Vundo, Seneka, ... oh my! Can't enable firewall too?


This topic is locked
14 replies to this topic

#1 pesci

Posted 20 March 2009 - 07:28 AM

Hi folks. I first noticed problems on my PC when I got the fake antispyware apps pop up on my PC. I then ran malwarebytes and thought I'd got rid of them but they came back a few weeks later. I loaded Spybot S&D and Superantispyware and they all seemed to find different problems such as Vundo, Virtumonde, etc. Every time I scan and clean and then re-scan something else appears. The last time it was Seneka rootkit. Following this forum's guidelines I also tried to enable my windows internet firewall but it is grayed out for enabling, don't know if that is another spyware issue. I have installed and run OneCare, maybe that stops me using the windows firewall.

I've included the DDS and hijackthis logs below - thanks!

DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by McDonagh at 7:58:37.56 on Fri 03/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1439 [GMT -4:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\Defrag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\McDonagh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.yahoo.com/i/716
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo R260 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibna.exe /fu "c:\windows\temp\E_S34C.tmp" /EF "HKCU"
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [AdobeBridge]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.15\AsRunHelp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\mcdonagh\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: com,llnwd.net,rhap\listen.com,%20real
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168575371171
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232543151906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CBFF31B5-91C0-4361-98BD-4C56D0F9CDAC} - hxxp://www.betterphoto.com/_shared/uploadImageDragDrop46/DragAndDropUploader2.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - hxxp://www.betterphoto.com/_shared/uploadImageDragDrop/DragAndDropUploader2.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-2-12 26104]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-9-7 14416]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 xdduahhcz;xdduahhcz;\??\c:\windows\system32\drivers\yalknjcvzvzdrm.sys --> c:\windows\system32\drivers\yalknjcvzvzdrm.sys [?]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-9-7 44344]

=============== Created Last 30 ================

2009-03-19 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-19 23:02 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-19 22:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-19 22:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-19 22:29 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-03-19 22:29 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-03-19 22:28 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-03-19 22:24 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-03-19 21:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-19 21:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-19 21:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-19 21:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-19 21:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-19 21:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-19 21:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-19 21:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-19 20:03 <DIR> --d----- c:\program files\Trend Micro
2009-03-19 19:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-19 19:13 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\SUPERAntiSpyware.com
2009-03-19 18:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-19 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-19 17:22 0 a------- c:\windows\system32\nfr.assembly
2009-03-19 17:10 1 a------- c:\windows\9g234sdfdfgjf23
2009-03-19 17:10 2 ----h--- c:\windows\t55ft2951f44.dat
2009-03-09 20:36 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\LEGO Company
2009-03-09 20:36 <DIR> --d----- c:\program files\LEGO Company

==================== Find3M ====================

2009-03-18 19:48 36,086 a------- c:\docume~1\mcdonagh\applic~1\wklnhst.dat
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-21 09:25 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-23 22:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2007-05-07 23:30 31,240 a------- c:\docume~1\mcdonagh\applic~1\GDIPFONTCACHEV1.DAT
2006-06-23 02:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 7:59:30.48 ===============



hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:48 AM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/i/716
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S34C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: listen.com,%20real.com,llnwd.net,rhap
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168575371171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232543151906
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/act...geUploader3.cab
O16 - DPF: {CBFF31B5-91C0-4361-98BD-4C56D0F9CDAC} (Drag and Drop Uploader Control) - http://www.betterphoto.com/_shared/uploadI...opUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} (Drag and Drop Uploader Control) - http://www.betterphoto.com/_shared/uploadI...opUploader2.cab
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9202 bytes

Attached File: Attach.txt (8.1KB)
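As an added example (not part of this thread and not code from the DDS tool), a small Python triage pass over the DDS log format posted above. It flags the three kinds of entries a helper reads first: services or drivers whose file DDS could not verify (the `[?]` / `-->` markers), Run values that start a bare file name with no path, and files dropped straight into the Windows folder that are hidden or have no extension. The sample lines are copied from the log above as a constructed excerpt; the `Finding` type, the regexes and the heuristics are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted above (a constructed
# excerpt, not a full log), mixing benign entries with the ones that stand out.
SAMPLE_DDS = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 xdduahhcz;xdduahhcz;\??\c:\windows\system32\drivers\yalknjcvzvzdrm.sys --> c:\windows\system32\drivers\yalknjcvzvzdrm.sys [?]
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [nwiz] nwiz.exe /install
dRun: [msiexec.exe] msiconf.exe
uRun: [AdobeBridge]
2009-03-19 17:22 0 a------- c:\windows\system32\nfr.assembly
2009-03-19 17:10 1 a------- c:\windows\9g234sdfdfgjf23
2009-03-19 17:10 2 ----h--- c:\windows\t55ft2951f44.dat
2009-03-09 20:36 <DIR> --d----- c:\program files\LEGO Company
"""


@dataclass
class Finding:
    kind: str      # "service", "run" or "file"
    subject: str   # service name, Run value name, or file path
    reason: str


# "R1 name;display;path [date size]"  or  "S2 name;display;path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")
# "uRun: [value] command"  (u = HKCU, m = HKLM, d = default/SYSTEM user hives)
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s*(.*)$")
# "YYYY-MM-DD HH:MM size attrs path" from the "Created Last 30" section
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")

HIVE = {"u": "HKCU", "m": "HKLM", "d": "the Default/SYSTEM user hive"}
WINDIR = "c:\\windows\\"


def first_executable(command: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage_dds(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()

        m = SERVICE_RE.match(line)
        if m:
            state, name, path_info = m.groups()
            # DDS prints "[?]" (and a "-->" redirect) when it cannot find or
            # verify the binary behind a service; a randomly named S2 driver
            # with no verifiable file is typical rootkit residue.
            if path_info.endswith("[?]") or "-->" in path_info:
                findings.append(Finding("service", name,
                    f"{state} service with unverifiable file: {path_info}"))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, value, command = m.groups()
            exe = first_executable(command)
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not tell you which file actually runs.
            if exe and "\\" not in exe and ":" not in exe:
                findings.append(Finding("run", value,
                    f"bare file name {exe!r} started from {HIVE[hive]} Run"))
            continue

        m = CREATED_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            if size == "<DIR>":
                continue
            low = path.lower()
            rest = low[len(WINDIR):] if low.startswith(WINDIR) else None
            # Files dropped directly into the Windows folder (not a subfolder)
            # that are hidden or have no extension deserve a closer look.
            if rest is not None and "\\" not in rest and (
                    "h" in attrs or "." not in rest):
                findings.append(Finding("file", path,
                    f"{size}-byte file in the Windows folder, attributes {attrs}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.kind:8} {f.subject}: {f.reason}")
```

The bare-name check will also flag legitimate entries such as `nwiz.exe`, so treat its output as a worklist for verification, not a verdict.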


#2 syler (Malware Response Team)

Posted 21 March 2009 - 02:15 PM

Hi pesci,

My name is Syler and I will be helping you to clean your computer, please give me some time to look over your logs and I will get back to you as soon as possible.

Thanks



#3 pesci (Topic Starter)

Posted 21 March 2009 - 09:21 PM

Hi Syler, thanks for taking the time to look, I really appreciate it. At the moment I'm not seeing anything reported when I run Malwarebytes, Search&Destroy or Superantispyware and OneCare - so maybe I did clean it? Seeing as some rootkit objects were previously reported I am worried if it is really clean though.

#4 syler (Malware Response Team)

Posted 22 March 2009 - 06:26 AM

Hello Pesci,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you still want to try and clean it please follow the instructions below.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Next

Please download Malwarebytes' Anti-Malware from Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
  • Then post back with DDS.txt.
Can you also tell me if you know anything about these sites being placed in your Internet Explorer trusted zone?

O15 - Trusted Zone: listen.com,%20real.com,llnwd.net,rhap
O15 - Trusted Zone: http://*.turbotax.com

Please answer my question and post back with:
  • Report.txt
  • MBAM log
  • DDS.txt



#5 pesci (Topic Starter)

Posted 22 March 2009 - 01:25 PM

Thanks, I think I will re-format the drive. I only have program files on my C: drive, all data files are stored on other drives (plus externals). Is it necessary to re-format any drives other than the C: drive?

#6 syler (Malware Response Team)

Posted 23 March 2009 - 03:00 PM

Hi Pesci

Thanks for letting me know that you are going to reformat. The safest option in this situation would be to format all your other drives as well as your C:\ drive. One of the infections you have is the W32.Mandaph Worm, which will spread through fixed and external drives and has backdoor capabilities and you also had some other nasty infections.



#7 pesci (Topic Starter)

Posted 24 March 2009 - 08:41 AM

OK, I re-formatted my system drive before I saw your response, I didn't re-format my external data drives as I don't keep any executables on them. I installed Windows XP with SP2 and got all windows updates, then installed OneCare and ran Malwarebytes, neither found anything. I then installed my other applications. Also ran Spybot S&D which found nothing.
However, today OneCare reported finding "Adware:Win32/Clickspring.C Adware", which I let it remove. Am I still infected?

I downloaded DDS and hijackthis and ran them, here are the logs, I'd appreciate help analyzing them:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:53 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/i/716
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237787272468
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4900 bytes

DDS (Ver_09-03-16.01) - NTFSx86
Run by McDonagh at 10:03:15.59 on Tue 03/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1173 [GMT -4:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\McDonagh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.yahoo.com/i/716
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237787272468

============= SERVICES / DRIVERS ===============

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-2-12 26104]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-3-23 2749224]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-23 38496]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-3-23 15656]

=============== Created Last 30 ================

2009-03-24 09:31 <DIR> --d----- c:\program files\Trend Micro
2009-03-23 21:06 116 a------- c:\docume~1\mcdonagh\applic~1\wklnhst.dat
2009-03-23 20:51 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-23 20:51 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-23 19:07 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\NeatImage PS
2009-03-23 18:23 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-23 18:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-23 09:56 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\WTablet
2009-03-23 09:56 <DIR> --d----- c:\program files\Tablet
2009-03-23 09:39 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-23 09:30 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\Malwarebytes
2009-03-23 09:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 09:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-23 09:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-23 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 09:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GoodSync
2009-03-23 09:25 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\GoodSync
2009-03-23 09:25 <DIR> --d----- c:\program files\Siber Systems
2009-03-23 09:19 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\Nvu
2009-03-23 09:19 <DIR> --d----- c:\program files\Nvu
2009-03-23 09:15 <DIR> --d----- c:\program files\Photodex Presenter
2009-03-23 09:15 <DIR> --d----- c:\program files\Photodex
2009-03-23 09:09 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\Photodex
2009-03-23 08:54 376 a------- c:\windows\ODBC.INI
2009-03-23 08:54 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-03-23 08:54 <DIR> --d----- c:\windows\ShellNew
2009-03-23 08:48 <DIR> --d----- c:\program files\Microsoft Works Suite 2006
2009-03-23 02:51 52,418 -------- c:\windows\UNNMP.cfg
2009-03-23 02:51 1,802,240 -------- c:\windows\UNNMP.exe
2009-03-23 02:48 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-03-23 02:47 96,891 -------- c:\windows\UNNeroVision.cfg
2009-03-23 02:47 24,064 a------- c:\windows\system32\msxml3a.dll
2009-03-23 02:47 1,814,528 -------- c:\windows\UNNeroVision.exe
2009-03-23 02:46 569,344 a------- c:\windows\system32\imagr5.dll
2009-03-23 02:46 544,768 a------- c:\windows\system32\imagx5.dll
2009-03-23 02:46 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-03-23 02:46 38,912 a------- c:\windows\system32\picn20.dll
2009-03-23 02:46 283,920 a------- c:\windows\system32\ImagXpr5.dll
2009-03-23 02:37 <DIR> --d----- c:\program files\Porta
2009-03-23 02:27 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\ZoomBrowser EX
2009-03-23 02:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-03-23 02:21 <DIR> --d----- c:\program files\Canon
2009-03-23 02:20 <DIR> --d----- c:\program files\common files\Canon
2009-03-23 02:08 <DIR> --d----- c:\program files\Neat Image
2009-03-23 01:40 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-03-23 01:33 212,711 a------- c:\windows\system32\nvapps.nvb
2009-03-23 01:33 <DIR> --d----- c:\windows\NV21563696.TMP
2009-03-23 01:32 <DIR> --d----- C:\NVIDIA
2009-03-23 01:30 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-03-23 01:24 <DIR> --d----- c:\docume~1\mcdonagh\applic~1\Intuit
2009-03-23 01:23 <DIR> --d----- c:\program files\common files\supportsoft
2009-03-23 01:23 1,933,312 a------- c:\windows\system32\cdintf251.dll
2009-03-23 01:21 385,024 -----r-- c:\windows\system32\JMRaidTool.exe
2009-03-23 01:21 <DIR> --d----- c:\windows\JM
2009-03-23 01:21 43,392 a----r-- c:\windows\system32\drivers\jraid.sys
2009-03-23 01:21 6,912 a----r-- c:\windows\system32\drivers\JGOGO.sys
2009-03-23 01:21 <DIR> --d----- c:\program files\common files\AnswerWorks 4.0
2009-03-23 01:20 <DIR> --d----- c:\program files\Intuit
2009-03-23 01:20 <DIR> --d----- c:\program files\common files\Intuit
2009-03-23 01:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-03-23 01:19 <DIR> --d----- c:\program files\Marvell
2009-03-23 01:19 21,724 a------- c:\windows\Ascd_tmp.ini
2009-03-23 01:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\COMMON FILES
2009-03-23 01:18 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-23 01:14 <DIR> --d----- c:\windows\system32\URTTEMP
2009-03-23 01:14 <DIR> --d----- c:\windows\ASUSInstAll
2009-03-23 01:13 <DIR> --d----- c:\windows\system32\drivers\INF
2009-03-23 01:13 <DIR> --d----- c:\windows\system32\drivers\system32
2009-03-23 01:12 22,047 a------- c:\windows\Ascd_log.ini
2009-03-23 01:12 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys
2009-03-23 01:12 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-03-23 01:04 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-23 01:03 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-23 01:03 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-23 01:03 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-23 01:03 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-23 01:03 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-23 01:03 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-23 01:03 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-23 01:03 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-23 01:03 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-23 00:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-23 00:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-23 00:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-23 00:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-23 00:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-23 00:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-23 00:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-23 00:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-23 00:57 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-03-23 00:57 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-03-23 00:56 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-03-23 00:52 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-03-23 00:43 229,376 a----r-- c:\windows\system32\drivers\ADIHdAud.sys
2009-03-23 00:43 142,464 a----r-- c:\windows\system32\drivers\adidts.sys
2009-03-23 00:43 93,824 a----r-- c:\windows\system32\drivers\aeaudio.sys
2009-03-23 00:43 24,064 a----r-- c:\windows\system32\PostProc.dll
2009-03-23 00:43 <DIR> --d----- c:\program files\Analog Devices
2009-03-23 00:43 146,048 ac------ c:\windows\system32\dllcache\portcls.sys
2009-03-23 00:43 129,536 ac------ c:\windows\system32\dllcache\ksproxy.ax
2009-03-23 00:43 60,160 ac------ c:\windows\system32\dllcache\drmk.sys
2009-03-23 00:43 4,096 ac------ c:\windows\system32\dllcache\ksuser.dll
2009-03-23 00:43 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-03-23 00:43 129,536 a------- c:\windows\system32\ksproxy.ax
2009-03-23 00:43 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-03-23 00:43 4,096 a------- c:\windows\system32\ksuser.dll
2009-03-23 00:36 <DIR> --d----- c:\windows\system32\scripting
2009-03-23 00:36 <DIR> --d----- c:\windows\l2schemas
2009-03-23 00:36 <DIR> --d----- c:\windows\system32\en
2009-03-23 00:36 <DIR> --d----- c:\windows\system32\bits
2009-03-23 00:35 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-23 00:34 <DIR> --d----- c:\windows\network diagnostic
2009-03-23 00:33 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-03-23 00:32 <DIR> --d----- c:\windows\EHome
2009-03-23 00:32 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-23 00:30 613,334 -c------ c:\windows\system32\dllcache\wmplayer.chm
2009-03-23 00:29 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-23 00:17 <DIR> --d----- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-03-23 00:13 203,346 a------- c:\windows\system32\nvapps.xml
2009-03-23 00:12 453,152 a------- c:\windows\system32\nvudisp.exe
2009-03-23 00:12 19,021 a------- c:\windows\system32\nvdisp.nvu
2009-03-23 00:12 <DIR> --d----- c:\windows\nview
2009-03-23 00:12 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-23 00:11 23,040 a----r-- c:\windows\system32\drivers\GVCplDrv.sys
2009-03-23 00:05 <DIR> --d----- c:\documents and settings\McDonagh
2009-03-23 00:04 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-23 00:03 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-23 00:01 10,129,408 ac------ c:\windows\system32\dllcache\hwxkor.dll
2009-03-23 00:00 2,577 a------- c:\windows\system32\CONFIG.NT
2009-03-23 00:00 0 a------- c:\windows\control.ini
2009-03-23 00:00 316,640 a------- c:\windows\WMSysPr9.prx
2009-03-23 00:00 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-23 00:00 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-22 23:59 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-22 23:59 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-22 23:58 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-22 23:57 <DIR> --d----- c:\program files\Online Services
2009-03-22 23:57 <DIR> --d----- c:\program files\Messenger
2009-03-22 23:57 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-22 23:56 <DIR> --d----- c:\program files\Windows NT
2009-03-22 23:24 <DIR> --dsh--- c:\documents and settings\mcdonagh\UserData
2009-03-22 18:31 <DIR> --d----- c:\program files\common files\ODBC
2009-03-22 18:31 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-22 18:31 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-23 00:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-23 00:17 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-22 23:58 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-06-23 02:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 10:03:31.95 ===============


Attached File: Attach.txt (4.72KB)

Edited by pesci, 24 March 2009 - 09:07 AM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:56 PM

Posted 25 March 2009 - 08:15 AM

Have you plugged any of your external drives into your machine since reinstalling your OS? You should do a scan on them to see if they are infected, but before you plug them in you need to disable the Autoplay feature. If you do not, then as soon as you plug your externals in your computer could become infected, as this feature can trigger the malware to run.

After disabling Autoplay, plug in your externals then scan them with Kaspersky Online Scanner.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Post back with the Kaspersky results.



#9 pesci

pesci
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 25 March 2009 - 11:35 PM

Thanks for the reply Syler.

I ran the Kaspersky online scan - first just the "Critical Areas", it found no problems. I then set it off on "My Computer", after 1 hour it is showing 1% progress - so I guess it could be a few days !! I do have 3 500Gb externals attached, lots of photos (big RAW and Photoshop PSD files) but no executables... Oh, an update - it finished after 1:24, guess it didn't scan all the data files :thumbup2: Here's the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 26, 2009 04:49:01
Records in database: 1971197
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\

Scan statistics:
Files scanned: 113711
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:24:49

No malware has been detected. The scan area is clean.

The selected area was scanned.


Now after a re-format of my C: drive I thought I'd be completely clean, I didn't turn off autorun/play to start with but on the other hand I didn't plug in any externals since (they remained plugged in the whole time) - does autorun only invoke for drives just plugged in, not those plugged in at boot? On the other hand I did see the OneCare warning about clickspring.c twice (the first time I didn't take action, wanted to see more details on it first), however on both occasions OneCare detected it I had another antispyware running a scan - can you get false reports like that? In between when I ran a OneCare scan it didn't find clickspring.c.

Sorry for all the questions!

Edited by pesci, 26 March 2009 - 08:30 AM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:56 PM

Posted 26 March 2009 - 04:32 PM

Hello Pesci :thumbup2:

You are welcome to ask any questions you want. Your logs are looking clean to me and since Kaspersky found nothing
and neither have your other scanners it looks good except for clickspring.c which OneCare is finding. Scanners can
produce false reports (false positives) sometimes, can you tell me what file OneCare is reporting as clickspring.c?
Autoplay/AutoRun are not invoked on boot but Autorun can be invoked when opening the drives in Windows Explorer,
so I would still keep them disabled unless you actually have a use for these features.

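The AutoRun hardening syler describes in his two posts above (disable it before handling the external drives, and keep it disabled because Explorer can still trigger it when a drive is opened), as an added example that is not part of the thread and not from any tool mentioned in it. It is a PowerShell script assumed to be run from an elevated PowerShell session on XP or Vista; the registry value names and bit meanings are the ones Microsoft documents for the Explorer policy key, while the function names are mine. It first reports which drive types would still AutoRun, then sets the machine-wide policy that disables AutoRun for all of them.

```powershell
# Added example (not from the thread): audit and disable AutoRun for every drive type
# via the Explorer policy key. Run as Administrator. Function names are hypothetical.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$driveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown type' },
    @{ Bit = 0x04; Name = 'removable (USB sticks, card readers)' },
    @{ Bit = 0x08; Name = 'fixed (internal and USB hard disks)' },
    @{ Bit = 0x10; Name = 'network share' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'reserved' }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Get-AutoRunStatus {
    foreach ($key in $policyKeys) {
        $mask = Get-RegistryDword -Path $key -Name 'NoDriveTypeAutoRun'
        if ($mask -eq $null) {
            # XP SP2/SP3 and Vista use 0x91 when the value is absent, which leaves
            # removable, fixed and CD/DVD drives free to AutoRun.
            $mask = 0x91
            Write-Output ("{0}: NoDriveTypeAutoRun not set, built-in default 0x91 applies" -f $key)
        } else {
            Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $key, $mask)
        }
        foreach ($entry in $driveTypeBits) {
            if (($mask -band $entry.Bit) -eq 0) {
                Write-Output ("    AutoRun still enabled for {0} drives" -f $entry.Name)
            }
        }
        # HonorAutoRunSetting (value 1) is created by Microsoft update KB967715; without
        # that update Windows does not fully honor NoDriveTypeAutoRun for autorun.inf.
        $honor = Get-RegistryDword -Path $key -Name 'HonorAutoRunSetting'
        if ($honor -ne 1) {
            Write-Output ("{0}: HonorAutoRunSetting missing or 0 (install KB967715)" -f $key)
        }
    }
}

function Disable-AutoRunAllDrives {
    $key = $policyKeys[0]   # machine-wide policy, applies to every user account
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF sets every drive-type bit, so no drive type AutoRuns at all
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $key -Name 'HonorAutoRunSetting' -Value 1 -Type DWord
    Write-Output 'AutoRun disabled for all drive types; log off and on so Explorer reloads the policy.'
}

Get-AutoRunStatus
Disable-AutoRunAllDrives
Get-AutoRunStatus
```

The status report is the part worth keeping around: after the policy is set, every drive type should be listed as disabled, and the HonorAutoRunSetting line tells you whether the system actually enforces that policy or is still on the pre-update behaviour where an autorun.inf on a USB disk could run when the drive is opened.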


#11 pesci

pesci
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 26 March 2009 - 09:28 PM

Thanks Syler, glad to hear my logs look good :thumbup2: I just remembered I copied my C:<user>/Documents and Settings to a temp folder on my D: drive before reformatting the C: drive in case I needed anything from there and forgot to delete it, I suspect OneCare was finding a clickspring executable in there as I read that it copies an executable to that location, must have been a remnant from the previous infection. I've now deleted that temp folder and everything is scanning clean. Thanks for your help!

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:56 PM

Posted 27 March 2009 - 07:12 PM

You are welcome Pesci. If you have no more problems, I will consider this thread solved and get my coach to close it.

Regards



#13 pesci

pesci
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 27 March 2009 - 07:39 PM

Perfect - thanks a lot!

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:56 PM

Posted 28 March 2009 - 08:43 AM

Now that you are clean please read my advice below to help secure and prevent you
from being infected again.

Updating Windows
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to do this is by making sure that Automatic Updates is always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :thumbup2:

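The "Updating Windows" step above is a Control Panel click-through; as an added example that is not part of the thread, here is the same check done from an elevated PowerShell session (assumed PowerShell 2.0 on XP/Vista) so it can be verified rather than trusted. The registry keys and the AUOptions meanings are the documented Windows Update settings; a local or domain policy under the Policies key wins over the Control Panel preference, which is why the script reads the policy first. The function names are mine.

```powershell
# Added example (not from the thread): report how Automatic Updates is configured and,
# if it is not "Automatic (recommended)", set it. Run as Administrator.

$preferenceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# The four Control Panel radio buttons map to these AUOptions values.
$auOptionNames = @{
    1 = 'Turn off Automatic Updates'
    2 = 'Notify me but do not automatically download or install'
    3 = 'Download updates for me, but let me choose when to install'
    4 = 'Automatic (recommended)'
}

function Get-AutomaticUpdatesStatus {
    $source = 'Control Panel preference'
    $key    = $preferenceKey
    if (Test-Path $policyKey) {
        $pol = Get-ItemProperty -Path $policyKey
        if ($pol.NoAutoUpdate -eq 1) {
            # Policy has switched Automatic Updates off outright; nothing below matters.
            return New-Object PSObject -Property @{
                Source = 'Policy'; AUOptions = 1
                Description = $auOptionNames[1]; IsRecommended = $false
            }
        }
        if ($pol.AUOptions -ne $null) { $source = 'Policy'; $key = $policyKey }
    }
    $opt = $null
    if (Test-Path $key) { $opt = (Get-ItemProperty -Path $key).AUOptions }
    $desc = 'not configured'
    if ($opt -ne $null -and $auOptionNames.ContainsKey([int]$opt)) {
        $desc = $auOptionNames[[int]$opt]
    }
    New-Object PSObject -Property @{
        Source        = $source
        AUOptions     = $opt
        Description   = $desc
        IsRecommended = ($opt -eq 4)
    }
}

function Enable-RecommendedAutomaticUpdates {
    if (-not (Test-Path $preferenceKey)) { New-Item -Path $preferenceKey -Force | Out-Null }
    Set-ItemProperty -Path $preferenceKey -Name 'AUOptions' -Value 4 -Type DWord
    # Restart the Automatic Updates service so it re-reads its settings. If a policy
    # pins a different AUOptions value this preference is ignored; fix the policy instead.
    Restart-Service -Name wuauserv
}

function Get-InstalledUpdateCount {
    # Sanity check that updates are actually landing: count the hotfixes Windows
    # knows about. InstalledOn formatting varies by OS version, so only the IDs are used.
    $fixes = @(Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -ne $null })
    return $fixes.Count
}

$status = Get-AutomaticUpdatesStatus
$status | Format-List Source, AUOptions, Description, IsRecommended
if (-not $status.IsRecommended -and $status.Source -ne 'Policy') {
    Enable-RecommendedAutomaticUpdates
    Get-AutomaticUpdatesStatus | Format-List Source, AUOptions, Description, IsRecommended
}
Write-Output ("Installed hotfixes known to Windows: {0}" -f (Get-InstalledUpdateCount))
```

Reading the policy key first matters on a home machine too: some malware and some "tweak" tools set NoAutoUpdate there, and the Control Panel then shows a greyed-out choice much like the firewall option pesci could not enable in the first post, so a clean-looking preference value is not proof that updates are on.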


#15 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:56 PM

Posted 30 March 2009 - 12:16 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security