
On the brink of infection.


This topic is locked
14 replies to this topic

#1 Primantis

Primantis

  • Members
  • 10 posts

Posted 11 March 2009 - 01:54 AM

Hi there folks,

I recently came across a Trojan (or two), at least I think I did. It's a long story so I'll try to keep it short yet detailed.

The other day I was working on my computer when AVG popped up with a warning saying that it found a security risk etc. I used the option to clean it. The trojan was Vundo FJ.

Now up to this point my computer was acting completely normal, no abnormal popups, slowdowns, my internet worked fine, and I had total access to my hard drive. However, I was going to take the safe route and try to remove it before it infected me further (or at all). Doing some research I downloaded 2 programs. Malware Remover from Malwarebytes and Vundofix.

So I disabled System Restore, rebooted in Safe Mode, and did a complete scan and deletion using these 3 programs. AVG and Malware Remover both found various nasties and deleted them all successfully, but vundofix said I had no active Vundo infection.

After I rebooted back into the normal mode there were no threat detections for a good few hours, then all of a sudden I got bombarded with several at once. They had different names this time: Trojan Horse Clicker, Trojan Horse Sheur2, and Agent APAO. So I repeated the process again figuring maybe I missed something, with the same results.

Now, my computer is still working fine as far as I know, there are no abnormal popups etc. and I have full control.

So I ask you all, any idea what I should do?

Thank you


*EDIT*

I'd like to also mention that I enabled the "Show all hidden folders" and Disabled "Hide system Files" options before I did the scans.

Edited by Primantis, 11 March 2009 - 02:17 AM.




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 March 2009 - 03:02 AM

Hi,

Can you post the log from MalwareBytes and a DDS log in your next reply? Because without any logs, it's impossible to tell you what's still present or not.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Primantis

Primantis
  • Topic Starter

  • Members
  • 10 posts

Posted 11 March 2009 - 04:32 AM

OK, I did what you asked. I did a fresh Malwarebytes (full) scan, and used that DDS file you linked to.


-


DDS (Ver_09-02-01.01) - NTFSx86
Run by owner at 1:16:08.28 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1373 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program



Malwarebytes' Anti-Malware 1.34
Database version: 1833
Windows 5.1.2600 Service Pack 3, v.3264

3/11/2009 2:28:57 AM
mbam-log-2009-03-11 (02-28-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 205892
Time elapsed: 1 hour(s), 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-842925246-113007714-725345543-1003\Dc330.exe (Backdoor.VBBot.H) -> Quarantined and deleted successfully.



Edited by Primantis, 11 March 2009 - 04:32 AM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 March 2009 - 05:09 AM

Hi,

Your DDS log is incomplete. Please run it again. Thanks.

#5 Primantis

Primantis
  • Topic Starter

  • Members
  • 10 posts

Posted 11 March 2009 - 05:16 AM

Whoops, looks like I didn't select it all before I copied it >< sorry; here it is.

If it's worth noting, the only 2 "threat detected" messages I seem to be getting now are Trojan Horse Clicker.XGC and Trojan Horse Agent.APAO.

They come randomly and I tell AVG to 'heal' them.



DDS (Ver_09-02-01.01) - NTFSx86
Run by owner at 1:16:08.28 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1373 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: bmnet.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202332809312
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
AppInit_DLLs: nvsomx.dll ,
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\binuvete.dll c:\windows\system32\monigula.dll c:\windows\system32\zadoleso.dll c:\windows\system32\gawosuya.dll c:\windows\system32\bitanazo.dll c:\windows\system32\woyawizi.dll c:\windows\system32\negokofi.dll c:\windows\system32\walikahe.dll c:\windows\system32\yepagone.dll c:\windows\system32\yozezuna.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ln6m1qza.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-2-6 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-2-6 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-2-6 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-2-6 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-2-6 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-2-6 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-2-6 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-2-6 4960]
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-2-6 26488]
S3 apusbsnt;Sierra Wireless USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2008-3-10 40064]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-10 32512]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 587096]

=============== Created Last 30 ================

2009-03-11 01:09 368,961 a------- C:\dds.scr
2009-03-10 02:12 233,472 a------- c:\windows\system32\wpcap.dll
2009-03-10 02:12 81,920 a------- c:\windows\system32\packet.dll
2009-03-10 02:12 61,440 a------- c:\windows\system32\wanpacket.dll
2009-03-10 02:12 57,344 a------- c:\windows\system32\abacadaba.exe
2009-03-10 02:12 32,512 a------- c:\windows\system32\drivers\npf.sys
2009-03-09 03:22 <DIR> --d----- C:\VundoFix Backups
2009-03-08 16:22 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-08 16:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 16:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-08 16:21 2,876,720 a------- C:\mbam-setup.exe
2009-03-07 18:55 <DIR> --d----- c:\program files\common files\DirectX
2009-03-07 03:47 31,744 a------- c:\windows\system32\01s0254P.exe
2009-03-07 01:27 <DIR> --d----- C:\nDoors
2009-03-03 03:42 <DIR> --d----- c:\program files\TweakCoH
2009-02-14 18:52 <DIR> --d----- c:\program files\Padus
2009-02-14 17:48 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-02-14 17:48 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-02-14 17:46 45,504 a------- c:\windows\system32\drivers\WmXlCore.sys
2009-02-14 17:46 22,240 a------- c:\windows\system32\drivers\WmFilter.sys
2009-02-14 17:46 10,144 a------- c:\windows\system32\drivers\WmBEnum.sys
2009-02-14 17:46 5,600 a------- c:\windows\system32\drivers\WmVirHid.sys
2009-02-14 17:46 <DIR> --d----- c:\program files\common files\Logitech

==================== Find3M ====================

2009-03-10 18:53 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 22:04 4,096 a------- c:\windows\d3dx.dat
2008-02-06 14:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020620080207\index.dat

============= FINISH: 1:16:18.65 ===============

Edited by Primantis, 11 March 2009 - 05:19 AM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 March 2009 - 05:31 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#7 Primantis

Primantis
  • Topic Starter

  • Members
  • 10 posts

Posted 11 March 2009 - 06:04 AM

Ok, I used ComboFix, here's the log.

ComboFix 09-03-10.02 - owner 2009-03-11 3:52:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -8:00]
Running from: C:\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 03:46 . 2009-03-11 03:46 2,933,072 -ra------ C:\ComboFix.exe
2009-03-11 01:09 . 2009-03-11 01:09 368,961 --a------ C:\dds.scr
2009-03-10 02:12 . 2009-03-10 02:12 57,344 --a------ c:\windows\system32\abacadaba.exe
2009-03-09 03:22 . 2009-03-09 03:22 <DIR> d-------- C:\VundoFix Backups
2009-03-08 18:38 . 2009-03-08 18:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:22 . 2009-03-08 16:22 <DIR> d-------- c:\documents and settings\owner\Application Data\Malwarebytes
2009-03-08 16:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 16:21 . 2009-03-08 16:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:21 . 2009-03-08 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:21 . 2009-03-08 16:21 2,876,720 --a------ C:\mbam-setup.exe
2009-03-08 16:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 18:55 . 2009-03-07 18:55 <DIR> d-------- c:\program files\Common Files\DirectX
2009-03-07 03:47 . 2009-03-07 03:46 31,744 --a------ c:\windows\system32\01s0254P.exe
2009-03-07 01:27 . 2009-03-07 01:27 <DIR> d-------- C:\nDoors
2009-03-03 03:42 . 2009-03-03 03:42 <DIR> d-------- c:\program files\TweakCoH
2009-02-16 16:16 . 2009-02-16 16:16 <DIR> d-------- c:\documents and settings\owner\Application Data\InstallShield
2009-02-14 23:16 . 2009-02-14 23:16 <DIR> d-------- c:\program files\7-Zip
2009-02-14 18:52 . 2009-02-14 18:52 <DIR> d-------- c:\program files\Padus
2009-02-14 17:48 . 2007-11-30 17:23 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-14 17:48 . 2007-11-30 17:23 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-14 17:46 . 2009-02-14 17:46 <DIR> d-------- c:\program files\Logitech
2009-02-14 17:46 . 2009-02-14 17:46 <DIR> d-------- c:\program files\Common Files\Logitech
2009-02-14 17:46 . 2005-04-12 19:21 45,504 --a------ c:\windows\system32\drivers\WmXlCore.sys
2009-02-14 17:46 . 2005-04-12 19:21 22,240 --a------ c:\windows\system32\drivers\WmFilter.sys
2009-02-14 17:46 . 2005-04-12 19:21 10,144 --a------ c:\windows\system32\drivers\WmBEnum.sys
2009-02-14 17:46 . 2005-04-12 19:21 5,600 --a------ c:\windows\system32\drivers\WmVirHid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 11:57 --------- d-----w c:\program files\Taskbar Shuffle
2009-03-11 11:17 --------- d-----w c:\program files\City of Heroes
2009-03-11 02:30 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-03-10 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-10 09:20 --------- d-----w c:\documents and settings\owner\Application Data\LimeWire
2009-03-10 08:04 --------- d-----w c:\program files\eMule
2009-03-09 03:27 --------- d-----w c:\program files\BitComet
2009-03-07 09:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 04:28 --------- d-----w c:\program files\LimeWire
2009-02-09 23:09 --------- d-----w c:\documents and settings\owner\Application Data\IGN_DLM
2009-02-09 08:43 --------- d-----w c:\program files\Perfect World
2009-02-09 08:29 --------- d-----w c:\program files\Perfect World Entertainment
2009-02-09 05:51 --------- d-----w c:\documents and settings\owner\Application Data\GetRightToGo
2009-02-08 08:05 --------- d-----w c:\documents and settings\owner\Application Data\gtk-2.0
2009-02-06 23:38 --------- d-----w c:\program files\World of Warcraft
2009-02-04 09:56 --------- d-----w c:\documents and settings\owner\Application Data\OpenOffice.org2
2009-02-04 09:01 --------- d-----w c:\program files\GIMP-2.0
2009-02-02 05:45 --------- d-----w c:\program files\Oxin's Style!
2009-01-31 09:10 --------- d-----w c:\program files\Kotor Tool
2009-01-31 05:26 --------- d-----w c:\program files\LucasArts
2009-01-29 01:17 --------- d-----w c:\program files\QuickTime
2009-01-29 01:16 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-12 10:58 --------- d-----w c:\program files\VDOWNLOADER
2009-01-12 08:23 --------- d-----w c:\documents and settings\owner\Application Data\Apple Computer
2008-02-06 22:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008020620080207\index.dat
.

------- Sigcheck -------

2007-10-10 15:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2006-03-15 04:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 c:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 15:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\system32\wininet.dll
2007-10-10 15:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-12-01 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-11 185872]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-11-30 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-11-30 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-08-06 c:\windows\system32\VTTrayp.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-08 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KITCO]
c:\program files\Kitco\Kcast\Kcast [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25305:TCP"= 25305:TCP:BitComet 25305 TCP
"25305:UDP"= 25305:UDP:BitComet 25305 UDP
"46000:TCP"= 46000:TCP:emule1
"45000:UDP"= 45000:UDP:emule2
"20775:TCP"= 20775:TCP:BitComet 20775 TCP
"20775:UDP"= 20775:UDP:BitComet 20775 UDP
"27084:TCP"= 27084:TCP:BitComet 27084 TCP
"27084:UDP"= 27084:UDP:BitComet 27084 UDP
"22552:TCP"= 22552:TCP:Truxshare
"22552:UDP"= 22552:UDP:Truxshare

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-02-06 26488]
S3 apusbsnt;Sierra Wireless USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2008-03-10 40064]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04f955a-eefd-11dc-a3e4-0016ec6db682}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04f955b-eefd-11dc-a3e4-0016ec6db682}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-11 c:\windows\Tasks\At1.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At10.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At11.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At12.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At13.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At14.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At15.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At16.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-09 c:\windows\Tasks\At17.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-09 c:\windows\Tasks\At18.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-09 c:\windows\Tasks\At19.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At2.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At20.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At21.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At22.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At23.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At24.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At3.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At4.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At5.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At6.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At7.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At8.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At9.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\ln6m1qza.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 03:58:00
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\bmwebcfg.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\medctrro.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehRec.exe
c:\windows\ehome\ehRec.exe
c:\windows\ehome\ehRec.exe
c:\windows\ehome\ehRec.exe
c:\windows\ehome\ehRec.exe
.
**************************************************************************
.
Completion time: 2009-03-11 4:01:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-11 12:01:10

Pre-Run: 77,416,370,176 bytes free
Post-Run: 77,432,119,296 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
279 --- E O F --- 2008-07-29 20:55:51
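The log above shows a classic at-job persistence pattern: At1.job through At24.job, one per hour, all running the same unknown binary in system32. As an added example (not code from the thread, the helper, or ComboFix), the Python below parses the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log and flags any target that several At&lt;N&gt;.job tasks point at; the embedded log text is a constructed, trimmed sample, and the line regexes are assumptions drawn from the format seen in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the shape of the section in the log above.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-11 c:\windows\Tasks\At1.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-08 c:\windows\Tasks\At10.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]

2009-03-11 c:\windows\Tasks\At2.job
- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
# Assumed line shapes, taken from the log in this thread:
# "2009-03-11 c:\windows\Tasks\At1.job"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*?\.job)\s*$", re.IGNORECASE)
# "- c:\windows\system32\01s0254P.exe [2009-03-07 03:46]"
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[[^\]]*\]\s*$")
AT_JOB_RE = re.compile(r"^at(?P<n>\d+)\.job$", re.IGNORECASE)


def parse_scheduled_tasks(log_text):
    """Return (job_path, target_path) pairs listed under the section header."""
    tasks = []
    in_section = False
    pending_job = None
    for line in log_text.splitlines():
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":  # ComboFix closes each section with a lone dot
            break
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending_job is not None:
            tasks.append((pending_job, m.group("target")))
            pending_job = None
    return tasks


def find_at_job_persistence(tasks, min_jobs=3):
    """Group At<N>.job tasks by lower-cased target and keep targets hit by at
    least min_jobs of them. One or two at-jobs can be legitimate admin work;
    an hourly series all pointing at one unknown system32 binary is not."""
    by_target = defaultdict(list)
    for job_path, target in tasks:
        name = job_path.rsplit("\\", 1)[-1]
        if AT_JOB_RE.match(name):
            by_target[target.lower()].append(name)
    hits = {}
    for target, names in by_target.items():
        if len(names) >= min_jobs:
            hits[target] = sorted(names, key=lambda n: int(AT_JOB_RE.match(n).group("n")))
    return hits


if __name__ == "__main__":
    for target, names in find_at_job_persistence(parse_scheduled_tasks(SAMPLE_LOG)).items():
        print(f"{len(names)} at-jobs ({names[0]} .. {names[-1]}) run {target}")
```

Run against the full log in this thread, the same function reports all 24 At jobs for 01s0254P.exe, which is exactly what the AtJob:: directive in the CFScript later removes.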

#8 miekiemoes
Malware Response Team

Posted 11 March 2009 - 06:16 AM

Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Collect::[8]
c:\windows\system32\01s0254P.exe
c:\windows\system32\abacadaba.exe
Filelook::
c:\windows\system32\spupdsvc.exe
AtJob::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Afterwards, when we are done, please uninstall your AVG7 and update to AVG8.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Primantis
Topic Starter

Posted 11 March 2009 - 06:25 AM

Hi there,

OK, I ran it again and submitted the file like you requested, and here is the new log:


ComboFix 09-03-10.02 - owner 2009-03-11 4:19:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1525 [GMT -8:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\01s0254P.exe
c:\windows\system32\abacadaba.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 03:46 . 2009-03-11 03:46 2,933,072 -ra------ C:\ComboFix.exe
2009-03-11 01:09 . 2009-03-11 01:09 368,961 --a------ C:\dds.scr
2009-03-09 03:22 . 2009-03-09 03:22 <DIR> d-------- C:\VundoFix Backups
2009-03-08 18:38 . 2009-03-08 18:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:22 . 2009-03-08 16:22 <DIR> d-------- c:\documents and settings\owner\Application Data\Malwarebytes
2009-03-08 16:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 16:21 . 2009-03-08 16:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:21 . 2009-03-08 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:21 . 2009-03-08 16:21 2,876,720 --a------ C:\mbam-setup.exe
2009-03-08 16:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 18:55 . 2009-03-07 18:55 <DIR> d-------- c:\program files\Common Files\DirectX
2009-03-07 01:27 . 2009-03-07 01:27 <DIR> d-------- C:\nDoors
2009-03-03 03:42 . 2009-03-03 03:42 <DIR> d-------- c:\program files\TweakCoH
2009-02-16 16:16 . 2009-02-16 16:16 <DIR> d-------- c:\documents and settings\owner\Application Data\InstallShield
2009-02-14 23:16 . 2009-02-14 23:16 <DIR> d-------- c:\program files\7-Zip
2009-02-14 18:52 . 2009-02-14 18:52 <DIR> d-------- c:\program files\Padus
2009-02-14 17:48 . 2007-11-30 17:23 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-14 17:48 . 2007-11-30 17:23 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-14 17:46 . 2009-02-14 17:46 <DIR> d-------- c:\program files\Logitech
2009-02-14 17:46 . 2009-02-14 17:46 <DIR> d-------- c:\program files\Common Files\Logitech
2009-02-14 17:46 . 2005-04-12 19:21 45,504 --a------ c:\windows\system32\drivers\WmXlCore.sys
2009-02-14 17:46 . 2005-04-12 19:21 22,240 --a------ c:\windows\system32\drivers\WmFilter.sys
2009-02-14 17:46 . 2005-04-12 19:21 10,144 --a------ c:\windows\system32\drivers\WmBEnum.sys
2009-02-14 17:46 . 2005-04-12 19:21 5,600 --a------ c:\windows\system32\drivers\WmVirHid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 11:57 --------- d-----w c:\program files\Taskbar Shuffle
2009-03-11 11:17 --------- d-----w c:\program files\City of Heroes
2009-03-11 02:53 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-11 02:30 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-03-10 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-10 09:20 --------- d-----w c:\documents and settings\owner\Application Data\LimeWire
2009-03-10 08:04 --------- d-----w c:\program files\eMule
2009-03-09 03:27 --------- d-----w c:\program files\BitComet
2009-03-07 09:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 04:28 --------- d-----w c:\program files\LimeWire
2009-02-09 23:09 --------- d-----w c:\documents and settings\owner\Application Data\IGN_DLM
2009-02-09 08:43 --------- d-----w c:\program files\Perfect World
2009-02-09 08:29 --------- d-----w c:\program files\Perfect World Entertainment
2009-02-09 05:51 --------- d-----w c:\documents and settings\owner\Application Data\GetRightToGo
2009-02-08 08:05 --------- d-----w c:\documents and settings\owner\Application Data\gtk-2.0
2009-02-06 23:38 --------- d-----w c:\program files\World of Warcraft
2009-02-04 09:56 --------- d-----w c:\documents and settings\owner\Application Data\OpenOffice.org2
2009-02-04 09:01 --------- d-----w c:\program files\GIMP-2.0
2009-02-02 05:45 --------- d-----w c:\program files\Oxin's Style!
2009-01-31 09:10 --------- d-----w c:\program files\Kotor Tool
2009-01-31 05:26 --------- d-----w c:\program files\LucasArts
2009-01-29 01:17 --------- d-----w c:\program files\QuickTime
2009-01-29 01:16 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-12 10:58 --------- d-----w c:\program files\VDOWNLOADER
2009-01-12 08:23 --------- d-----w c:\documents and settings\owner\Application Data\Apple Computer
2008-02-06 22:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008020620080207\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\system32\spupdsvc.exe ----
Company: Microsoft Corporation
File Description: Update RunOnce Service
File Version: 6.3.0013.0 built by: dnsrv
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: SPUPDSVC.EXE
MD5: 5329079d8726de34a58c2ef0bd2ac8b9


------- Sigcheck -------

2007-10-10 15:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2006-03-15 04:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 c:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 15:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\system32\wininet.dll
2007-10-10 15:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-12-01 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-11 185872]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-11-30 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-11-30 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-08-06 c:\windows\system32\VTTrayp.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-08 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KITCO]
c:\program files\Kitco\Kcast\Kcast [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25305:TCP"= 25305:TCP:BitComet 25305 TCP
"25305:UDP"= 25305:UDP:BitComet 25305 UDP
"46000:TCP"= 46000:TCP:emule1
"45000:UDP"= 45000:UDP:emule2
"20775:TCP"= 20775:TCP:BitComet 20775 TCP
"20775:UDP"= 20775:UDP:BitComet 20775 UDP
"27084:TCP"= 27084:TCP:BitComet 27084 TCP
"27084:UDP"= 27084:UDP:BitComet 27084 UDP
"22552:TCP"= 22552:TCP:Truxshare
"22552:UDP"= 22552:UDP:Truxshare

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-02-06 26488]
S3 apusbsnt;Sierra Wireless USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2008-03-10 40064]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04f955a-eefd-11dc-a3e4-0016ec6db682}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04f955b-eefd-11dc-a3e4-0016ec6db682}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\ln6m1qza.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 04:21:24
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-03-11 4:22:19
ComboFix-quarantined-files.txt 2009-03-11 12:22:17
ComboFix2.txt 2009-03-11 12:01:14

Pre-Run: 77,835,640,832 bytes free
Post-Run: 77,817,892,864 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
225 --- E O F --- 2008-07-29 20:55:51

#10 miekiemoes
Malware Response Team

Posted 11 March 2009 - 06:59 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#11 Primantis
Topic Starter

Posted 11 March 2009 - 07:04 AM

Alright, I'll leave my computer on overnight to see if I get any more threat detections from AVG, and let ya know how it turns out.

#12 miekiemoes
Malware Response Team

Posted 11 March 2009 - 07:09 AM

Hi,

As I said in one of my previous posts, please uninstall the AVG7 version you are having and install the AVG8 version.

#13 Primantis
Topic Starter

Posted 11 March 2009 - 06:04 PM

Looks like that took care of everything, thank you for your help :thumbup2:.

I installed AVG 8.5 as well.

#14 miekiemoes
Malware Response Team

Posted 11 March 2009 - 06:09 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes
Malware Response Team

Posted 16 March 2009 - 08:28 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.