Infected w/ Koobface and Vundo-Please Help/ Computer 1


  • This topic is locked
5 replies to this topic

#1 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:03:27 PM

Posted 17 April 2009 - 01:09 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/218274/badly-infected-with-winpc-defender-please-help/ ~ OB

Hello-- Thanks in advance for your time and help.

1.) In addition to my main question, which is listed below (#2), can you answer this for me? I have a clean computer and an infected computer. If I unplug my clean computer from my router, is it safe for me to plug my infected computer into my router/internet connection so I can download onto the infected computer, or can the infected computer actually transfer the virus to the router and subsequently to my clean computer when I unplug the infected computer from the router and re-plug the clean computer into the router?

2.) I have a computer that is heavily infected with multiple viruses including Koobface and Vundo. I have run all of the following scans (all updated with the most recent versions): DDS, MBAM, SAS, HJT. It appears that most of the infections have been removed, but I am hoping someone can take a look at the logs to make sure this system is clean. I had a lot of trouble just getting MBAM and HJT to install and update, so I want to make sure this system is totally clean. Thanks again in advance for your time and help.


DDS LOG:
DDS (Ver_09-03-16.01) - FAT32x86
Run by Chuck at 12:53:24.01 on Fri 04/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.118 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Chuck\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
mRun: [SystemTray] SysTray.Exe
mRun: [PRISMSVR.EXE] "c:\program files\u.s. robotics\wireless usb manager\PRISMSVR.EXE" /APPLY
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://ushousecall02.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-16 19:43 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-16 19:42 --d----- c:\program files\Avira
2009-04-16 19:42 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-16 18:35 --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-04-16 18:35 155,384 a------- c:\windows\system32\guard32.dll
2009-04-16 18:35 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-16 18:35 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-16 18:34 --d----- c:\program files\COMODO
2009-04-16 18:19 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-04-15 10:50 --d----- c:\documents and settings\chuck\DoctorWeb
2009-04-15 09:57 2,119,208 a------- c:\program files\mbam-rules.exe
2009-04-15 09:21 --d----- c:\docume~1\chuck\applic~1\Malwarebytes
2009-04-15 09:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-15 09:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 09:20 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-15 09:20 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-15 06:54 812,344 a------- c:\program files\HJTInstall.exe
2009-04-15 06:51 2,967,800 a------- c:\program files\mbam-setup.exe
2009-04-12 13:39 --d----- c:\program files\Secunia
2009-04-12 13:36 --d----- c:\program files\Quick StartUp
2009-04-12 13:25 --d----- c:\docume~1\chuck\applic~1\GlarySoft
2009-04-12 13:24 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-12 13:20 --d-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-12 13:17 --d----- c:\program files\Lavasoft
2009-04-12 13:13 --d----- c:\program files\Glary Utilities
2009-04-12 13:10 --d----- c:\program files\VS Revo Group
2009-04-12 13:00 --d----- c:\docume~1\chuck\applic~1\Eraser
2009-04-12 12:57 311,296 a------- c:\windows\system32\Eraser.dll
2009-04-12 12:57 86,016 a------- c:\windows\system32\Erasext.dll
2009-04-12 12:57 77,824 a------- c:\windows\system32\Eraserl.exe
2009-04-12 12:56 --d----- c:\program files\Eraser
2009-04-12 12:37 37,452,296 a------- c:\program files\Ad-AwareAE Setup.exe
2009-04-12 12:27 30,001,096 a------- c:\program files\Avira Antivirus Setup.exe
2009-04-12 12:25 5,645,984 a------- c:\program files\Glary Utilities Setup.exe
2009-04-12 12:22 1,053,744 a------- c:\program files\Revo Uninstaller Setup.exe
2009-04-12 12:19 1,418,282 a------- c:\program files\Quick Stratup Setup.exe
2009-04-12 12:18 7,068,856 a------- c:\program files\Eraser Setup.exe
2009-04-12 07:40 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-12 07:39 --d----- c:\program files\SUPERAntiSpyware
2009-04-12 07:39 --d----- c:\docume~1\chuck\applic~1\SUPERAntiSpyware.com
2009-04-12 07:38 --d----- c:\program files\common files\Wise Installation Wizard
2009-04-12 07:32 6,237,728 a------- c:\program files\SUPERAntiSpyware.exe
2009-04-11 07:28 --dsh--- C:\FOUND.000
2009-04-09 16:02 --d----- c:\program files\Eusing Free Registry Cleaner
2009-04-09 16:02 --d----- c:\program files\CCleaner
2009-04-09 15:24 949,286 a------- c:\program files\Eusing Free Registry Cleaner.exe
2009-04-09 15:23 3,190,688 a------- c:\program files\CCleaner Setup.exe
2009-04-08 14:48 --d----- c:\windows\system32\Service
2009-04-07 13:48 --d----- C:\Log
2009-04-07 13:48 --d----- c:\docume~1\chuck\applic~1\Trend Micro
2009-04-07 13:09 --d----- c:\program files\Trend Micro
2009-04-07 12:29 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-04-07 11:55 0 ----h--- c:\windows\f5087.dat
2009-04-06 16:09 0 a------- c:\windows\system32\nfr.mpref
2009-04-01 17:04 1 ----h--- c:\windows\f23567.dat
2009-04-01 17:03 0 a------- c:\windows\system32\nfr.gpref
2009-04-01 10:51 0 a------- c:\windows\system32\nfr.assembly
2009-03-31 15:10 --dsh--- C:\FOUND.010
2009-03-24 06:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys

==================== Find3M ====================

2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-29 13:51 69,076,264 a------- c:\program files\iTunesSetup.exe
2008-05-01 23:21 24,632 a------- c:\docume~1\chuck\applic~1\GDIPFONTCACHEV1.DAT
2006-07-25 15:11 271 ---sh--- c:\program files\desktop.ini
2006-07-25 15:11 23,357 ----h--- c:\program files\folder.htt
2006-08-03 13:38 952 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:54:24.24 ==========



HJT LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:59 PM, on 4/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/housec...ivex/hcImpl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 5213 bytes

MBAM INFECTED LOG:

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/15/2009 10:30:19 AM
mbam-log-2009-04-15 (10-30-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 30259
Time elapsed: 22 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: olepexp2.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\olepexp2.dll (Trojan.Vundo.H) -> Delete on reboot.


MBAM LOG- STILL INFECTED
Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/15/2009 4:15:31 PM
mbam-log-2009-04-15 (16-15-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94050
Time elapsed: 3 hour(s), 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msmark2.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2809f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2784f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2810f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2829f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2803f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.


MBAM LOG-CLEAN??
Malwarebytes' Anti-Malware 1.36
Database version: 1993
Windows 5.1.2600 Service Pack 2

4/17/2009 11:54:56 AM
mbam-log-2009-04-17 (11-54-56).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 95517
Time elapsed: 2 hour(s), 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SAS LOG- INFECTED

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 09:44 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 01:53:13

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 4424
Registry threats detected : 11
File items scanned : 28731
File threats detected : 12

Rogue.WinPCDefender
[sysav] C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run#sysav [ C:\Documents and Settings\Chuck\Application Data\pcdefender.exe ]
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\WinPC Defender
C:\Documents and Settings\Chuck\Desktop\WinPC Defender.LNK
C:\Documents and Settings\Chuck\Start Menu\WinPC Defender.LNK
C:\WINDOWS\Prefetch\PCDEFENDER.EXE-3AA987C3.pf

Trojan.Unknown Origin
[dll] C:\WINDOWS\SYSTEM32\DLL32.DLL
C:\WINDOWS\SYSTEM32\DLL32.DLL
HKLM\System\ControlSet001\Services\bc3575346bc2283f02eb4f01da938956
C:\WINDOWS\SYSTEM32\BC3575346BC2283F02EB4F01DA938956.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Control Panel\don't load#wscui.cpl [ No ]

Trojan.WinBo32
C:\WINDOWS\SYSTEM32\COMBOPLUSCTL.OCX

Adware.Vumer
C:\WINDOWS\SYSTEM32\MUKMIL.DLL

Adware.Vundo/Variant-BHONew
C:\WINDOWS\IEOCX.DLL

Trojan.Dropper/Win-NV
C:\WINDOWS\LD03.EXE
C:\WINDOWS\FREDDY40.EXE

Trojan.Agent/Gen-Dropper
C:\WINDOWS\MSTRE15.EXE


SAS LOG-STILL INFECTED

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2009 at 10:48 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 02:18:23

Memory items scanned : 504
Memory threats detected : 1
Registry items scanned : 4439
Registry threats detected : 1
File items scanned : 29006
File threats detected : 2

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\FDFEABECDAF.DLL
C:\WINDOWS\SYSTEM32\FDFEABECDAF.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fdfeabecdaf
C:\SYSTEM VOLUME INFORMATION\_RESTORE{50F3625E-B1B4-43B7-AD49-6B7C5D4138F4}\RP166\A0085231.DLL


SAS LOG-CLEAN??
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/17/2009 at 12:49 PM

Application Version : 4.26.1000

Core Rules Database Version : 3849
Trace Rules Database Version: 1803

Scan type : Complete Scan
Total Scan Time : 03:18:55

Memory items scanned : 439
Memory threats detected : 0
Registry items scanned : 4401
Registry threats detected : 0
File items scanned : 30020
File threats detected : 0

THANKS MUCH FOR YOUR TIME AND HELP!!

Edited by Orange Blossom, 17 April 2009 - 01:39 PM.

"DO OR DO NOT. THERE IS NO TRY."
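The logs above are the evidence a helper reads before calling a machine clean, and two checks are easy to automate: which MBAM detections were not actually removed at scan time (the first log ends with `Delete on reboot`, which is why the later scan is the real confirmation), and which HijackThis entries still deserve a question. The following Python script is an added example written for this thread; it is not part of the original post and is not code from Malwarebytes, Trend Micro or BleepingComputer. The sample input is constructed from excerpts of the logs posted above, and the review rules in `review_hjt` are the editor's own heuristics, not anything HijackThis itself reports.

```python
"""Triage helper for MBAM and HijackThis log excerpts (added example)."""
import re

# Constructed sample: excerpts of the first MBAM log posted in this thread.
MBAM_LOG = """\
Registry Keys Infected: 3
Registry Data Items Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Notification Packages (Trojan.Vundo.H) -> Data: olepexp2.dll -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\olepexp2.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# Constructed sample: a few HijackThis lines from the log posted above.
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O16 - DPF: Win32 Classes -",
]

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return (summary counts, findings per section) from an MBAM log."""
    counts, findings, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY.match(line):          # "Files Infected: 1"
            counts[m["section"]] = int(m["n"])
            continue
        if m := HEADER.match(line):           # "Files Infected:" opens a section
            section = m["section"]
            findings.setdefault(section, [])
            continue
        if section and (m := ITEM.match(line)):
            findings[section].append(
                {"item": m["item"], "family": m["family"], "action": m["action"]})
    return counts, findings


def unresolved(findings):
    """Detections whose logged action is not a completed removal."""
    return [(f["item"], f["action"])
            for items in findings.values() for f in items
            if not f["action"].endswith("Quarantined and deleted successfully")]


def count_mismatches(counts, findings):
    """Sections where the summary count disagrees with the listed items (truncated paste?)."""
    return {s: (n, len(findings.get(s, [])))
            for s, n in counts.items() if n != len(findings.get(s, []))}


LOCAL_HOSTS = ("localhost", "127.0.0.1")


def review_hjt(lines):
    """Return (line, reason) for HijackThis entries a helper would ask about.
    These rules are the editor's own heuristics, not HijackThis output."""
    flagged = []
    for line in lines:
        if line.startswith("R1 - ") and "ProxyServer" in line:
            target = line.split("=", 1)[1].strip()          # e.g. "http=localhost:7171"
            host = target.split("=")[-1].split(":")[0]
            if host in LOCAL_HOSTS:
                flagged.append((line, "browser traffic proxied through a local port; "
                                      "confirm which program listens there"))
        elif line.startswith("O10 - ") and "Unknown file" in line:
            flagged.append((line, "Winsock LSP not recognised by HijackThis; verify the file"))
        elif line.startswith("O16 - ") and line.rstrip().endswith("-"):
            flagged.append((line, "ActiveX download entry with no backing file; stale entry"))
    return flagged


if __name__ == "__main__":
    counts, findings = parse_mbam(MBAM_LOG)
    print("summary/listing mismatches:", count_mismatches(counts, findings))
    for item, action in unresolved(findings):
        print("NOT YET REMOVED:", item, "->", action)
    for line, reason in review_hjt(HJT_LINES):
        print("REVIEW:", reason, "\n   ", line)
```

Run against the first MBAM log the script reports `C:\WINDOWS\olepexp2.dll` as not yet removed, and the HijackThis rules flag the `localhost:7171` proxy, the unknown LSP file and the empty `O16` entry. Note that the DDS log dated 4/17, posted after the "clean" MBAM scan, still shows the same `ProxyServer = http=localhost:7171` setting, so the proxy check is the kind of item a helper would still want explained before closing the topic.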


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:27 PM

Posted 02 May 2009 - 04:02 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply, or simply post a HijackThis log.

Thanks again, and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:27 PM

Posted 05 May 2009 - 03:37 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:27 PM

Posted 05 May 2009 - 03:42 PM

Hello again.

Just to add.

I believe this is another computer that you have, apart from the computer that I am currently helping you with?

Anyways, if you don't reply within 2 days I'll "expect" it's resolved/inactive and close the topic.

Thanks for understanding.

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Johnny Computer

Johnny Computer
  • Topic Starter

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:03:27 PM

Posted 05 May 2009 - 07:18 PM

Hello EB-- I am sorry for all the confusion with these multiple posts. I was able to solve this problem on my own, so please close the topic. Sorry again for the confusion with the multiple posts. I should now have only one topic open with you, which I will respond to now. Thanks again for your help, EB.

"DO OR DO NOT. THERE IS NO TRY."


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:27 PM

Posted 07 May 2009 - 02:48 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
