Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32.Trojan.VB & Rogue.Component/Trace


  • This topic is locked This topic is locked
23 replies to this topic

#1 Eleventytwo

Eleventytwo

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 05 June 2009 - 01:28 AM

Malware removal helpers: Thanks so much for taking the time to look at this, I really appreciate your generosity in helping us...

Here's how this problem unfolded:

1) I think started because of sticking my USB Flash drive into a public computer (I've learned my lesson now...)

2) I found that many of my folders, especially ones with pictures or music in them, had become .exe files. They still look liked folders, but a folder called Dave's Stuff before would now be Dave's Stuff.exe, etc. And when I enabled the "Show hidden files and folders" I could then see the real original folders. I (moronincally) clicked on one of the exe folders by mistake...

3) I scanned with Ad-Aware, Spybot S&D and Malware Bytes' Anti-Maleware. I also used ATFCleaner and then ran a safe mode scan with SUPERAntiSpyware. Various different problems were found each time and I removed them. Here are some of the problem files logged:

From ad-aware (Quarantine screenshot attached):
Win32.Trojan.Agent
Win32.Trojan.VB
Win32.Worm.VB

From SUPERAntiSpyware:
Rogue.Component/Trace

from Malware Bytes' log:
Memory Processes Infected:
C:\Zita.exe (Email.Worm) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\David\local settings\temporary internet files\Content.IE5\HWL47W6T\CAILH98P (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Zita.exe (Email.Worm) -> Quarantined and deleted successfully.

4) My situation right now: My computer functions mostly fine, but I cannot access most of my file folders. Those folders that were changed no longer have the .exe ending, but when I try to open them, I get an error message "The path '101NIKON' does not exist or is not a directory." Every single one of the folders in My Pictures is now 44.0 KB when they are supposed to contain several gigs of photos or mp3s... but strangely, the parent folder (My Pictures) that they are all in still says that it has several gigs of information, suggesting the data may still exist somewhere. (Screenshot Attached)

5) Now when I try to toggle Folder Options > View to "Show hidden files and folders", nothing turns up, and when I go back to Folder Options, I find that it has not been toggled, it still has "Do not shoe hidden files and folders" selected, as if something is stopping me from changing that option.

6) Summary: I am not sure if I have fully cleaned the virus yet, and I would love, if possible, to retrieve those files, many of which I have foolishly not backed up. My girlfriend may have backed up some of the files on her USB Flash Drive, but I have told her not to plug it into her computer until we can figure out how to clean it without infecting another computer. My USB drive is also still infected, I want to know how to clean that and retrieve the files from that, too.

I know this is long... thank you SO SO much for your time. Any help is much appreciated.


DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 13:30:54.84 on Fri 06/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.570 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\cypherixsrv.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Zita.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\33BDB2\B8F124.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Google Update] "c:\documents and settings\david\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [B8F124] c:\windows\system32\33bdb2\B8F124.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\b8f124.lnk - c:\windows\system32\33bdb2\B8F124.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {CC6823D7-11C3-456E-9ACC-AC1514C23619} = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ddcAstst - ddcAstst.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: vqxsur.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\r6bmdyqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\david\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-1-16 100728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1005904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-16 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-16 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-16 625792]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 gupdate1c987423dcdab50;Google Update Service (gupdate1c987423dcdab50);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-10-16 306176]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-14 24652]

=============== Created Last 30 ================

2009-06-04 00:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-04 00:11 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-04 00:11 <DIR> --d----- c:\docume~1\david\applic~1\SUPERAntiSpyware.com
2009-06-04 00:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-03 12:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-03 11:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-03 11:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-03 11:21 <DIR> --d----- c:\program files\Lavasoft
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\8D7BFB
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\33BDB2
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\1A03E9
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\12C671

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\My Documents.exe
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\Desktop.exe

============= FINISH: 13:31:48.14 ===============

Attached Files


Edited by Eleventytwo, 05 June 2009 - 01:30 AM.


BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:49 PM

Posted 15 June 2009 - 03:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 16 June 2009 - 08:16 AM

Hey, thank you for your reply,

I've tried to use this computer as little as possible since I posted last, so hopefully not much has changed.

One update: I have found that my files do exist -- I can access them if I use firefox to browse the contents of my hard drive (just by typing in the address), but I haven't found any other way to view the contents of these folders. Something also prevents me from viewing the address bar for windows explorer. I haven't run anymore antivirus programs because I am afraid they could remove my data along with the virus.

