infected with multiple viruses -- trojans, fake security


This topic is locked. 37 replies to this topic.

#1 ceratops (Members, 60 posts)

Posted 26 September 2009 - 11:04 AM

Our problem started over a week ago -- our installed security software (Laplink PC Defense, which I have since discovered is not too highly rated) popped up with warnings of attempt to write to registry. Immediately after, messages started popping up (from virus) notifying that computer security was compromised, and that Windows wanted to download some software to fix this. I was suspicious and didn't click OK on anything.

Later that day, when my husband was looking at the machine, he may have clicked on something (we're not sure at this point). Anyway, got a large gaudy splash screen with red letters, and then for a while we actually had the so-called anti-virus program appearing to run (showing a list of files it was scanning). We managed to get some control back (turned off all startup items in msconfig), and ran some scans with software we had on hand. At that point viruses were identified as Trojan.malscript!html and Trojan.fakeavealert. We did our best to get rid of them with what we had available, including some manual removal of files. However, we clearly weren't entirely successful, as the problem kept breaking out again.

And before I forget, the computer would not come up in safe mode, right from the beginning of this problem -- just starts reboot process over.

We looked at the computer from time to time over the past week (most of the time it was in standby, or turned off, as we didn't have time to work on it right away). In general, things seemed to go downhill -- more requests to download fake security software, more warnings of registry modifications, more new virus types identified. Some other names/types that popped up were 'mudrop', 'downloader', and 'backdoor.tidserv'.

A few days ago we ran a Pandasoft scan (Panda was recommended by a friend). After running for over a day (we have a lot of files on the computer, but still....), Panda reported 3 threats it could remove with the free version, plus another 17 which would require their paid software. We did run the free version, and it said it got rid of 2, including the one it identified as 'high risk' (which was 'downloader'). We did our best to get rid of another one manually. Most of the 17 others reported were in cookies, so we cleared all cookies.

Computer still seemed very untrustworthy at this point (still things popping up on screen at times; also inexplicably slow performance at times).

Yesterday I downloaded your recommended utilities, and will attach the log files, as requested.

Afterward I downloaded Malwarebytes' Anti-Malware, and ran that a number of times. With a little manual help, it got rid of the problems it found. There is one remaining bad registry entry, which keeps reappearing after removal.

I'll attach the first Malwarebytes log file (after Malwarebytes did its initial scan), as well as the last one (after running the program a number of times).

Do you want new versions of the DDS and ROOTREPEAL logs (the ones attached here were from before I ran the Malwarebytes software)?

So, I'm hoping for advice as to whether we have anything that could be saved, or not, at this point. Computer is behaving OK this morning, but I don't trust it as far as I can throw it after the past week.

We'll try to leave it alone now, pending reply from you :(



DDS (Ver_09-09-24.01) - FAT32x86
Run by Philip at 21:59:45.93 on Fri 09/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.481 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
F:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Laplink\PCdefense\PCdefense.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Devices\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
SVCHOST.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\Program Files\Laplink\PCdefense\PCDefense.exe
F:\Program Files\Laplink\PCdefense\PCDefense.exe
F:\Program Files\Online\Mozilla Firefox\firefox.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\Philip\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe rundll32.exe tftp.msc beforegllav
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\online\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Advanced Virus Remover] f:\program files\advancedvirusremover\PAVRM.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [lafekiziv] Rundll32.exe "f:\windows\system32\fiyifine.dll",a
mRun: [QuickTime Task] "f:\program files\online\quicktime\QTTask.exe" -atboottime
mRun: [FineReader6NewsReaderPro] "f:\program files\graphics\abbyy finereader 6.0\AbbyyNewsReader.exe"
mRun: [AcronisTimounterMonitor] f:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [PCdefense ] f:\program files\laplink\pcdefense\PCdefense.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - f:\program files\devices\logitech\setpoint\SetPoint.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - f:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.laplink.com/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LBTWlgn - f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: AntiLogger.dll f:\windows\system32\nesibohi.dll pusunovi.dll f:\windows\system32\fiyifine.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SSODL: hesesakoz - {7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - No File
SSODL: hoyiyerih - {14e1a8d8-e4e7-4916-8802-21eb8a8124aa} - f:\windows\system32\fiyifine.dll
STS: {7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - No File
STS: jugezatag: {14e1a8d8-e4e7-4916-8802-21eb8a8124aa} - f:\windows\system32\fiyifine.dll
LSA: Notification Packages = scecli lajuduga.dll jadamawa.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\philip\applic~1\mozilla\firefox\profiles\6ix6t5u6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: f:\program files\online\adobe\acrobat 6.0\reader\browser\nppdf32.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin2.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin3.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin4.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin5.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin6.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;f:\windows\system32\drivers\pavboot.sys [2009-9-24 28544]
R3 SPYPRV;SPYPRV;f:\windows\system32\drivers\spyprv.sys [2006-8-31 54260]
S3 atirage;atirage;f:\windows\system32\drivers\atiragem.sys [2009-5-29 70528]
S3 LLRKD;LLRKD;f:\windows\system32\drivers\LLRKD.sys [2006-8-31 16579]
S3 s3legacy;s3legacy;f:\windows\system32\drivers\s3legacy.sys [2009-5-29 65664]
S3 s3m;s3m;f:\windows\system32\drivers\s3m.sys [2009-5-29 166720]

=============== Created Last 30 ================

2009-09-25 16:13 <DIR> --dsh--- f:\documents and settings\philip\IECompatCache
2009-09-25 16:10 <DIR> --d----- f:\windows\system32\appmgmt
2009-09-24 05:46 28,544 a------- f:\windows\system32\drivers\pavboot.sys
2009-09-20 20:43 <DIR> --d----- f:\program files\Panda Security
2009-09-20 17:55 2,713 ---sh--- f:\windows\system32\tanadafe.exe
2009-09-20 11:03 0 a------- f:\windows\system32\AVR09.exe
2009-09-20 11:03 0 a------- f:\windows\system32\winhelper.dll
2009-09-19 09:45 2,713 ---sh--- f:\windows\system32\sewogire.exe
2009-09-18 17:17 <DIR> --d----- f:\windows\pss
2009-09-18 15:36 <DIR> --dsh--- F:\FOUND.001
2009-09-17 20:06 0 a------- f:\windows\system32\18467.exe
2009-09-17 10:22 25,088 a------- f:\windows\system32\antispytftp.msc
2009-09-17 10:18 0 a------- f:\windows\system32\41.exe
2009-09-11 19:04 <DIR> --d----- f:\temp\CD3
2009-09-11 19:04 <DIR> --d----- f:\temp\CD2
2009-09-11 19:03 <DIR> --d----- f:\temp\CD1
2009-09-11 18:03 5,632 a------- f:\windows\system32\ptpusb.dll
2009-09-11 18:02 159,232 a------- f:\windows\system32\ptpusd.dll
2009-09-11 18:02 15,104 a------- f:\windows\system32\drivers\usbscan.sys
2009-09-11 18:02 15,104 a------- f:\windows\system32\dllcache\usbscan.sys
2009-08-29 19:21 128,512 -------- f:\windows\system32\dllcache\dhtmled.ocx
2009-08-29 19:21 1,315,328 -------- f:\windows\system32\dllcache\msoe.dll
2009-08-29 19:21 594,432 -------- f:\windows\system32\dllcache\msfeeds.dll
2009-08-29 19:21 55,296 -------- f:\windows\system32\dllcache\msfeedsbs.dll

==================== Find3M ====================

2009-09-25 14:55 1,082,916 a--sh--- f:\windows\system32\gopiziwe.exe
2009-09-25 14:55 91,648 a--sh--- f:\windows\system32\fiyifine.dll
2009-09-25 14:55 39,424 a--sh--- f:\windows\system32\vesefaha.dll
2009-09-25 01:52 52,736 a--sh--- f:\windows\system32\zikiboru.dll
2009-09-25 01:51 1,082,404 a--sh--- f:\windows\system32\pogobiwu.exe
2009-09-25 01:51 39,424 a--sh--- f:\windows\system32\vuheluji.dll
2009-09-24 13:51 1,082,916 a--sh--- f:\windows\system32\pufuniso.exe
2009-09-24 13:51 91,648 a--sh--- f:\windows\system32\yakiyetu.dll
2009-09-24 13:51 39,424 a--sh--- f:\windows\system32\ginuzefa.dll
2009-09-24 01:51 52,736 a--sh--- f:\windows\system32\dubajihi.dll
2009-09-24 01:51 1,082,404 a--sh--- f:\windows\system32\lekamupi.exe
2009-09-24 01:51 88,576 a--sh--- f:\windows\system32\dijekaha.dll
2009-09-24 01:51 37,376 a--sh--- f:\windows\system32\jorijefe.dll
2009-09-21 20:24 49,664 a--sh--- f:\windows\system32\bedihidu.dll
2009-09-21 20:23 91,648 a--sh--- f:\windows\system32\BULAWASI.DLL
2009-09-21 20:23 39,424 a--sh--- f:\windows\system32\vepineto.dll
2009-09-18 15:44 52,224 a--sh--- f:\windows\system32\fivuvujo.dll
2009-09-18 15:44 712,228 a--sh--- f:\windows\system32\antispyjuyadewi.exe
2009-09-18 15:44 39,424 a--sh--- f:\windows\system32\sedutodo.dll
2009-09-17 10:21 39,424 a--sh--- f:\windows\system32\fojedisu.dll
2009-08-12 21:55 1,885,464 a------- f:\windows\system32\AutoPartNt.exe
2009-08-12 19:41 441,760 a------- f:\windows\system32\drivers\timntr.sys
2009-08-12 19:41 44,384 a------- f:\windows\system32\drivers\tifsfilt.sys
2009-08-12 19:40 132,224 a------- f:\windows\system32\drivers\snapman.sys
2009-08-12 19:40 368,480 a------- f:\windows\system32\drivers\tdrpman.sys
2009-08-05 05:01 204,800 a------- f:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- f:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:37 119,808 a------- f:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- f:\windows\system32\fontsub.dll
2009-07-29 00:37 119,808 -------- f:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:37 81,920 -------- f:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 -------- f:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:19 5,937,152 a------- f:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- f:\windows\system32\ATL.DLL
2009-07-17 15:01 58,880 -------- f:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- f:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- f:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- f:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 1,208,832 a------- f:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 915,456 a------- f:\windows\system32\WININET.DLL
2009-07-03 13:09 915,456 a------- f:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 206,848 -------- f:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 12,800 -------- f:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,985,536 -------- f:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 246,272 -------- f:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 184,320 -------- f:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 25,600 -------- f:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 386,048 -------- f:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- f:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 01:52 52,736 a--sh--- f:\windows\system32\jadamawa.dll
2009-06-25 01:52 52,736 a--sh--- f:\windows\system32\mujoviku.dll
2009-06-25 01:52 52,736 a--sh--- f:\windows\system32\pusunovi.dll

============= FINISH: 22:01:15.87 ===============


#2 Blade (Site Admin, 12,704 posts, US)

Posted 13 October 2009 - 05:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 ceratops (Topic Starter, 60 posts)

Posted 15 October 2009 - 09:08 AM

Thank you for the reply. Yes, the affected machine is still infected, although we haven't done much with it lately. I'm currently responding from our laptop, which also was infected (it had an even worse case, eventually refused to do anything with .exe files -- which makes it really hard to run any system utilities or diagnostic programs :( -- and has since had its disk reformatted and reloaded).

I will fire up the ailing computer later today, run DDS again, and post with an update.

#4 ceratops (Topic Starter, 60 posts)

Posted 17 October 2009 - 09:50 PM

Sorry for the additional delay.

We took the hard disk out of the machine, about a week and a half after starting the thread here. We were in the midst of formatting, partitioning, and putting basic OS on a new drive.

When we put the sick disk back in a few days ago (to respond to your post with a new DDS run), it wouldn't boot at all (got error message about hard drive configuration problems). We suspected some further damage from viruses. It took us an embarrassingly long time to figure out that boot.ini got modified at some point during our fiddling with hardware (We don't have Windows on C: partition, so that gives additional opportunities for confusion). Anyway, just got the ailing system back up tonight, and ran DDS again. I will post results in a few hours, once we have that computer back online.

As far as further history, since my initial post, we did have the computer running a few times after that post, including some fairly brief connections to the Internet. The visible virus problems increased again over time. Just before pulling the drive out of the system, we were once again having frequent messages popping up that the computer was infected, and that we should download some bogus antivirus application. I ran Malwarebytes again, and it found 20+ infected files and registry entries. It was able to remove most. Again, as with the initial run of Malwarebytes, it needed a little manual help (a .dll in system32 which could not be deleted -- I was able to drag that out onto the desktop and rename it, and on reboot there was a message that rundll32 couldn't find the file in question; after that I was able to drag it into the trash, and empty trash). As in my initial post, even after running Malwarebytes, and getting rid of everything it reported, one bad registry entry would always reappear.

I did look at the registry with regedit (didn't make changes), and there are a number of references in there to bogus .dll files. The bad .dll's all have names like 'zuwelaki.dll' (consonant, vowel, c, v, c, v, c, v). There are still a number of .dll names like this in system32, when I look around in there. The earliest one that I've found so far has a date of 7/7/09, which is about two and a half months prior to the time the virus symptoms appeared. I don't know if the dates are genuine or manipulated.

As far as virus types, I posted a number of the ones that we saw mentioned in my original message. On the most recent run of Malwarebytes, what I remember seeing was Vundo, and (I think) Vundo.h.

I don't think our antivirus program is running properly at the moment. I did notice that a reference to one of the bogus .dll's was inserted into the series of registry keys related to the AV software.

Anyway, we would still like your opinion on the situation, and will post the DDS results later tonight.

Thank you...

#5 ceratops (Topic Starter, 60 posts)

Posted 18 October 2009 - 02:48 AM

Here are current dds.txt and attach.txt. Hard drive has two partitions -- C: bootable in DOS, F: with XP Pro. We run Firefox browser, in case that matters. I haven't yet reconnected the ailing machine to the net -- these files are carried over to a different computer on floppy.



DDS (Ver_09-09-24.01) - FAT32x86
Run by Philip at 20:55:06.67 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.584 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
svchost.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\Philip\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\online\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [MSConfig] f:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
IE: E&xport to Microsoft Excel - f:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.laplink.com/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LBTWlgn - f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: AntiLogger.dll f:\windows\system32\nesibohi.dll ,nukogepo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SSODL: hesesakoz - {7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - No File
STS: {7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - No File
LSA: Notification Packages = scecli lajuduga.dll nijubuti.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\philip\applic~1\mozilla\firefox\profiles\6ix6t5u6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: f:\program files\online\adobe\acrobat 6.0\reader\browser\nppdf32.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin2.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin3.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin4.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin5.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin6.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;f:\windows\system32\drivers\pavboot.sys [2009-9-24 28544]
S3 atirage;atirage;f:\windows\system32\drivers\atiragem.sys [2009-5-29 70528]
S3 LLRKD;LLRKD;f:\windows\system32\drivers\LLRKD.sys [2006-8-31 16579]
S3 s3legacy;s3legacy;f:\windows\system32\drivers\s3legacy.sys [2009-5-29 65664]
S3 s3m;s3m;f:\windows\system32\drivers\s3m.sys [2009-5-29 166720]
S3 SPYPRV;SPYPRV;f:\windows\system32\drivers\spyprv.sys [2006-8-31 54260]

=============== Created Last 30 ================

2009-10-17 20:52 3,888 a------- f:\windows\system32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80671102}.rfx
2009-10-17 20:52 3,888 a------- f:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80671102}.rfx
2009-10-09 17:32 <DIR> --dsh--- F:\FOUND.002
2009-09-27 22:26 5,856 ---sh--- f:\windows\system32\juyuyeyo.exe
2009-09-25 22:35 <DIR> --d----- f:\docume~1\philip\applic~1\Malwarebytes
2009-09-25 22:35 38,224 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:35 19,160 a------- f:\windows\system32\drivers\mbam.sys
2009-09-25 22:35 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:35 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 16:13 <DIR> --dsh--- f:\documents and settings\philip\IECompatCache
2009-09-25 16:10 <DIR> --d----- f:\windows\system32\appmgmt
2009-09-24 05:46 28,544 a------- f:\windows\system32\drivers\pavboot.sys
2009-09-20 20:43 <DIR> --d----- f:\program files\Panda Security
2009-09-20 17:55 2,713 ---sh--- f:\windows\system32\tanadafe.exe
2009-09-19 09:45 2,713 ---sh--- f:\windows\system32\sewogire.exe
2009-09-18 17:17 <DIR> --d----- f:\windows\pss
2009-09-18 15:36 <DIR> --dsh--- F:\FOUND.001

==================== Find3M ====================

2009-10-07 01:58 53,248 a--sh--- f:\windows\system32\yewotoyo.dll
2009-10-07 01:57 39,424 a--sh--- f:\windows\system32\tubalavu.dll
2009-10-07 01:57 28,160 a--sh--- f:\windows\system32\halebewe.dll
2009-09-28 19:45 52,736 a--sh--- f:\windows\system32\saluboga.dll
2009-09-25 01:52 52,736 a--sh--- f:\windows\system32\zikiboru.dll
2009-09-24 01:51 52,736 a--sh--- f:\windows\system32\dubajihi.dll
2009-09-18 15:44 52,224 a--sh--- f:\windows\system32\fivuvujo.dll
2009-09-18 15:44 39,424 a--sh--- f:\windows\system32\sedutodo.dll
2009-09-17 10:21 39,424 a--sh--- f:\windows\system32\fojedisu.dll
2009-08-12 21:55 1,885,464 a------- f:\windows\system32\AutoPartNt.exe
2009-08-05 05:01 204,800 a------- f:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- f:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:37 119,808 a------- f:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- f:\windows\system32\fontsub.dll
2009-07-29 00:37 119,808 -------- f:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:37 81,920 -------- f:\windows\system32\dllcache\fontsub.dll
2009-07-07 01:58 53,248 a--sh--- f:\windows\system32\nijubuti.dll
2009-07-07 01:58 53,248 a--sh--- f:\windows\system32\pamozove.dll
2009-07-07 01:58 53,248 a--sh--- f:\windows\system32\nukogepo.dll

============= FINISH: 20:55:44.49 ===============

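The two DDS logs above, and ceratops's description in post #4 of the consonant-vowel file names, point at a small set of things a helper checks by eye: randomly generated cvcvcvcv names in system32, system+hidden attributes on those files, and load points (Winlogon Shell, AppInit_DLLs, SSODL, LSA Notification Packages) that Vundo uses to get a DLL into every process. The script below is an added example written for this page; it is not DDS, ComboFix, or anything the forum staff ran. The sample lines are constructed from entries in this thread rather than copied from one log, and the "expected on a stock Windows XP install" values (Explorer.exe as the shell, scecli as the only LSA notification package, an empty AppInit_DLLs) are assumptions about a clean system, not something DDS itself reports.

```python
"""Triage a DDS log for Vundo-style persistence.

Added example for this thread; not part of DDS, ComboFix or any
BleepingComputer tool. It encodes the checks a helper does by eye on
the logs posted above: the consonant-vowel file and value names,
system+hidden objects in the Find3M/Created listings, and load points
that should be empty or fixed on a stock Windows XP install.
"""
import re

CONS, VOW = "[b-df-hj-np-tv-z]", "[aeiou]"
# cvcvcvcv file names (fiyifine.dll) and the cvcvcvcvc registry value
# names (lafekiziv) that appear next to them in the posted logs.
PSEUDO_NAME = re.compile(
    rf"\b(?:{CONS}{VOW}){{4}}{CONS}?(?:\.(?:dll|exe))?\b", re.IGNORECASE)
# DDS attribute column: 'a--sh---', '---sh---', '--dsh---' = system+hidden.
SYS_HIDDEN = re.compile(r"(?<!\S)[-a]-[-d]sh---(?!\S)")

# Assumed contents of fixed load points on a stock XP box with no
# third-party shell replacement or LSA package installed.
EXPECTED = {"mWinlogon": {"Explorer.exe"}, "LSA": {"scecli"}}
EMPTY_BY_DEFAULT = {"AppInit_DLLs"}   # empty on a clean XP install


def pseudo_names(text):
    """Return Vundo-style names found in text, lower-cased, in order."""
    return [m.group(0).lower() for m in PSEUDO_NAME.finditer(text)]


def triage(report):
    """Return [(severity, line_no, reason)] for suspicious DDS lines."""
    findings = []
    for n, raw in enumerate(report.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        names = pseudo_names(line)
        if names:
            findings.append(("high", n, "pseudo-random name(s): " + ", ".join(names)))
        if SYS_HIDDEN.search(line):
            findings.append(("medium", n, "system+hidden object"))
        if key in EXPECTED:
            # 'Shell=Explorer.exe ...' and 'Notification Packages = scecli ...'
            # both reduce to the token list after the '='.
            tokens = set(value.split("=", 1)[-1].split())
            extra = sorted(tokens - EXPECTED[key])
            if extra:
                findings.append(("high", n, f"{key}: unexpected {extra}"))
        elif key in EMPTY_BY_DEFAULT and value:
            findings.append(("medium", n, f"{key}: non-empty (default is empty)"))
    return findings


# Constructed sample modelled on the pseudo-HJT and Find3M entries in
# this thread (not a verbatim copy of any one posted log).
SAMPLE = r"""
mWinlogon: Shell=Explorer.exe rundll32.exe tftp.msc beforegllav
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [lafekiziv] Rundll32.exe "f:\windows\system32\fiyifine.dll",a
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
AppInit_DLLs: AntiLogger.dll f:\windows\system32\nesibohi.dll pusunovi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SSODL: hoyiyerih - {14e1a8d8-e4e7-4916-8802-21eb8a8124aa} - f:\windows\system32\fiyifine.dll
LSA: Notification Packages = scecli lajuduga.dll jadamawa.dll
2009-09-25 14:55 91,648 a--sh--- f:\windows\system32\fiyifine.dll
""".strip("\n")


if __name__ == "__main__":
    for severity, line_no, reason in triage(SAMPLE):
        print(f"{severity:6} line {line_no}: {reason}")
```

Feeding a whole dds.txt to triage() works as well: the header lines carry no colon and no matching attribute field, so they fall through, while the Find3M and Created listings are checked for both the naming pattern and the system+hidden attributes. The name heuristic is deliberately narrow (exactly four consonant-vowel pairs, optionally one trailing consonant); a legitimate binary with such a name would be flagged for a human to look at, not deleted.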

#6 Elise (Malware Study Hall Admin, 61,112 posts, Romania)

Posted 22 October 2009 - 02:01 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

#7 Elise (Malware Study Hall Admin, 61,112 posts, Romania)

Posted 22 October 2009 - 02:19 PM

Hello ceratops,

Please make sure you have also read my previous post.

My apologies once again for the delay; in all the confusion, your topic was overlooked. Things have been extremely busy here at the forum.

You still have quite a lot of Vundo on the computer; let's see if we can get it all cleaned up :(

COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message (screenshot omitted here) asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 ceratops

ceratops
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 24 October 2009 - 05:57 AM

ComboFix ran OK and produced its log file. It did reboot the computer. During that process Windows wanted to do a file system check on the XP partition (F:) -- the check came up with no errors, Windows continued to boot, and ComboFix then completed its operations.

Just a comment on the log file -- I see that the program notes files created in the last 30 days. In our case, the visible signs of a virus infection started on 9/17 (over a month ago now). That may be true of a number of people running ComboFix on these forums, given the inevitable delays. I'm not sure if this has any consequences in terms of ComboFix's algorithms.

Log file follows:


ComboFix 09-10-22.01 - Philip 10/24/2009 6:15.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.579 [GMT -4:00]
Running from: f:\documents and settings\Philip\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
f:\documents and settings\Philip\My Documents\ZbThumbnail.info
f:\windows\system32\18467.exe
f:\windows\system32\41.exe
f:\windows\system32\bugetaja.dll.tmp
f:\windows\system32\dahiliwi.dll
f:\windows\system32\dezogewi.dll
f:\windows\system32\dubajihi.dll
f:\windows\system32\fajosala.dll.tmp
f:\windows\system32\fivuvujo.dll
f:\windows\system32\fojedisu.dll
f:\windows\system32\halebewe.dll
f:\windows\system32\hezigotu.dll
f:\windows\system32\jayamuja.exe
f:\windows\system32\juyuyeyo.exe
f:\windows\system32\kitehevu.dll
f:\windows\system32\lajuduga.dll.tmp
f:\windows\system32\mujoviku.dll.tmp
f:\windows\system32\nagowupu.dll.tmp
f:\windows\system32\pufuniso.dll
f:\windows\system32\pusunovi.dll.tmp
f:\windows\system32\rewotipe.dll.tmp
f:\windows\system32\saluboga.dll
f:\windows\system32\sedutodo.dll
f:\windows\system32\sewogire.exe
f:\windows\system32\tanadafe.exe
f:\windows\system32\tubalavu.dll
f:\windows\system32\yewotoyo.dll
f:\windows\system32\yizofuyu.dll
f:\windows\system32\zidejuya.dll.tmp
f:\windows\system32\zikiboru.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-09 21:32 . 2009-10-09 21:32 -------- d-----w- F:\FOUND.002
2009-09-26 02:35 . 2009-09-26 02:35 -------- d-----w- f:\documents and settings\Philip\Application Data\Malwarebytes
2009-09-26 02:35 . 2009-09-10 18:54 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-09-26 02:35 . 2009-09-26 02:35 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-09-26 02:35 . 2009-09-26 02:35 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-26 02:35 . 2009-09-10 18:53 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-09-25 20:13 . 2009-09-25 20:13 -------- d-sh--w- f:\documents and settings\Philip\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 00:43 . 2009-09-21 00:43 -------- d-----w- f:\program files\Panda Security
2009-08-13 01:55 . 2009-08-13 01:29 1885464 ----a-w- f:\windows\system32\AutoPartNt.exe
2009-08-12 23:41 . 2009-08-12 23:41 44384 ----a-w- f:\windows\system32\drivers\tifsfilt.sys
2009-08-12 23:41 . 2009-08-12 23:41 441760 ----a-w- f:\windows\system32\drivers\timntr.sys
2009-08-12 23:40 . 2009-08-12 23:40 132224 ----a-w- f:\windows\system32\drivers\snapman.sys
2009-08-12 23:40 . 2009-08-12 23:40 368480 ----a-w- f:\windows\system32\drivers\tdrpman.sys
2009-08-05 09:01 . 2004-08-04 02:56 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 02:56 119808 ----a-w- f:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2001-08-23 16:00 81920 ----a-w- f:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 04:30 72208 ----a-w- f:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\windows\system32\AntiLogger.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=f:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=f:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\System32\\dxdiag.exe"=
"f:\\WINDOWS\\System32\\dpnsvr.exe"=
"f:\\WINDOWS\\System32\\dpvsetup.exe"=
"f:\\WINDOWS\\System32\\mmc.exe"=
"f:\\WINDOWS\\System32\\usmt\\migwiz.exe"=
"f:\\WINDOWS\\System32\\SPOOLSV.EXE"=
"f:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\MDM.EXE"=
"f:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\MSCONFIG.EXE"=
"f:\\WINDOWS\\system32\\MSIEXEC.EXE"=

R0 pavboot;pavboot;f:\windows\system32\drivers\pavboot.sys [9/24/2009 5:46 AM 28544]
S3 atirage;atirage;f:\windows\system32\drivers\atiragem.sys [5/29/2009 6:25 PM 70528]
S3 LLRKD;LLRKD;f:\windows\system32\drivers\LLRKD.sys [8/31/2006 3:40 PM 16579]
S3 s3legacy;s3legacy;f:\windows\system32\drivers\s3legacy.sys [5/29/2009 8:12 PM 65664]
S3 s3m;s3m;f:\windows\system32\drivers\s3m.sys [5/29/2009 7:50 PM 166720]
S3 SPYPRV;SPYPRV;f:\windows\system32\drivers\spyprv.sys [8/31/2006 3:40 PM 54260]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.laplink.com/scan8/oscan8.cab
FF - ProfilePath - f:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: f:\program files\Online\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: f:\program files\Online\QuickTime\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{f43879e2-4c09-4f30-be93-ea8e6c0d53cb} - dezogewi.dll
HKLM-Run-lafekiziv - f:\windows\system32\dahiliwi.dll
HKLM-Run-rurohitiso - hezigotu.dll
SharedTaskScheduler-{7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - (no file)
SharedTaskScheduler-{206a746e-60fc-40cf-968c-bc276bf0776c} - f:\windows\system32\dahiliwi.dll
SSODL-hesesakoz-{7110a6a3-e558-4ee0-9ec1-e1e4299fb3e9} - (no file)
SSODL-kotajidim-{206a746e-60fc-40cf-968c-bc276bf0776c} - f:\windows\system32\dahiliwi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 06:27
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,fc,15,84,5d,b0,62,44,84,15,3a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,fc,15,84,5d,b0,62,44,84,15,3a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
f:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1240)
f:\windows\system32\WININET.dll
f:\windows\system32\msi.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\brss01a.exe
f:\windows\system32\nvsvc32.exe
f:\program files\Canon\CAL\CALMAIN.exe
f:\combofix\CF23701.exe
f:\windows\system32\wscntfy.exe
f:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 6:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 10:30

Pre-Run: 18,638,274,560 bytes free
Post-Run: 18,976,243,712 bytes free

- - End Of File - - D4B3AAD8A6B904CCC9514FA74E28CBF9

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:09 PM

Posted 24 October 2009 - 07:03 AM

Hello ceratops,

> Just a comment on the log file -- I see that the program notes files created in the last 30 days. In our case, the visible signs of a virus infection started on 9/17 (over a month ago now). That may be true of a number of people running ComboFix on these forums, given the inevitable delays. I'm not sure if this has any consequences in terms of ComboFix's algorithms. <

You have a valid point here and we are aware of this. We have the possibility to ask tools to look for a longer time span. The problem is that this causes huge logs that are hard to analyse.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

I am aware you are using Laplink PC defender, but I really would advise you to replace this application with one of the below, because it is not very reliable.

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished, it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
  • SUPERAntiSpyware scan log
  • A new DDS log
  • A description of the remaining problems.

Edited by elise025, 24 October 2009 - 07:06 AM.

regards, Elise


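The 30-day window ceratops asks about above, and Elise's answer that a longer span makes the log huge, can be handled after the fact by re-filtering the entries. The following is an added example, not part of this thread and not ComboFix code: it parses ComboFix "Files Created" / "Find3M" lines, applies a window starting at the 9/17 symptom date, and flags entries matching the random eight-letter system32 names seen in the "Other Deletions" section (that naming heuristic is my assumption, not a ComboFix rule; the two 9/17-9/18 entries in the sample are constructed).

```python
"""Re-filter ComboFix 'Files Created' / 'Find3M' entries by the date symptoms began.

Added example; not part of the thread and not ComboFix code.  ComboFix lists
files created in the last 30 days, while this infection showed itself on 9/17,
so a longer window is re-applied here to the same entry format.  Entries are
also flagged when they match the naming pattern of the files ComboFix deleted
(eight lowercase letters, .dll/.exe, directly under system32); that pattern
is a heuristic assumed here, not a ComboFix rule.
"""
import re
from datetime import datetime, timedelta

# One ComboFix entry: "<created> . <modified> <size|--------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Heuristic (assumed, not a ComboFix rule): random 8-letter name in system32
RANDOM_NAME_RE = re.compile(
    r"\\system32\\[a-z]{8}\.(?:dll|exe)(?:\.tmp)?$", re.IGNORECASE
)

# Constructed sample: lines from the log above plus two constructed entries
# dated around 9/17 for files ComboFix listed only under "Other Deletions"
# (their sizes and timestamps are made up for this example).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.
2009-10-09 21:32 . 2009-10-09 21:32 -------- d-----w- F:\FOUND.002
2009-09-26 02:35 . 2009-09-10 18:54 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 20:13 . 2009-09-25 20:13 -------- d-sh--w- f:\documents and settings\Philip\IECompatCache
2009-09-18 03:11 . 2009-09-18 03:11 77824 ----a-w- f:\windows\system32\dahiliwi.dll
2009-09-17 22:40 . 2009-09-17 22:40 45056 ----a-w- f:\windows\system32\jayamuja.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 00:43 . 2009-09-21 00:43 -------- d-----w- f:\program files\Panda Security
2009-08-13 01:55 . 2009-08-13 01:29 1885464 ----a-w- f:\windows\system32\AutoPartNt.exe
"""


def parse_entries(text):
    """Return one dict per file entry; section banners, dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def filter_window(entries, since, until):
    """Keep entries created within [since, until] (both 'YYYY-MM-DD', inclusive)."""
    lo = datetime.strptime(since, "%Y-%m-%d")
    hi = datetime.strptime(until, "%Y-%m-%d") + timedelta(days=1)
    return [e for e in entries if lo <= e["created"] < hi]


def flag_suspicious(entries):
    """Paths of non-directory entries matching the random-name heuristic."""
    return [e["path"] for e in entries
            if not e["is_dir"] and RANDOM_NAME_RE.search(e["path"])]


def triage(text, since, until):
    """Full pass: parse, apply the longer window, flag; returns a summary dict."""
    entries = parse_entries(text)
    window = filter_window(entries, since, until)
    return {
        "total": len(entries),
        "in_window": len(window),
        "flagged": flag_suspicious(window),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, "2009-09-17", "2009-10-24")
    print(f"{summary['in_window']} of {summary['total']} entries fall in the window")
    for path in summary["flagged"]:
        print("suspicious:", path)
```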


#10 ceratops

ceratops
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 24 October 2009 - 07:34 AM

> I am aware you are using Laplink PC defender, but I really would advice you to change this application with one of the below, because it is not very reliable. <

Yes, we became aware of this -- AFTER our computer was infected, we did some reading on antivirus programs, and found that PC Defense is not very well rated. I assume the installation of a better antivirus program should wait until later, though?

We have been minimizing Internet connect time on the sick computer. As much as possible, I've been downloading/uploading on a different PC, and carrying files over on removable media. Looks like SuperAntispyware will want a connection, though, to do its updates.

Come to think of it, the PC that I'm on at the moment is also running PC Defense AV -- we should look at replacing that with one of the others you mentioned ASAP. Thanks for the reminder...

Will post back after running the requested programs.

Thank you...

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:09 PM

Posted 24 October 2009 - 08:03 AM

It's good to keep the infected computer disconnected as much as possible, but yes, let it do its updates; that's very important!

As for the installation of new AV software, if the computer is manageable (as in not too slow/buggy), you should install that ASAP, so that you will have at least some trustworthy protection.

I will wait for your SAS and DDS log (no need for attach.txt).

In the meantime, maybe this can come in handy. You can use the following tool on your clean computer. It will clean your Flash drives so you will not transfer infections from your infected computer to your clean one.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise


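The protective autorun.inf folder Elise describes works because a folder occupying the name at the drive root keeps an autorun.inf file from being created there. The following is an added example, not part of this thread and not Flash_Disinfector's code: it classifies what sits at a drive root (nothing, the protective folder, or a real autorun.inf file and what that file would have AutoRun launch), and only then creates the folder. The attribute flags set on Windows and the constructed sample autorun.inf are my choices.

```python
"""Inspect a drive root for autorun.inf and apply the 'autorun.inf folder' trick.

Added example; not part of the thread and not Flash_Disinfector's code.  A
folder named autorun.inf at the root of a drive occupies the name, so malware
cannot drop an autorun.inf *file* there.  Before protecting, the root is
classified so an existing autorun.inf file is reported (with the commands it
would have AutoRun execute) instead of being silently replaced.
"""
import configparser
import ctypes
import os
import sys
import tempfile

# Keys in an [autorun] section that name something to execute
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 values used with SetFileAttributesW
FILE_ATTRIBUTE_SYSTEM = 0x4


def autorun_status(drive_root):
    """Classify autorun.inf under drive_root: 'absent', 'protected' (our folder),
    or 'autorun_file' together with the commands it would launch."""
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(target):
        return {"state": "protected", "launches": []}
    if not os.path.exists(target):
        return {"state": "absent", "launches": []}
    launches = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(target, encoding="latin-1")
        for section in cp.sections():
            if section.lower() != "autorun":   # section name case varies
                continue
            for key in LAUNCH_KEYS:
                if cp.has_option(section, key):
                    launches.append(cp.get(section, key))
    except configparser.Error:
        launches.append("<unparseable autorun.inf>")
    return {"state": "autorun_file", "launches": launches}


def protect(drive_root):
    """Create the protective autorun.inf folder.  Refuses to act while a real
    autorun.inf file is present so that evidence is inspected, not destroyed."""
    status = autorun_status(drive_root)
    if status["state"] == "autorun_file":
        raise RuntimeError(f"autorun.inf file present, would launch: {status['launches']}")
    target = os.path.join(drive_root, "autorun.inf")
    os.makedirs(target, exist_ok=True)
    if sys.platform == "win32":
        # Hide the folder as the thread describes (my attribute choice); no-op elsewhere
        ctypes.windll.kernel32.SetFileAttributesW(
            target, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return autorun_status(drive_root)


def self_check():
    """Constructed scenario in a temp dir: one root carrying an autorun.inf file
    pointing at setup.exe, one root we protect.  Returns (infected status,
    protected status, whether protect() refused the infected root)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_drive")
        os.mkdir(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\n"
                     "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
        clean = os.path.join(tmp, "clean_drive")
        os.mkdir(clean)
        protected = protect(clean)
        refused = False
        try:
            protect(infected)
        except RuntimeError:
            refused = True
        return autorun_status(infected), protected, refused


if __name__ == "__main__":
    infected_status, protected_status, refused = self_check()
    print("infected root:", infected_status)
    print("protected root:", protected_status, "| refused infected:", refused)
```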


#12 ceratops

ceratops
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 25 October 2009 - 09:24 AM

-- interim report --

I ran TFC -- no problem.

I then uninstalled PC Defense (or what was left of it) via Control Panel add/remove. It was interesting that the Add/Remove listing showed it as last having been run on 9/25. However, we have seen occasional alerts still popping up (usually about something trying to hook the foreground idle process) much more recently, so some part of PC Defense was apparently still running.

Reconnected the PC to the net (plugged in cable).

Installed avast! AV -- installation seemed to go smoothly.

Installed SuperAntispyware -- installation went smoothly.

Rebooted in Safe Mode. And it actually worked this time! Inability to boot in Safe Mode was one of our early symptoms, so it's nice to see progress there.

Am now running SAS -- judging by the non-blinding speed, it may take a l..o..n..g.. time (maybe like the 24+ hours we saw when we ran PandaSoft a month ago). Weather forecast looks good, so no power failures likely :(

I will post back with SAS (and DDS) logs after the scan finishes.

Behavior of the computer looks perfectly normal so far today (nothing popping up, no weird behaviors).

#13 ceratops

ceratops
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 25 October 2009 - 09:29 AM

Oh, a question (if you have a moment; otherwise I will search around elsewhere for the answer):

When replacing one antivirus application with another (as I wish to do on our clean computer -- getting rid of Laplink PC Defense, and replacing it with something else), should one uninstall the old one before installing the new one (to avoid conflicts in terms of what is running)? Or is there a better approach that avoids having the computer unprotected for a while?

Thank you...

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:09 PM

Posted 25 October 2009 - 09:43 AM

Yes, that is the best to do. Uninstall your old application, restart the computer and install the new one. It is advisable to download the installer for the new Antivirus application first and disconnect from the internet before uninstalling the old one.

regards, Elise




#15 ceratops

ceratops
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 25 October 2009 - 05:15 PM

SuperAntiSpyware had finished when I just checked on the computer (took only 4 1/2 hours) -- it apparently ran to completion without trouble, and reported no problems with removing the suspicious items when I told it to go ahead and do that. Rebooted fine, into normal mode. The computer looked/acted normal; however, I only had it on for a few minutes while getting the log files onto floppy.


SuperAntiSpyware log:

**************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2009 at 02:07 PM

Application Version : 4.29.1004

Core Rules Database Version : 4189
Trace Rules Database Version: 2103

Scan type : Complete Scan
Total Scan Time : 04:29:16

Memory items scanned : 230
Memory threats detected : 0
Registry items scanned : 5701
Registry threats detected : 0
File items scanned : 66480
File threats detected : 105

Adware.Tracking Cookie

Adware.Vundo/Variant-KD
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017093.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017102.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017103.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000019.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000020.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000028.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000035.DLL

Adware.Vundo/Variant-Rbox
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017098.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017101.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000022.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000033.DLL

Adware.Vundo/Variant-[Fixed]
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017100.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000021.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000026.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000029.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000032.DLL

Adware.Vundo/Variant-Bonk
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000017.DLL

Adware.Vundo/Variant
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000018.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000023.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000027.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000034.DLL

Adware.Vundo/Variant-LW
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\BUGETAJA.DLL.TMP.VIR
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\FAJOSALA.DLL.TMP.VIR
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\LAJUDUGA.DLL.TMP.VIR


*************************************************************************************

new DDS log:

*************************************************************************************


DDS (Ver_09-09-24.01) - FAT32x86
Run by Philip at 17:53:15.87 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.552 [GMT -4:00]

AV: avast! antivirus 4.8.1356 [VPS 091024-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
F:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Documents and Settings\Philip\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\online\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [avast!] f:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
IE: E&xport to Microsoft Excel - f:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.laplink.com/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: f:\windows\system32\AntiLogger.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\philip\applic~1\mozilla\firefox\profiles\6ix6t5u6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: f:\program files\online\adobe\acrobat 6.0\reader\browser\nppdf32.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin2.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin3.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin4.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin5.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin6.dll
FF - plugin: f:\program files\online\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;f:\windows\system32\drivers\pavboot.sys [2009-9-24 28544]
R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 20560]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast4\ashServ.exe [2009-10-25 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast4\ashMaiSv.exe [2009-10-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast4\ashWebSv.exe [2009-10-25 352920]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 atirage;atirage;f:\windows\system32\drivers\atiragem.sys [2009-5-29 70528]
S3 LLRKD;LLRKD;\??\f:\windows\system32\drivers\llrkd.sys --> f:\windows\system32\drivers\LLRKD.sys [?]
S3 s3legacy;s3legacy;f:\windows\system32\drivers\s3legacy.sys [2009-5-29 65664]
S3 s3m;s3m;f:\windows\system32\drivers\s3m.sys [2009-5-29 166720]
S3 SPYPRV;SPYPRV;\??\f:\windows\system32\drivers\spyprv.sys --> f:\windows\system32\drivers\SPYPRV.SYS [?]

=============== Created Last 30 ================

2009-10-25 09:24 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-25 09:23 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-10-25 09:23 <DIR> --d----- f:\docume~1\philip\applic~1\SUPERAntiSpyware.com
2009-10-25 09:22 <DIR> --d----- f:\program files\common files\Wise Installation Wizard
2009-10-25 09:16 1,060,864 a------- f:\windows\system32\MFC71.dll
2009-10-24 06:14 236,544 a------- f:\windows\PEV.exe
2009-10-24 06:14 161,792 a------- f:\windows\SWREG.exe
2009-10-24 06:14 98,816 a------- f:\windows\sed.exe
2009-10-24 04:06 <DIR> --d----- f:\windows\setupupd
2009-10-24 03:26 <DIR> --d----- f:\windows\setup.pss
2009-10-17 20:52 3,888 a------- f:\windows\system32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80671102}.rfx
2009-10-17 20:52 3,888 a------- f:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80671102}.rfx
2009-10-09 17:32 <DIR> --d----- F:\FOUND.002
2009-09-25 22:35 <DIR> --d----- f:\docume~1\philip\applic~1\Malwarebytes
2009-09-25 22:35 38,224 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:35 19,160 a------- f:\windows\system32\drivers\mbam.sys
2009-09-25 22:35 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:35 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-08-12 21:55 1,885,464 a------- f:\windows\system32\AutoPartNt.exe
2009-08-05 05:01 204,800 a------- f:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- f:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:37 119,808 a------- f:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- f:\windows\system32\fontsub.dll
2009-07-29 00:37 119,808 -------- f:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:37 81,920 -------- f:\windows\system32\dllcache\fontsub.dll

============= FINISH: 17:53:56.78 ===============
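Two things in the logs above are worth pulling out mechanically when triaging a thread like this: where each SUPERAntiSpyware detection actually lives (a restore point or a quarantine folder is not a running infection), and which entries in the DDS "SERVICES / DRIVERS" section point at a file that is no longer on disk (the `[?]` suffix on LLRKD and SPYPRV) or were written shortly before the log was taken. The following is an added example, not code from the thread, from DDS, or from SUPERAntiSpyware. The sample lines are copied from the logs above except for one constructed "live" detection line, marked as such; the rules (`[?]` read as "image not found", `\QUARANTINE\` or `.VIR` read as quarantined, a 30-day "recent" window matching the DDS "Created Last 30" section) are this example's own assumptions.

```python
"""Triage helpers for two log formats posted in this thread: the
SUPERAntiSpyware detection list and the DDS SERVICES / DRIVERS section.
Added example; not tooling from the thread or from either product."""
import re
from datetime import date, timedelta

# Date on the DDS header line "Run by Philip at 17:53:15.87 on Sun 10/25/2009".
LOG_RUN_DATE = date(2009, 10, 25)

# Constructed sample: lines taken from the DDS SERVICES / DRIVERS section above.
DDS_SERVICES = r"""
R0 pavboot;pavboot;f:\windows\system32\drivers\pavboot.sys [2009-9-24 28544]
R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
S3 atirage;atirage;f:\windows\system32\drivers\atiragem.sys [2009-5-29 70528]
S3 LLRKD;LLRKD;\??\f:\windows\system32\drivers\llrkd.sys --> f:\windows\system32\drivers\LLRKD.sys [?]
S3 SPYPRV;SPYPRV;\??\f:\windows\system32\drivers\spyprv.sys --> f:\windows\system32\drivers\SPYPRV.SYS [?]
"""

# Constructed sample: a subset of the SUPERAntiSpyware detections above, plus
# one made-up path (EXAMPLE.DLL, not from the log) to exercise the "live" bucket.
SAS_DETECTIONS = r"""
Adware.Vundo/Variant-KD
F:\SYSTEM VOLUME INFORMATION\_RESTORE{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP31\A0017093.DLL
F:\SYSTEM VOLUME INFORMATION\_RESTORE{D997D16F-952C-455D-ACAD-39167DC958D7}\RP1\A0000019.DLL

Adware.Vundo/Variant-LW
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\BUGETAJA.DLL.TMP.VIR

Adware.Vundo/Variant
F:\WINDOWS\SYSTEM32\EXAMPLE.DLL
"""

# "<state> <name>;<display name>;<path> [<yyyy-m-d> <size>]"  or  "... --> <path> [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"\[(\d{4})-(\d{1,2})-(\d{1,2}) (\d+)\]$")


def parse_services(text):
    """Return one dict per DDS service/driver line."""
    entries = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        entry = {"state": m.group("state"), "name": m.group("name"),
                 "path": None, "date": None, "size": None, "orphaned": False}
        if rest.endswith("[?]"):
            # Assumption: DDS writes [?] when it could not read the image file,
            # i.e. the registry still names a driver that is gone from disk.
            entry["orphaned"] = True
            target = rest[:-3].strip()
            if "-->" in target:
                target = target.split("-->", 1)[1].strip()
            entry["path"] = target
        else:
            s = STAMP_RE.search(rest)
            if s:
                y, mo, d, size = (int(x) for x in s.groups())
                entry["date"], entry["size"] = date(y, mo, d), size
                entry["path"] = rest[:s.start()].strip()
            else:
                entry["path"] = rest
        entries.append(entry)
    return entries


def triage_services(text, run_date, recent_days=30):
    """Names of orphaned entries and of files written within recent_days of run_date."""
    entries = parse_services(text)
    window = timedelta(days=recent_days)
    return {
        "orphaned": [e["name"] for e in entries if e["orphaned"]],
        "recent": [e["name"] for e in entries if e["date"] and run_date - e["date"] <= window],
    }


def classify_path(path):
    """Where a detection lives: restore point, a scanner's quarantine, or a live location."""
    p = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "restore_point"   # inert unless System Restore is rolled back to that point
    if "\\QUARANTINE\\" in p or p.endswith(".VIR"):
        return "quarantine"      # already neutralised by an earlier tool
    return "live"


def parse_detections(text):
    """Group '<name>\\n<path>...' blocks into buckets of (detection name, path)."""
    buckets = {"restore_point": [], "quarantine": [], "live": []}
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            current = None           # blank line ends a detection block
        elif current is None:
            current = line           # first line of a block is the detection name
        else:
            buckets[classify_path(line)].append((current, line))
    return buckets


if __name__ == "__main__":
    print(triage_services(DDS_SERVICES, LOG_RUN_DATE))
    for bucket, hits in parse_detections(SAS_DETECTIONS).items():
        print(bucket, len(hits))
```

Run against the two samples, `triage_services` reports LLRKD and SPYPRV as orphaned and aswSP (written the day the log was taken) as recent; pavboot only enters the recent list if the window is widened past 31 days. The detection buckets put the Vundo hits in restore points and quarantine, leaving only the constructed line as a live finding, which is the distinction that matters when deciding whether a system still needs cleaning or just needs its old restore points purged.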



