Unknown Malware Infection - suspect vundo


This topic is locked
11 replies to this topic

#1 sj7117 (Members, 5 posts)

Posted 08 February 2009 - 10:55 PM

Problem began with explorer.exe maxing out resources and restarting every 10 seconds or so. Icons and taskbar kept disappearing and reappearing over and over. All other functions (iexplore.exe etc.) appeared normal, just difficult to get to.
Tried system restore and the problem followed. Ran SUPERAntiSpyware and after several scans and a few 'crash and burn' reboots seem to be getting back to normal. Log of those actions is mysteriously absent. System is sort of stabilized, but now I have several different problems that I didn't have before. They are:

Persistent browser hijacks and popups - click a link and never know where I'll land. Fortunately most of these seem to open as separate windows, so I close them and move on.

Windows Security Center Service is disabled and won't enable. I can change it from "Disabled" to "manual" or "auto" but get a runtime error whenever I try to start the service.

I'm unsure what else I have to kill to beat this beastie or where else it is hiding. Any help is appreciated.

Here's the DDS.txt log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Steve Joy at 19:29:53.84 on Sun 02/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.379 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AutoWallpaperChanger\AWC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Steve Joy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Steve%20Joy/My%20Documents/Homepage%20files/start5.htm
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
{2d857b9d-4ecd-4256-ae08-4c42f1260275}
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100458 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\stevej~1\startm~1\programs\startup\awc.lnk - c:\program files\autowallpaperchanger\AWC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: xxyyxvtU - xxyyxvtU.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-6 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-6 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-5-30 141312]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-6 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-10 10384]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S0 ujxsefig;ujxsefig;c:\windows\system32\drivers\vcpoyimu.sys []
S2 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S2 0039281233976705mcinstcleanup;McAfee Application Installer Cleanup (0039281233976705);c:\docume~1\administrator\local settings\temp\0039281233976705mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service --> c:\docume~1\administrator\local settings\temp\0039281233976705mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service [?]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\mcshield.exe --> c:\program files\mcafee\virusscan\McShield.exe [?]
S3 7ByteIo;7ByteIo;c:\program files\hot cpu tester pro 4 le\SysInfo.sys [2008-2-8 9984]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\virusscan\mcsysmon.exe --> c:\progra~1\mcafee\virusscan\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-02-08 18:42 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-02-08 16:50 529 a------- c:\windows\system32\winlogon2.exe
2009-02-08 15:49 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-08 14:10 <DIR> --d----- c:\docume~1\stevej~1\applic~1\GlarySoft
2009-02-08 13:58 <DIR> --d----- c:\program files\Glary Registry Repair
2009-02-07 14:58 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-07 12:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-06 22:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-06 22:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-06 22:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-06 22:03 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 22:03 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-06 22:03 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-06 22:03 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-06 22:03 <DIR> --d----- c:\docume~1\stevej~1\applic~1\AVGTOOLBAR
2009-02-06 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 21:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-05 21:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-05 21:33 <DIR> --d----- c:\docume~1\stevej~1\applic~1\SUPERAntiSpyware.com
2009-02-05 20:49 <DIR> --d----- c:\docume~1\stevej~1\applic~1\McAfee
2009-02-05 18:02 <DIR> --d----- c:\windows\pss
2009-02-05 08:48 1,104 a------- c:\windows\ujxsefig
2009-02-05 07:55 12,375 a--sh--- c:\windows\system32\UtEeNXyb.ini2
2009-02-05 07:55 2,816 a------- c:\windows\jnoqonlg
2009-02-05 07:55 12,604 a--sh--- c:\windows\system32\UtEeNXyb.ini
2009-01-24 18:09 <DIR> --d----- c:\program files\McAfee.com
2009-01-24 18:09 <DIR> --d----- c:\program files\common files\McAfee
2009-01-24 18:09 <DIR> --d----- c:\program files\McAfee
2009-01-10 18:04 <DIR> --d----- C:\Netgear
2009-01-10 17:43 10,384 a------- c:\windows\system32\drivers\LBeepKE.sys
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-10 17:42 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-01-10 17:42 170,512 a------- c:\windows\system32\kemutb.dll
2009-01-10 17:42 145,936 a------- c:\windows\system32\KemUtil.dll
2009-01-10 17:42 117,264 a------- c:\windows\system32\KemWnd.dll
2009-01-10 17:42 84,496 a------- c:\windows\system32\KemXML.dll
2009-01-10 17:26 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-01-10 17:26 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-01-10 11:16 2,496 a------- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2009-02-08 19:25 2,608 a------- c:\windows\system32\d3d9caps.dat
2008-12-12 20:24 350 a---h--- c:\documents and settings\steve joy\hpothb07.dat
2008-12-12 20:23 657 a---h--- C:\hpothb07.dat
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-09-17 05:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2008-07-29 19:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072920080730\index.dat

============= FINISH: 19:30:33.93 ===============


#2 KoanYorel, Bleepin' Conundrum (Members, 19,461 posts; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 20 February 2009 - 12:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 sj7117 (Topic Starter; Members, 5 posts)

Posted 21 February 2009 - 12:46 PM

Thank you very much for getting back to me on this. I've survived for years without an infection of this type and this recent experience has been horrifying.
Yes, things have changed since my original post. I became locked out of task manager and services, though it appears this thing was self-replicating a bogus taskmgr executable to displace the original. Anyhow, I had to continue to take action as the box was virtually unusable - and I can't live without my dose of the box.
I believe I've been fairly successful. Most, if not all, of the original symptoms are resolved. Iexplore.exe still seems a bit sluggish at times and I get more "cannot display this page" screens than I used to (most of which can be resolved with a refresh) so I suspect I was not 100% successful.
Following are new scan results. Resident Shield was disabled before running these scans. I will take no further corrective actions until I hear back from you. Thanks again.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Steve Joy at 9:24:56.78 on Sat 02/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.501 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AutoWallpaperChanger\AWC.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Steve Joy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Steve%20Joy/My%20Documents/Homepage%20files/start5.htm
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
{2d857b9d-4ecd-4256-ae08-4c42f1260275}
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100458 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\stevej~1\startm~1\programs\startup\awc.lnk - c:\program files\autowallpaperchanger\AWC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: jkkIATnK - jkkIATnK.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: xxyyxvtU - xxyyxvtU.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXNeEtU

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-6 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-6 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-5-30 141312]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-6 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-10 10384]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S2 0039281233976705mcinstcleanup;McAfee Application Installer Cleanup (0039281233976705);c:\docume~1\administrator\local settings\temp\0039281233976705mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service --> c:\docume~1\administrator\local settings\temp\0039281233976705mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service [?]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\mcshield.exe --> c:\program files\mcafee\virusscan\McShield.exe [?]
S3 7ByteIo;7ByteIo;c:\program files\hot cpu tester pro 4 le\SysInfo.sys [2008-2-8 9984]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\virusscan\mcsysmon.exe --> c:\progra~1\mcafee\virusscan\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-02-11 13:40 0 a------- c:\windows\system32\drivers\senekarumejwbo.sys
2009-02-11 13:40 0 a------- c:\windows\system32\drivers\seneka.sys
2009-02-11 13:40 118 a------- c:\windows\system32\MRT.INI
2009-02-11 10:26 35,328 a------- c:\windows\system32\jkkiatnk.dll.ren
2009-02-10 07:42 1 a------- c:\windows\system32\uniq.tll
2009-02-08 16:50 529 a------- c:\windows\system32\winlogon2.exe
2009-02-08 15:49 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-08 14:10 <DIR> --d----- c:\docume~1\stevej~1\applic~1\GlarySoft
2009-02-08 13:58 <DIR> --d----- c:\program files\Glary Registry Repair
2009-02-07 14:58 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-07 12:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-06 22:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-06 22:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-06 22:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-06 22:03 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 22:03 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-06 22:03 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-06 22:03 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-06 22:03 <DIR> --d----- c:\docume~1\stevej~1\applic~1\AVGTOOLBAR
2009-02-06 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 21:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-05 21:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-05 21:33 <DIR> --d----- c:\docume~1\stevej~1\applic~1\SUPERAntiSpyware.com
2009-02-05 20:49 <DIR> --d----- c:\docume~1\stevej~1\applic~1\McAfee
2009-02-05 18:02 <DIR> --d----- c:\windows\pss
2009-02-05 08:48 1,104 a------- c:\windows\ujxsefig
2009-02-05 07:55 12,375 a--sh--- c:\windows\system32\UtEeNXyb.ini2
2009-02-05 07:55 2,816 a------- c:\windows\jnoqonlg
2009-02-05 07:55 12,604 a--sh--- c:\windows\system32\UtEeNXyb.ini
2009-02-05 07:55 59 a------- c:\windows\system32\senekanykmovns.dat
2009-02-04 18:34 0 a------- c:\windows\system32\drivers\senekaohgnqlti.sys
2009-02-04 18:33 80,197 a------- c:\windows\system32\senekabvdovsns.dat
2009-01-24 18:09 <DIR> --d----- c:\program files\McAfee.com
2009-01-24 18:09 <DIR> --d----- c:\program files\common files\McAfee
2009-01-24 18:09 <DIR> --d----- c:\program files\McAfee

==================== Find3M ====================

2009-02-16 11:44 2,608 a------- c:\windows\system32\d3d9caps.dat
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-10 17:43 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-10 11:18 2,496 a------- c:\windows\system32\d3d8caps.dat
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 20:24 350 a---h--- c:\documents and settings\steve joy\hpothb07.dat
2008-12-12 20:23 657 a---h--- C:\hpothb07.dat
2008-09-17 05:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2008-07-29 19:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072920080730\index.dat

============= FINISH: 9:25:21.85 ===============


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 21 February 2009 - 12:54 PM

Hello.

You have some nasty infections going on here. One of those infections contains a backdoor/rootkit. These infections are very dangerous and nasty.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy anymore. Tell me what you want to do and let me know if you want to continue or not.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#5 sj7117
  • Topic Starter
  • Members
  • 5 posts

Posted 21 February 2009 - 03:49 PM

Is there any accurate way to date the infection? I have Acronis archival images of various vintages that I'd like to be able to use if possible.

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 21 February 2009 - 03:51 PM

Hello.

I do not know when you got this infection and therefore I do not know when it dates from. If you wish to continue, let me know; if not, you can reinstall/format.

With Regards,
Extremeboy

#7 sj7117
  • Topic Starter
  • Members
  • 5 posts

Posted 21 February 2009 - 08:23 PM

Let me see if I can find my disk. This box was built in '01 and I've moved numerous times since then. I've no idea where it might be. If I can't locate it, we'll have to try cleaning. I'll let you know, and thanks.

#8 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 21 February 2009 - 08:45 PM

Okay.

Thanks for letting me know.

Tell me how it goes.

With Regards,
Extremeboy

#9 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 February 2009 - 05:12 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#10 sj7117
  • Topic Starter
  • Members
  • 5 posts

Posted 25 February 2009 - 12:56 PM

Sorry to have not gotten back to you sooner. The problem has progressed and the box is now virtually dead. Some process is tying up resources at nearly 100%. It takes half an hour to boot into safe mode and display a desktop. Clicking any icon takes minutes to generate a response and I'm locked out of Services. I can get to Task Manager, but it won't allow me to terminate the process. I haven't located my original disk, but at least I have extracted my original product key and I still have several disk image backups. If I can convince it to boot from CD (I'll borrow an SP3 slipstreamed disk if necessary) I might still be able to extract recent non-system personal files (pictures, etc.) before I wipe it to start over. My bad - I never should have stored them on this drive. I still plan on restoring from my most recent Acronis image, but I'll need an assist in verifying it is clean. I hope to have it back on life support by the weekend.

I appreciate your patience as I know you are busy. Sorry I can't get to it sooner. I completely understand if you need to drop this thread and move on before the weekend.

#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 25 February 2009 - 04:12 PM

Hello.

As long as they are not executables or HTML files, you will be fine. This infection does not infect those types of files.

2 guidelines:

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

With Regards,
Extremeboy
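The data-only backup rule in the post above (copy documents, pictures and music; leave behind anything that can carry code) can be applied mechanically rather than by hand. The script below is an added example for this thread, not something posted by extremeboy or sj7117. It goes a step further than the extension list in the post: besides skipping the extensions named there, it skips other Windows code and shortcut types (.dll, .sys, .bat, .vbs, .lnk and so on; this wider list is the example's own assumption) and it reads the first bytes of every file, so an executable that was renamed to .jpg (an "MZ" header) or a web page saved under a .txt name is still left behind. The sample file tree built by `demo()` is constructed test data. It is meant to be run from a clean boot environment (a rescue CD or a separate machine) with the infected drive mounted, not from the infected Windows install itself.

```python
"""Filter a data-only backup of a possibly infected Windows drive.

Added example for this thread. Copies data files to an external location
and skips anything that can carry code. File names are not trusted on
their own: the first bytes of each file are inspected as well, so a
renamed executable is still skipped. The extension list and the content
checks are this example's assumptions, not the thread's.
"""
import os
import shutil
import tempfile

# Extensions named in the thread (.exe .scr .com .pif .html .htm) plus other
# Windows code, script and shortcut types (assumed additions).
CODE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".dll", ".sys", ".ocx", ".cpl",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1",
    ".lnk", ".hta", ".html", ".htm", ".mht",
}

# Content signatures that mark a file as code whatever its name says.
PE_MAGIC = b"MZ"                        # DOS/PE header: .exe, .dll, .scr, .sys
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<iframe")


def classify(name, head):
    """Return 'skip' or 'copy' for a file, given its name and first bytes."""
    ext = os.path.splitext(name)[1].lower()
    if ext in CODE_EXTENSIONS:
        return "skip"
    if head[:2] == PE_MAGIC:            # executable renamed to look like data
        return "skip"
    lowered = head[:512].lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "skip"                   # saved web page under another name
    return "copy"


def select_files(src_root):
    """Walk src_root and yield (path, verdict) for every regular file."""
    for dirpath, _dirs, files in os.walk(src_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(512)
            except OSError:
                yield path, "skip"      # unreadable: do not carry it over
                continue
            yield path, classify(fname, head)


def copy_data_only(src_root, dst_root):
    """Copy files judged safe into dst_root, preserving relative paths.

    Returns (copied, skipped) as lists of paths relative to src_root.
    """
    copied, skipped = [], []
    for path, verdict in select_files(src_root):
        rel = os.path.relpath(path, src_root)
        if verdict == "copy":
            dest = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(path, dest)
            copied.append(rel)
        else:
            skipped.append(rel)
    return copied, skipped


def demo():
    """Build a constructed sample tree in a temp dir and run the filter."""
    src = tempfile.mkdtemp(prefix="infected_")
    dst = tempfile.mkdtemp(prefix="backup_")
    samples = {                         # constructed test data, not real files
        os.path.join("pics", "holiday.jpg"): b"\xff\xd8\xff\xe0JFIF...",
        os.path.join("pics", "cute.jpg"): b"MZ\x90\x00\x03",   # renamed .exe
        os.path.join("docs", "taxes.doc"): b"\xd0\xcf\x11\xe0 word doc",
        os.path.join("docs", "saved.htm"): b"<html><body>x</body></html>",
        "setup.exe": b"MZ\x90\x00",
    }
    for rel, data in samples.items():
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    copied, skipped = copy_data_only(src, dst)
    return sorted(copied), sorted(skipped)


if __name__ == "__main__":
    print(demo())
```

Point `copy_data_only()` at the mounted infected volume and an external drive; `demo()` only exercises the filter on its own constructed tree. The content check is deliberately conservative: a genuine .txt file that happens to contain `<script` is skipped too, which is the right trade-off when the goal is to carry nothing executable across.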

#12 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 27 February 2009 - 04:13 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