Thanks again for helping me. Here's the latest log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by ----- at 20:56:27.34 on Tue 06/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.559 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Zita.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Google Update] "c:\documents and settings\david\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [B8F124] c:\windows\system32\33bdb2\B8F124.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\b8f124.lnk - c:\windows\system32\33bdb2\B8F124.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {CC6823D7-11C3-456E-9ACC-AC1514C23619} = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ddcAstst - ddcAstst.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: vqxsur.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\r6bmdyqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\david\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-1-16 100728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1005904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-16 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-16 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-16 625792]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
S2 gupdate1c987423dcdab50;Google Update Service (gupdate1c987423dcdab50);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-10-16 306176]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-14 24652]

=============== Created Last 30 ================

2009-06-05 14:02 <DIR> --d-h--- c:\windows\PIF
2009-06-04 00:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-04 00:11 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-04 00:11 <DIR> --d----- c:\docume~1\david\applic~1\SUPERAntiSpyware.com
2009-06-04 00:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-03 12:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-03 11:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-03 11:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-03 11:21 <DIR> --d----- c:\program files\Lavasoft
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\8D7BFB
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\33BDB2
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\1A03E9
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\12C671

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\My Documents.exe
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\Desktop.exe
2009-02-22 20:13 45,056 a------- c:\documents and settings\all users\Documents.exe

============= FINISH: 20:57:15.65 ===============

Attached Files



#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 18 June 2009 - 11:18 AM

Hello, Eleventytwo

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Let's check for rootkits before we proceed :thumbup2:

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#5 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 19 June 2009 - 01:39 AM

Hey Jat, I like your picture. Here's the log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-19 14:37:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76C387E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76C3BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:3544] A96CA1F0

---- EOF - GMER 1.0.15 ----

#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 19 June 2009 - 02:55 AM

Hello,

Thanks, great film :thumbup2: Let's proceed with ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#7 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 19 June 2009 - 04:22 AM

So far, so good. Downloaded Windows Recovery Console, completed the scan, and all of my important data appears to be intact.

Currently my folders are still displayed as .exe files. If I try to rename one of them, e.g. rename Nikon101.exe to Nikon101, it says that Nikon101 already exists.

Anyway, I'm excited for the next step :thumbup2: By the way, you wanna know how I got these scars?

Log file attached.

Attached Files


Edited by Eleventytwo, 19 June 2009 - 06:05 AM.


#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 20 June 2009 - 03:35 AM

No Idea, there's so many ways to get infected these days that its difficult to tell where you got it from but crack and porn sites are notorious for spreading nasty infections (not saying that you go on these sites). Anyway, let's proceed with the fix:

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\David\Start Menu\Programs\Startup\
B8F124.lnk

Folder::
c:\windows\system32\12C671
c:\windows\system32\1A03E9
c:\windows\system32\33BDB2


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Looks like it was a flash drive infection and ComboFix got rid of the autorun.inf on your D drive. This little tool should check for anything malicious and safeguard it from infection in the future:

Flash Disinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Let me know if the symptoms disappear.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 20 June 2009 - 03:35 AM

~Double Post

Edited by Jat90, 20 June 2009 - 03:37 AM.
hit the reply button twice accidentally

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#10 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 21 June 2009 - 01:47 AM

Oh I didn't mean how I got these viriuses, I was just quoting Dark Knight. Yeah I am pretty sure I got them from being too casual about where I've been using my USB stick...

So I ran ComboFix twice because the second time I downloaded it again to get the updated version... hope that doesn't interfere with the log.

So far, syptoms persist. The log file is attached.

Reason for edit: spelling

Attached Files


Edited by Eleventytwo, 21 June 2009 - 09:33 AM.


#11 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 24 June 2009 - 03:50 AM

Also, I have been getting an error message when I start up the computer. Please see the attached screen shot.

Attached Files



#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 24 June 2009 - 02:10 PM

Hello,

Sorry for the delay. My ISP has just now resolved my internet issues and will be able to help you quickly again :thumbup2:

Looks like we have some stubborn entries. That message at startup is harmless because the file that is trying to load is in ComboFix's quarantine. It will not appear once we finish this fix and permanently remove ComboFix. You should not in future run another scan unless requested, it may distort my analysis of your logs. Let's do this:

The Avenger

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    files to delete:
    c:\documents and settings\David\Start Menu\Programs\Startup\
    B8F124.lnk
    
    folders to delete:
    c:\windows\system32\8D7BFB
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
ReScan

Please rescan with DDS and post DDS.txt

ESET Online Scan

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply, please post:
  • Avenger log
  • DDS log
  • ESET log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#13 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 25 June 2009 - 02:10 AM

Hey Jat,

Avenger seems to have run into a snag. The other two scans were successful. See logs.

Thanks,

D

Attached Files



#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:49 AM

Posted 25 June 2009 - 02:19 AM

Hello,

Some bad news. Win32/VB.GPD is a backdoor trojan:

:thumbup2: Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#15 Eleventytwo

Eleventytwo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 25 June 2009 - 03:33 AM

Jat,

I don't do much sensitive work on my computer, mostly it's just my photos and documents saved on here. Anything private has been encrypted and I have not accessed it in several months, before I was having any of these problems.

Ideally, I would like to clean the virus so that I could continue to access my files and non-sensitive information and do normal things like skype with my friends and such, and soon I will get an external hard-drive, back things up, and then use my computer's utility which allows me to restore it to factory settings.

So I want to figure out how to export my files without infecting the back-up... is that possible? And what about my USB? Can I clean it from another computer as well? Will it infect any computer I bring it near?

Thanks again so much for your help, Jat.

D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users