LuigiVercotti
  1. Thanks a lot Elise. I see I have a double post above; I can't delete the extra one, so if you or an admin want to do that please go ahead. Bug-wise things look OK now. I am still slowly going through everything and reversing other changes this crap did. For instance, one of the bugs seems to have installed Adobe Flash!! Blech. Either that or it came from one of the cleaning tools. I purposely do not have that installed because I hate all the crappy ads on so many websites that assault you via FLASH. I use Seamonkey as my primary browser, sans Flash, and surfing is so much quieter without FLASH. If there is a site I need access to that uses Flash (e.g. YouTube) then I use a different browser like Firefox where I have it enabled, and controlled..... Anyway, thanks again, this topic can be locked.
  2. Thanks again for the help. I think the PC is clean now; here's what I did further last night/today before reading your response.
     - Installed something called "Superantispyware", and ran it in SAFE mode. It found 3 registry keys left over from the previous bugs (AdwareHBHelper, BrowserHijacker, RootkitAgent/Gen4DW4R3) that it deleted, but it found no infected files.
     - I was able to finally uninstall the LoudMo Contextual Ad Assistant crap thing via Control Panel.
     - I was able to remove some kind of add-on toolbar that installed itself into Firefox, plus get rid of a "Bing" default search agent and set it back to Google.
     - I updated Avast (my usual anti-virus) and had it scan several drives; it found "Other:Malware-gen" in a Java temp file, which it deleted.
     - I changed all the firewall, Windoze updates, browser settings, all kinds of stuff like that, back to what they used to be (I can't remember everything and have not even gone through all my other software yet to verify nothing else weird got set. I need to look at various Windoze services, group policies, things like that, as one of the bugs did disable System Restore through a "group policy" registry entry, so maybe something else like that is also affected that I don't know about).
     - I ran CCleaner again and cleared out a bunch of temp files/registry keys/etc. etc. etc.
     I then saw your note and did this:
     - Updated Malwarebytes again and did a QuickScan in Normal Startup mode. Nothing found.
     - Then I did a more complete scan with MBAM of my drives for my opsys, program files, the temp drive, and some data drives I had referenced. It found sign of something in one of the restore points I had created while still fighting the bugs, so I turned off System Restore to delete all the restore points and made a new one (actually several new ones, as I've done a bunch of other things during the day).
     - I tried to uninstall the 3 references I had to Java in my Control Panel, but only one of them actually had a "Remove" button. Only the one called Java6 update15 would uninstall. The other 2, Java6 update 2 and JRE SE 1.42_15, had no options to do anything with in Control Panel. So I went to CCleaner and found I was able to use its "Tool" to give me access to an "Uninstall" option for both of those, and I successfully uninstalled them.
     - I then downloaded/installed/configured the latest JRE as per your excellent instructions.
     Then I switched gears and worked on my clean PC (the one I am typing this on), getting it up to snuff in some of these areas as well: installing the Recovery Console in case anything ever strikes me there, updating MBAM and scanning (all clean), updating Java, a bunch of things like that. I think I need to catch my breath now after the last 3-4 days.... I greatly appreciate your help. If you have any other follow-up cleanup advice, or other things I should look at on the formerly sick patient (who seems to be fully recovered now), I'm all ears! Actually I do have a question. I remember there was a step I did not understand in getting my original logs up here, something about an application that turned off "CD Emulation drives", which I had never even heard of. I don't even know what CD Emulation drives are and never used them AFAIK, but I did do that step; is there something I need to reverse concerning that? Or was that just something that was done prior to that part of generating the logs and doesn't persist after all the reboots/other things that I've been doing? Thanks again.
  3. I think that PC is (almost) back to normal; correct me if I am wrong though! I ran Malwarebytes again, as well as Spybot, in Safe Mode, and this time nothing comes up, even after going to regular boot-up first and then back to Safe Mode. No more EXEs in TEMP getting created by themselves and consuming the CPU. I will do some more scans tomorrow, using other tools as well. I am nosing around, checking out programs, making sure things work, putting settings back to normal if anything changed, etc. Thanks for your help.
  4. Thanks for your help. I've helped others with infected PCs before but never ran into anything like this (an actual rootkit!!!). Didn't know about this ComboFix thing.... I have disabled the Avast real-time scanner and turned off the Windows firewall as per above and ran ComboFix. I am getting the logfile over to this PC for posting. Nosing around afterwards, ComboFix appears to have created a C:\Qoobox directory with various things inside there. It has a subdir there called "Quarantine" with a few things in it, so maybe it fixed something (I'm not sure, I need to read up on this). The "catchme.log" file in there has no info in it, but the ComboFix-quarantined-files.txt does! G:\TEMP no longer has the crazy "setupv.exe" and "ldm1.exe" files in there, so perhaps they were part of what ComboFix got rid of. I don't see any runaway unknown processes in Task Manager, but there are still some I don't recognize (could be valid but I'm not sure). Neither of those two are in there now. I have not rebooted the PC to see if they come back. Also, I've done some research and one of the things I was suspicious of earlier appears to be a valid driver/file. For example "pssnap.sys" is related to my Macrium Reflect image backup software. Let me know how I should proceed next. Maybe there is something else I need to do with ComboFix? If not, I'm guessing that I need to run Malwarebytes again, probably in Safe Mode, also Spybot....then try to figure out stuff like fixing my search engines, removing crappy plugins in Firefox I didn't install (I saw something in one of the logs last night that made me suspicious that my browser settings have been changed). Thanks again for your help.
     Attachments: ComboFix.txt, ComboFix_quarantined_files.txt
  5. One of my PCs got bit by some kind of multi-whammy malware "fun" after trying some kind of PDF converter a friend sent me last night. It obviously was infected with malware, but I did scan it before installing it and nothing was found (?). I can't think what else could've caused this though. It has taken me all day to get things back in order and I thought I had everything licked, but I noticed some odd things and the PC is still "sick", no matter how many times I scan and fix things. Without going through the whole long story I will just summarize it as this, and ask for some help where I am now:
     - Malwarebytes had been able to find and supposedly fix some things. Avast anti-virus and Spybot also found/fixed things. Dr.Web CureIt gave the PC a clean bill of health. I have been running most of the scans in Safe Mode. I repaired a lot of crazy damage to the PC where restore points were erased and disabled, new firewall exceptions allowing access were created for previously unheard-of programs, all kinds of crazy stuff.
     - But every time I boot back into regular startup I get crap placed into my TEMP folder and processes running like "setupv.exe" and "Lsass.exe" which are coming from there, consuming almost all the CPU, making connections to the 'net, etc.
     - Booting back into Safe Mode and scanning again with Malwarebytes, it keeps finding registry keys and files for "Worm.Koobface", "adware.agent", and "adware.BHO", even after it has already cleaned them.
     - I've attached some logs as per the "what do I do now" thread.
     I greatly appreciate any advice I can get for how to fully eradicate this crap.

     DDS log:

     DDS (Ver_09-12-01.01) - NTFSx86
     Run by luigi at 23:30:31.29 on Tue 02/23/2010
     Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.687 [GMT -5:00]

     AV: avast! antivirus 4.8.1368 [VPS 100223-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
     e:\Program Files\Alwil Software\Avast4\ashServ.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     svchost.exe
     E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
     E:\Program Files\Java\jre6\bin\jqs.exe
     E:\Program Files\Java\jre6\bin\jusched.exe
     E:\Program Files\Macrium\Reflect\ReflectService.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
     G:\TEMP\setupv.exe
     G:\TEMP\ldm1.exe
     F:\luigi\My Documents\diag tools for forum\DDS.SCR

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://bing.zugo.com/?cfg=2-80-0-r4My
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     mSearchAssistant = hxxp://www.google.com/ie
     uURLSearchHooks: H - No File
     BHO: gwprimawega: {69e26dcf-60b3-f075-facc-288ac43d12c4} - c:\windows\system32\O3GvSlh.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
     TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - e:\program files\orbitdownloader\GrabPro.dll
     TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
     mRun: [NWEReboot]
     mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
     mRun: [sunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
     mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
     StartupFolder: c:\documents and settings\luigi\start menu\programs\startup\esport2.exe * I JUST DELETED THIS*
     IE: &Download by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/201
     IE: &Grab video by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/204
     IE: Do&wnload selected by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/203
     IE: Down&load all by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/202
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264023056359
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264023047984
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
     DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
     DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     TCP: {BD9DAB68-4262-4B7E-85C9-BEC5698A7083} = 71.242.0.14,71.250.0.14
     Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
     AppInit_DLLs: nunupofa.dll

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\luigi\applic~1\mozilla\firefox\profiles\b5v8s6w7.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
     FF - prefs.js: browser.search.selectedEngine - Bing
     FF - component: e:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
     FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
     FF - plugin: e:\program files\java\jre6\bin\new_plugin\npjp2.dll
     FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
     FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
     FF - plugin: e:\program files\mozilla firefox\plugins\npDimdimControl.dll
     FF - plugin: e:\program files\real alternative\browser\plugins\nppl3260.dll
     FF - plugin: e:\program files\real alternative\browser\plugins\nprpjplug.dll
     FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - e:\program files\mozilla firefox\extensions\{7a366b93-f7f0-661e-5855-89aaa8e957b4}
     FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
     FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

     ---- FIREFOX POLICIES ----
     e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

     ============= SERVICES / DRIVERS ===============

     R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-3 110360]
     R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
     R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]
     R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]
     R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast4\ashServ.exe [2008-4-4 138680]
     R2 ReflectService;Macrium Reflect Image Mounting Service;e:\program files\macrium\reflect\ReflectService.exe [2009-8-25 220128]
     R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-4 254040]
     R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
     R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2001-1-8 15576]
     S3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast4\ashWebSv.exe [2008-4-4 352920]
     S3 CPjdmN;CPjdmN;e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]
     S3 cpuz132;cpuz132;e:\program files\cpuid\pc wizard 2009\pcwiz32.sys [2009-7-13 12672]
     S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
     S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-7-9 37440]
     S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-1-27 38976]
     S3 zFajeM;zFajeM;e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]

     =============== Created Last 30 ================

     2010-02-24 04:30:04 0 ----a-w- c:\documents and settings\luigi\defogger_reenable
     2010-02-23 18:46:19 118375 ----a-w- c:\windows\system32\-3-80k-EcKUL.exe
     2010-02-23 18:45:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Toolbar4
     2010-02-23 18:45:23 0 d-----w- c:\program files\Search Toolbar
     2010-02-23 18:03:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-02-23 18:03:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-02-23 15:22:37 142592 ----a-w- c:\windows\system32\drivers\OLD9.tmp
     2010-02-23 15:22:37 142592 ----a-w- c:\windows\system32\drivers\aec.sys
     2010-02-23 15:22:33 0 ----a-w- c:\windows\system32\drivers\kgpvxb.sys
     2010-02-23 06:37:54 0 d-----w- c:\windows\system32\wbem\Repository
     2010-02-23 06:26:44 0 d-----w- c:\docume~1\luigi\applic~1\Thinstall
     2010-02-18 08:48:36 1282048 ----a-w- c:\windows\system32\O3GvSlh.dll
     2010-02-16 21:19:42 0 d-----r- c:\docume~1\luigi\applic~1\Brother
     2010-02-16 21:16:44 145 ----a-w- c:\windows\BRVIDEO.INI
     2010-02-16 21:16:44 0 ----a-w- c:\windows\brmx2001.ini
     2010-02-16 21:16:27 77824 ------w- c:\windows\system32\brlmw03a.dll
     2010-02-16 21:16:27 114 ------w- c:\windows\system32\brlmw03a.ini
     2010-02-16 21:16:26 9868 ----a-w- c:\windows\HL-2140.INI
     2010-02-16 21:16:26 0 d-----w- c:\program files\Brownie
     2010-02-16 21:16:09 426 ----a-w- c:\windows\BRWMARK.INI
     2010-02-16 21:16:09 34 ----a-w- c:\windows\system32\BD2140.DAT
     2010-02-16 21:14:23 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE
     2010-02-16 21:14:23 176128 ------w- c:\windows\system32\BROSNMP.DLL
     2010-02-16 21:14:22 24223 ----a-w- c:\windows\system32\BRLM03A.DLL
     2010-02-16 21:14:22 196608 ------w- c:\windows\system32\Pdrvinst.dll
     2010-02-16 21:14:22 0 d-----w- c:\program files\Brother
     2010-02-16 21:13:14 224 ----a-w- c:\windows\Brownie.ini
     2010-01-28 04:14:53 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
     2010-01-28 04:14:36 1024 ----a-w- C:\.rnd

     ==================== Find3M ====================

     2010-01-25 02:44:20 100232 ----a-w- c:\documents and settings\luigi\DimdimSetup.exe
     2007-08-17 02:24:16 3643424 --sh--w- c:\windows\system32\drivers\fidbox.dat

     ============= FINISH: 23:31:31.75 ===============

     Some other observations/questions:
     - I just noticed this line going through the DDS logfile, so I deleted the file. Hopefully that at least gets rid of one thing:
       StartupFolder: c:\documents and settings\luigi\start menu\programs\startup\esport2.exe
     - What the frack are these??
       R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-3 110360]
       R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328
       S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-7-9 37440]
       S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-1-27 38976]
     - And how do I get rid of this garbage? (noticed it in Attach.txt)
       LoudMo Contextual Ad Assistant
       From reading about it on the 'net I think it also has changed my search preferences in either IE, FF, or Seamonkey as well. I tried uninstalling it in Control Panel but that doesn't work. Running the "uninstaller" from CCleaner behaves the same way (does nothing). From the DDS report above I suspect my IE startup and search pages have been changed to some kind of garbage, maybe related to this (bing.zugo.com)???? I rarely use IE but I would like to fix all that.
     - I even noticed something called "Remote Desktop Connection" in the Start Menu under Accessories which shouldn't be there. Maybe this is the standard one from Microsoft? Which I deleted years ago? Or is this malware related? It is associated with %systemroot%\system32\mstsc.exe. I have no desire to ever let anyone remotely control my PC. This was just put there by one of the viruses. Either it is enabling the standard one or it is its own foul thing.
     - I've attached my Malwarebytes logs, from runs at various times today in SAFE mode: supposedly things are clean, but then after booting normally, seeing weirdness, and going back to SAFE mode, it finds more. I also wonder if somehow whatever it is that is going on has even entrenched itself into another program, thus if I run something like Spybot it inadvertently gives birth to a bug again?? I'm grasping at straws.
     - I've attached my AVAST log from today as well. I was going to try running Norman Malware Cleaner as well, but AVAST thinks the version I just downloaded is the "Win32:Goblin" trojan (false positive?).
     Guess that about wraps it up. Appreciate any help I can get. Luckily I have multiple machines, so I am keeping the infected one disconnected from the 'net for now and using this machine to post this. THANKS.
     Attachments: Attach.zip, mbam_log_2010_02_23__21_51_19_.txt, mbam_log_2010_02_23__20_26_29_.txt, mbam_log_2010_02_23__13_39_45_.txt, AVAST_Warning.txt
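The "what are these?" question about the R0/S3 driver lines is the kind of thing a small parser answers faster than eyeballing. The following is an added example, not part of the thread and not a DDS tool: it parses lines of the DDS "SERVICES / DRIVERS" section (format inferred from the log above, an assumption) into fields and attaches review flags, so each unfamiliar entry can be looked up by path, date and size. The sample lines are copied from the log above; the flag rules are the example's own heuristics.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed format of one DDS "SERVICES / DRIVERS" line, inferred from the log above:
#   <state> <name>;<display name>;<image path> [<yyyy-m-d> <size>]    or    ... [?]
SERVICE_LINE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[(?:(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)|\?)\]\s*$"
)

@dataclass
class ServiceEntry:
    state: str             # R0-R3 = running, S0-S4 = stopped (DDS convention)
    name: str              # service key name
    display: str           # display name, normally a vendor description
    path: str              # image path exactly as DDS printed it
    date: Optional[str]    # file date, None when DDS printed [?]
    size: Optional[int]    # file size in bytes, None when DDS printed [?]
    flags: list = field(default_factory=list)

def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    state, name, display, path, date, size = m.groups()
    return ServiceEntry(state, name.strip(), display.strip(), path.strip(),
                        date, int(size) if size is not None else None)

def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review flags. Heuristics only: a flag means 'look this up', not 'malicious'."""
    if entry.size is None:
        entry.flags.append("no file date/size recorded ([?])")
    elif entry.size == 0:
        entry.flags.append("zero-byte image file")
    if entry.display.lower() == entry.name.lower():
        entry.flags.append("no vendor description (display name equals service name)")
    if "\\temp\\" in entry.path.lower():
        entry.flags.append("image runs from a temp directory")
    return entry

def triage_report(log_text: str) -> dict:
    """Map service name -> flags for every service line that raised at least one flag."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and triage(entry).flags:
            report[entry.name] = entry.flags
    return report

# Constructed sample: three lines copied from the SERVICES / DRIVERS section of the post above.
SAMPLE_LOG = r"""
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-3 110360]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
S3 CPjdmN;CPjdmN;e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> e:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]
"""

if __name__ == "__main__":
    for name, flags in triage_report(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(flags)}")
```

Paste the whole DDS log into `triage_report` and only the services section is parsed; everything else is skipped, and entries with a vendor description and a recorded file (like pssnap above) produce no flags.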