
I'm infected with Vundo/Virtumonde variant


  • This topic is locked
12 replies to this topic

#1 BigWayne450

BigWayne450

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 16 April 2009 - 09:42 AM

While searching for free online movies, my computer suddenly went haywire at one site and tried to open up numerous IE windows (I use Firefox tho). Opening the Task Manager showed the Page File and CPU Usage graphs maxed out. I immediately closed all browsers and any strange applications I saw on the T/M list to calm the computer down. I'm running AVG Free but it never picked up on anything being wrong, even when I scanned the comp immediately afterward {that's what you get for free, eh? :) }. I installed Super Anti-Spyware Free and ran it in Safe Mode. It detected numerous infections called ADWARE.VUNDO VARIANT and ADWARE.VUNDO/VARIANT.

I tried System Restore to revert back to 3 previous save points, but 4 further scans and repairs/removals by Super Anti-Spyware Free in Safe Mode still did not remove it. It kept returning. Thinking it may have been *IN* the System Restore files, I turned System Restore off and scanned everything once more in Safe Mode. Two more scans reported the same 5 instances of the virus the same as the scans with System Restore on did (1 in memory, 3 in registry, and 1 in files) and I am still getting the pop-ups and erratic behavior.

I would appreciate any help you guys can offer on this. I hate to even think about wiping out the HDD to remedy it. I'm spending today burning keeper files to CDs. Thanks!

Here is my DDS report:

=============================================


DDS (Ver_09-03-16.01) - NTFSx86
Run by Wayne at 2:11:51.62 on Thu 04/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\SearchEnh1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3d7a1a09-8c14-4d19-8307-ec9d261ca938} - c:\windows\system32\niniyifu.dll
BHO: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZeroBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\netzero\toolbar.dll
TB: {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [spc_w] "c:\program files\nzsearch\nzspc.exe" -w
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BellSouthAlertManager.exe] "c:\program files\bellsouth\am\BellSouthAlertManager.exe" /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CPM731f1775] Rundll32.exe "c:\windows\system32\zorabopa.dll",a
mRun: [702c24e9] rundll32.exe "c:\windows\system32\mokosuha.dll",b
mRun: [zifawutojo] Rundll32.exe "c:\windows\system32\fujigayu.dll",s
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219176554031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\sagikuli.dll c:\windows\system32\gadagore.dll c:\windows\system32\vohejido.dll c:\windows\system32\zorabopa.dll,c:\windows\system32\loloyife.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\loloyife.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wayne\applic~1\mozilla\firefox\profiles\gs82h1qg.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-15 18:29 1,409,234 ---sh--- c:\windows\system32\ahusokom.ini
2009-04-15 01:28 2,713 ---sh--- c:\windows\system32\nunemuzo.exe
2009-04-14 07:25 1,407,731 ---sh--- c:\windows\system32\akizepuz.ini
2009-04-13 19:25 1,404,782 ---sh--- c:\windows\system32\evalojef.ini
2009-04-13 18:47 <DIR> --d----- C:\VundoFix Backups
2009-03-19 03:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-19 03:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-19 03:30 <DIR> --d----- c:\docume~1\wayne\applic~1\SUPERAntiSpyware.com
2009-03-19 03:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-18 21:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy2
2009-03-18 20:23 <DIR> --d----- c:\windows\aod

==================== Find3M ====================

2009-04-15 18:29 49,664 a--sh--- c:\windows\system32\humugege.dll
2009-04-15 18:29 89,600 a--sh--- c:\windows\system32\zorabopa.dll
2009-04-15 18:29 81,408 a--sh--- c:\windows\system32\mokosuha.dll
2009-04-14 07:25 81,408 a--sh--- c:\windows\system32\zupezika.dll
2009-04-13 19:24 47,104 a--sh--- c:\windows\system32\refurepo.exe
2009-04-13 02:24 50,688 a--sh--- c:\windows\system32\fewavobo.dll
2009-04-13 02:23 47,104 a--sh--- c:\windows\system32\bazetefu.exe
2009-02-09 04:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 04:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 09:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2007-06-04 13:56 66,725 a------- c:\program files\INSTALL.LOG
2006-11-02 02:30 194,376 a------- c:\docume~1\wayne\applic~1\shb.dat
2006-07-04 06:07 2,983 a------- c:\program files\install_wizard.log
2005-06-15 20:50 6,033 a------- c:\program files\uninstal.log
2007-06-17 23:14 80 ---shr-- c:\windows\system32\67130A3D49.dll

============= FINISH: 2:13:44.96 ===============

***************************************************************

I went ahead and scanned with Kaspersky's scanner as per this forum's suggestion. Seems I'm infected worse than I thought.

-------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 16, 2009 05:02:30
Records in database: 2049653
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 79989
Threat name: 4
Infected objects: 50
Suspicious objects: 0
Duration of the scan: 03:03:55


File name / Threat name / Threats count
C:\WINDOWS\system32\niniyifu.dll/C:\WINDOWS\system32\niniyifu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 13
c:\windows\system32\zorabopa.dll/c:\windows\system32\zorabopa.dll Infected: Trojan.Win32.Monder.bzdz 13
C:\WINDOWS\system32\loloyife.dll/C:\WINDOWS\system32\loloyife.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 13
C:\WINDOWS\system32\fujigayu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\geleboje.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\WINDOWS\system32\humugege.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\kojuziko.dll.tmp Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\loloyife.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\niniyifu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\pamumemo.dll.tmp Infected: Trojan.Win32.Monder.bzea 1
C:\WINDOWS\system32\pizuwozo.dll.tmp Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\wavoriro.dll.tmp Infected: Trojan.Win32.Monder.bzea 1
C:\WINDOWS\system32\zorabopa.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\WINDOWS\system32\zuyavizu.dll.tmp Infected: Trojan.Win32.Monder.bzea 1

The selected area was scanned.
*************************************************************
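As a worked triage example added here by the editor (it is not part of this post, and it is not code from DDS, Kaspersky or any BleepingComputer tool), the Python below shows how a responder can pull the interesting load points out of a log in the DDS format posted above: Run entries that load a DLL through rundll32, every AppInit_DLLs entry, any LSA Notification Package other than scecli, and hidden+system files under system32. It then marks file stems that follow the alternating consonant/vowel pattern of the names in this log. The sample input is a constructed excerpt built from lines of the log above, and the consonant/vowel rule is a heuristic for prioritising a manual review, not a malware signature.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT" and Find3M sections
# posted above (paths copied from that log; this is not the full report).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [CPM731f1775] Rundll32.exe "c:\windows\system32\zorabopa.dll",a
mRun: [702c24e9] rundll32.exe "c:\windows\system32\mokosuha.dll",b
AppInit_DLLs: c:\windows\system32\sagikuli.dll c:\windows\system32\gadagore.dll,c:\windows\system32\loloyife.dll
LSA: Notification Packages = scecli c:\windows\system32\loloyife.dll
2009-04-15 18:29 89,600 a--sh--- c:\windows\system32\zorabopa.dll
2009-04-15 18:29 1,409,234 ---sh--- c:\windows\system32\ahusokom.ini
2009-02-09 04:19 1,846,272 a------- c:\windows\system32\win32k.sys
"""

# uRun/mRun line whose command is rundll32 loading a DLL.
RUNDLL_RE = re.compile(
    r'^[um]Run: \[[^\]]*\]\s+rundll32(?:\.exe)?\s+"?([^",]+)"?', re.I)
# Find3M / "Created Last 30" line: date, time, size, 8-char attribute field, path.
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$', re.I)
# A file directly under system32 (captures the file name).
SYS32_RE = re.compile(r'^c:\\windows\\system32\\([^\\]+)$', re.I)
# Heuristic: eight letters strictly alternating consonant/vowel, either way round.
CV_RE = re.compile(
    r'^(?:[b-df-hj-np-tv-z][aeiou]){4}$|^(?:[aeiou][b-df-hj-np-tv-z]){4}$')


def looks_random(path):
    """True if the file stem under system32 matches the alternating-letter pattern."""
    m = SYS32_RE.match(path)
    if not m:
        return False
    stem = m.group(1).split('.')[0].lower()
    return CV_RE.match(stem) is not None


def triage_dds(text):
    """Return (reason, path) pairs for load points and files worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUNDLL_RE.match(line)
        if m:
            findings.append(("rundll32-run", m.group(1).lower()))
            continue
        if line.lower().startswith("appinit_dlls:"):
            # Entries may be separated by spaces or commas; every one is a load point.
            for p in re.split(r'[\s,]+', line.split(":", 1)[1].strip()):
                if p:
                    findings.append(("appinit", p.lower()))
            continue
        if line.lower().startswith("lsa: notification packages"):
            # scecli is the stock Windows entry; anything else deserves a look.
            for p in line.split("=", 1)[1].split():
                if p.lower() != "scecli":
                    findings.append(("lsa-notify", p.lower()))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group(1).lower(), m.group(2).strip()
            # Hidden + system attributes on a loose file in system32.
            if "s" in attr and "h" in attr and SYS32_RE.match(path):
                findings.append(("hidden-system-file", path.lower()))
    return findings


def summarize(findings):
    """Group reasons by path so one file with several hits shows up once."""
    by_path = {}
    for reason, path in findings:
        by_path.setdefault(path, set()).add(reason)
    return {p: sorted(r) for p, r in by_path.items()}


if __name__ == "__main__":
    for path, reasons in sorted(summarize(triage_dds(SAMPLE_DDS)).items()):
        flag = " (random-looking name)" if looks_random(path) else ""
        print(f"{path}: {', '.join(reasons)}{flag}")
```

The result is one line per flagged path with the reasons it was flagged, which is the kind of list a helper cross-checks against the quarantine and removal logs later in a thread like this one; a legitimate file such as win32k.sys falls through all four checks even though it sits in system32.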



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 17 April 2009 - 07:06 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.




Please post these logs in your next reply... Post each log in separate post

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 BigWayne450

BigWayne450
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 17 April 2009 - 06:47 PM

Here is my SD Fix log:


SDFix: Version 1.240
Run by Administrator on Fri 04/17/2009 at 02:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

No Trojan Files Found


#4 BigWayne450

BigWayne450
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 17 April 2009 - 06:49 PM

Here is my ComboFix log:

ComboFix 09-04-18.01 - Wayne 04/17/2009 18:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.194 [GMT -6:00]
Running from: c:\new folder\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\windows\system32\ahusokom.ini
c:\windows\system32\akizepuz.ini
c:\windows\system32\bszip.dll
c:\windows\system32\deyiwubo.dll
c:\windows\system32\ejavuras.ini
c:\windows\system32\evalojef.ini
c:\windows\system32\fewavobo.dll
c:\windows\system32\fujigayu.dll
c:\windows\system32\geleboje.dll
c:\windows\system32\genovali.dll
c:\windows\system32\humugege.dll
c:\windows\system32\ilavoneg.ini
c:\windows\system32\komurolo.dll
c:\windows\system32\loloyife.dll
c:\windows\system32\mokosuha.dll
c:\windows\system32\niniyifu.dll
c:\windows\system32\olorumok.ini
c:\windows\system32\saruvaje.dll
c:\windows\system32\sinahuti.dll
c:\windows\system32\zorabopa.dll
c:\windows\system32\zupezika.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-17 20:26 . 2009-04-17 20:27 -------- d-----w c:\windows\ERUNT
2009-04-17 20:24 . 2009-04-17 21:56 -------- d-----w C:\SDFix
2009-04-15 07:28 . 2009-04-15 07:28 2713 --sh--w c:\windows\system32\nunemuzo.exe
2009-03-20 08:23 . 2009-03-20 08:23 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-19 09:31 . 2009-03-19 09:31 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 09:30 . 2009-03-19 09:30 -------- d-----w c:\documents and settings\Wayne\Application Data\SUPERAntiSpyware.com
2009-03-19 03:24 . 2009-03-19 03:24 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-03-19 02:23 . 2009-03-19 02:23 -------- d-----w c:\windows\aod
2009-03-19 02:02 . 2009-03-19 02:22 -------- d-----w c:\documents and settings\Administrator\.gimp-2.6
2009-03-19 02:02 . 2009-03-19 02:22 -------- d-----w c:\documents and settings\Administrator\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 22:12 . 2008-11-12 16:10 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-17 20:11 . 2009-04-17 20:11 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:14 . 2009-04-14 00:47 136 ----a-w C:\VundoFix.txt
2009-04-14 01:24 . 2009-01-14 01:24 47104 --sha-w c:\windows\system32\refurepo.exe
2009-04-13 08:35 . 2009-03-19 09:30 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-13 08:23 . 2009-01-13 08:23 47104 --sha-w c:\windows\system32\bazetefu.exe
2009-04-08 15:14 . 2005-09-18 08:41 -------- d-----w c:\program files\Inkscape
2009-03-20 11:11 . 2007-12-03 06:46 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 19:21 . 2009-02-21 04:48 -------- d-----w c:\program files\Process Explorer
2009-03-19 09:29 . 2009-03-19 09:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-19 04:25 . 2009-03-19 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy2
2009-03-05 15:20 . 2009-03-05 15:20 -------- d-----w c:\program files\Olltwit
2009-03-04 01:02 . 2007-01-12 18:38 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 08:43 . 2007-06-17 07:21 98816 --sha-w C:\Thumbs.db
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Clones Attack
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Match The Tiles Concentration
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Continental
2009-02-09 10:19 . 2008-03-19 09:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-10 17:51 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-07 15:06 . 2008-12-27 19:33 10520 ----a-w c:\windows\system32\avgrsstx.dll
2008-11-12 08:15 . 2005-06-10 02:58 267544 ----a-w c:\documents and settings\Wayne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-11-02 08:30 . 2006-11-03 01:47 194376 ----a-w c:\documents and settings\Wayne\Application Data\shb.dat
2006-08-12 08:14 . 2006-08-12 08:14 128 ----a-w c:\documents and settings\Wayne\Local Settings\Application Data\fusioncache.dat
2006-07-04 12:07 . 2006-07-04 12:03 2983 ----a-w c:\program files\install_wizard.log
2005-06-16 02:50 . 2005-06-16 02:50 6033 ----a-w c:\program files\uninstal.log
2007-06-18 05:14 . 2007-06-18 05:14 80 --sh--r c:\windows\system32\67130A3D49.dll
2009-01-13 08:24 . 2009-01-13 08:24 50688 --sha-w c:\windows\system32\kojuziko.dll.tmp
2009-01-13 08:22 . 2009-01-13 08:22 49152 --sha-w c:\windows\system32\pamumemo.dll.tmp
2009-01-13 08:24 . 2009-01-13 08:24 50688 --sha-w c:\windows\system32\pizuwozo.dll.tmp
2009-01-13 08:22 . 2009-01-13 08:22 49152 --sha-w c:\windows\system32\wavoriro.dll.tmp
2009-01-13 08:22 . 2009-01-13 08:22 49152 --sha-w c:\windows\system32\zuyavizu.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2006-07-11 311362]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"BellSouthAlertManager.exe"="c:\program files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 2061816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-15 113664]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-6-9 315392]
Scanner Detector.lnk - c:\program files\ScanSuite\SDetect.exe [2007-2-1 29184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 15:06 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\NetZero\\qs\\exec.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2001-08-17 10880]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-07 325128]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-13 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-07 298264]

.
- - - - ORPHANS REMOVED - - - -

BHO-{3d7a1a09-8c14-4d19-8307-ec9d261ca938} - c:\windows\system32\niniyifu.dll
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
FF - ProfilePath - c:\documents and settings\Wayne\Application Data\Mozilla\Firefox\Profiles\gs82h1qg.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 18:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3669232049-2875415384-651909778-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\sagikuli.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2009-04-18 18:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 00:34

Pre-Run: 19,078,602,752 bytes free
Post-Run: 18,997,997,568 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

205 --- E O F --- 2009-03-19 14:14


#5 BigWayne450

BigWayne450
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 17 April 2009 - 06:52 PM

And lastly a HijackThis report done immediately after ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:20 PM, on 4/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 17 April 2009 - 09:22 PM

Hello, please don't alter logs in any way.. No code/quote tags, no fancy fonts/colors, no bold/italic wording.. Just post it as it is.. It will be much easier on my eyes..



1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=219843&view=findpost&p=1227789

KillAll::

Collect::
c:\windows\system32\nunemuzo.exe
c:\windows\system32\refurepo.exe
c:\windows\system32\bazetefu.exe
c:\windows\system32\67130A3D49.dll
c:\windows\system32\kojuziko.dll.tmp
c:\windows\system32\pamumemo.dll.tmp
c:\windows\system32\pizuwozo.dll.tmp
c:\windows\system32\wavoriro.dll.tmp
c:\windows\system32\sagikuli.dll
c:\windows\system32\zuyavizu.dll.tmp

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]

RegNull::
[HKEY_USERS\S-1-5-21-3669232049-2875415384-651909778-1006\Software\Microsoft\SystemCertificates\AddressBook*]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: dragging CFScript.txt onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.
Note::
If ComboFix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site



#7 BigWayne450

BigWayne450
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 18 April 2009 - 01:13 AM

I uploaded the requested Qoobox ZIP file to the link noted above. I've noticed the pop-ups aren't hammering me so far since I've been online. Here is the requested 2nd ComboFix file:

ComboFix 09-04-18.01 - Wayne 04/18/2009 0:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.206 [GMT -6:00]
Running from: c:\new folder\ComboFix.exe
Command switches used :: c:\new folder\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\67130A3D49.dll
c:\windows\system32\bazetefu.exe
c:\windows\system32\kojuziko.dll.tmp
c:\windows\system32\nunemuzo.exe
c:\windows\system32\pamumemo.dll.tmp
c:\windows\system32\pizuwozo.dll.tmp
c:\windows\system32\refurepo.exe
c:\windows\system32\wavoriro.dll.tmp
c:\windows\system32\zuyavizu.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-17 20:26 . 2009-04-17 20:27 -------- d-----w c:\windows\ERUNT
2009-04-17 20:24 . 2009-04-17 21:56 -------- d-----w C:\SDFix
2009-03-20 08:23 . 2009-03-20 08:23 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-19 09:31 . 2009-03-19 09:31 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 09:30 . 2009-03-19 09:30 -------- d-----w c:\documents and settings\Wayne\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 01:32 . 2005-06-10 02:58 268328 ----a-w c:\documents and settings\Wayne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 22:12 . 2008-11-12 16:10 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-17 20:11 . 2009-04-17 20:11 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:14 . 2009-04-14 00:47 136 ----a-w C:\VundoFix.txt
2009-04-13 08:35 . 2009-03-19 09:30 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-08 15:14 . 2005-09-18 08:41 -------- d-----w c:\program files\Inkscape
2009-03-20 11:11 . 2007-12-03 06:46 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 19:21 . 2009-02-21 04:48 -------- d-----w c:\program files\Process Explorer
2009-03-19 09:29 . 2009-03-19 09:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-19 04:25 . 2009-03-19 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy2
2009-03-05 15:20 . 2009-03-05 15:20 -------- d-----w c:\program files\Olltwit
2009-03-04 01:02 . 2007-01-12 18:38 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 08:43 . 2007-06-17 07:21 98816 --sha-w C:\Thumbs.db
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Clones Attack
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Match The Tiles Concentration
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\Continental
2009-02-09 10:19 . 2008-03-19 09:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-10 17:51 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-07 15:06 . 2008-12-27 19:33 10520 ----a-w c:\windows\system32\avgrsstx.dll
2006-11-02 08:30 . 2006-11-03 01:47 194376 ----a-w c:\documents and settings\Wayne\Application Data\shb.dat
2006-08-12 08:14 . 2006-08-12 08:14 128 ----a-w c:\documents and settings\Wayne\Local Settings\Application Data\fusioncache.dat
2006-07-04 12:07 . 2006-07-04 12:03 2983 ----a-w c:\program files\install_wizard.log
2005-06-16 02:50 . 2005-06-16 02:50 6033 ----a-w c:\program files\uninstal.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2006-07-11 311362]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"BellSouthAlertManager.exe"="c:\program files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 2061816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-15 113664]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-6-9 315392]
Scanner Detector.lnk - c:\program files\ScanSuite\SDetect.exe [2007-2-1 29184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 15:06 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\NetZero\\qs\\exec.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2001-08-17 10880]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-07 325128]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-13 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-07 298264]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
FF - ProfilePath - c:\documents and settings\Wayne\Application Data\Mozilla\Firefox\Profiles\gs82h1qg.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 00:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3669232049-2875415384-651909778-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1288)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2009-04-18 0:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 06:49
ComboFix2.txt 2009-04-18 00:34

Pre-Run: 18,985,537,536 bytes free
Post-Run: 18,969,808,896 bytes free

159 --- E O F --- 2009-03-19 14:14

#8 BigWayne450 (Topic Starter, Members, 10 posts)

Posted 18 April 2009 - 01:16 AM

Thank you again fenzodahl512 for helping me with this. Here is the new HJThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:41 AM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1219176554031
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7020 bytes

#9 fenzodahl512 (Members, 6,738 posts)

Posted 18 April 2009 - 03:54 AM

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:

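The entries fenzodahl512 lists are the O2/O3 lines whose path reads "(no file)": a CLSID still registered as a BHO or toolbar although the DLL behind it is gone, which is what is typically left over once the malware binary itself has been deleted. The script below is an added example (not part of this thread, and not a HijackThis feature) that parses such lines out of a log and flags them; its sample input is copied from the HijackThis log posted in #8.

```python
"""Flag orphaned HijackThis O2 (BHO) and O3 (toolbar) entries.

Added example, not a tool from this thread or from Trend Micro.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O2 - BHO: <name> - {CLSID} - <path>     /     O3 - Toolbar: <name> - {CLSID} - <path>
HJT_LINE = re.compile(
    r"^(?P<kind>O[23]) - (?P<type>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)

# Constructed sample: the O2/O3 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)",
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll",
    r"O2 - BHO: Java(TM) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)",
    r"O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)",
    r"O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll",
    r"O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)",
    r"O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)",
    r"O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)",
    r"O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)",
])


@dataclass(frozen=True)
class Entry:
    kind: str    # "O2" (BHO) or "O3" (toolbar)
    name: str
    clsid: str   # upper-cased so the same CLSID compares equal across lines
    path: str
    line: str    # the raw log line, as it would be ticked in HijackThis

    @property
    def orphaned(self) -> bool:
        """CLSID is registered but HijackThis found no DLL behind it."""
        return self.path.strip().lower() == "(no file)"

    @property
    def file_missing(self) -> bool:
        """A path is recorded but the file itself is gone."""
        return self.path.strip().lower().endswith("(file missing)")


def parse_entries(log: str) -> list[Entry]:
    """Extract every O2/O3 line; other HijackThis sections are ignored."""
    entries: list[Entry] = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"].upper(), m["path"], raw.strip()))
    return entries


def orphaned_lines(log: str) -> list[str]:
    """Raw lines an analyst would tick before 'Fix checked'."""
    return [e.line for e in parse_entries(log) if e.orphaned]


def shared_clsids(entries: list[Entry]) -> set[str]:
    """CLSIDs registered both as a BHO (O2) and as a toolbar (O3)."""
    bhos = {e.clsid for e in entries if e.kind == "O2"}
    bars = {e.clsid for e in entries if e.kind == "O3"}
    return bhos & bars


def report(log: str) -> str:
    entries = parse_entries(log)
    out = [f"{len(entries)} O2/O3 entries parsed"]
    for e in entries:
        if e.orphaned:
            out.append(f"ORPHANED  {e.kind} {e.clsid} ({e.name})")
        elif e.file_missing:
            out.append(f"MISSING   {e.kind} {e.clsid} {e.path}")
    shared = shared_clsids(entries)
    if shared:
        out.append("Registered as both BHO and toolbar: " + ", ".join(sorted(shared)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the six ORPHANED lines are exactly the six entries fenzodahl512 asked to fix; the ZeroBar toolbar is reported separately as MISSING because it still points at a concrete path.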


#10 BigWayne450 (Topic Starter, Members, 10 posts)

Posted 18 April 2009 - 03:49 PM

I don't know if I might have messed up the last procedure or not. During the scan, near the end, I accidentally hit my mouse button while the cursor was on top of a link. It caused the scanner to stop and go to that other page. After having a friend kick me squarely in the a$$ for doing that, I immediately returned to the scan page and began a new scan, which found no threats at all. The thing I'm worried about is, right before I hit the button, the scan window indicated there were 6 threats it had found, mostly in the C:\System folder. That's the folder it was scanning when I checked to see how it was coming along, and there were no threats at all up to 5 minutes before the accident when I last checked its progress. I had the "Fix Threats" box checked.

Like I said, the scan I did right after my error showed no infections. Neither did a third scan I did after rebooting once more, just to see if rebooting might make something reappear. I don't know what type of files those 6 threats were because I never got a LOG.txt from the first scan since it never finished, but the scanner must have deleted those 6 files during the scan (I hope). I haven't seen any erratic behavior so far from my computer or browser, but it will probably be a while before I trust it enough to do any online banking and stuff. So far the only damage I've seen the virus has caused is that when a CD ejects from my CD/DVD/RW drive, I get the Bluescreen of Death and have to reboot. I'll check around in the Hardware Fix section for the remedy for that.

:thumbup2: If this works out fenzodahl512, I will dance at your next wedding!

Here is the LOG file you asked for. I'm assuming it is from the third scan.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4018 (20090418)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=676183f2588a7d46923c30a5fe14b51d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-18 08:38:29
# local_time=2009-04-18 02:38:29 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=321551
# found=0
# scan_time=4395

Edited by BigWayne450, 18 April 2009 - 04:01 PM.


#11 fenzodahl512 (Members, 6,738 posts)

Posted 18 April 2009 - 09:19 PM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512



#12 BigWayne450 (Topic Starter, Members, 10 posts)

Posted 19 April 2009 - 05:10 AM

I've been web surfing for a few hours now with no interruptions or strange occurrences. I believe you've fixed her up for me. I plan on returning to that scanner site and doing a full scan once more in a few days just to be sure. If I haven't said it enough already, I really do appreciate all of your work in helping me get my comp back on track.

I have another computer in my closet from a friend that is the same model as my current one (mine's the Home version, it's the Office version) that is eat up with viruses. My friend had identity theft because of it. Theeldergeek.com couldn't do anything for it and recommended a hard drive wipe. I may start another topic in the future and see if you guys can do anything for it.

You see stereotypical computer techs like on Saturday Night Live that are kind of smug and feel superior over the n00bs. Sometimes, like in my case here, I am humble enough to admit that they deserve to be a little smug. Thanks again, man! :thumbup2: I have nothing to repay your kindness except for the smiley below.

#13 fenzodahl512 (Members, 6,738 posts)

Posted 19 April 2009 - 05:43 AM

Thank you.. Love that smiley.. I saved it on my Desktop, and if I want to use it, I'll surely give the credit to you :thumbup2:


I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512
