
Infected Still


Lunora


http://www.malwarebytes.org/forums/index.p...amp;#entry49197

I just ran HijackThis, so here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:18:21 PM, on 1/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\DOCUME~1\Samantha\LOCALS~1\Temp\orz.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marianregion.proboards107.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {43EF1C59-99FC-4827-B9C3-DF1273076A74} - (no file)

O2 - BHO: (no name) - {5b0771c2-efb4-4095-bd58-c314ca217503} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198714492626

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199412274304

O19 - User stylesheet: C:\Documents and Settings\Samantha\Desktop\Texts\RBFN.css (file missing)

O20 - AppInit_DLLs: mnjnnq.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: hgghffd - hgghffd.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: ServerTime - Unknown owner - C:\DOCUME~1\Samantha\LOCALS~1\Temp\orz.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7589 bytes

And here is the Malwarebytes log from when it removed a lot of stuff. It hasn't been able to remove the Vundo, which today, upon turning my computer on, hasn't shown up at all, and my BitDefender is no longer saying I have 10 infected files, nor does it have the Trojan.Vundo in its quarantine.

Malwarebytes' Anti-Malware 1.33

Database version: 1665

Windows 5.1.2600 Service Pack 2

1/18/2009 12:46:32 PM

mbam-log-2009-01-18 (12-46-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 117332

Time elapsed: 1 hour(s), 17 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 9

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\jlfyasya.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30908726-fc35-4a92-88c1-4e3da024f387} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{30908726-fc35-4a92-88c1-4e3da024f387} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\344087e0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mnjnnq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jlfyasya.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\aysayflj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Samantha\Local Settings\Temp\KB80.exe (Trojan.Waledac) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv511232083449.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

Am I somehow fixed? Or should I run Malwarebytes again? (Earlier, whenever it would run the scan in the System Volume Info, an alert would pop up saying that BitDefender quarantined the stuff... but I don't know about today. It hasn't told me Vundo has been acting up at all... yet...)


Ah, yep. It's back.

"Bitdefender has blocked a virus affecting your computer!

Virus Name:

Trojan.Vundo.DVC

Location:

C:\System Volume Information\_restore{C5865CF0-8F95-49F0-8B2D-414EBEF542AC}\RP340\A02061305.OLD

Bitdefender has quarantined the following object which could not be disinfected. A quarantined object is harmless"


  • Root Admin

That is okay. It's in the System Restore area where it's safe for now as long as we don't do a system restore. When we're done we'll clean that area of the computer as well. For now just ignore it.

Start HJT, run "Do a system scan only" and place a check mark on the following items.

  • O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  • O2 - BHO: (no name) - {43EF1C59-99FC-4827-B9C3-DF1273076A74} - (no file)
  • O2 - BHO: (no name) - {5b0771c2-efb4-4095-bd58-c314ca217503} - (no file)
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • O20 - AppInit_DLLs: mnjnnq.dll
  • O20 - Winlogon Notify: hgghffd - hgghffd.dll (file missing)

Then quit all browsers, including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

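The helper's checklist above picks out entries for recognisable reasons: O2 and O20 entries that point at a file which is already gone, an AppInit_DLLs value, and, in the first log, an O23 service with no publisher running out of the user's Temp folder. The script below is an added example, not part of this thread and not a feature of HijackThis; it codifies those mechanical signals as a triage pass over HijackThis-format lines. The sample lines are copied from the log posted above; the section-code regex, the Temp-directory check and the reason strings are my own. Entries the helper removed on judgement (the outdated Acrobat 5.0 and Java 1.6.0_03 components) are not something a line rule can decide, so the script does not try.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, mixing the entries the helper flagged with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {43EF1C59-99FC-4827-B9C3-DF1273076A74} - (no file)
O20 - AppInit_DLLs: mnjnnq.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgghffd - hgghffd.dll (file missing)
O23 - Service: ServerTime - Unknown owner - C:\DOCUME~1\Samantha\LOCALS~1\Temp\orz.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# A path segment named Temp, whether the profile path is in long or 8.3 form.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    line: str
    reasons: list[str]


def triage_line(line: str) -> list[str]:
    """Return the mechanical reasons an entry deserves a closer look.

    An empty list means none of the signals fired; it does not mean the entry
    is clean (outdated software, for example, is a judgement call).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons: list[str] = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that no longer exists: leftover persistence")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher information")
    if TEMP_DIR_RE.search(body):
        reasons.append("binary runs from a temp directory")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    return reasons


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and keep only entries with findings."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            code = ENTRY_RE.match(line).group("code")
            findings.append(Finding(code=code, line=line, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it flags exactly the four lines the helper and the Malwarebytes log agree on (the nameless BHO, the AppInit_DLLs value, the missing hgghffd.dll notify entry, and the ServerTime service in Temp) and leaves the Yahoo toolbar, SUPERAntiSpyware, iPod and ctfmon entries alone. Each finding keeps the original line, so the output can be pasted straight back into a reply.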

C:\Program Files\Java will not let me delete it. ;)

And here are the JavaRa log(s). I don't know why there are two and they both say different things, so here you go:

JavaRa 1.13 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Tue Jan 20 16:26:20 2009

Could not delete: C:\Program Files\Java\j2re1.4.2_03
Asking Windows to delete


Before I forget: when I opened FF it told me it wasn't my standard browser, so I set it to that (just in case that's important; if not, oh well). Here is the ComboFix log:

ComboFix 09-01-19.05 - Samantha 2009-01-20 18:46:39.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.224 [GMT -8:00]

Running from: c:\documents and settings\Samantha\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Samantha\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)

FW: BitDefender Firewall *disabled*

FW: ZoneAlarm Security Suite Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\kknnn.ini

c:\windows\system32\kknnn.ini2

c:\windows\system32\prCLonnn.ini

c:\windows\system32\prCLonnn.ini2

c:\windows\Tasks\lstxxieg.job

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SERVERTIME

-------\Service_ServerTime

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))

.

2009-01-20 14:17 . 2009-01-20 14:17 <DIR> d-------- c:\program files\Trend Micro

2009-01-20 14:02 . 2009-01-20 14:02 <DIR> d-------- c:\program files\MSXML 4.0

2009-01-19 15:45 . 2009-01-19 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogMeIn

2009-01-19 15:45 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll

2009-01-19 15:45 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys

2009-01-19 15:45 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll

2009-01-19 15:44 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll

2009-01-19 15:44 . 2009-01-19 15:44 1,024 --a------ C:\.rnd

2009-01-19 13:00 . 2009-01-20 18:53 54,156 --ah----- c:\windows\QTFont.qfn

2009-01-19 13:00 . 2009-01-19 13:00 1,409 --a------ c:\windows\QTFont.for

2009-01-19 12:50 . 2009-01-19 12:50 <DIR> d-------- c:\program files\MSN Messenger

2009-01-19 12:27 . 2009-01-19 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7

2009-01-18 21:55 . 2009-01-20 18:51 121 --a------ c:\windows\bdagent.INI

2009-01-18 18:48 . 2009-01-20 18:50 81,984 --a------ c:\windows\system32\bdod.bin

2009-01-18 15:44 . 2009-01-18 18:28 260 --a------ c:\windows\system32\BDUpdateV1.xml

2009-01-18 13:55 . 2009-01-18 13:55 850 --a------ c:\windows\system32\ProductTweaks.xml

2009-01-18 13:55 . 2009-01-18 13:55 385 --a------ c:\windows\system32\user_gensett.xml

2009-01-18 13:47 . 2009-01-18 13:47 <DIR> d-------- c:\windows\system32\logs

2009-01-18 13:47 . 2009-01-18 13:47 <DIR> d-------- c:\documents and settings\Samantha\Application Data\BitDefender

2009-01-18 13:46 . 2009-01-18 13:46 <DIR> d-------- C:\Binaries

2009-01-18 13:42 . 2009-01-18 13:45 <DIR> d-------- c:\program files\BitDefender

2009-01-18 13:42 . 2009-01-18 13:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender

2009-01-18 13:33 . 2009-01-18 13:45 <DIR> d-------- c:\program files\Common Files\BitDefender

2009-01-18 13:20 . 2009-01-18 13:20 <DIR> d-------- C:\VundoFix Backups

2009-01-18 11:22 . 2009-01-18 11:22 <DIR> d-------- c:\documents and settings\Samantha\Application Data\Malwarebytes

2009-01-18 11:21 . 2009-01-18 11:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-18 11:21 . 2009-01-18 11:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 11:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-18 11:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-17 16:50 . 2009-01-18 11:06 <DIR> d-------- c:\documents and settings\Samantha\.housecall6.6

2009-01-17 16:50 . 2009-01-18 11:04 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-01-17 14:12 . 2009-01-17 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-01-14 15:03 . 2009-01-18 19:30 <DIR> d-------- C:\dba4020b4e37d1bd4b896cd0

2009-01-07 06:40 . 2004-08-03 22:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys

2009-01-07 06:40 . 2004-08-03 22:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 02:51 149,252 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-01-21 02:51 11,911,456 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-01-21 00:09 --------- d-----w c:\program files\Java

2009-01-20 22:09 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-20 05:26 --------- d-----w c:\documents and settings\Samantha\Application Data\Jarte

2009-01-20 00:40 --------- d-----w c:\program files\LimeWire

2009-01-19 20:01 --------- d-----w c:\program files\Windows Live

2009-01-18 22:13 82,696 ----a-w c:\windows\system32\drivers\BDVEDISK.sys

2009-01-18 22:13 242,184 ----a-w c:\windows\system32\drivers\bdfsfltr.sys

2009-01-18 06:27 --------- d-----w c:\documents and settings\Samantha\Application Data\gtk-2.0

2009-01-17 03:23 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-06 23:02 --------- d-----w c:\documents and settings\Samantha\Application Data\LimeWire

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2003-08-27 21:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll

2009-01-18 22:13 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-20 1830128]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-18 741376]

"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-04-07 32881]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-03 21:46 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-12-16 16:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]

--a------ 2004-02-25 13:12 258048 c:\windows\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2003-10-30 15:46 192512 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-03-26 00:04 118843 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2004-01-26 18:03 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2004-01-26 18:03 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IVPServiceMgr]

--a------ 2003-10-20 07:37 475136 c:\toshiba\Ivp\ISM\Ivpsvmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

--a------ 2003-01-02 15:16 172032 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]

--a------ 2004-02-03 13:47 1089589 c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]

--a------ 2003-10-20 07:39 159744 c:\toshiba\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

--a------ 2003-12-10 02:36 86016 c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]

--a------ 2003-08-03 15:01 86073 c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]

--a------ 2004-03-02 12:45 135168 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

--a------ 2003-09-05 02:24 65536 c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]

--a------ 2003-01-21 17:00 126976 c:\program files\TOSHIBA\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]

--a------ 2001-06-23 19:28 24576 c:\windows\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

--a------ 2003-04-18 10:20 88363 c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]

--a------ 2003-12-02 13:15 73728 c:\windows\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

--a------ 2004-03-03 11:57 278528 c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WLSetupSvc"=3 (0x3)

"WANMiniportService"=2 (0x2)

"usnjsvc"=3 (0x3)

"Swupdtmr"=2 (0x2)

"S24EventMonitor"=2 (0x2)

"RegSrvc"=2 (0x2)

"DVD-RAM_Service"=2 (0x2)

"CFSvcs"=2 (0x2)

"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104328]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

R4 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-09-04 82696]

R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-01-19 47640]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-16 24652]

S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]

S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

2008-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe

Notify-hgghffd - hgghffd.dll

MSConfigStartUp-344087e0 - c:\windows\system32\sdcsesso.dll

MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe

MSConfigStartUp-TFncKy - TFncKy.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://marianregion.proboards107.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://toshibadirect.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: www.neopets.com

Trusted Zone: www.yahoo.com

FF - ProfilePath - c:\documents and settings\Samantha\Application Data\Mozilla\Firefox\Profiles\2y1cksqb.default\

FF - prefs.js: browser.startup.homepage - hxxp://marianregion.proboards107.com/

FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 18:53:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\LMIinit.dll

c:\windows\System32\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

c:\program files\BitDefender\BitDefender 2009\vsserv.exe

c:\windows\system32\ZCfgSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\wanmpsvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\BitDefender\BitDefender 2009\seccenter.exe

.

**************************************************************************

.

Completion time: 2009-01-20 19:05:26 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-21 03:05:20

Pre-Run: 54,273,089,536 bytes free

Post-Run: 54,264,999,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

254 --- E O F --- 2009-01-20 22:02:49

And here is the new HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:07:28 PM, on 1/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marianregion.proboards107.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198714492626

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199412274304

O19 - User stylesheet: C:\Documents and Settings\Samantha\Desktop\Texts\RBFN.css (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6500 bytes


  • Root Admin

Woah, hold on there... You have too many versions of Anti-Virus installed on your system.

You can only run one on the system at a time without there being a conflict.

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)

FW: BitDefender Firewall *disabled*

FW: ZoneAlarm Security Suite Firewall *disabled*

You need to choose if you want to use ZoneAlarm Anti-Virus or BitDefender and remove the other one.

You're also running Peer2Peer software: c:\program files\LimeWire and c:\documents and settings\Samantha\Application Data\LimeWire

I would recommend removing it, but it's up to you. Many of the programs downloaded with Peer 2 Peer software these days are infected on purpose, trying to get users such as yourself infected.

You should at least disable it from starting while I'm assisting you.

Start HJT, run "Do a system scan only" and place a check mark on the following items.

  • O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Then go ahead and update your Java

Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Please run an online scan with Kaspersky

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process: [KAS.gif]

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

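As an added example (not a tool from this thread or from Malwarebytes), here is a small Python triage script that automates two of the checks the helper made by hand above: counting the AV/FW products reported in the ComboFix header, and picking out O4 autostart entries that point at an outdated Java runtime or run from a user-writable folder. The sample log lines are constructed from entries posted in this thread, except the last one, which is a made-up placeholder path; the "current" Java version is the JRE 6 Update 11 named in the post.

```python
import re

# Constructed sample (not the thread's own logs): AV/FW lines in ComboFix format plus
# O4 autostart lines in HijackThis format. The last entry is a made-up placeholder path.
SAMPLE_LOG = r"""
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
FW: ZoneAlarm Security Suite Firewall *disabled*
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
"""

# JRE 6 Update 11 (1.6.0_11) was the current release when this thread was written.
CURRENT_JAVA = (1, 6, 0, 11)
PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*", re.M)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$", re.M)
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)
JAVA_RE = re.compile(r"\\j2?re(\d+(?:\.\d+)+)_(\d+)\\", re.I)  # e.g. \j2re1.4.2_03\
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\locals~1\\")

def conflicting_products(log):
    """Return the kinds (AV, FW) for which more than one product is registered."""
    seen = {}
    for kind, name in PRODUCT_RE.findall(log):
        seen.setdefault(kind, set()).add(name)
    return sorted(k for k, names in seen.items() if len(names) > 1)

def java_version_from_path(path):
    """Extract (major, minor, patch, update) from a jre1.x.y_NN install path, else None."""
    m = JAVA_RE.search(path)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)

def parse_autostarts(log):
    """Yield (hive, value name, executable path) for every O4 Run entry in the log."""
    for hive, name, cmd in O4_RE.findall(log):
        exe = EXE_RE.search(cmd)
        if exe:
            yield hive, name, exe.group(1)

def triage_autostarts(log):
    """Return (value name, reason) pairs for autostarts a reviewer should look at."""
    findings = []
    for _hive, name, path in parse_autostarts(log):
        ver = java_version_from_path(path)
        if ver is not None and ver < CURRENT_JAVA:
            findings.append((name, "outdated Java runtime %d.%d.%d update %d" % ver))
        elif any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append((name, "runs from a user-writable folder: " + path))
    return findings

if __name__ == "__main__":
    print("conflicting product kinds:", conflicting_products(SAMPLE_LOG))
    for name, reason in triage_autostarts(SAMPLE_LOG):
        print(name, "->", reason)
```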

Oh I don't use Zonealarm. A few months ago it went wacky on me and stopped working and wouldn't remove. It stopped working for me--'cept for the firewall (which turned off when Bitdefender's firewall came along)--and I couldn't get rid of it so I just left it alone so long as it didn't do anything. My cousin has the CD not me. ^^;


"You're also running Peer2Peer software c:\program files\LimeWire c:\documents and settings\Samantha\Application Data\LimeWire"

Oh...I thought I deleted it? My boyfriend told me to get rid of it right before I posted here for help...and I did the whole remove program deal...so why is it still there?

(Sorry for posting multiple times again. Oh and also BitDefender quarantined another Vundo in the same area)


  • Root Admin

It's okay, many programs don't do good removals. It's fine to leave for now.

Please go ahead and update your Java and run the Kaspersky scan while your other AV is disabled.

Post back the log that Kaspersky gives you.

I'll see if I can find an article on how to remove ZoneAlarm manually.

[edit] okay see if this link helps you to remove ZoneAlarm. Manually Remove ZoneAlarm


Zonealarm doesn't show up in my Add/Remove Files at all. And when I click on it from Start I get a "Subscription notice" saying:

"YOUR ZONEALARM SECURITY SUITE SUBSCRIPTION HAS EXPIRED!

-> RENEW ZONEALARM SECURITY SUITE

Renew today and continue to receive the latest security threat updates, product updates and unlimited online technical support.

-> GET IT FREE

Learn how to get Zonealarm free for one year.

-> NO THANKS

Caution: Your PC is unprotected against new security threats and your online technical support is expired."

What should I do? I don't want it for free and I don't want to renew it either. I rather like Bitdefender more--even though this one is a trial and I'll need to get the free version in a month--as Zonealarm was far too strict and provided a lot of issues for sites I visit like Neopets, Wajas, etc. ^^;


When I said "No Thanks" it opened up a "Zonealarm Configuration Wizard" which froze and neither IE nor FF would go to the online scanner, so I'm rebooting to see if it was just a temporary glitch cause my LAN cable was plugged in the whole time.... ;)


Here's the log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Tuesday, January 20, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, January 21, 2009 01:01:14

Records in database: 1656517

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

Scan statistics:

Files scanned: 69525

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 01:41:47

No malware has been detected. The scan area is clean.

The selected area was scanned.

And I did disable Bitdefender's Realtime virus part but not the firewall.


  • Root Admin

Well that's good news. The previous logs and the Kaspersky log show clean.

Please run the following tool to cleanup any utilities we've used for this cleanup process.

Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process.

You should be all set now, just make sure you clean your System Restore as shown and review the other information.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

