Persistent Google redirect, worm infection


  • This topic is locked
15 replies to this topic

#1 Correnon

Correnon

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 07 May 2009 - 01:51 PM

I've run MalwareBytes several times in succession, rebooting each time, and still seem to have a downloader somewhere. C:\WINDOWS\Temp\nsrbgxod.bak and C:\WINDOWS\Temp\msb.dll show up in almost every scan. Running MalwareBytes, rebooting, and rerunning it while disconnected from the internet seems to work at first, but then things come back when I reconnect. Here are the most recent DDS and Malwarebytes logs. Thanks!

DDS

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tyler at 14:30:44.32 on Thu 05/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.455 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mdnsresponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\TEMP\BYD733.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\cfsserv.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tyler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wikipedia.org/
uSearch Bar = hxxp://www.toshiba.com/search
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [WinFlyer32.dll] "rundll32.exe" c:\windows\system32\WinFlyer32.dll,Run
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [DLADiag] c:\windows\DLADiag.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
dRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
dRun: [<NO NAME>] c:\windows\temp\qa0dd4c.exe
dRun: [Windows Resurections] c:\windows\temp\qhuwni6w.exe
dRun: [Diagnostic Manager] c:\windows\temp\3747054248.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\qa0dd4c.exe
dRun: [SYS32DLL] SYS32DLL
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: urqpOiFv - urqpOiFv.dll
AppInit_DLLs: gow.dll ,
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPfGYS
LSA: Notification Packages = cli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\sv66wjfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wikipedia.org/
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-21 64160]
R1 DLADiagN;DLADiagN;c:\windows\system32\drivers\DLADiagN.SYS [2007-8-18 10908]
R1 DLAPMonN;DLAPMonN;c:\windows\system32\drivers\DLAPMonN.SYS [2007-8-18 22812]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2008-11-26 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2008-11-26 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2008-8-3 12288]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-1-21 652552]
S2 gupdate1c98cb869f1c736;Google Update Service (gupdate1c98cb869f1c736);c:\program files\google\update\GoogleUpdate.exe [2009-2-11 133104]

=============== Created Last 30 ================

2009-05-07 12:06 202 a------- C:\43214354.bat
2009-05-06 14:11 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-04-30 16:30 <DIR> --d-h--- c:\windows\PIF
2009-04-30 15:03 10,752 a------- c:\windows\DCEBoot.exe
2009-04-30 14:19 14,420 a------- c:\windows\cfgall.ini
2009-04-30 14:19 <DIR> --d----- C:\TMQuarantine
2009-04-30 13:02 142,992 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-30 13:02 <DIR> --d----- c:\windows\system32\log
2009-04-30 13:00 21 a------- C:\tmuninst.ini
2009-04-25 20:19 <DIR> --d----- c:\program files\WinSCP
2009-04-18 17:22 <DIR> --d----- C:\WTH
2009-04-15 20:21 155 a------- c:\windows\system32\SelfDel.bat
2009-04-08 15:39 19,468 a------- C:\KQ5SG.013
2009-04-07 22:45 20,171 a------- C:\KQ5SG.012
2009-04-07 22:37 20,794 a------- C:\KQ5SG.011
2009-04-07 22:33 20,479 a------- C:\KQ5SG.010
2009-04-07 22:13 18,525 a------- C:\KQ5SG.009
2009-04-07 22:08 18,322 a------- C:\KQ5SG.008
2009-04-07 21:44 19,030 a------- C:\KQ5SG.007
2009-04-07 21:36 19,566 a------- C:\KQ5SG.006
2009-04-07 21:12 19,014 a------- C:\KQ5SG.005
2009-04-07 21:10 19,829 a------- C:\KQ5SG.004
2009-04-07 20:02 17,382 a------- C:\KQ5SG.003
2009-04-07 19:58 18,822 a------- C:\KQ5SG.002
2009-04-07 19:46 17,137 a------- C:\KQ5SG.001
2009-04-07 18:56 114 a------- C:\KQ5SG.DIR
2009-04-07 18:56 19,546 a------- C:\KQ5SG.000
2009-04-07 18:53 <DIR> --d----- C:\KQ
2009-04-07 18:28 <DIR> --d----- C:\SIERRA

==================== Find3M ====================

2009-04-22 09:11 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-22 09:10 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 14:03 76,688 a------- c:\windows\system32\drivers\tmtdi.sys
2009-02-20 15:36 139,776 a--sh--- c:\windows\system32\yzirip.dll
2009-02-20 15:36 139,776 a--sh--- c:\windows\system32\bowuridi.dll
2009-02-19 22:31 1,608,722 ---sh--- c:\windows\system32\abapewoz.tmp
2009-02-03 19:34 81,856 a------- c:\docume~1\tyler\applic~1\GDIPFONTCACHEV1.DAT
2007-04-04 03:36 1,280,632 a--sh--- c:\windows\system32\svvwa.bak1
2007-04-08 18:06 1,251,728 a--sh--- c:\windows\system32\svvwa.bak2
2007-04-08 18:54 1,248,236 a--sh--- c:\windows\system32\svvwa.ini2
2009-01-22 08:07 56,317 a--sh--- c:\windows\system32\SYGfPXyb.ini2

============= FINISH: 14:31:06.28 ===============


Malwarebytes

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 2

5/7/2009 1:20:36 PM
mbam-log-2009-05-07 (13-20-36).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 200458
Time elapsed: 34 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Tyler\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NOEMO10\nfr[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SUIR5JLF\6244[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.


#2 Correnon

Correnon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 12 May 2009 - 08:03 AM

After a while, Ad-Aware kicked in and found something. I ran Malwarebytes again, and now it's finding nothing, but Ad-Aware is still finding C:\WINDOWS\system32\ovfsthtumddfpxlihohlankvivvxenjmjuqrhc.dll and calling it a Win32TrojanTDSS (I can't seem to find logs for Ad-Aware).

Malwarebytes can't seem to find it, nor does it appear in the folder when I look there (hidden files visible), and it apparently won't go away. Suggestions?

Help would be appreciated!

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 14 May 2009 - 02:42 PM

Hello Correnon,

Sorry for the delay, we have many logs backed up.

Is this a business, work or corporate computer?

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 14 May 2009 - 02:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Correnon

Correnon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 19 May 2009 - 11:33 PM

Thank you for responding!

This is a personal home computer. Also, the problems are apparently back again, though whether it is the same exact virus or not I am unsure. Here's Security Check and the most recent Malwarebytes log; the two "delete on reboot" files keep coming back, again:

Security Check


Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 5
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Malwarebytes' Anti-Malware mbam.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 23 seconds.
`````````End of Log```````````





Malwarebytes

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 2

5/20/2009 12:16:27 AM
mbam-log-2009-05-20 (00-16-27).txt

Scan type: Quick Scan
Objects scanned: 94274
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uidenhiufgsduiazghs (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\Tyler\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\n4oxm7m.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\glsetup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sfsdfdf.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
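As an added example (not part of this thread or of any of the tools named in it): a small Python parser for the Malwarebytes 1.x log format quoted above. It lists the items Malwarebytes deferred to "Delete on reboot" and the items that recur between the 7 May and 20 May scans, matched by path rather than by family name, since the label for the same file changed between database versions. The two log excerpts are constructed from entries quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed excerpts of the two Malwarebytes logs quoted in this thread
# (7 May and 20 May 2009 scans); only a handful of entries are kept.
LOG_07_MAY = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2085

Memory Modules Infected: 1
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

LOG_20_MAY = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2156

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uidenhiufgsduiazghs (Trojan.Ertfor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\n4oxm7m.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\glsetup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<path or registry value> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry value
    family: str    # signature name, which can change between database versions
    action: str    # what Malwarebytes did with it


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line of a Malwarebytes 1.x log, tagged with its section."""
    section: Optional[str] = None
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):       # "Files Infected:" opens a section
            section = line[:-1]
            continue
        # Skip the summary block (before any section) and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["family"], m["action"]))
    return found


def pending_reboot(dets: Iterable[Detection]) -> List[str]:
    """Items Malwarebytes could not remove live (e.g. a loaded DLL) and deferred to the next boot."""
    return sorted({d.item for d in dets if d.action.lower().startswith("delete on reboot")})


def recurring_items(earlier: Iterable[Detection], later: Iterable[Detection]) -> List[str]:
    """Items present in both scans, matched by path (case-insensitive), not by family name.

    A file that is "Delete on reboot" in one scan and back in the next means the
    removal is not sticking: something else on the system is restoring it."""
    seen = {d.item.lower() for d in earlier}
    return sorted({d.item for d in later if d.item.lower() in seen}, key=str.lower)


if __name__ == "__main__":
    first, second = parse_mbam_log(LOG_07_MAY), parse_mbam_log(LOG_20_MAY)
    print("Deferred to reboot on 7 May:", pending_reboot(first))
    print("Still present on 20 May:", recurring_items(first, second))
```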

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 20 May 2009 - 12:17 AM

Hi Correnon,


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 4
    Java™ 6 Update 5
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
******************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Trend Micro OfficeScan Antivirus and Ad-Watch before running ComboFix, as they will prevent it from running.

You will have to ask your company or IT dept how you disable Trend Micro OfficeScan.
If you can't disable it, then uninstall it.

Disable Ad-Watch to make sure it won't interfere fixing.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 20 May 2009 - 12:19 AM.


#6 Correnon

Correnon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 20 May 2009 - 08:21 PM

I've removed Viewpoint, updated Java, and run ComboFix. Thanks for the help!

Here's the log:


Combofix

ComboFix 09-05-20.09 - Tyler 05/20/2009 20:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.623 [GMT -4:00]
Running from: c:\documents and settings\Tyler\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {C2D3D306-34D8-434F-9D24-31AB923D6089}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\mbols~1
c:\windows\system32\abapewoz.ini
c:\windows\system32\agimifik.ini
c:\windows\system32\ahawekum.ini
c:\windows\system32\akajawoy.ini
c:\windows\system32\akarenit.ini
c:\windows\system32\akutihuy.ini
c:\windows\system32\apahiyik.ini
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\asugezek.ini
c:\windows\system32\aviromeb.ini
c:\windows\system32\ayilaweg.ini
c:\windows\system32\ayugayoh.ini
c:\windows\system32\azelujuw.ini
c:\windows\system32\bowuridi.dll
c:\windows\system32\drivers\ovfsthrxbkikokuseaterpitjbkakjmhvfioug.sys
c:\windows\system32\edutiguw.ini
c:\windows\system32\ejegipos.ini
c:\windows\system32\emomubon.ini
c:\windows\system32\epikurul.ini
c:\windows\system32\ewizipog.ini
c:\windows\system32\ewunuzof.ini
c:\windows\system32\ezasudiy.ini
c:\windows\system32\ibatewiv.ini
c:\windows\system32\igategok.ini
c:\windows\system32\igopofuh.ini
c:\windows\system32\ijaparav.ini
c:\windows\system32\itawuwub.ini
c:\windows\system32\kerwaapf.ini
c:\windows\system32\nscbndck.ini
c:\windows\system32\obebasos.ini
c:\windows\system32\ogayonoz.ini
c:\windows\system32\otimepus.ini
c:\windows\system32\ovfsthhuwcoxwirpsrrovhkoaiavlnrdyapxtk.dat
c:\windows\system32\ovfsthptqfsgfwfnfelauxegipmcqxsrgkgbla.dll
c:\windows\system32\ovfsthtpqlkmvrqupnpvqlckldwmnxhusidvut.dat
c:\windows\system32\ovfsthtumddfpxlihohlankvivvxenjmjuqrhc.dll
c:\windows\system32\ovfsthysbbjoqguhqnfnxxfjjevevlskfnosmk.dll
c:\windows\system32\oyekogin.ini
c:\windows\system32\qplekucc.ini
c:\windows\system32\svvwa.bak1
c:\windows\system32\svvwa.bak2
c:\windows\system32\svvwa.ini
c:\windows\system32\svvwa.ini2
c:\windows\system32\svvwa.tmp
c:\windows\system32\SYGfPXyb.ini
c:\windows\system32\SYGfPXyb.ini2
c:\windows\system32\ubevobak.ini
c:\windows\system32\ugefilah.ini
c:\windows\system32\ugepudav.ini
c:\windows\system32\ujofogey.ini
c:\windows\system32\umefomul.ini
c:\windows\system32\upokovir.ini
c:\windows\system32\upotoriy.ini
c:\windows\system32\uwedidam.ini
c:\windows\system32\wefukpdk.ini
c:\windows\system32\yzirip.dll
c:\windows\Tasks\tzqdzgut.job
c:\windows\Temp\1696951126.exe
c:\windows\Temp\1809607376.exe
c:\windows\Temp\2401983830.exe
c:\windows\Temp\2977474390.exe
c:\windows\Temp\3090130640.exe
c:\windows\Temp\3682507094.exe
c:\windows\Temp\3976256198.exe
c:\windows\Temp\3982506198.exe
c:\windows\Temp\415802862.exe
c:\windows\Temp\417834112.exe
c:\windows\Temp\4182662448.exe
c:\windows\Temp\4257997654.exe
c:\windows\Temp\529396612.exe
c:\windows\Temp\668063062.exe
c:\windows\Temp\75686608.exe
c:\windows\TEMP\TH57DD.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthtudtkiobwnfxuhuiytqxdrtllwtmneef
-------\Legacy_ASHEVTSVC
-------\Service_AshEvtSvc


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 00:23 . 2009-05-21 00:22 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-21 00:22 . 2009-05-21 00:22 -------- d-----w c:\program files\Java
2009-05-20 23:58 . 2009-05-21 00:01 -------- d-----w c:\documents and settings\Tyler\.SunDownloadManager
2009-05-20 19:18 . 2009-05-20 19:18 32768 ----a-w c:\windows\system32\service-466.exe
2009-05-07 16:06 . 2009-05-07 16:06 202 ----a-w C:\43214354.bat
2009-04-30 20:30 . 2009-04-30 20:30 -------- d--h--w c:\windows\PIF
2009-04-30 19:03 . 2009-05-15 08:04 10752 ----a-w c:\windows\DCEBoot.exe
2009-04-30 18:19 . 2009-05-15 08:05 -------- d-----w C:\TMQuarantine
2009-04-30 17:02 . 2009-03-27 18:04 142992 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-30 17:02 . 2009-04-30 17:02 -------- d-----w c:\windows\system32\log
2009-04-26 08:16 . 2009-04-26 08:16 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-26 01:53 . 2009-04-26 01:53 -------- d-----w c:\program files\Adobe Media Player
2009-04-26 01:48 . 2009-04-26 01:48 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-26 01:32 . 2009-04-26 01:35 -------- d-----w c:\documents and settings\Tyler\Application Data\Download Manager
2009-04-26 00:19 . 2009-04-26 00:19 -------- d-----w c:\program files\WinSCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 22:16 . 2006-03-02 22:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 22:16 . 2008-07-07 05:21 486 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-05-16 04:25 . 2006-03-03 19:10 -------- d-----w c:\program files\Google
2009-05-14 20:33 . 2006-09-02 05:17 -------- d-----w c:\program files\Azureus
2009-04-30 17:01 . 2007-08-14 18:03 -------- d-----w c:\program files\Trend Micro
2009-04-30 17:01 . 2006-08-22 20:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-30 17:01 . 2006-08-22 20:31 -------- d-----w c:\program files\Symantec
2009-04-29 03:48 . 2006-03-02 23:38 -------- d-----w c:\program files\Common Files\Adobe
2009-04-25 16:41 . 2009-02-20 19:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 01:47 . 2009-04-16 00:21 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-22 13:11 . 2009-01-21 22:17 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-22 13:10 . 2009-01-21 14:11 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-08 20:06 . 2006-08-31 21:19 -------- d-----w c:\program files\DOSBox-0.65
2009-04-06 19:32 . 2009-02-20 19:42 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-20 19:42 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 18:03 . 2009-03-27 18:03 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-16 18:18 . 2009-05-16 22:03 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 18:18 . 2009-05-16 22:03 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 18:18 . 2009-05-16 22:03 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 18:18 . 2009-05-16 22:03 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 19:27 . 2009-05-16 22:03 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 19:27 . 2009-05-16 22:03 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 19:27 . 2009-05-16 22:03 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-02-20 02:31 . 2009-02-20 02:31 1608722 --sh--w c:\windows\system32\abapewoz.tmp
2008-04-25 18:32 . 2008-04-25 18:32 5817064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 1589248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"DLADiag"="c:\windows\DLADiag.EXE" [2005-08-25 57403]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-22 516440]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-03-27 718120]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-06 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-12-29 61952]
"NDSTray.exe"="NDSTray.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-3-2 329472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-3-2 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Tyler\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Emulators\\NESTCL95.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\3DO\\Heroes of Might and Magic 3\\heroes3_31_crk.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\3DO\\Heroes of Might and Magic 3\\Heroes3.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\Hpqdirec.exe"=
"c:\\Program Files\\HP\\Product Assistant\\bin\\hprbui.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\MDL CrossFire Commander 7.0\\xfdlink.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21264:TCP"= 21264:TCP:Trend Micro OfficeScan Listener

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2009 10:11 AM 64160]
R1 DLADiagN;DLADiagN;c:\windows\system32\drivers\DLADiagN.SYS [8/18/2007 2:04 PM 10908]
R1 DLAPMonN;DLAPMonN;c:\windows\system32\drivers\DLAPMonN.SYS [8/18/2007 2:04 PM 22812]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 953168]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [11/26/2008 6:42 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [11/26/2008 6:42 PM 36368]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [8/3/2008 11:05 AM 12288]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [1/21/2009 1:25 PM 652552]
S2 gupdate1c98cb869f1c736;Google Update Service (gupdate1c98cb869f1c736);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2009 10:20 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:10]

2009-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 03:08]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 02:19]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\4182662448.exe
Notify-urqpOiFv - urqpOiFv.dll
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://wikipedia.org/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\sv66wjfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wikipedia.org/
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 20:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\Temp\JQ1874.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-05-21 21:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 01:00

Pre-Run: 17,847,967,744 bytes free
Post-Run: 18,804,903,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

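The firewall AuthorizedApplications list in the ComboFix report above is worth reading with a critical eye: alongside ordinary programs it whitelists `%windir%\system32\drivers\svchost.exe` (on XP the genuine svchost.exe lives in system32, not in the drivers folder), an executable sitting at the root of C:, and a game executable whose name marks it as a crack. The Python script below is an added example, not part of this thread and not ComboFix code; it parses that section of a ComboFix report and flags entries of those kinds. Its sample input is a handful of lines copied from the report above, and the table of "expected home" directories is an assumption that covers only a few core XP binaries.

```python
"""Flag odd entries in a Windows Firewall AuthorizedApplications list
as exported in a ComboFix report.  Added example for this thread; it is
not ComboFix code, and the sample lines below are copied from the
report above (the registry key header is included as context)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the AuthorizedApplications\List section above.
SAMPLE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\3DO\\Heroes of Might and Magic 3\\heroes3_31_crk.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
'''

# Assumption: where the genuine copies of a few core XP binaries live.
# A file carrying one of these names anywhere else deserves a closer look.
EXPECTED_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*(?P<value>.*)$')
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")      # e.g. c:\something.exe
CRACK_RE = re.compile(r"crk|crack|keygen", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str


def normalize(raw: str, windir: str = r"c:\windows") -> str:
    """Undo the export's doubled backslashes, lower-case, expand %windir%."""
    path = raw.replace("\\\\", "\\").lower()
    return path.replace("%windir%", windir.lower())


def check_entry(path: str) -> List[str]:
    """Return the reasons (possibly none) a normalized path looks suspicious."""
    reasons = []
    parent, _, name = path.rpartition("\\")
    home = EXPECTED_HOME.get(name)
    if home and parent != home:
        reasons.append(f"{name} outside its normal location {home}")
    if DRIVE_ROOT_RE.match(path):
        reasons.append("executable sitting at the root of the drive")
    if "\\temp\\" in path:
        reasons.append("executable running from a Temp directory")
    if CRACK_RE.search(name):
        reasons.append("file name suggests a crack or keygen")
    return reasons


def audit_authorized_apps(report_text: str) -> List[Finding]:
    """Parse every "path"= line and collect findings for the suspicious ones."""
    findings = []
    for line in report_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = normalize(m.group("path"))
        findings.extend(Finding(path, why) for why in check_entry(path))
    return findings


if __name__ == "__main__":
    for f in audit_authorized_apps(SAMPLE):
        print(f"{f.path}\n    -> {f.reason}")
```

Run against the sample it reports three entries: the drive-root StubInstaller.exe, the crack executable, and the svchost.exe copy under drivers. Whitelisted entries that pass the checks are not proof of anything; the point is only to surface the ones a helper would want to look at first.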

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 20 May 2009 - 10:06 PM

Hi Correnon,

I see suspicious files we need to check.


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page:
    • C:\43214354.bat
    • c:\windows\system32\SelfDel.bat
    • c:\windows\DCEBoot.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Correnon

Correnon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 22 May 2009 - 08:43 PM

For some reason I don't think the "Copy to Clipboard" button is working for me, but here are the results and information for each file:

File Name : 43214354.bat
File Size : 202 byte
File Type : ISO-8859 text
MD5 : d263c401708b8d426f22b3e4762513a6
SHA1 : 508cb80d9433812a076a6be579810f62e4169560
Scanner results
Scanner results : All Scanners reported not find malware!


File Name : DCEBoot.exe
File Size : 10752 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 086e69ac3cac881a07942ae7e07c45d0
SHA1 : 141b26e5b77d3fbccd7515d8511d2108a48d1304
Scanner results
Scanner results : All Scanners reported not find malware!


For some reason SelfDel.bat keeps on giving me different file name results with different results as malware, including scrt621-tbe.exe, SYSTEMRESTORE.EXE, GQQ.exe, and more. Some have no reported malware, for others up to 37% of the scanners reported malware. The url is here if it helps, but refreshing the page alone seems to change the result for me.

Also, Trend and Malwarebytes are occasionally still finding things, often what looks like malware files altered or quarantined by ComboFix. Should I let them do this?
(I don't believe I have done anything or gone to any sites that would risk new infection since my last post.)

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 22 May 2009 - 09:32 PM

Hi,

often what looks like malware files altered or quarantined by ComboFix. Should I let them do this?



No. You should not be running Malwarebytes until we are done.

We will take care of those things your AV and Malwarebytes are finding when we finish.



Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

#10 Correnon

Correnon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 23 May 2009 - 02:39 AM

Here you go. Thank you for being so helpful and patient, SifuMike!

Kaspersky Scan Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 23, 2009 06:29:17
Records in database: 2223230
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
E:\

Scan statistics:
Files scanned: 101469
Threat name: 21
Infected objects: 93
Suspicious objects: 0
Duration of the scan: 02:38:26


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09380000.VBN Infected: Trojan.Win32.Monder.aort 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A000000.VBN Infected: Trojan.Win32.Agent.bpgp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200001.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200002.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240000.VBN Infected: Trojan.Win32.Monder.asxw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240001.VBN Infected: Trojan.Win32.Monder.awgj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240002.VBN Infected: Trojan.Win32.Monder.asxx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240003.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240005.VBN Infected: Trojan.Win32.Monder.asxw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240006.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240007.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240008.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240009.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A24000A.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A24000B.VBN Infected: Trojan.Win32.Monder.asxw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A4C0000.VBN Infected: Trojan.Win32.Monder.aort 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A4C0001.VBN Infected: Trojan.Win32.Monder.aort 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD80000.VBN Infected: Trojan.Win32.Antavmu.ao 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD80001.VBN Infected: Trojan.Win32.Agent.bwvn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B000001.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B000002.VBN Infected: Trojan.Win32.Monder.beem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B000003.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B000005.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D300000.VBN Infected: Trojan.Win32.Monder.awgj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D780001.VBN Infected: not-a-virus:AdWare.Win32.BannerMod.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00000.VBN Infected: Trojan.Win32.Monder.beem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00001.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00002.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00005.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00008.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC0000A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC0000D.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC0000E.VBN Infected: Trojan.Win32.Monder.avqj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC0000F.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00010.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00011.VBN Infected: Trojan.Win32.Monder.avud 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00012.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00013.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0000.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0001.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0002.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0003.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0004.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0005.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0006.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0007.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0008.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC0009.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC000A.VBN Infected: Trojan.Win32.Monder.asxw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DDC000B.VBN Infected: Trojan.Win32.Monder.asxw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180000.VBN Infected: Trojan.Win32.Monder.aort 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180001.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180002.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180003.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180004.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180006.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180007.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180008.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180009.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E18000A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E18000B.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E18000C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E18000E.VBN Infected: Backdoor.Win32.Hupigon.gmta 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E18000F.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180011.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180012.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180013.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180014.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80002.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80003.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80004.VBN Infected: Trojan.Win32.Monder.beem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80005.VBN Infected: Trojan.Win32.Monder.beem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80006.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C80007.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C8000A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17C8000B.VBN Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bowuridi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthysbbjoqguhqnfnxxfjjevevlskfnosmk.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yzirip.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3976256198.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3982506198.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\4182662448.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\TMQuarantine\protect_ba0.VIR Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-1087668310.exe Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\TMQuarantine\TYLER-M-WOLF-1879176296.exe Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\TMQuarantine\TYLER-M-WOLF-2625840532.exe Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\TMQuarantine\TYLER-M-WOLF-autochk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-ChkDisk.VIR Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-protect.VI0 Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\TMQuarantine\TYLER-M-WOLF-protect.VIR Infected: Trojan-Spy.Win32.Agent.amjg 1

The selected area was scanned.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 23 May 2009 - 09:25 AM

Hi Correnon,

Looks good. :thumbup2: No stragglers. Everything it found was previously quarantined by the antivirus or ComboFix.

How is the computer running?

We still have to do program cleanup.
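SifuMike's "no stragglers" verdict comes from reading every path in the Kaspersky report and noticing that each one sits inside a quarantine store: Symantec's Quarantine folder of .VBN files, ComboFix's C:\Qoobox\Quarantine, or Trend Micro's C:\TMQuarantine. The Python script below is an added example, not code from this thread or from Kaspersky; it automates that check by parsing the report's "path Infected: threat count" lines, splitting hits into quarantined versus live, and summarising the malware families seen. The sample report is six lines copied from the report above plus one constructed line (`C:\WINDOWS\Temp\example_live.exe`, not in the real report) so that a non-quarantined hit is exercised; the quarantine patterns are an assumption covering only the three products that appear in this thread.

```python
"""Sort Kaspersky Online Scanner 7 detections into quarantined versus live.
Added example for this thread, not Kaspersky code.  The sample report is
six lines copied from the report above plus one constructed line."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# The last detection line is constructed (it is NOT in the real report)
# so that the "live hit" branch is exercised.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09380000.VBN Infected: Trojan.Win32.Monder.aort 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240003.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthysbbjoqguhqnfnxxfjjevevlskfnosmk.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\4182662448.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\TMQuarantine\TYLER-M-WOLF-protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\Temp\example_live.exe Infected: Constructed.Example.Live 1
The selected area was scanned.
"""

# Assumption: quarantine stores of the three products seen in this thread.
QUARANTINE_PATTERNS = (
    re.compile(r"\\quarantine\\[^\\]+\.vbn$"),   # Symantec AV .VBN quarantine files
    re.compile(r"^c:\\qoobox\\quarantine\\"),     # ComboFix
    re.compile(r"^c:\\tmquarantine\\"),           # Trend Micro OfficeScan
)

# "<path> Infected: <threat name> <count>"; the path may contain spaces,
# so match lazily up to the literal " Infected: " separator.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    quarantined: bool


def is_quarantined(path: str) -> bool:
    """True when the path lies inside one of the known quarantine stores."""
    p = path.lower()
    return any(rx.search(p) for rx in QUARANTINE_PATTERNS)


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line; header and trailer lines are skipped."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        detections.append(Detection(path, m.group("threat"),
                                    int(m.group("count")), is_quarantined(path)))
    return detections


def stragglers(detections: List[Detection]) -> List[Detection]:
    """Detections outside any quarantine store, i.e. possibly still active."""
    return [d for d in detections if not d.quarantined]


def family_counts(detections: List[Detection]) -> Counter:
    """Hits per malware family (threat name with the variant suffix dropped)."""
    counts: Counter = Counter()
    for d in detections:
        family = d.threat.rsplit(".", 1)[0]
        counts[family] += d.count
    return counts


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    live = stragglers(dets)
    print(f"{len(dets)} detections, {len(dets) - len(live)} quarantined, {len(live)} live")
    for d in live:
        print(f"  LIVE: {d.path}  [{d.threat}]")
    for family, n in family_counts(dets).most_common():
        print(f"  {n:3d}  {family}")
```

On the real report every one of the 93 objects falls into a quarantine store, which is what makes re-running the antivirus or Malwarebytes at that stage pointless: they would only keep re-detecting material that is already contained. A single line outside those stores, as the constructed one here, is the case that would call for another round of cleanup.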

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 30 May 2009 - 01:30 PM

This thread will now be closed due to lack of feedback.

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:52 PM

Posted 30 May 2009 - 08:58 PM

Opened thread to do clean up.

#14 SifuMike

Posted 30 May 2009 - 09:03 PM

Hi Correnon,

Now for the program clean up. :thumbup2:

Please delete Security Check from your desktop.

Uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTMoveIt3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well as
How did I get infected?, With steps so it does not happen again!
as well as
'How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

#15 Correnon
  • Topic Starter

Posted 30 May 2009 - 10:23 PM

Alright, done.

Thanks yet again for your help! :thumbup2:
