GMT -8:00]

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated)
FW: Shaw Secure 8.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\MyData\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.neopets.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\margaret\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095460891873
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\margaret\applic~1\mozilla\firefox\profiles\0p2dt7s4.default\
FF - prefs.js: browser.startup.homepage - www.neopets.com
FF - plugin: c:\documents and settings\margaret\application data\mozilla\firefox\profiles\0p2dt7s4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-17 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-9-4 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-11-17 66720]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2007-9-4 215648]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2007-9-3 34916]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2007-9-4 84096]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2008-11-17 55904]
R3 ICAM8USB;Intel® PC Camera CS120;c:\windows\system32\drivers\Icm8D2.SYS [2008-7-15 237504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-9-3 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-9-3 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-9-3 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-9-3 60416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2007-9-4 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2007-9-4 25184]

=============== Created Last 30 ================

2009-02-12 21:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-12 21:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-03 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-03 23:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-03 23:53 <DIR> --d----- c:\docume~1\margaret\applic~1\SUPERAntiSpyware.com
2009-02-03 23:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-03 23:53 <DIR> --d----- c:\docume~1\margaret\applic~1\Malwarebytes
2009-02-03 23:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 23:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 23:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-03 23:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 23:51 <DIR> --d----- c:\program files\CCleaner
2009-02-03 21:40 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-23 13:02 <DIR> --d----- c:\program files\Defraggler

==================== Find3M ====================

2009-02-11 21:58 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-22 16:42 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2007-09-15 14:39 88 ---shr-- c:\windows\system32\53C71E1E38.sys
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 04:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-05-07 17:56 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 14:50:25.25 ===============
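
For anyone who wants to pre-screen DDS output like the log above before a helper reads it by hand, here is an added Python example (not part of this thread, and not code from the DDS tool) that parses the SERVICES / DRIVERS and Find3M sections. It flags services whose binary DDS reports as missing (the `--> ... [?]` form, here the leftover AVG entries) and files carrying both the system and hidden attributes, which merit a manual look. The sample input is a few lines copied from the log; the meaning of the attribute letters (s = system, h = hidden) is an assumption.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-17 33408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

==================== Find3M ====================

2009-02-11 21:58 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-22 16:42 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2007-09-15 14:39 88 ---shr-- c:\windows\system32\53C71E1E38.sys
"""

# "<start type> <name>;<display name>;<path> [<date> <size>]"  or  "<path> --> <path> [?]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
# "<date> <time> <size|<DIR>> <8 attribute flags> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


def parse_services(text):
    """Return one dict per service/driver line, noting whether DDS could not find the file."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, display, rest = m.groups()
        missing = rest.rstrip().endswith("[?]")          # DDS marks an absent binary with "[?]"
        path = rest.split(" --> ")[0].rsplit(" [", 1)[0]  # strip the arrow copy and the bracket
        services.append({"start": start, "name": name, "display": display,
                         "path": path, "missing": missing})
    return services


def find_orphaned_services(text):
    """Names of services/drivers registered in the registry but whose file is gone."""
    return [s["name"] for s in parse_services(text) if s["missing"]]


def find_hidden_system_files(text):
    """Paths of files whose attribute flags include both system (s) and hidden (h)."""
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m and "s" in m.group(3) and "h" in m.group(3):
            hits.append(m.group(4))
    return hits


if __name__ == "__main__":
    print("orphaned services:", find_orphaned_services(SAMPLE_LOG))
    print("hidden+system files:", find_hidden_system_files(SAMPLE_LOG))
```

Flagged entries are review candidates, not verdicts: orphaned service entries are usually leftovers from an uninstalled product, and some hidden system files are legitimate licensing or protection components.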

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 14 February 2009 - 06:49 PM

Hello.

Looks good. Unless there are any issues, we can wrap up.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#7 MagZness

MagZness
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 15 February 2009 - 05:48 PM

I did everything in your instructions. Everything seems good. Thank you for all your help.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 16 February 2009 - 12:56 PM

Welcome.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
