
Backdoor.Bot or rootkit suspected


This topic is locked
34 replies to this topic

#1 metallord

metallord

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 28 October 2009 - 10:32 AM

Hi,
my VISA card number was recently tried on the other side of the world - I have a fairly moderate limit on it and so the transaction triggered an alert and the bank caught it, but still I have to suspect my computer is compromised. I have tried a few things by myself:

Malwarebytes has identified "Backdoor.Bot" and "Malware.Packer.Krunchy"
Panda finds nothing
Blacklight finds nothing
DarkSpy crashes system
Rootkit Buster does not find the log directory
Rootkit Revealer finds key names with embedded nulls in HKLM\SECURITY\Policy\Secrets\SAC* and ...\SAI*

Up to here, the programs were run off a CD I burnt on a system I believe to be clean; the rest were downloaded to the suspect computer.

RegDelNull scan returns nothing
RootRepeal ran once after I set the access level to "highest" (I didn't save the log) but now keeps crashing and either immediately rebooting the system, or giving a PAGE_FAULT_IN_NONPAGED_AREA error (sometimes other errors too), so I cannot provide a log yet. Could it be the SATA RAID disk duo?

IceSword and GMER work but I don't know what it all means - this exceeds my capability at the moment.


Here is the DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Jan at 1:07:22.32 on 29.10.09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.984 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\XAMPP\apache\bin\httpd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\XAMPP\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Andrea Electronics\AudioCommander\AEFltrs.exe
C:\Program Files\Andrea Electronics\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hardware\Logitech Maus\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Install\Software\Sun\SUN.EXE
D:\XAMPP\apache\bin\httpd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre6\bin\javaw.exe
D:\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [AEFltrs] "c:\program files\andrea electronics\audiocommander\AEFltrs.exe" /NoDlg
mRun: [VoiceCenter] "c:\program files\andrea electronics\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\worddragon 10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [amd_dc_opt] c:\program files\hardware\amd dual-core optimizer\amd_dc_opt.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jan\startm~1\programs\startup\sonne.lnk - d:\install\software\sun\SUN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincolor.lnk - c:\program files\hardware\ms color control xp\WinColor.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: Jans-Rechner
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245908427078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-6-8 77312]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [2009-6-23 24636]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [2009-6-8 12800]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2009-6-21 34304]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [2009-6-8 15488]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-10 12672]
S3 DarkSpy;DarkSpy;c:\windows\system32\DarkSpyKernel.sys [2009-10-28 129536]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-10-28 12:46:40 0 d-----w- c:\program files\Sophos Anti-Rootkit
2009-10-28 12:05:10 162616 ----a-w- C:\RegDelNull.exe
2009-10-28 11:37:42 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-28 11:04:26 0 d-----w- c:\windows\ERUNT
2009-10-28 11:00:08 0 d-----w- C:\SDFix
2009-10-28 10:27:34 129536 ----atw- c:\windows\system32\DarkSpyKernel.sys
2009-10-27 20:11:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 20:11:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-27 09:39:06 0 d-----w- c:\docume~1\jan\applic~1\Malwarebytes
2009-10-27 09:39:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 09:39:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 09:39:02 0 d-----w- c:\program files\Malwarebytes
2009-10-27 09:39:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 03:05:45 68 ----a-w- c:\windows\wyko.ini
2009-10-22 03:05:45 448 ----a-w- c:\windows\V32.INI
2009-10-18 08:51:29 0 d-----w- c:\docume~1\jan\applic~1\fdrtools.com
2009-10-18 08:51:08 0 d-----w- c:\program files\FDRTools Basic 2.3.0
2009-10-13 22:36:51 0 d-----w- c:\program files\Neat Image
2009-10-12 07:54:39 0 d-----w- C:\VueScan
2009-10-09 22:49:49 10 ----a-w- c:\windows\popcinfo.dat
2009-10-09 21:20:33 14 ----a-w- c:\windows\popcinfot.dat
2009-10-09 21:20:33 0 d-----w- c:\program files\Games
2009-10-09 21:20:33 0 ----a-w- c:\windows\popcreg.dat

==================== Find3M ====================

2009-10-28 11:49:26 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-28 11:49:23 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 1:07:28.03 ===============


I'll do what it takes to get RootRepeal to run, or use a suitable substitute.
Thanks in advance,
MetalLord


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:25 AM

Posted 03 November 2009 - 05:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and choose Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replied

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer


#3 metallord

metallord
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 03 November 2009 - 07:22 AM

Hi there,
thanks for your reply. Here is the new log; I have not used my computer for banking in a week. I have since removed a few hidden drivers left behind by other anti-rootkit applications, which enabled RootRepeal to run, so the RootRepeal log is now attached too.
My computer responds normally and I get no firewall alerts except about Java updates - but as mentioned above, my VISA card number was stolen somehow - I'm not sure if it was via my computer.


DDS log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Jan at 23:14:13.81 on 03.11.09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.929 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\XAMPP\apache\bin\httpd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\XAMPP\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
D:\XAMPP\apache\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Andrea Electronics\AudioCommander\AEFltrs.exe
C:\Program Files\Andrea Electronics\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Install\Software\Sun\SUN.EXE
C:\Program Files\Hardware\Logitech Maus\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\K-Lite Mega Codec Pack 5.0.0\Media Player Classic\mplayerc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [AEFltrs] "c:\program files\andrea electronics\audiocommander\AEFltrs.exe" /NoDlg
mRun: [VoiceCenter] "c:\program files\andrea electronics\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\worddragon 10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [amd_dc_opt] c:\program files\hardware\amd dual-core optimizer\amd_dc_opt.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jan\startm~1\programs\startup\sonne.lnk - d:\install\software\sun\SUN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincolor.lnk - c:\program files\hardware\ms color control xp\WinColor.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: Jans-Rechner
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245908427078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-6-8 77312]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [2009-6-23 24636]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [2009-6-8 12800]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2009-6-21 34304]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [2009-6-8 15488]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-10 12672]
S3 DarkSpy;DarkSpy;\??\c:\windows\system32\darkspykernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]
S3 lhffpo34;lhffpo34;\??\c:\windows\system32\drivers\lhffpo34.sys --> c:\windows\system32\drivers\lhffpo34.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 TIVHZB;TIVHZB;c:\docume~1\jan\locals~1\temp\tivhzb.exe --> c:\docume~1\jan\locals~1\temp\TIVHZB.exe [?]

=============== Created Last 30 ================

2009-11-03 12:02:52 0 d-----w- c:\program files\PSPad editor
2009-10-30 13:04:35 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-28 15:07:47 0 d-----w- c:\documents and settings\jan\Pavark
2009-10-28 14:42:57 4795009 ----a-w- c:\windows\system32\XIY
2009-10-28 12:46:40 0 d-----w- c:\program files\Sophos Anti-Rootkit
2009-10-28 12:05:10 162616 ----a-w- C:\RegDelNull.exe
2009-10-28 11:04:26 0 d-----w- c:\windows\ERUNT
2009-10-28 11:00:08 0 d-----w- C:\SDFix
2009-10-27 20:11:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 20:11:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-27 09:39:06 0 d-----w- c:\docume~1\jan\applic~1\Malwarebytes
2009-10-27 09:39:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 09:39:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 09:39:02 0 d-----w- c:\program files\Malwarebytes
2009-10-27 09:39:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 03:05:45 68 ----a-w- c:\windows\wyko.ini
2009-10-22 03:05:45 448 ----a-w- c:\windows\V32.INI
2009-10-18 08:51:29 0 d-----w- c:\docume~1\jan\applic~1\fdrtools.com
2009-10-18 08:51:08 0 d-----w- c:\program files\FDRTools Basic 2.3.0
2009-10-13 22:36:51 0 d-----w- c:\program files\Neat Image
2009-10-12 07:54:39 0 d-----w- C:\VueScan
2009-10-09 22:49:49 10 ----a-w- c:\windows\popcinfo.dat
2009-10-09 21:20:33 14 ----a-w- c:\windows\popcinfot.dat
2009-10-09 21:20:33 0 d-----w- c:\program files\Games
2009-10-09 21:20:33 0 ----a-w- c:\windows\popcreg.dat

==================== Find3M ====================

2009-11-03 08:48:18 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-03 08:48:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 23:14:24.89 ===============

In the "Attach.TXT", I don't see the "Advertising Center" in my list of attached applications - pretty sure I didn't install it.
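A small triage script, added here as an example and not a tool from this thread or from BleepingComputer, that parses the DDS "SERVICES / DRIVERS" and "Created Last 30" line formats and flags the kinds of entries a responder would verify by hand (a service whose binary sits in a temp directory, an entry DDS could not stat, a random-looking service name, hidden+system or extension-less files under system32). The sample lines are constructed after entries in the log above; every flag is a heuristic for human review, not a verdict that the entry is malicious.

```python
"""Heuristic triage of the DDS "SERVICES / DRIVERS" and "Created Last 30" sections."""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on entries from the second DDS log above.
# The heuristics below only raise entries for a human to look at; they are not verdicts.
SERVICES_SAMPLE = r"""
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-6-8 77312]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2009-6-21 34304]
S3 lhffpo34;lhffpo34;\??\c:\windows\system32\drivers\lhffpo34.sys --> c:\windows\system32\drivers\lhffpo34.sys [?]
S3 TIVHZB;TIVHZB;c:\docume~1\jan\locals~1\temp\tivhzb.exe --> c:\docume~1\jan\locals~1\temp\TIVHZB.exe [?]
"""

FILES_SAMPLE = r"""
2009-10-28 14:42:57 4795009 ----a-w- c:\windows\system32\XIY
2009-10-27 09:39:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-10-18 08:51:08 0 d-----w- c:\program files\FDRTools Basic 2.3.0
"""

# "R0 name;display name;path [date size]"  or  "... path --> resolved path [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
# "YYYY-MM-DD HH:MM:SS size attrs path"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>[\d:]+)\s+(?P<size>\d+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# four or more consonants in a row is a cheap "looks random" test for service names
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def _resolved_path(path: str) -> str:
    """Use the path after '-->' when DDS printed one, and drop the NT '\\??\\' prefix."""
    if "-->" in path:
        path = path.split("-->", 1)[1]
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage_services(text: str) -> list[Finding]:
    """Flag service/driver entries that a responder would want to verify by hand."""
    findings = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = _resolved_path(m["path"])
        reasons = []
        if m["info"] == "?":
            reasons.append("DDS could not read the file's date/size (missing or hidden)")
        if TEMP_DIR.search(path):
            reasons.append("service binary lives in a temp directory")
        if CONSONANT_RUN.search(m["name"].lower()):
            reasons.append("service name looks machine-generated")
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


def triage_files(text: str) -> list[Finding]:
    """Flag recently created files with attributes or locations worth a second look."""
    findings = []
    for raw in text.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m:
            continue
        attrs, size, path = m["attrs"], int(m["size"]), m["path"].lower()
        is_dir = attrs[0] == "d"
        in_system32 = "\\system32\\" in path
        basename = path.rsplit("\\", 1)[-1]
        reasons = []
        if not is_dir and "s" in attrs and "h" in attrs and in_system32:
            reasons.append("hidden+system attributes on a file under system32")
        if not is_dir and in_system32 and "." not in basename and size > 0:
            reasons.append("extension-less non-empty file under system32")
        if TEMP_DIR.search(path):
            reasons.append("file created in a temp directory")
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


def report(text: str) -> str:
    """Render both triage passes as one plain-text report."""
    lines = []
    for f in triage_services(text) + triage_files(text):
        lines.append(f.line)
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SERVICES_SAMPLE + FILES_SAMPLE))
```

Paste a whole DDS log into `report()` and it will pick out only the two sections it understands; everything else is ignored.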


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:25 AM

Posted 04 November 2009 - 10:57 AM

Hello metallord, welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


You stated you had run GMER but was unable to decipher it. If you still have the log then please post it. If not download and run it again from the link below:



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you downloaded on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.




Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 metallord

metallord
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 05 November 2009 - 06:33 AM

Hello The Wall,

here is the GMER output:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 22:28:47
Windows 5.1.2600 Service Pack 3
Running: bdjwvs2u.exe; Driver: C:\DOCUME~1\Jan\LOCALS~1\Temp\kxlcaaoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AF2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AF2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AF2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AF2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)

---- EOF - GMER 1.0.15 ----


As advised, I won't run any rootkit tools other than those that you recommend.
Thank you,
Jan

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:25 AM

Posted 05 November 2009 - 09:34 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 metallord

metallord
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 06 November 2009 - 04:22 AM

Hello TheWall,
here's the Combofix log - the machine did have to install the recovery console, but never rebooted. Should it have?



ComboFix 09-11-05.01 - Jan 06.11.09 20:06.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1203 [GMT 11:00]
Running from: d:\desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1993962763-1292428093-839522115-1010
d:\\ZbThumbnail.info

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-05 11:23 . 2009-11-05 11:23 -------- d-----w- c:\documents and settings\Jan\Local Settings\Application Data\kompozer.net
2009-11-05 11:23 . 2009-11-05 11:23 -------- d-----w- c:\documents and settings\Jan\Application Data\kompozer.net
2009-11-05 11:20 . 2009-11-05 11:23 -------- d-----w- c:\program files\Mozilla KompoZer
2009-11-04 11:32 . 2009-11-04 11:32 -------- d-----w- c:\windows\system32\windows media
2009-11-04 11:32 . 2009-11-04 11:32 -------- d--h--w- c:\windows\msdownld.tmp
2009-11-04 11:32 . 2009-11-04 11:32 -------- d-----w- c:\program files\WMEncoder
2009-11-03 12:02 . 2009-11-03 12:03 -------- d-----w- c:\program files\PSPad editor
2009-10-30 13:04 . 2009-10-30 13:04 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-30 12:25 . 2009-10-30 12:25 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-30 12:24 . 2009-10-30 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-28 15:07 . 2009-10-28 15:07 -------- d-----w- c:\documents and settings\Jan\Pavark
2009-10-28 12:46 . 2009-10-28 12:46 -------- d-----w- c:\program files\Sophos Anti-Rootkit
2009-10-28 12:05 . 2006-11-01 02:06 162616 ----a-w- C:\RegDelNull.exe
2009-10-28 11:04 . 2009-10-28 11:04 -------- d-----w- c:\windows\ERUNT
2009-10-28 11:00 . 2009-10-28 11:09 -------- d-----w- C:\SDFix
2009-10-27 20:11 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 20:11 . 2009-10-27 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\documents and settings\Jan\Application Data\Malwarebytes
2009-10-27 09:39 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\program files\Malwarebytes
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 09:39 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 08:51 . 2009-10-18 08:53 -------- d-----w- c:\documents and settings\Jan\Application Data\fdrtools.com
2009-10-18 08:51 . 2009-10-18 08:51 -------- d-----w- c:\program files\FDRTools Basic 2.3.0
2009-10-13 22:36 . 2009-10-13 22:36 -------- d-----w- c:\program files\Neat Image
2009-10-12 07:54 . 2009-10-12 07:56 -------- d-----w- C:\VueScan
2009-10-09 22:49 . 2009-10-31 12:56 10 ----a-w- c:\windows\popcinfo.dat
2009-10-09 21:20 . 2009-10-09 22:51 -------- d-----w- c:\program files\Games
2009-10-09 21:20 . 2009-10-09 22:49 14 ----a-w- c:\windows\popcinfot.dat
2009-10-09 21:20 . 2009-10-09 21:20 0 ----a-w- c:\windows\popcreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 08:51 . 2009-06-08 06:02 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-06 08:50 . 2009-06-08 07:24 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-06 08:50 . 2009-06-08 07:24 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-05 10:11 . 2009-08-29 01:23 -------- d-----w- c:\program files\ACLab 2005
2009-11-04 13:07 . 2009-07-05 14:51 -------- d-----w- c:\program files\SUPER
2009-11-04 09:23 . 2009-06-25 14:36 -------- d-----w- c:\documents and settings\Jan\Application Data\ZoomBrowser EX
2009-10-24 11:00 . 2009-06-28 20:12 -------- d-----w- c:\documents and settings\Jan\Application Data\CameraWindowDC
2009-10-18 13:43 . 2009-07-05 14:56 -------- d-----w- c:\documents and settings\Jan\Application Data\Skype
2009-10-18 09:31 . 2009-07-20 11:54 -------- d-----w- c:\program files\Qtpfsgui
2009-10-18 08:49 . 2009-07-01 06:59 -------- d-----w- c:\program files\DRI Tool 2.0
2009-10-14 09:51 . 2009-06-20 22:26 -------- d-----w- c:\program files\Nero
2009-10-11 14:18 . 2009-06-15 02:00 -------- d-----w- c:\documents and settings\Jan\Application Data\Canon
2009-09-05 21:06 . 2009-06-08 03:16 77728 ----a-w- c:\documents and settings\Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 08:55 . 2009-08-31 08:55 152576 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-26 23:32 . 2009-08-26 23:32 64376 ----a-w- c:\documents and settings\Powerpoint 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 . 2009-07-05 14:51 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-07-05 14:51 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-07-05 14:51 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"AEFltrs"="c:\program files\Andrea Electronics\AudioCommander\AEFltrs.exe" [2007-12-05 290816]
"VoiceCenter"="c:\program files\Andrea Electronics\VoiceCenter\AndreaVC.exe" [2008-02-28 1130496]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\WordDragon 10\Ereg\Ereg.exe" [2007-04-16 259624]
"amd_dc_opt"="c:\program files\Hardware\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-02-05 548864]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-26 65024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jan\Start Menu\Programs\Startup\
Sonne.lnk - d:\install\Software\Sun\SUN.EXE [2009-8-16 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinColor.lnk - c:\program files\Hardware\MS Color Control XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/8/2009 4:43 PM 77312]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [6/23/2009 2:06 PM 24636]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [6/8/2009 7:03 PM 12800]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [6/21/2009 8:52 AM 34304]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [6/8/2009 6:20 PM 15488]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/10/2009 12:41 PM 12672]
S3 DarkSpy;DarkSpy;\??\c:\windows\system32\DarkSpyKernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]
S3 lhffpo34;lhffpo34;\??\c:\windows\system32\drivers\lhffpo34.sys --> c:\windows\system32\drivers\lhffpo34.sys [?]
S3 TIVHZB;TIVHZB;c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe --> c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: Jans-Rechner
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-VueScan - c:\vuescan\vuescan.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-06 20:10
ComboFix-quarantined-files.txt 2009-11-06 09:10

Pre-Run: 55,501,000,704 bytes free
Post-Run: 55,590,539,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 5CCC124EF5FD53CB46FDF54AB30D843C


Thank you for your efforts! Once I can use Paypal again, I know what I'll do first...

Jan

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 November 2009 - 11:16 AM

You're welcome Jan :(

Usually if ComboFix needs to reboot it will do it itself. I haven't run it myself lately so I am not positive what it is informing the user of as it runs but if it says it's going to reboot and doesn't do so then let me know.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\lhffpo34.sys
c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe
Driver::
lhffpo34
TIVHZB


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 metallord
  • Topic Starter
  • Members
  • 17 posts

Posted 07 November 2009 - 09:30 AM

Hello TheWall,
ComboFix asked to update itself, which I allowed it to do - I hope that was a legitimate update. Also, this time it rebooted the machine. Here's the ComboFix log:

ComboFix 09-11-06.03 - Jan 08.11.09 0:59.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1265 [GMT 11:00]
Running from: d:\desktop\ComboFix.exe
Command switches used :: d:\desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe"
"c:\windows\system32\drivers\lhffpo34.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LHFFPO34
-------\Legacy_TIVHZB
-------\Service_lhffpo34
-------\Service_TIVHZB


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-06 15:29 . 2009-11-06 15:30 -------- d-----w- c:\program files\Raw Therapee
2009-11-06 14:24 . 2009-11-06 14:24 -------- d-----w- c:\documents and settings\Jan\Application Data\Picturenaut
2009-11-06 14:23 . 2009-11-06 14:23 -------- d-----w- c:\program files\Picturenaut
2009-11-05 11:23 . 2009-11-05 11:23 -------- d-----w- c:\documents and settings\Jan\Local Settings\Application Data\kompozer.net
2009-11-05 11:23 . 2009-11-05 11:23 -------- d-----w- c:\documents and settings\Jan\Application Data\kompozer.net
2009-11-05 11:20 . 2009-11-05 11:23 -------- d-----w- c:\program files\Mozilla KompoZer
2009-11-04 11:32 . 2009-11-04 11:32 -------- d-----w- c:\windows\system32\windows media
2009-11-04 11:32 . 2009-11-04 11:32 -------- d--h--w- c:\windows\msdownld.tmp
2009-11-04 11:32 . 2009-11-04 11:32 -------- d-----w- c:\program files\WMEncoder
2009-11-03 12:02 . 2009-11-03 12:03 -------- d-----w- c:\program files\PSPad editor
2009-10-30 13:04 . 2009-10-30 13:04 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-30 12:25 . 2009-10-30 12:25 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-30 12:24 . 2009-10-30 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-28 15:07 . 2009-10-28 15:07 -------- d-----w- c:\documents and settings\Jan\Pavark
2009-10-28 12:46 . 2009-10-28 12:46 -------- d-----w- c:\program files\Sophos Anti-Rootkit
2009-10-28 12:05 . 2006-11-01 02:06 162616 ----a-w- C:\RegDelNull.exe
2009-10-28 11:04 . 2009-10-28 11:04 -------- d-----w- c:\windows\ERUNT
2009-10-28 11:00 . 2009-10-28 11:09 -------- d-----w- C:\SDFix
2009-10-27 20:11 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 20:11 . 2009-10-27 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\documents and settings\Jan\Application Data\Malwarebytes
2009-10-27 09:39 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\program files\Malwarebytes
2009-10-27 09:39 . 2009-10-27 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 09:39 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 08:51 . 2009-10-18 08:53 -------- d-----w- c:\documents and settings\Jan\Application Data\fdrtools.com
2009-10-18 08:51 . 2009-10-18 08:51 -------- d-----w- c:\program files\FDRTools Basic 2.3.0
2009-10-13 22:36 . 2009-10-13 22:36 -------- d-----w- c:\program files\Neat Image
2009-10-12 07:54 . 2009-10-12 07:56 -------- d-----w- C:\VueScan
2009-10-09 22:49 . 2009-10-31 12:56 10 ----a-w- c:\windows\popcinfo.dat
2009-10-09 21:20 . 2009-10-09 22:51 -------- d-----w- c:\program files\Games
2009-10-09 21:20 . 2009-10-09 22:49 14 ----a-w- c:\windows\popcinfot.dat
2009-10-09 21:20 . 2009-10-09 21:20 0 ----a-w- c:\windows\popcreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 14:04 . 2009-06-08 07:24 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-07 14:04 . 2009-06-08 07:24 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-07 13:37 . 2009-06-08 06:02 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-06 17:33 . 2009-07-05 14:51 -------- d-----w- c:\program files\SUPER
2009-11-06 15:32 . 2009-06-28 22:12 -------- d-----w- c:\documents and settings\Jan\Application Data\gtk-2.0
2009-11-06 14:18 . 2009-06-25 14:36 -------- d-----w- c:\documents and settings\Jan\Application Data\ZoomBrowser EX
2009-11-05 10:11 . 2009-08-29 01:23 -------- d-----w- c:\program files\ACLab 2005
2009-10-24 11:00 . 2009-06-28 20:12 -------- d-----w- c:\documents and settings\Jan\Application Data\CameraWindowDC
2009-10-18 13:43 . 2009-07-05 14:56 -------- d-----w- c:\documents and settings\Jan\Application Data\Skype
2009-10-18 09:31 . 2009-07-20 11:54 -------- d-----w- c:\program files\Qtpfsgui
2009-10-18 08:49 . 2009-07-01 06:59 -------- d-----w- c:\program files\DRI Tool 2.0
2009-10-14 09:51 . 2009-06-20 22:26 -------- d-----w- c:\program files\Nero
2009-10-11 14:18 . 2009-06-15 02:00 -------- d-----w- c:\documents and settings\Jan\Application Data\Canon
2009-09-05 21:06 . 2009-06-08 03:16 77728 ----a-w- c:\documents and settings\Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 08:55 . 2009-08-31 08:55 152576 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-26 23:32 . 2009-08-26 23:32 64376 ----a-w- c:\documents and settings\Powerpoint 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 . 2009-07-05 14:51 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-07-05 14:51 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-07-05 14:51 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_09.09.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 14:04 . 2009-11-07 14:04 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
+ 2009-11-07 14:04 . 2009-04-30 06:01 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"AEFltrs"="c:\program files\Andrea Electronics\AudioCommander\AEFltrs.exe" [2007-12-05 290816]
"VoiceCenter"="c:\program files\Andrea Electronics\VoiceCenter\AndreaVC.exe" [2008-02-28 1130496]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\WordDragon 10\Ereg\Ereg.exe" [2007-04-16 259624]
"amd_dc_opt"="c:\program files\Hardware\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-02-05 548864]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]
"combofix"="c:\combofix\CF18958.exe" [2009-11-07 389120]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-26 65024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jan\Start Menu\Programs\Startup\
Sonne.lnk - d:\install\Software\Sun\SUN.EXE [2009-8-16 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinColor.lnk - c:\program files\Hardware\MS Color Control XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/8/2009 4:43 PM 77312]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [6/23/2009 2:06 PM 24636]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [6/8/2009 7:03 PM 12800]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [6/21/2009 8:52 AM 34304]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [6/8/2009 6:20 PM 15488]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/10/2009 12:41 PM 12672]
S3 DarkSpy;DarkSpy;\??\c:\windows\system32\DarkSpyKernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: Jans-Rechner
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 01:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4068)
c:\program files\Hardware\Logitech Maus\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hardware\Logitech Maus\MouseWare\system\em_exec.exe
.
**************************************************************************
.
Completion time: 2009-11-07 1:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 14:07

Pre-Run: 55,412,035,584 bytes free
Post-Run: 55,315,435,520 bytes free

- - End Of File - - 5D46946019E4F0DDA7628B094191782D


The LHFFPO34 was an instance of RootRepeal that I had renamed (before coming to BleepingComputer), because it wouldn't run and I thought I'd try with a random name - the other one I'm not sure about.
Thanks,
Jan

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 November 2009 - 11:14 AM

Hi Jan,

Often malware will show up in the drivers section, so we clean off anything we can't find any info on that has a suspicious look about it. Of course there is more that goes into it than that, but basically that is our first tip-off.

It is quite normal for CF to update itself, so you did the right thing. I need to change my instructions to include that info so people don't get thrown off.

I don't see an antivirus on your machine and we have got to get you one up and running. With the amount of infections out there that are probing machines and looking for vulnerabilities yours is a prime target. We'll run the following program first but I strongly advise against any surfing until after we get you an AV installed.

Let's do this next. Kaspersky will take quite a bit to run so you just have to be patient and let it finish because it is very thorough.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
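
What thewall describes in #8 (the File::/Driver:: sections of a CFScript) and in #10 (drivers with no information on them and a suspicious look are the first tip-off) can be shown as a small triage script. This is an added example for this page, not code from the thread and not ComboFix's own logic. It parses the R?/S? service lines from the first ComboFix log above (copied in as a constructed sample), scores each line on the signals a helper looks at (ComboFix could not read the file and printed "[?]"; the file lives under a Temp directory; the display name is just the service name repeated; the name looks generated), and drafts a CFScript for every entry that trips three of those signals. The three-signal threshold, the random-name rules and the KNOWN_TOOLS allowlist (DarkSpy, which the first post says the user installed himself) are this example's assumptions. On this log it reproduces thewall's choice of lhffpo34 and TIVHZB. Jan's follow-up, that lhffpo34 was really a renamed RootRepeal, is the caveat that goes with it: a heuristic like this proposes, and a person confirms each path before anything is deleted.

```python
"""Triage the Drivers/Services section of a ComboFix log and draft a CFScript.

Added example for this thread, not ComboFix's own logic and not code from
the original posts. The scoring rules and KNOWN_TOOLS are assumptions.
"""
import re

# Constructed sample: driver/service lines copied from the first ComboFix log
# in this thread. ComboFix prints "<state> <name>;<display name>;<path> [date size]"
# and, when it cannot read the file, "<imagepath> --> <resolved path> [?]".
SAMPLE_LOG = r"""
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/8/2009 4:43 PM 77312]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [6/23/2009 2:06 PM 24636]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [6/8/2009 6:20 PM 15488]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 DarkSpy;DarkSpy;\??\c:\windows\system32\DarkSpyKernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]
S3 lhffpo34;lhffpo34;\??\c:\windows\system32\drivers\lhffpo34.sys --> c:\windows\system32\drivers\lhffpo34.sys [?]
S3 TIVHZB;TIVHZB;c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe --> c:\docume~1\Jan\LOCALS~1\Temp\TIVHZB.exe [?]
"""

# Assumption: names of tools the thread says the user installed himself.
KNOWN_TOOLS = {"darkspy"}

LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def parse_line(line):
    """Split one ComboFix service line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body, _, tail = m.group("rest").rpartition(" [")
    return {
        "state": m.group("state"),
        "name": m.group("name"),
        "display": m.group("display"),
        # For a missing file ComboFix echoes "imagepath --> resolved path"; keep the resolved one.
        "path": body.split(" --> ")[-1].strip(),
        "missing": tail.rstrip("]") == "?",
    }


def looks_random(name):
    """Crude check for generated names: letters mixed with digits, no vowels, or a long consonant run."""
    mixed = bool(re.search(r"[a-z]", name, re.I) and re.search(r"\d", name))
    no_vowel = not re.search(r"[aeiouy]", name, re.I)
    run = bool(re.search(r"[bcdfghjklmnpqrstvwxz]{4}", name, re.I))
    return mixed or no_vowel or run


def triage(log_text):
    """Score every service line; an entry is 'suspect' when three signals agree and it is not a known tool."""
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e["missing"]:
            reasons.append("file not readable by ComboFix")
        if re.search(r"\\temp\\", e["path"], re.I):
            reasons.append("runs from a Temp directory")
        if e["display"] == e["name"]:
            reasons.append("no descriptive display name")
        if looks_random(e["name"]):
            reasons.append("random-looking name")
        e["reasons"] = reasons
        e["suspect"] = len(reasons) >= 3 and e["name"].lower() not in KNOWN_TOOLS
        results.append(e)
    return results


def draft_cfscript(log_text):
    """Render the flagged entries as the File::/Driver:: sections of a CFScript."""
    suspects = [e for e in triage(log_text) if e["suspect"]]
    if not suspects:
        return ""
    lines = ["File::"] + [e["path"] for e in suspects]
    lines += ["Driver::"] + [e["name"] for e in suspects]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "SUSPECT" if e["suspect"] else "ok     "
        print(f"{flag} {e['state']} {e['name']:<10} {'; '.join(e['reasons'])}")
    print(draft_cfscript(SAMPLE_LOG))
```

Run it as a script and it lists every service with the signals it tripped, then prints the drafted CFScript. SSPORT and DarkSpy also have unreadable files and bare display names, but only two signals each (DarkSpy is on the allowlist), so they are left alone; that is deliberate, since a missing file alone is also what a renamed research tool or an uninstalled printer driver looks like.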

#11 metallord
  • Topic Starter
  • Members
  • 17 posts

Posted 08 November 2009 - 03:02 PM

Hello,
here it is. Ran for almost 7 hours - it's a fast computer, but a big HD as well. C: is the system drive, and D: is the data and software storage.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 08, 2009 03:40:29
Records in database: 3173638
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 229961
Threats found: 55
Infected objects found: 601
Suspicious objects found: 210
Scan duration: 06:43:55


File name / Threat / Threats count
C:\System Volume Information\_restore{1B1B5CAB-6BB6-4FBF-91ED-7839E9384DE7}\RP131\A0054429.sys Infected: Rootkit.Win32.Fuzen.r 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD304.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD304.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD305.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD305.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD40.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD40.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Info\Remote\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Info\Remote\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Info\RemoteNew\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Info\RemoteNew\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Install\Software\Nero\keymaker.exe Infected: Packed.Win32.Black.a 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Downloader.Win32.FraudLoad.epb 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Patcher.eh 3
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.UltimateDefender.xp 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Spy.Win32.Zbot.zur 14
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Downloader.Win32.Agent.byc 5
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Spy.Win32.Zbot.gen 6
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.dq 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.eh 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.fg 2
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.hq 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.ix 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.jh 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.kh 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.nz 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.pp 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.os 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredavi.abe 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ihd 12
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ijw 5
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Packed.Win32.Krap.w 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ikw 3
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ilx 5
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.imq 9
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.iop 4
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ipu 2
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Inject.akjn 4
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.itv 3
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.ajj 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredavi.akp 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ivf 9
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Packed.Win32.Krap.ah 35
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Packed.Win32.Krap.x 4
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Downloader.Win32.FraudLoad.wuis 11
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan.Win32.FraudPack.xek 2
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Suspicious: Password-protected-EXE 16
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.aue 3
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Spy.Win32.Zbot.acsp 4
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.apa 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Small.zo 20
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.ary 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.asm 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Small.zp 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Downloader.Win32.FraudLoad.epb 21
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Patcher.eh 3
D:\Mozilla Thunderbird\Mail\Mail\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Spy.Win32.Zbot.zur 14
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.UltimateDefender.xp 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Downloader.Win32.Agent.byc 5
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Spy.Win32.Zbot.gen 9
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.dq 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.eh 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.fg 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.hq 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.ix 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.jh 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.kh 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.nz 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.pp 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.os 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredavi.abe 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ihd 12
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ijw 5
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Packed.Win32.Krap.w 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ikw 3
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ilx 5
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.imq 9
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.iop 4
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ipu 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Inject.akjn 4
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredavi.akp 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.itv 3
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.ajj 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Vilsel.ivf 9
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Packed.Win32.Krap.ah 35
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Packed.Win32.Krap.x 4
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Downloader.Win32.FraudLoad.wuis 11
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.FraudPack.xek 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Suspicious: Password-protected-EXE 16
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.aue 4
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan-Spy.Win32.Zbot.acsp 4
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.apa 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Small.zo 20
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.ary 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.asm 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Small.zp 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Small.zs 24
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Sasfis.tub 2
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Trojan.Win32.Buzus.cltg 1
D:\Mozilla Thunderbird\Mail\Mail\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\Mozilla Thunderbird\Mail\Mail\Trash Infected: Trojan-Downloader.Win32.Agent.bfv 1
D:\Mozilla Thunderbird\Mail\Mail\Trash Infected: Trojan-Spy.Win32.Zbot.gen 1
D:\Mozilla Thunderbird\Mail\Mail\Trash.sbd\eBay Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail\Mail\Trash.sbd\Webseiten.sbd\1&1 Infected: Backdoor.Win32.Agent.akf 1
D:\Mozilla Thunderbird\Mail\Shopping\eBay Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail\Subscriptions\Greens Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail\Subscriptions\Jason Hommel Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Mozilla Thunderbird\Mail\Webseiten\1&1 Infected: Backdoor.Win32.Agent.akf 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan-Downloader.Win32.FraudLoad.epb 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan.Win32.Patcher.eh 3
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.UltimateDefender.xp 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan-Spy.Win32.Zbot.zur 14
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan-Downloader.Win32.Agent.byc 5
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan-Spy.Win32.Zbot.gen 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.dq 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.eh 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.fg 2
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.hq 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.ix 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.jh 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.kh 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.nz 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.pp 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.os 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Backdoor.Win32.Bredavi.abe 1
D:\Mozilla Thunderbird\Mail Backup\Local Folders\spamato Infected: Trojan.Win32.Vilsel.ihd 5
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan-Downloader.Win32.FraudLoad.epb 21
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan.Win32.Patcher.eh 3
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan-Spy.Win32.Zbot.zur 14
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.UltimateDefender.xp 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan-Downloader.Win32.Agent.byc 5
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan-Spy.Win32.Zbot.gen 2
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.dq 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.eh 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.fg 2
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.hq 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.ix 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.jh 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.kh 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.nz 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.pp 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredolab.os 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Backdoor.Win32.Bredavi.abe 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Inbox Infected: Trojan.Win32.Vilsel.ihd 5
D:\Mozilla Thunderbird\Mail Backup\Mail\Konsum & Better Jan.sbd\eBay Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\Mozilla Thunderbird\Mail Backup\Mail\Trash Infected: Trojan-Downloader.Win32.Agent.bfv 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Trash Infected: Trojan-Spy.Win32.Zbot.gen 1
D:\Mozilla Thunderbird\Mail Backup\Mail\Webseiten.sbd\1&1 Infected: Backdoor.Win32.Agent.akf 1
D:\Mozilla Thunderbird\Mail Backup\Shopping\eBay Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail Backup\Subscriptions\Greens Infected: Email-Worm.Win32.NetSky.q 1
D:\Mozilla Thunderbird\Mail Backup\Subscriptions\Jason Hommel Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Mozilla Thunderbird\Mail Backup\Webseiten\1&1 Infected: Backdoor.Win32.Agent.akf 1
D:\ZZZ WinXP SP2 backup\Install\Software\Acrobat\PDFUnlocker.exe Infected: P2P-Worm.Win32.Palevo.kae 1
D:\ZZZ WinXP SP2 backup\Install\Software\Nero\keymaker.exe Infected: Packed.Win32.Black.a 1
D:\ZZZ WinXP SP2 backup\Install\Software\Nero\Nero.9.X.Keygen-Silver.rar Infected: Packed.Win32.Black.a 1
D:\ZZZ WinXP SP2 backup\Install\Software\Zubehör\Microsoft\ie60.exe Infected: Trojan-Ransom.Win32.PogBlock.dl 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Inbox Infected: Trojan-Downloader.Win32.FraudLoad.epb 20
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Konsum & Better Jan.sbd\eBay Infected: Email-Worm.Win32.NetSky.q 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Trash Infected: Trojan-Downloader.Win32.Agent.bfv 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Trash.sbd\Greens Infected: Email-Worm.Win32.NetSky.q 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Trash.sbd\Jason Hommel Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\all-inkl.com\Webseiten.sbd\1&1 Infected: Backdoor.Win32.Agent.akf 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Trojan-Downloader.Win32.FraudLoad.epb 20
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\subscriptions\Greens Infected: Email-Worm.Win32.NetSky.q 1
D:\ZZZ WinXP SP2 backup\Mozilla Thunderbird\Mail\subscriptions\Jason Hommel Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.


Thanks,
Jan

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 08 November 2009 - 07:19 PM

As you can see, your Thunderbird mail is heavily infected. If possible you need to empty as much as possible, and if you can't we'll take it out another way. I also want you to run the following and let it clean what it finds, then we'll go from there.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 metallord

metallord
  • Topic Starter

  • Members
  • 17 posts

Posted 09 November 2009 - 08:59 AM

Hello TheWall,
here are the scan results. I guess I should have emptied the recycle bin first - that would have been faster. Tried to delete the infected e-mails first (mostly known phishing stuff forwarded to the respective spoof departments) but that was too much stuff to go through for some folders.


D:\Install\Software\Nero\keymaker.exe probably a variant of Win32/Obfuscated trojan cleaned by deleting - quarantined
D:\Install\Software\Nero\Nero-9.2.6.0_trial.exe Win32/Toolbar.AskSBar application deleted - quarantined
D:\Mozilla Thunderbird\Mail\Local Folders\Trash a variant of Win32/Kryptik.AOL trojan contained infected files
D:\Mozilla Thunderbird\Mail\Mail\Trash multiple threats contained infected files
D:\Mozilla Thunderbird\Mail\Shopping\Trash Win32/Netsky.Q worm contained infected files
D:\Mozilla Thunderbird\Mail\Subscriptions\Greens Win32/Netsky.Q worm contained infected files
D:\Mozilla Thunderbird\Mail\Webseiten\1&1 Win32/TrojanDownloader.Agent.NIN trojan contained infected files
D:\Mozilla Thunderbird\Mail\Webseiten\Trash Win32/TrojanDownloader.Agent.NIN trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\all-inkl.com\Inbox Win32/TrojanDownloader.Small.OPX trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\all-inkl.com\Trash Win32/TrojanDownloader.Nurech.NAD trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\all-inkl.com\Trash.sbd\Greens Win32/Netsky.Q worm contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\all-inkl.com\Webseiten.sbd\1&1 Win32/TrojanDownloader.Agent.NIN trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\Local Folders\spamato Win32/TrojanDownloader.Small.OPX trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd6\Mail\subscriptions\Greens Win32/Netsky.Q worm contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd8\Mail\Trash multiple threats contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd8\Mail\Webseiten.sbd\1&1 Win32/TrojanDownloader.Agent.NIN trojan contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd8\Subscriptions\Greens Win32/Netsky.Q worm contained infected files
D:\RECYCLER\S-1-5-21-1202660629-1677128483-1801674531-1003\Dd8\Webseiten\1&1 Win32/TrojanDownloader.Agent.NIN trojan contained infected files
D:\ZZZ WinXP SP2 backup\Install\Software\Nero\Nero-7.7.5.1_all_update.exe Win32/Toolbar.AskSBar application deleted - quarantined
D:\ZZZ WinXP SP2 backup\Install\Software\Nero\Nero-7.7.5.1_deu.exe Win32/Toolbar.AskSBar application deleted - quarantined
D:\ZZZ WinXP SP2 backup\Install\Software\Nero\Nero-9.2.6.0_trial.exe Win32/Toolbar.AskSBar application deleted - quarantined
D:\ZZZ WinXP SP2 backup\Install\Software\Zubehör\Pdf995.Printer.Driver.v7.9s.Incl.Keymaker-CORE.rar probably a variant of Win32/Agent trojan deleted - quarantined


I think I will now run the Kaspersky scanner again overnight.
Thanks,
Jan

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 November 2009 - 10:00 AM

Sounds good, just post it when through.

#15 metallord

metallord
  • Topic Starter

  • Members
  • 17 posts

Posted 10 November 2009 - 02:53 AM

All right then,
here it is.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 14:03:09
Records in database: 3181044
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 227503
Threats found: 5
Infected objects found: 14
Suspicious objects found: 88
Scan duration: 06:12:18


File name / Threat / Threats count
C:\System Volume Information\_restore{1B1B5CAB-6BB6-4FBF-91ED-7839E9384DE7}\RP131\A0054429.sys Infected: Rootkit.Win32.Fuzen.r 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD304.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD304.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD305.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD305.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD40.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Ftp\Backup\UPGRD40.GZP Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Info\Remote\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Info\Remote\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Genesis\Navigator Suite\Info\RemoteNew\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Genesis\Navigator Suite\Info\RemoteNew\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail\Local Folders\spamato Infected: Backdoor.Win32.Bredolab.aue 1
D:\Mozilla Thunderbird\Mail\Local Folders\Trash Infected: Backdoor.Win32.Bredolab.aue 1
D:\Mozilla Thunderbird\Mail\Mail\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 42
D:\Mozilla Thunderbird\Mail\Mail\Inbox Infected: Backdoor.Win32.Bredolab.aue 1
D:\Mozilla Thunderbird\Mail\Mail\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\Mozilla Thunderbird\Mail\Subscriptions\Jason Hommel Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.


I had deleted everything from the "spamato" and "Trash" folders, and the "Inbox" too, but spam keeps coming in as the scan proceeds. I had set it to stop downloading new mails automatically but apparently that didn't stick (just one of the many small bugs in Thunderbird). I've now also compressed all the folders to overwrite the virus mails, and had emptied the recycle bin before I started.

I'll do another ESET scan now.

Update: the ESET scan came back clean but there are still 6 quarantined files.

Jan

Edited by metallord, 10 November 2009 - 05:31 AM.
