
Vundo


  • This topic is locked
14 replies to this topic

#1 SBridges


Posted 11 March 2009 - 07:28 PM

With help in the 'Am I Infected' forum - I have run: ATF Cleaner, Super AntiSpyware Free, F-Secure Online Scanner, Malwarebytes Anti-Malware, and then VundoFix. All of them found things (Vundo) and cleaned them; VundoFix said it did not find anything. The other moderator asked that I post the HJT log here. (The original problem was an error during a BitDefender scan - C:\hp\bin\ProcessLogger.exe Deep Scan Generic Malware P!.5D10CE80) Thanks!
FYI - I am running SpectorPro in stealth mode

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:59:06.95 on Wed 03/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.169 [GMT -7:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1114143141\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [A00FD1286F.exe] c:\docume~1\owner\locals~1\temp\_A00FD1286F.exe
uRun: [RunDll] c:\windows\system32\rundll.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HostManager] c:\program files\common files\aol\1114143141\ee\AOLSoftware.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147990914296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\common files\microsoft shared\information retrieval\itss50.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvuvspQ
LSA: Notification Packages = :\windows\system32\srr

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2007-12-30 16855]
R0 movurme;movurme;c:\windows\system32\drivers\movurme.sys [2007-1-1 39296]
R0 pnpacbio;pnpacbio;c:\windows\system32\drivers\pnpacbio.sys [2007-4-23 38528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2007-12-30 21808]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 AVWUpSrv;AntiVir Update;c:\geeksquad\avpersonal\AVWUPSRV.EXE [2006-1-1 45096]

=============== Created Last 30 ================

2009-03-08 12:16 <DIR> --d----- c:\program files\Cobian Backup 9
2009-02-27 18:01 <DIR> --d----- C:\VundoFix Backups
2009-02-26 16:43 <DIR> --d----- C:\fsaua.data
2009-02-21 10:43 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-21 10:43 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-02-21 10:43 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 10:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 10:55 850 -------- c:\windows\system32\ProductTweaks.xml
2009-02-19 10:55 385 -------- c:\windows\system32\user_gensett.xml
2009-02-19 10:44 <DIR> --d----- c:\windows\system32\logs
2009-02-19 10:43 <DIR> --d----- c:\program files\BitDefender
2009-02-19 10:39 <DIR> --d----- c:\program files\common files\BitDefender
2009-02-10 20:03 <DIR> --d----- c:\windows\network diagnostic

==================== Find3M ====================

2009-02-21 11:30 81,984 -------- c:\windows\system32\bdod.bin
2009-02-10 20:39 525,520 -------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-01-01 16:14 4,119 -c------ c:\windows\viassary-hp.reg
2005-12-31 19:37 0 -c-sh--- c:\windows\sminst\HPCD.sys
2008-10-28 19:02 906,166 ---sh--- c:\windows\system32\Qpsvuvut.ini2

============= FINISH: 16:59:50.81 ===============


#2 KoanYorel


Posted 22 March 2009 - 10:58 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 SBridges


Posted 25 March 2009 - 01:29 PM

The computer just recently started this - on start up I get Adobe Gamma Loader.exe application error
(has encountered a problem and needs to close) -and- when shutting down I get End Program - rundll32.exe (end now or cancel). Should I just do a system restore and clean everything off?


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 11:15:54.98 on Wed 03/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.262 [GMT -7:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1114143141\ee\AOLSoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {42cb5cd5-77b7-6b48-2c94-108697784902}: {20948779-6801-49c2-84b6-7b775dc5bc24} - c:\windows\system32\mlpvxd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {daba30d9-ac35-4827-b8a0-d4ee39468135} - c:\windows\system32\valavuja.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [A00FD1286F.exe] c:\docume~1\owner\locals~1\temp\_A00FD1286F.exe
uRun: [RunDll] c:\windows\system32\rundll.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HostManager] c:\program files\common files\aol\1114143141\ee\AOLSoftware.exe
mRun: [pinosokivu] Rundll32.exe "c:\windows\system32\wafofozu.dll",s
mRun: [60c103d4] rundll32.exe "c:\windows\system32\pezatehe.dll",b
mRun: [CPM63f23048] Rundll32.exe "c:\windows\system32\kewevuro.dll",a
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147990914296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\common files\microsoft shared\information retrieval\itss50.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\nijufuvu.dll c:\windows\system32\kewevuro.dll mlpvxd.dll c:\windows\system32\sabobosu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kewevuro.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kewevuro.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvuvspQ
LSA: Notification Packages = :\windows\system32\srr c:\windows\system32\nijufuvu.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2007-12-30 16855]
R0 movurme;movurme;c:\windows\system32\drivers\movurme.sys [2007-1-1 39296]
R0 pnpacbio;pnpacbio;c:\windows\system32\drivers\pnpacbio.sys [2007-4-23 38528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2007-12-30 21808]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 AVWUpSrv;AntiVir Update;c:\geeksquad\avpersonal\AVWUPSRV.EXE [2006-1-1 45096]

=============== Created Last 30 ================

2009-03-25 11:06 3,291,622 ---sh--- c:\windows\system32\ehetazep.ini
2009-03-25 09:07 128,512 a--sh--- c:\windows\system32\mlpvxd.dll
2009-03-24 21:01 3,317,528 ---sh--- c:\windows\system32\ulokufiw.ini
2009-03-24 21:00 128,000 a--sh--- c:\windows\system32\mlcskc.dll
2009-03-24 09:00 3,317,528 ---sh--- c:\windows\system32\odekikag.ini
2009-03-24 08:59 129,024 a--sh--- c:\windows\system32\zlzmue.dll
2009-03-23 21:06 1,401,255 ---sh--- c:\windows\system32\oziwufey.ini
2009-03-23 20:59 129,024 a--sh--- c:\windows\system32\avjtma.dll
2009-03-23 11:20 1,401,251 ---sh--- c:\windows\system32\epitoruv.ini
2009-03-23 08:59 128,000 a--sh--- c:\windows\system32\jdnpha.dll
2009-03-22 15:04 1,791,169 ---sh--- c:\windows\system32\ohiyijup.ini
2009-03-22 15:03 127,488 a--sh--- c:\windows\system32\zvhfqt.dll
2009-03-21 13:45 1,791,169 ---sh--- c:\windows\system32\udegevib.ini
2009-03-21 13:45 129,536 a--sh--- c:\windows\system32\trasnn.dll
2009-03-20 19:20 1,791,160 ---sh--- c:\windows\system32\ukudafej.ini
2009-03-20 19:19 127,488 a--sh--- c:\windows\system32\tijyuj.dll
2009-03-08 12:16 <DIR> --d----- c:\program files\Cobian Backup 9
2009-02-27 18:01 <DIR> --d----- C:\VundoFix Backups
2009-02-26 16:43 <DIR> --d----- C:\fsaua.data

==================== Find3M ====================

2009-03-25 09:07 128,512 a--sh--- c:\windows\system32\feluniko.dll
2009-03-25 09:07 94,720 a--sh--- c:\windows\system32\sabobosu.dll
2009-03-25 09:07 89,088 a--sh--- c:\windows\system32\pezatehe.dll
2009-03-24 21:00 128,000 a--sh--- c:\windows\system32\nakofubu.dll
2009-03-24 21:00 94,720 a--sh--- c:\windows\system32\kewevuro.dll
2009-03-24 21:00 89,600 a--sh--- c:\windows\system32\wifukolu.dll
2009-03-24 08:59 90,624 -------- c:\windows\system32\gakikedo.dll
2009-03-24 08:59 129,024 a--sh--- c:\windows\system32\fopihofu.dll
2009-03-24 08:59 94,208 a--sh--- c:\windows\system32\nasikaje.dll
2009-03-23 20:59 129,024 a--sh--- c:\windows\system32\revubize.dll
2009-03-23 20:59 96,256 a--sh--- c:\windows\system32\rokesoza.dll
2009-03-23 08:59 128,000 a--sh--- c:\windows\system32\bubedena.dll
2009-03-23 08:59 94,208 a--sh--- c:\windows\system32\perosaro.dll
2009-03-22 15:03 96,256 a--sh--- c:\windows\system32\gudasene.dll
2009-03-22 15:03 127,488 a--sh--- c:\windows\system32\dukotibe.dll
2009-03-22 15:03 90,112 a--sh--- c:\windows\system32\pujiyiho.dll
2009-03-21 13:45 129,536 a--sh--- c:\windows\system32\gefuvura.dll
2009-03-21 13:45 95,232 a--sh--- c:\windows\system32\jeyiniyo.dll
2009-03-21 13:45 90,624 a--sh--- c:\windows\system32\bivegedu.dll
2009-03-20 19:20 94,720 a--sh--- c:\windows\system32\bebutepo.dll
2009-03-20 19:19 127,488 a--sh--- c:\windows\system32\jimekaju.dll
2009-02-21 11:30 81,984 -------- c:\windows\system32\bdod.bin
2009-02-11 11:19 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-02-10 20:39 525,520 -------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-02-09 03:19 1,846,272 -------- c:\windows\system32\win32k.sys
2009-01-01 16:14 4,119 -c------ c:\windows\viassary-hp.reg
2005-12-31 19:37 0 -c-sh--- c:\windows\sminst\HPCD.sys
0000-00-00 00:00 59,392 a--sh--- c:\windows\system32\nijufuvu.dll
2008-10-28 19:02 906,166 ---sh--- c:\windows\system32\Qpsvuvut.ini2
0000-00-00 00:00 59,392 a--sh--- c:\windows\system32\valavuja.dll
0000-00-00 00:00 59,392 a--sh--- c:\windows\system32\wafofozu.dll

============= FINISH: 11:17:50.68 ===============
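Added example (editor's code, not part of this thread and not code from DDS, ComboFix, GMER or any BleepingComputer tool): a small Python triage script that reads lines in the DDS "Pseudo HJT Report" and file-listing formats shown in the log above and flags the Vundo pattern visible there, namely 6-8 letter lowercase random DLL names under system32, hidden+system attributes on freshly dropped files, a populated AppInit_DLLs value, an extra LSA Notification Package, rundll32 Run entries calling a one-letter export, and nameless BHOs. It then cross-references each random-named DLL against the load points that reference it. The sample lines are copied from the log above (plus a few benign entries from the same log); the naming heuristic and rule thresholds are the editor's assumptions tuned to this thread, not a general-purpose detector.

```python
import re

# Constructed sample input: lines copied from the DDS log above, plus a few
# benign entries (hpsysdrv, NvCpl, ssv.dll, WPDShServiceObj, bdod.bin) so the
# rules have something to leave alone.
SAMPLE_DDS_LINES = [
    r"mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r'mRun: [pinosokivu] Rundll32.exe "c:\windows\system32\wafofozu.dll",s',
    r'mRun: [CPM63f23048] Rundll32.exe "c:\windows\system32\kewevuro.dll",a',
    r"BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll",
    r"BHO: {daba30d9-ac35-4827-b8a0-d4ee39468135} - c:\windows\system32\valavuja.dll",
    r"AppInit_DLLs: c:\windows\system32\nijufuvu.dll c:\windows\system32\kewevuro.dll mlpvxd.dll c:\windows\system32\sabobosu.dll",
    r"SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll",
    r"SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kewevuro.dll",
    r"STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kewevuro.dll",
    r"LSA: Notification Packages = :\windows\system32\srr c:\windows\system32\nijufuvu.dll",
    r"2009-03-25 09:07 128,512 a--sh--- c:\windows\system32\mlpvxd.dll",
    r"2009-03-24 21:00 94,720 a--sh--- c:\windows\system32\kewevuro.dll",
    r"2009-02-21 11:30 81,984 -------- c:\windows\system32\bdod.bin",
    r"0000-00-00 00:00 59,392 a--sh--- c:\windows\system32\nijufuvu.dll",
]

# DDS file-listing line: date time size attrs path (attrs is 8 chars, e.g. a--sh---)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|<DIR>) ([-a-z]{8}) (.+)$")
# Every DLL reference on a line, with or without a leading drive path; group 1 is the bare name.
DLL_REF = re.compile(r'(?:[a-z]:\\[^\s",]*\\)?([A-Za-z0-9_]+)\.dll\b', re.I)
# uRun/mRun entry that hands rundll32 a quoted DLL and a one-letter export, as in the log.
RUNDLL_ONE_LETTER = re.compile(r'^[um]Run: .*rundll32\.exe\s+"[^"]+\.dll",[a-z]\s*$', re.I)


def looks_random(name):
    """Heuristic (assumption, tuned to this thread): the dropped Vundo DLLs are
    6 to 8 lowercase letters with no digits or mixed case."""
    return 6 <= len(name) <= 8 and name.isalpha() and name.islower()


def triage_line(line):
    """Return the list of reasons a single DDS line deserves a look (empty if none)."""
    reasons = []
    random_names = [n for n in DLL_REF.findall(line) if looks_random(n)]
    m = FILE_LINE.match(line)
    if m:
        attrs, path = m.group(4), m.group(5)
        if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
            reasons.append("hidden+system file in system32")
        if random_names:
            reasons.append("random-looking DLL name: " + ", ".join(random_names))
        return reasons
    if random_names:
        reasons.append("random-looking DLL at load point: " + ", ".join(random_names))
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated (injected into every user32 process)")
    if line.startswith("LSA: Notification Packages") and ".dll" in line.lower():
        reasons.append("extra LSA notification package (loaded by lsass)")
    if RUNDLL_ONE_LETTER.match(line):
        reasons.append("rundll32 Run entry calling a one-letter export")
    if line.startswith("BHO: {") and "\\system32\\" in line.lower():
        reasons.append("nameless BHO loaded from system32")
    return reasons


def triage(lines):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    return {line: r for line in lines if (r := triage_line(line))}


def correlate(lines):
    """For each random-named DLL: which load points reference it, and whether the
    file listing shows it as hidden+system on disk. A name that is both referenced
    from a persistence point and hidden on disk is the strongest signal."""
    report = {}
    for line in lines:
        names = [n for n in DLL_REF.findall(line) if looks_random(n)]
        if not names:
            continue
        m = FILE_LINE.match(line)
        for n in names:
            entry = report.setdefault(n, {"load_points": [], "hidden_on_disk": False})
            if m:
                attrs = m.group(4)
                entry["hidden_on_disk"] = "s" in attrs and "h" in attrs
            else:
                point = line.split(":", 1)[0]  # "mRun", "AppInit_DLLs", "LSA", ...
                if point not in entry["load_points"]:
                    entry["load_points"].append(point)
    return report


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS_LINES).items():
        print(line)
        for r in reasons:
            print("    ->", r)
    print()
    for name, info in correlate(SAMPLE_DDS_LINES).items():
        print(f"{name}.dll: load points={info['load_points']} hidden_on_disk={info['hidden_on_disk']}")
```

Run against a full DDS log by splitting it into lines and passing them to `triage()` and `correlate()`; on the log above, kewevuro.dll comes out referenced from mRun, AppInit_DLLs, SSODL and STS while also sitting hidden+system in system32, which is the combination a helper would act on first. The name heuristic will miss DLLs that do not follow this thread's 6-8 lowercase-letter pattern, so treat it as a triage aid rather than a verdict.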


#4 PropagandaPanda


Posted 25 March 2009 - 02:47 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Please do not use the System Restore.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 SBridges


Posted 28 March 2009 - 03:36 PM

I have done nothing to the computer except what I was asked to do by 'bleepingcomputer'. I don't know if I ran the GMER scan correctly, I never saw the 'select - extract all' option? Oh, I just tried to attach the gmer log and it failed saying - the file was larger than the available space. Please let me know what to do about that. THANK YOU



ComboFix 09-03-27.02 - Owner 2009-03-28 8:21:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.262 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
* Created a new restore point

Manual Fix is required for restoring CommonStartup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\1cb
c:\temp\sanR24
c:\temp\sanR24\lDii.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\abomayuw.ini
c:\windows\system32\avjtma.dll
c:\windows\system32\bebutepo.dll
c:\windows\system32\bivegedu.dll
c:\windows\system32\boyesofo.dll
c:\windows\system32\bubedena.dll
c:\windows\system32\byqiwi.dll
c:\windows\system32\c4
c:\windows\system32\dasofupu.dll
c:\windows\system32\dukotibe.dll
c:\windows\system32\ehetazep.ini
c:\windows\system32\epitoruv.ini
c:\windows\system32\eyupajoy.ini
c:\windows\system32\feluniko.dll
c:\windows\system32\fopihofu.dll
c:\windows\system32\funeroga.dll
c:\windows\system32\gakikedo.dll
c:\windows\system32\gefuvura.dll
c:\windows\system32\gudasene.dll
c:\windows\system32\ietsfz.dll
c:\windows\system32\jdnpha.dll
c:\windows\system32\jeyiniyo.dll
c:\windows\system32\jimekaju.dll
c:\windows\system32\kewevuro.dll
c:\windows\system32\kivumolo.dll
c:\windows\system32\lilayeti.dll
c:\windows\system32\mlcskc.dll
c:\windows\system32\mlpvxd.dll
c:\windows\system32\nakofubu.dll
c:\windows\system32\nasikaje.dll
c:\windows\system32\nijufuvu.dll
c:\windows\system32\nusoyeta.dll
c:\windows\system32\odekikag.ini
c:\windows\system32\ohiyijup.ini
c:\windows\system32\oziwufey.ini
c:\windows\system32\perosaro.dll
c:\windows\system32\pujiyiho.dll
c:\windows\system32\Qpsvuvut.ini
c:\windows\system32\Qpsvuvut.ini2
c:\windows\system32\r2
c:\windows\system32\revubize.dll
c:\windows\system32\rokesoza.dll
c:\windows\system32\sabobosu.dll
c:\windows\system32\spesggfw.ini
c:\windows\system32\tijyuj.dll
c:\windows\system32\trasnn.dll
c:\windows\system32\udegevib.ini
c:\windows\system32\ukudafej.ini
c:\windows\system32\ulokufiw.ini
c:\windows\system32\upufosad.ini
c:\windows\system32\valavuja.dll
c:\windows\system32\wafofozu.dll
c:\windows\system32\wifukolu.dll
c:\windows\system32\x3
c:\windows\system32\zlzmue.dll
c:\windows\system32\zvhfqt.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC
-------\Legacy_ZESOFT
-------\Service_PCIDump


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-26 21:09 . 2009-03-26 21:09 5,202 ---hs---- c:\windows\system32\joludune.dll
2009-03-08 12:16 . 2009-03-08 12:17 <DIR> d-------- c:\program files\Cobian Backup 9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 21:27 --------- d-----w c:\program files\TurboTax
2009-02-22 21:26 --------- d-----w c:\program files\ItsDeductible2005
2009-02-22 21:25 --------- d-----w c:\program files\MAIET
2009-02-21 18:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 18:32 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-21 18:32 --------- d-----w c:\program files\BitDefender
2009-02-21 17:43 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-21 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-12 06:00 --------- d-----w c:\program files\Common Files\Softwin
2009-02-12 05:43 --------- d-----w c:\program files\Common Files\AOL
2009-02-12 05:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-02-11 18:19 38,496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ------w c:\windows\system32\drivers\mbam.sys
2009-01-01 23:14 4,119 -c----w c:\windows\viassary-hp.reg
2006-01-01 02:37 0 -csh--w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-13 233472]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]
"HostManager"="c:\program files\Common Files\AOL\1114143141\ee\AOLSoftware.exe" [2008-06-24 41824]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 17:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"VIDC.NSVI"= nsvideo.dll

[HKLM\~\startupfolder\^ml1.srt]
path=\ml1.srt

[HKLM\~\startupfolder\^ml2.srt]
path=\ml2.srt

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKLM\~\startupfolder\^tempdiff.txt]
path=\tempdiff.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2006-09-14 08:55 61440 c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r------- 2006-10-23 05:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--------- 2008-06-24 11:34 41824 c:\program files\Common Files\AOL\1114143141\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]
--------- 2003-06-11 02:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--------- 2003-06-11 02:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\ipmon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2008-09-10 18:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2006-06-01 18:22 7618560 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--------- 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2006-06-01 18:22 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"AVWUpSrv"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21317:TCP"= 21317:TCP:PORT_21317
"5716:TCP"= 5716:TCP:PORT_5716
"21226:TCP"= 21226:TCP:PORT_21226
"44766:TCP"= 44766:TCP:PORT_44766
"6864:TCP"= 6864:TCP:PORT_6864
"46713:TCP"= 46713:TCP:PORT_46713
"19897:TCP"= 19897:TCP:PORT_19897
"49551:TCP"= 49551:TCP:PORT_49551
"56108:TCP"= 56108:TCP:Pando Media Booster
"56108:UDP"= 56108:UDP:Pando Media Booster

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2007-12-30 16855]
R0 movurme;movurme;c:\windows\system32\drivers\movurme.sys [2007-01-01 39296]
R0 pnpacbio;pnpacbio;c:\windows\system32\drivers\pnpacbio.sys [2007-04-23 38528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2007-12-30 21808]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 SGUARD;SGUARD;\??\c:\windows\System32\drivers\SGuard.sys --> c:\windows\System32\drivers\SGuard.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 AVWUpSrv;AntiVir Update;c:\geeksquad\AVPersonal\AVWUPSRV.EXE [2006-01-01 45096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88313a7-86a8-11dc-b9a1-00038a000015}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall
.
- - - - ORPHANS REMOVED - - - -

BHO-{8923d12d-aa8b-483b-9baf-08b7c914a6c5} - c:\windows\system32\byqiwi.dll
BHO-{daba30d9-ac35-4827-b8a0-d4ee39468135} - c:\windows\system32\valavuja.dll
ShellIconOverlayIdentifiers-{364D81FB-8165-FAE7-8686-68741886C2B8} - c:\windows\system32\mtxpxrhd.dIl
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-60c103d4 - c:\windows\system32\yojapuye.dll
HKLM-Run-VTTimer - VTTimer.exe
MSConfigStartUp-PS2 - c:\windows\system32\ps2.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss50.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 08:30:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\engewapp.exe 6352896 bytes executable
c:\windows\system32\inuluri.dll 344064 bytes executable
c:\windows\system32\rasinbro.dll 819200 bytes executable
c:\windows\system32\webipip.dll 562005 bytes
c:\windows\system32\baterad
c:\windows\system32\batudmp4.dll 105 bytes
c:\windows\system32\x32ofvoc.dll 221184 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\America Online 9.0a\waol.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
c:\program files\America Online 9.0a\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-03-28 8:39:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 15:39:04

Pre-Run: 86,396,297,216 bytes free
Post-Run: 88,779,276,288 bytes free

286 --- E O F --- 2009-03-28 15:33:43

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 28 March 2009 - 06:38 PM

Hello.

Let's finish that off.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    Rootkit::
    c:\windows\system32\engewapp.exe
    c:\windows\system32\inuluri.dll
    c:\windows\system32\rasinbro.dll
    c:\windows\system32\webipip.dll
    c:\windows\system32\baterad
    c:\windows\system32\batudmp4.dll
    c:\windows\system32\x32ofvoc.dll
    
    File::
    c:\windows\system32\joludune.dll
    c:\windows\system32\drivers\movurme.sys
    c:\windows\system32\drivers\pnpacbio.sys 
    
    Driver::
    movurme
    pnpacbio
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run Malwarebytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing Malwarebytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Update Java to Version 6 Update 13
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Please give me an update on the symptoms.

With Regards,
The Panda
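
The two posts above show the working pattern of this thread: the ComboFix log in post #5 lists the files catchme found hidden and the Security Center values that were switched off, and post #6 turns that hidden-file list into a CFScript. The Python below is an added example, not part of ComboFix or of the thread; it parses those two log sections and renders a script in the same directive layout (KILLALL::, Rootkit::, File::, Driver::). SAMPLE_LOG is a constructed excerpt that copies the log's layout with sample paths; the Security Center value names are the real Windows XP SP2 ones.

```python
"""Triage helpers for ComboFix logs in the layout seen in this thread (added example)."""
import re

# Constructed excerpt in the layout of the ComboFix log posted above.
# Paths and values are sample data, not a real machine's output.
SAMPLE_LOG = r"""ComboFix 09-03-27.02 - Owner 2009-03-28 8:21:46.2 - NTFSx86

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\engewapp.exe 6352896 bytes executable
c:\windows\system32\webipip.dll 562005 bytes
c:\windows\system32\baterad
c:\windows\system32\batudmp4.dll 105 bytes

scan completed successfully
hidden files: 4
"""

SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"

# Security Center values that malware sets to 1 to silence the XP SP2
# "antivirus off / updates off" balloon; these are the real value names.
SUPPRESSION_VALUES = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
    "AntiVirusOverride",
    "FirewallOverride",
)

# catchme prints "<path> <size> bytes [executable]"; size may be absent.
HIDDEN_FILE_RE = re.compile(
    r"^(?P<path>.+?)(?:\s+(?P<size>\d+) bytes(?P<exe> executable)?)?$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def security_center_values(log: str) -> dict:
    """Return the dword values the log lists under the Security Center key."""
    values = {}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() != SECURITY_CENTER_KEY:
            continue
        for entry in lines[i + 1:]:
            m = DWORD_RE.match(entry.strip())
            if not m:  # a blank line or the next [key] ends the block
                break
            values[m.group("name")] = int(m.group("hex"), 16)
        break
    return values


def suppressed_notifications(log: str) -> list:
    """Names of the Security Center notifications the log shows switched off."""
    values = security_center_values(log)
    return [name for name in SUPPRESSION_VALUES if values.get(name, 0) == 1]


def hidden_files(log: str) -> list:
    """Parse the catchme 'scanning hidden files' block into (path, size, is_exe)."""
    found = []
    in_block = False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.startswith("scanning hidden files"):
            in_block = True
            continue
        if not in_block:
            continue
        if stripped.startswith("scan completed"):
            break
        if not stripped:
            continue
        m = HIDDEN_FILE_RE.match(stripped)
        size = int(m.group("size")) if m.group("size") else None
        found.append((m.group("path"), size, m.group("exe") is not None))
    return found


def build_cfscript(rootkit_paths, file_paths=(), driver_names=()) -> str:
    """Render a CFScript in the directive layout shown in post #6."""
    sections = ["KILLALL::"]
    if rootkit_paths:
        sections.append("Rootkit::\n" + "\n".join(rootkit_paths))
    if file_paths:
        sections.append("File::\n" + "\n".join(file_paths))
    if driver_names:
        sections.append("Driver::\n" + "\n".join(driver_names))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print("suppressed:", suppressed_notifications(SAMPLE_LOG))
    paths = [path for path, _, _ in hidden_files(SAMPLE_LOG)]
    print(build_cfscript(paths, [r"c:\windows\system32\joludune.dll"], ["movurme"]))
```

The suppressed-notification check is the detection-side reading of the same registry block that Malwarebytes later flags as Disabled.SecurityCenter further down this thread; the generated script is only a starting point, and a helper still reviews every path before it is dropped onto ComboFix.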

#7 SBridges

SBridges
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 28 March 2009 - 11:05 PM

This is the combofix with cfscript log -
I'm on to the next step.

ComboFix 09-03-27.02 - Owner 2009-03-28 20:44:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.255 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
* Created a new restore point

Manual Fix is required for restoring CommonStartup

FILE ::
c:\windows\system32\drivers\movurme.sys
c:\windows\system32\drivers\pnpacbio.sys
c:\windows\system32\joludune.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\batudmp4.dll
c:\windows\system32\drivers\movurme.sys
c:\windows\system32\drivers\pnpacbio.sys
c:\windows\system32\engewapp.exe
c:\windows\system32\inuluri.dll
c:\windows\system32\joludune.dll
c:\windows\system32\rasinbro.dll
c:\windows\system32\webipip.dll
c:\windows\system32\x32ofvoc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MOVURME
-------\Legacy_PNPACBIO
-------\Service_movurme
-------\Service_pnpacbio


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-08 12:16 . 2009-03-08 12:17 <DIR> d-------- c:\program files\Cobian Backup 9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 21:27 --------- d-----w c:\program files\TurboTax
2009-02-22 21:26 --------- d-----w c:\program files\ItsDeductible2005
2009-02-22 21:25 --------- d-----w c:\program files\MAIET
2009-02-21 18:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 18:32 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-21 18:32 --------- d-----w c:\program files\BitDefender
2009-02-21 17:43 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-21 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-12 06:00 --------- d-----w c:\program files\Common Files\Softwin
2009-02-12 05:43 --------- d-----w c:\program files\Common Files\AOL
2009-02-12 05:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-02-11 18:19 38,496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ------w c:\windows\system32\drivers\mbam.sys
2009-01-01 23:14 4,119 -c----w c:\windows\viassary-hp.reg
2006-01-01 02:37 0 -csh--w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_ 8.38.12.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-28 14:57:10 32,768 -c----w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-28 19:56:24 32,768 -c----w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-28 14:57:10 32,768 -c----w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-28 19:56:24 32,768 -c----w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-04-16 15:52:53 187,517 ----a-w c:\windows\system32\popipbat32.dll
+ 2007-04-16 15:52:53 187,951 ----a-w c:\windows\system32\popipbat32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-13 233472]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]
"HostManager"="c:\program files\Common Files\AOL\1114143141\ee\AOLSoftware.exe" [2008-06-24 41824]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 17:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"VIDC.NSVI"= nsvideo.dll

[HKLM\~\startupfolder\^ml1.srt]
path=\ml1.srt

[HKLM\~\startupfolder\^ml2.srt]
path=\ml2.srt

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKLM\~\startupfolder\^tempdiff.txt]
path=\tempdiff.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2006-09-14 08:55 61440 c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r------- 2006-10-23 05:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--------- 2008-06-24 11:34 41824 c:\program files\Common Files\AOL\1114143141\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]
--------- 2003-06-11 02:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--------- 2003-06-11 02:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\ipmon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2008-09-10 18:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2006-06-01 18:22 7618560 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--------- 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2006-06-01 18:22 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"AVWUpSrv"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21317:TCP"= 21317:TCP:PORT_21317
"5716:TCP"= 5716:TCP:PORT_5716
"21226:TCP"= 21226:TCP:PORT_21226
"44766:TCP"= 44766:TCP:PORT_44766
"6864:TCP"= 6864:TCP:PORT_6864
"46713:TCP"= 46713:TCP:PORT_46713
"19897:TCP"= 19897:TCP:PORT_19897
"49551:TCP"= 49551:TCP:PORT_49551
"56108:TCP"= 56108:TCP:Pando Media Booster
"56108:UDP"= 56108:UDP:Pando Media Booster

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2007-12-30 16855]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2007-12-30 21808]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 SGUARD;SGUARD;\??\c:\windows\System32\drivers\SGuard.sys --> c:\windows\System32\drivers\SGuard.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 AVWUpSrv;AntiVir Update;c:\geeksquad\AVPersonal\AVWUPSRV.EXE [2006-01-01 45096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88313a7-86a8-11dc-b9a1-00038a000015}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss50.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 20:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\America Online 9.0a\waol.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\America Online 9.0a\shellmon.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-28 20:59:41 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-29 03:59:38
ComboFix2.txt 2009-03-28 15:39:08

Pre-Run: 88,871,612,416 bytes free
Post-Run: 88,890,445,824 bytes free

226 --- E O F --- 2009-03-28 15:33:43

#8 SBridges

SBridges
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 29 March 2009 - 12:16 AM

Here is the other log:

Malwarebytes' Anti-Malware 1.35
Database version: 1913
Windows 5.1.2600 Service Pack 2

3/28/2009 10:08:35 PM
mbam-log-2009-03-28 (22-08-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 262554
Time elapsed: 50 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\byqiwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\funeroga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nusoyeta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP840\A0320842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP841\A0320932.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP841\A0320940.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP841\A0320956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kivumolo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.

Thank you for your help!

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 29 March 2009 - 09:54 AM

Hello.

Download this file to your desktop. Right click the file and select Extract All.

Double click the registry file that was extracted.

You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Please run ComboFix with this script:
http://www.bleepingcomputer.com/forums/t/210397/vundo/

Suspect::[59]
c:\windows\system32\popipbat32.dll


Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Tell me how it goes.

With Regards,
The Panda

#10 SBridges

SBridges
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 29 March 2009 - 03:43 PM

Hello panda - For some reason combofix will not run with the script from the last post? When I drag it into it, it starts up but then gives an error "CFScript Name Error - Were you trying to run CFScript? - The name CFScript appears to be incorrectly spelt." with the options of X or OK. Clicking on either one closes combofix. What would you like me to do? Also, would you please recommend good virus/malware program(s) to use when we are done. Thanks

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 29 March 2009 - 08:00 PM

Hello.

We'll work without it then.

Submit File to Online Scanner
There is a file that I would like you to check out for me using VirusTotal/VirSCAN.
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\popipbat32.dll
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
--
Then, double click ComboFix again to run it and post back the log.

With Regards,
The Panda

#12 SBridges

SBridges
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 02 April 2009 - 11:20 AM

VirusTotal online scanner log is attached


#13 SBridges

SBridges
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 02 April 2009 - 12:36 PM

Panda - The combofix log is too big, it will not copy over or upload?

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 02 April 2009 - 03:03 PM

Hello.

Upload it to me here. Say that the file was too large in the comments.

Post back here when it is uploaded please.

With Regards,
The Panda

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 10 April 2009 - 07:12 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
