
Vundo Victim


  • This topic is locked
30 replies to this topic

#1 Duckie26

Duckie26

  • Members
  • 15 posts

Posted 29 March 2009 - 09:32 AM

Hello,

First I'd like to say thank you to this site for their valuable assistance. Several topics from here have helped me with my Vundo battle but I'm now asking for assistance in getting rid of this nasty trojan. I am a computer novice and I've googled my way through this but I'm at the end of my rope now.

"Virtumonde" appeared on two of my computers two weeks ago. I recovered my laptop by reformatting it, but I'd like for that to be the last step for this computer, although I am prepared to do it if I have to.

My arsenal for getting rid of this virus has included:
AVG (I got this after I got the virus)
Malwarebytes
SuperAntiSpyware
Spybot

All scans have finally come up clean in both normal and safe mode. However, I was having issues with "bad image file" errors caused by "C:windows\system32\hubejija.dll" being not a valid windows image. So this told me that the virus is still there or at least pieces of it were.

I then ran CCleaner, and ATFCleaner as recommended from another board, but that didn't fix it.

I went googling again and found instructions for removing "hubejija.dll".

I started to follow them and I searched "hubejija.dll" in my files in safe mode and I found one related file and deleted it. I then went to go search my registry per the instructions, only to find out regedit is gone on my computer. I should add I was told to turn off System Restore before doing this and I did do that.

I can access task manager and msconfig, and I downloaded the Spybot version "RegAlyzer" but I have no clue what I am doing with my registry so I haven't done anything with that.

I don't know where else to turn and I'm hoping somebody here can help me. This has been a two week battle which has included 100's of scans, falling victim to a Rogue Spyware scam (MalwareRemovalBot) which in turn caused me to actually PAY MONEY for more nasties to be put on my computer. *sigh* I usually know better than this but I can only blame that on desperation and lack of sleep.

Anyway, sorry for my ramblings... My hijack log is attached. Please let me know if you need any additional information. I only know the basics about computers but I follow directions very well. :thumbup2:

Thank you so much in advance for any assistance that is provided.

Sincerely,
Duckie

Attached Files


Edited by Duckie26, 29 March 2009 - 09:33 AM.



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 March 2009 - 03:41 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Post back with:
-Combofix log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 31 March 2009 - 03:44 PM

Thank you so much for your reply. I will do this as soon as I can and post my results.

I really appreciate your help.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 March 2009 - 04:02 PM

Thanks for letting me know.

With Regards,
Extremeboy

#5 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 31 March 2009 - 06:19 PM

Hi EB,

I've attempted to run Combofix but it will not allow me to because my regedit is missing and to copy that from another machine. Also, it gave me an OS error and said it wasn't compatible, but I do have Windows XP. I'll await your further instructions.


Thanks,
Duckie

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 March 2009 - 09:20 PM

Hello.

I've attempted to run Combofix but it will not allow me to because my regedit is missing and to copy that from another machine.

I don't quite understand what you are trying to say. Are you saying you get an error message when trying to run Combofix saying regedit is missing and cannot run? Could you elaborate on that? A screenshot might help me. :thumbup2:

Question: Do you still have your Windows Disk?

Try running Combofix this way. Overwrite the existing Combofix.exe you have on your desktop when downloading it.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#7 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 01 April 2009 - 09:23 AM

I'm sorry for the misunderstanding.

Yes, I got two errors when I attempted this scan last night. One error message said that my Operating System was not compatible, even though I am using Windows XP.

The second error message said that my regedit is missing (I already knew this) and to copy it from another machine. That is the exact wording of the error.

I do have "recovery disks" for this HP computer that I had to copy myself when I bought the machine.

I will attempt to reinstall and run Combofix as you described above tonight when I get home. If I get the same error messages, I will post a screen shot.

Thanks again. :thumbup2:

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 April 2009 - 02:24 PM

Okay.

Thanks for the update. Always helpful :thumbup2:

With Regards,
Extremeboy

#9 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 01 April 2009 - 07:30 PM

Hi EB,

I did what you said and it is still giving me the "regedit" error. Here is a screen shot as requested.

Thanks again,
Duckie


Edited by Duckie26, 01 April 2009 - 07:30 PM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 April 2009 - 08:10 PM

Hello.

See if this works, just found the regedit file...

Download this file and save it to your C:\Windows Directory.

Now, please run Combo-Fix.exe the renamed one you downloaded. See if it runs now.

If it runs and works then SKIP the steps below, if it DOESN'T work tell me what happened and continue with the steps below please.


Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and run OTListIT2

We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Post both logs in your next reply please.
Post back with:
-Combofix log
-MBAM log
-OTListIt2 log


With Regards,
Extremeboy

Edited by extremeboy, 01 April 2009 - 08:19 PM.

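When the requested ComboFix log comes back, its "Reg Loading Points" section is where the persistence behind the "bad image" errors shows up: in this thread an AppInit_DLLs value pointing at hubejija.dll, a disabled Windows Firewall profile, and AutoRun commands registered under mountpoints2. As an added example, not code from this thread or from ComboFix, here is a small Python checker that parses lines in that section's layout and flags the entries a responder would review first. The log excerpt inside it is constructed from the values quoted in this thread, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of a ComboFix "Reg Loading Points"
# section. The values are the ones quoted in this thread; the excerpt
# itself is assembled here as sample input and is not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\hubejija.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839e9ab9-68ca-11dd-b135-0013d30cb9b0}]
\Shell\AutoRun\command - setupSNK.exe
"""

# Section headers look like [HKEY_...\path]; values look like "Name"=data;
# mountpoints2 autorun entries look like \Shell\AutoRun\command - <cmd>.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")


@dataclass
class Finding:
    severity: str
    key: str
    value: str
    reason: str


def parse_loading_points(text):
    """Yield (registry_key, value_name, value_data) triples from a
    ComboFix-style "Reg Loading Points" dump (hypothetical helper)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:  # data before the first section header is ignored
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("value").strip()
            continue
        m = AUTORUN_RE.match(line)
        if m:
            yield key, "AutoRun\\command", m.group("cmd").strip()


def triage(text):
    """Return the loading points a responder should look at first."""
    findings = []
    for key, name, value in parse_loading_points(text):
        lname = name.lower()
        if lname == "appinit_dlls" and value:
            # Any DLL listed here is loaded into every process that loads
            # user32.dll, which is how a single file causes "bad image"
            # errors across unrelated programs.
            findings.append(Finding("high", key, value,
                "AppInit_DLLs loads the listed DLL into every process that loads user32.dll"))
        elif lname == "enablefirewall" and value.startswith("0"):
            findings.append(Finding("medium", key, value,
                "Windows Firewall profile is disabled"))
        elif "mountpoints2" in key.lower() and name == "AutoRun\\command":
            findings.append(Finding("medium", key, value,
                "AutoRun command registered for a removable or mapped drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\n    {f.value}\n    {f.reason}")
```

The AppInit_DLLs entry is the one worth acting on first: restoring regedit.exe (as the post above does) matters precisely because that value has to be cleared from the registry, not just the DLL deleted, or the "bad image" errors persist after every scanner reports clean.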

#11 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 01 April 2009 - 09:02 PM

You rock. The scan is running now. If it doesn't take too long, I'll post the log tonight. If not, same time, same place tomorrow. :thumbup2:

Most sincerely,
Duckie

Edited by Duckie26, 01 April 2009 - 09:02 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 April 2009 - 09:09 PM

Great! Let me know once it's finished and post the log. :)

I'll probably review it tomorrow evening, as it's fairly late here now. (10:10pm) I still need to wake up early tomorrow :thumbup2:

With Regards,
Extremeboy

#13 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 01 April 2009 - 09:20 PM

The scan is finished and I've posted the results below. I have to be out of the house by 5:15 AM myself and should have shut down an hour ago. I totally understand.

I really (really) appreciate your help.

Sweet dreams,
Duckie

----------------------------------------------

ComboFix 09-04-01.01 - HP_Administrator 2009-04-01 22:01:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.283 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *enabled*
* Created a new restore point
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\nekigese.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-01 21:58 . 2009-04-01 21:58 146,432 --a------ c:\windows\system32\dllcache\regedit.exe
2009-04-01 21:58 . 2009-04-01 21:58 146,432 --a------ c:\windows\regedit.exe
2009-03-28 22:54 . 2009-03-28 22:54 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 22:38 . 2009-03-28 22:38 <DIR> d-------- c:\program files\Safer Networking
2009-03-28 22:38 . 2009-03-28 22:38 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Safer Networking
2009-03-28 21:12 . 2009-03-28 21:12 7,168 --ahs---- c:\windows\Thumbs.db
2009-03-28 09:31 . 2009-03-28 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-28 09:30 . 2009-03-28 09:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-28 09:30 . 2009-03-28 09:30 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-28 09:30 . 2009-03-28 09:30 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-03-28 01:50 . 2009-03-28 01:50 <DIR> d-------- c:\program files\CCleaner
2009-03-28 00:19 . 2009-03-28 00:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-28 00:19 . 2009-03-28 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-27 17:11 . 2009-03-27 17:11 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-03-27 17:10 . 2009-03-27 17:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:10 . 2009-03-27 17:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:10 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:10 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-22 20:00 . 2009-03-29 20:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Tracing
2009-03-22 19:57 . 2009-03-22 19:57 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-22 19:55 . 2009-03-22 19:55 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-22 19:55 . 2009-03-22 19:55 <DIR> d-------- c:\program files\Microsoft
2009-03-22 19:47 . 2009-03-22 19:47 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-21 19:19 . 2009-03-29 12:33 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-21 17:53 . 2009-03-21 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-21 17:53 . 2009-03-21 17:53 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-21 17:53 . 2009-03-23 18:36 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-21 17:53 . 2009-03-21 17:53 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-21 17:53 . 2009-03-21 17:53 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-21 17:52 . 2009-04-01 19:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-21 17:52 . 2009-03-23 19:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\AVGTOOLBAR
2009-03-21 17:51 . 2009-03-21 17:51 <DIR> d-------- c:\program files\AVG
2009-03-21 17:51 . 2009-03-21 17:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-21 17:51 . 2009-03-21 17:51 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-03-21 17:51 . 2009-03-21 17:51 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 00:08 --------- d-----w c:\program files\Plaxo
2009-03-31 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-23 00:26 --------- d-----w c:\program files\AWS
2009-03-22 23:54 --------- d-----w c:\program files\Windows Live
2009-03-21 22:39 --------- d-----w c:\program files\QuickTime
2009-03-21 22:39 --------- d-----w c:\program files\Browser Mouse
2009-03-21 21:49 --------- d-----w c:\program files\PC Tools AntiVirus
2009-03-20 00:44 --------- d-----w c:\program files\Spyware Doctor
2009-03-20 00:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 04:17 --------- d-----w c:\program files\Google
2009-03-02 14:43 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2009-03-02 14:42 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-02 02:32 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\CameraWindowDC
2009-03-01 02:57 13,600 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-02-27 15:06 --------- d-----w c:\program files\Safari
2009-02-27 15:02 --------- d-----w c:\program files\iTunes
2009-02-27 15:02 --------- d-----w c:\program files\iPod
2009-02-27 15:02 --------- d-----w c:\program files\Common Files\Apple
2009-02-27 15:02 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-27 14:41 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-02-26 16:46 74,760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 16:46 25,608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2006-02-11 01:34 251 ----a-w c:\program files\wt3d.ini
2006-01-31 01:21 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 180269]
"A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1932568]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-05-26 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 17:53 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\hubejija.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\HP_Administrator\Application Data\iolo\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Common Files\\Verizon Online\\AppMgr\\vzOpenUIServer.exe"=
"c:\\Program Files\\Microsoft IntelliType Pro\\itype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Verizon Online\\Help Support\\VerizonSupport.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-21 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-21 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [2007-10-22 37560]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-03-21 1356616]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-03-21 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-03-21 29208]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839e9ab9-68ca-11dd-b135-0013d30cb9b0}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec27ec86-67ff-11dd-b133-0013d30cb9b0}]
\Shell\AutoRun\command - k:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 15:01]

2008-10-04 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 15:13]

2009-04-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://adwoff.com/messageboard/ubbthreads.php?ubb=activetopics&range=1
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://adwoff.com/ubb/ultimatebb.php?ubb=get_daily
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {65F31DBD-290F-44F8-9B18-47F5AE400A04} - hxxp://www.gould.edu.au/wildlifecams/RasWatch.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qqmbspy1.default\
FF - prefs.js: browser.startup.homepage - hxxp://adwoff.com/messageboard/ubbthreads.php?ubb=activetopics&range=7&type=t
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 22:10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-04-01 22:16:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 02:16:07

Pre-Run: 182,437,556,224 bytes free
Post-Run: 182,321,860,608 bytes free

264 --- E O F --- 2009-03-31 00:24:01

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 April 2009 - 12:02 PM

Hello.

Just came back from lunch so I'll give you the next set of instructions.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\program files\wt3d.ini
    c:\windows\system32\hubejija.dll
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-MBAM log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

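The CFScript in the post above clears the AppInit_DLLs value, which is the hook Vundo used to get hubejija.dll loaded into every process that links user32.dll (hence the "bad image" errors). The following PowerShell audit is an added example, not part of the thread or of ComboFix; it reads that value, resolves each listed DLL (bare names resolve from system32), and reports whether the file exists and carries a valid Authenticode signature. It assumes PowerShell 2.0 or later on a 32-bit Windows install; the registry key and value names are the standard ones, and the `LoadAppInit_DLLs` switch only exists on Vista and later.

```powershell
# Added example: audit the AppInit_DLLs injection point that the CFScript clears.
# Assumes PowerShell 2.0+ on 32-bit Windows; on 64-bit the Wow6432Node copy of the
# key would need the same check (not shown).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key
$raw = [string]$props.AppInit_DLLs

Write-Host "AppInit_DLLs = '$raw'"
if ($props.PSObject.Properties['LoadAppInit_DLLs']) {
    # Vista and later: 0 disables AppInit loading entirely, 1 enables it.
    Write-Host "LoadAppInit_DLLs = $($props.LoadAppInit_DLLs)"
}

if ([string]::IsNullOrEmpty($raw.Trim())) {
    Write-Host "Clean: no AppInit DLLs registered."
    return
}

# The value is a space- or comma-separated list of DLL names or paths.
$names = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
foreach ($name in $names) {
    if ([System.IO.Path]::IsPathRooted($name)) {
        $path = $name
    } else {
        $path = Join-Path $env:SystemRoot "system32\$name"
    }

    if (-not (Test-Path -LiteralPath $path)) {
        # A dangling entry is what produces the "not a valid Windows image" pop-ups
        # after the DLL itself has been deleted; the registry value still needs clearing.
        Write-Warning "$name -> $path does not exist (dangling AppInit entry)"
        continue
    }

    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $line = "{0}  size={1}  modified={2:yyyy-MM-dd}  signature={3}" -f `
            $path, $item.Length, $item.LastWriteTime, $sig.Status

    # Vundo droppers use random names (hubejija.dll) with no signature; flag anything
    # that is not validly signed for manual review rather than trusting the name.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "REVIEW: $line"
    } else {
        Write-Host $line
    }
}
```

Run it from an elevated PowerShell prompt before and after the ComboFix pass: before, it should list the injected DLL as unsigned or missing; after, it should print the "Clean" line, confirming that the `"AppInit_DLLs"=""` directive in the script took effect.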

#15 Duckie26

Duckie26
  • Topic Starter

  • Members
  • 15 posts

Posted 02 April 2009 - 12:54 PM

I've already got the most current MBAM installed so this should be easy enough to do.

Will report back tonight.



