
Trojan.Vundo.h found by malwarebytes - won't die. SAS doesn't find it.



I posted this elsewhere in what I now believe to be the wrong section. I hope someone can help me out!

Here's my Malwarebytes log. It started with 23 and got down to 4 that don't die at restart. I've had System Restore off during all of these shenanigans. It says "No action taken" only because I've run the log several times and didn't bother trying the restart since they keep coming back. SuperAntiSpyware doesn't find the trojan.vundo.h files (and won't do a smart update for some reason, although the firewall is turned off and I'm on the internet). Norton has a laughable fix, but they didn't stop this thing in the first place - needless to say that didn't work either. PLEASE HELP! Can I keep working on my computer or will it eventually keep grinding to a halt?

Malwarebytes' Anti-Malware 1.36

Database version: 2174

Windows 5.1.2600 Service Pack 2

5/24/2009 3:52:10 PM

Part4_4filesmbam-log-2009-05-24 (15-51-53).txt

Scan type: Quick Scan

Objects scanned: 91697

Time elapsed: 9 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jwkqjblt (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\rzhdtxv.dll (Trojan.Vundo.H) -> No action taken.


  • Staff

Hi,

Not sure why you turned your System Restore off in the first place. Maybe some people recommend this, but imho, that's a bad idea. The reason is that, for example, while you're trying to clean malware you may delete the wrong file or wrong key by accident, or a scanner may delete the wrong file/key (which can happen as well), and because of that your system becomes more unstable. In such cases, you can revert to a previous system restore point.

But if you disable system restore during cleanup, you won't have any previous system restore points anymore, because your system restore points are flushed when you disable system restore. So, if something bad happens during cleanup, you cannot revert to a previous system restore point either.

So, it's better to have an "infected" system restore point (which we can clean), than no system restore point at all.

Afterwards, once your system is clean again, you can flush your system restore points by disabling System Restore, rebooting, and enabling System Restore again, so it will create a new clean system restore point.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Yes, agreed, turning off restore was silly - that bit of instruction came from the clowns at Norton. Same guys that let the virus on to begin with. I'm trying to back up my important data first, then I'll post the logs. Hope to have it up within the hour. So thankful that there is a forum for help with this. Many thanks!


Haven't been able (or willing) to run ComboFix yet because when I launch it I get the following warning despite the fact that I believe I have completely uninstalled Norton from my machine.

"ComboFix has detected the following real time scanners: antivirus: Norton Internet Security"

Should I just run ComboFix anyway?


Well, I found some apparent Norton processes still running, so I ended them. And I think/hope I got all my other anti-virus stuff turned off too. Ran ComboFix and here's the log. What on god's green earth does it mean?

ComboFix 09-05-24.07 - AmyA 05/25/2009 14:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.530 [GMT -7:00]

Running from: c:\documents and settings\AmyA\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\awmupdq.dll

c:\windows\system32\Cache

c:\windows\system32\drivers\oaarrjxa.sys

c:\windows\system32\drivers\rswfcqqo.sys

c:\windows\system32\rzhdtxv.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OAARRJXA

-------\Service_oaarrjxa

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))

.

2009-05-25 18:21 . 2009-05-25 18:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-05-24 21:33 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys

2009-05-24 21:33 . 2009-05-25 21:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-24 21:33 . 2009-03-06 23:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys

2009-05-24 21:33 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys

2009-05-24 21:33 . 2009-05-24 21:33 -------- d-----w c:\program files\Common Files\PC Tools

2009-05-24 21:33 . 2008-12-10 19:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys

2009-05-24 21:32 . 2009-05-24 21:34 -------- d-----w c:\program files\Spyware Doctor

2009-05-24 21:32 . 2009-05-24 21:32 -------- d-----w c:\documents and settings\AmyA\Application Data\PC Tools

2009-05-24 21:32 . 2009-05-24 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-05-24 20:38 . 2009-05-25 21:37 117760 ----a-w c:\documents and settings\AmyA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\program files\SUPERAntiSpyware

2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\documents and settings\AmyA\Application Data\SUPERAntiSpyware.com

2009-05-24 20:36 . 2009-05-24 20:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\documents and settings\AmyA\Application Data\Malwarebytes

2009-05-24 16:55 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-24 16:55 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-24 15:56 . 2009-05-24 15:56 2 ---h--w c:\windows\sonce122730.dat

2009-05-24 15:47 . 2009-05-24 15:47 176 ----a-w C:\487656.bat

2009-05-20 14:55 . 2009-05-20 14:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-05-19 00:43 . 2009-05-19 00:43 56 ---ha-w c:\windows\system32\ezsidmv.dat

2009-05-19 00:43 . 2009-05-19 23:04 -------- d-----w c:\documents and settings\AmyA\Application Data\skypePM

2009-05-19 00:38 . 2009-05-19 00:38 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-05-19 00:36 . 2009-05-21 03:57 -------- d-----w c:\documents and settings\AmyA\Application Data\Skype

2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----w c:\program files\Common Files\Skype

2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----r c:\program files\Skype

2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-05-18 22:28 . 2009-05-18 22:07 15688 ----a-w c:\windows\system32\lsdelete.exe

2009-05-18 22:07 . 2009-05-18 22:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-05-18 22:07 . 2009-05-18 22:07 299352 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-05-18 22:07 . 2009-05-18 22:07 25440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-05-18 22:07 . 2009-05-18 22:07 15688 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-05-18 22:07 . 2009-05-18 22:07 165728 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-05-18 22:07 . 2009-05-18 22:07 343888 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-05-18 22:07 . 2009-05-18 22:07 289632 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-05-18 22:07 . 2009-05-18 22:07 82784 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-05-18 22:06 . 2009-05-18 22:06 1629024 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2009-05-18 22:06 . 2009-05-18 22:06 212848 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-05-18 22:06 . 2009-05-18 22:06 40288 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-05-18 22:06 . 2009-05-18 22:06 64160 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-05-18 22:06 . 2009-05-18 22:06 632680 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-05-18 22:06 . 2009-05-18 22:06 539512 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-05-18 22:06 . 2009-05-18 22:06 552808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-05-18 22:06 . 2009-05-18 22:06 2324808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-05-18 22:06 . 2009-05-18 22:06 626000 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2009-05-18 22:05 . 2009-05-18 22:05 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-05-18 22:05 . 2009-05-18 22:05 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2009-05-18 22:02 . 2009-05-18 22:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-05-18 22:02 . 2009-03-12 08:17 2902048 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-05-18 22:01 . 2009-05-18 22:07 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-05-18 22:01 . 2009-05-18 22:01 -------- d-----w c:\program files\Lavasoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-25 18:23 . 2005-04-10 13:09 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-05-25 18:21 . 2005-04-10 13:09 -------- d-----w c:\program files\Symantec

2009-05-25 18:20 . 2005-04-10 13:09 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-05-25 15:21 . 2006-03-02 10:16 -------- d-----w c:\program files\Quicken

2009-05-19 00:42 . 2005-04-10 12:59 -------- d-----w c:\program files\Google

2009-04-02 23:51 . 2007-06-23 18:56 -------- d-----w c:\documents and settings\AmyA\Application Data\Image Zone Express

2009-03-06 14:44 . 2004-08-04 08:00 283648 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 19:20 . 2006-03-01 15:37 73320 ----a-w c:\documents and settings\AmyA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"TCOYFReminder"="c:\progra~1\TCOYF\tcoyftray.exe" [2005-06-28 139264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-18 516440]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-13 517768]

c:\documents and settings\AmyA\Start Menu\Programs\Startup\

WinMySQLadmin.lnk - c:\program files\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-2 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-9-15 1766744]

BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]

HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

Pandion.lnk - c:\program files\Pandion\Pandion.exe [2006-1-10 993792]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-9-5 229376]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-17 389120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/18/2009 3:07 PM 64160]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2009 2:33 PM 130424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/24/2009 2:33 PM 348752]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

S2 gupdate1c9d81a1f056e6e;Google Update Service (gupdate1c9d81a1f056e6e);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 5:36 PM 133104]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/23/2006 9:41 AM 114016]

S2 mrtRate;mrtRate; [x]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 953168]

S4 Herofsl;Herofsl; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - OAARRJXA

*Deregistered* - mchInjDrv

*Deregistered* - oaarrjxa

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wpnkvqax

.

Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:06]

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-05-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-19 00:35]

2009-05-25 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 05:18]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: turbotax.com

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

FF - ProfilePath - c:\documents and settings\AmyA\Application Data\Mozilla\Firefox\Profiles\wy6b75a8.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-25 14:37

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?3?3?7??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2684)

c:\program files\Spyware Doctor\pctgmhk.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\TCOYF\tcoyftray.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\xampp\mysql\bin\mysqld-nt.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\program files\Hp\Digital Imaging\bin\hpqste08.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HPQ\Shared\hpqwmi.exe

c:\program files\Hp\Digital Imaging\Product Assistant\bin\hprblog.exe

.

**************************************************************************

.

Completion time: 2009-05-25 14:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-25 21:42

Pre-Run: 30,135,947,264 bytes free

Post-Run: 30,884,225,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

282 --- E O F --- 2009-04-22 15:18

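As an added example (this is not code from the thread, from Malwarebytes or from ComboFix), the following Python script triages the two logs posted above: it parses the Malwarebytes log from the first post, labels each registry finding by the mechanism that gets the code loaded (a Browser Helper Object is loaded by Internet Explorer, a Winlogon Notify package is loaded by winlogon.exe at logon, and the HKCR\CLSID entry is the COM registration whose InprocServer32 names the BHO's DLL), checks the summary counts against the detail lines, collects the CLSID, the Notify subkey name and the file path as indicators, and then reads the "Other Deletions" section of the ComboFix log just above to confirm which file Malwarebytes detected but could not remove was actually deleted. The embedded log excerpts are copied from the two posts; the parsing rules and the mechanism labels are my assumptions about the MBAM 1.x and ComboFix log layouts, not a documented format.

```python
"""Triage a Malwarebytes 1.x log against a ComboFix log (added example).

Parses MBAM detection lines, classifies each by persistence mechanism,
cross-checks the summary counts, extracts IOCs, and reconciles the files
MBAM flagged with the paths ComboFix reports under "Other Deletions".
"""
import re
from collections import Counter

# Excerpt copied from the Malwarebytes log in the first post (summary + details).
MBAM_LOG = r"""
Registry Keys Infected: 3
Registry Values Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jwkqjblt (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\rzhdtxv.dll (Trojan.Vundo.H) -> No action taken.
"""

# "Other Deletions" section copied from the ComboFix log posted above.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\awmupdq.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\oaarrjxa.sys
c:\windows\system32\drivers\rswfcqqo.sys
c:\windows\system32\rzhdtxv.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
"""

# Assumed MBAM 1.x line shapes: "<item> (<family>) -> <action>." and "<Section> Infected: <n>".
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>.+ Infected):$")
GUID = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

# Registry path fragments and how each one gets a DLL loaded (general Windows behaviour).
MECHANISMS = [
    (r"\\Browser Helper Objects\\", "BHO: DLL loaded into Internet Explorer"),
    (r"\\Winlogon\\Notify\\", "Winlogon Notify: DLL loaded by winlogon.exe at logon"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration (InprocServer32 names the DLL)"),
    (r"\\CurrentVersion\\Run", "Run key autostart"),
]


def classify(item):
    """Label a detected registry key or file by its persistence mechanism."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, item, re.I):
            return label
    return "file on disk" if re.search(r"\.(dll|sys|exe)$", item, re.I) else "other"


def parse_mbam(text):
    """Return (findings, summary): a list of detection dicts and {section: count}."""
    findings, summary, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif m := DETECTION.match(line):
            findings.append({"section": section, "item": m["item"], "family": m["family"],
                             "action": m["action"], "mechanism": classify(m["item"])})
    return findings, summary


def check_counts(findings, summary):
    """Sections whose detail-line count disagrees with the summary: {section: (claimed, seen)}."""
    seen = Counter(f["section"] for f in findings)
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}


def iocs(findings):
    """Pull the CLSID(s), Winlogon Notify names and file paths out of the findings."""
    guids = sorted({g.lower() for f in findings for g in GUID.findall(f["item"])})
    notify = [f["item"].rsplit("\\", 1)[1] for f in findings if "Winlogon Notify" in f["mechanism"]]
    files = [f["item"].lower() for f in findings if f["section"] == "Files Infected"]
    return {"clsids": guids, "winlogon_notify": notify, "files": files}


def combofix_deletions(text):
    """Paths listed between ComboFix's 'Other Deletions' banner and the next banner."""
    deleted, inside = set(), False
    for line in text.splitlines():
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break
        elif inside and line.strip() not in ("", "."):
            deleted.add(line.strip().lower())
    return deleted


def reconcile(mbam_text, combofix_text):
    """Which MBAM-detected files ComboFix confirms as deleted, and which are still unaccounted for."""
    findings, _ = parse_mbam(mbam_text)
    deleted = combofix_deletions(combofix_text)
    files = iocs(findings)["files"]
    return {"confirmed": [f for f in files if f in deleted],
            "unconfirmed": [f for f in files if f not in deleted]}


if __name__ == "__main__":
    findings, summary = parse_mbam(MBAM_LOG)
    for f in findings:
        print(f"{f['family']:16} {f['mechanism']:55} {f['item']}")
    print("count mismatches:", check_counts(findings, summary))
    print("IOCs:", iocs(findings))
    print("ComboFix reconciliation:", reconcile(MBAM_LOG, COMBOFIX_LOG))
```

The reconciliation step is the part worth keeping around: the same CLSID appearing under both the BHO key and HKCR\CLSID tells you the two registry findings are one implant, and a file that Malwarebytes reports four times with "No action taken" but that later shows up under ComboFix's "Other Deletions" is the evidence that the second tool actually removed it rather than merely rescanning it.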

  • Staff

Hi,

Navigate to and delete the following files:

c:\windows\sonce122730.dat

C:\487656.bat

Not sure how you uninstalled your Norton Internet Security, because I still see it active and running here.

If you want to uninstall it, I suggest this:

* To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.

Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this link.

Also read the next article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton: http://basconotw.mvps.org/SymRem.htm

Keep in mind to install another Antivirus instead afterwards, because how are you supposed to prevent malware otherwise?

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


I wanted to sincerely thank you for having this forum. I don't know how I would have been able to get rid of this thing without it. Thanks for your quick replies. I will do your above steps in the next few hours. Once the malwarebytes came back clean, I ran as far away from this computer as I could for the next couple of days.

Will report back with results, but I'm pretty confident that I'm out of the woods.

Many thanks!


I am VERY nervous. The thing ran in about 4 hours. I went to type in my reply to you and all the text came in backwards. So when I type "hello" it shows up on the screen as "olleh". I went to a browser and typed something and it had the same results. So I typed this into notepad and cut & pasted it into the reply. That being said here is my log. It found problems in *really* old files that I haven't touched for years. So I've probably had these viruses for a very long time. Any idea how to get the text to come out normal while in a browser?

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Thursday, May 28, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Thursday, May 28, 2009 14:26:36

Records in database: 2265298

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 147244

Threat name: 4

Infected objects: 13

Suspicious objects: 2

Duration of the scan: 03:39:04

File name / Threat name / Threats count

C:\Documents and Settings\*****\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.Mydoom.m.log 2

C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\TransferFiles\oldtower.pst Infected: Trojan-Spy.HTML.Paylap.ev 3

C:\TransferFiles\oldtower.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\TransferFiles\oldtower.pst Infected: Email-Worm.Win32.Mydoom.m.log 2

C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Paylap.ev 3

C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Infected: Email-Worm.Win32.Mydoom.m.log 2

The selected area was scanned.


  • Staff

Hi,

Any idea how to get the text to come out normal while in a browser?
I assume this happens in your Firefox?

See here: http://www.freedomlist.com/forum/viewtopic...p=119058#119058

:P

What Kaspersky found are just some infected emails present in your mail backups (Webmaster\Burned\OldPeregrineTower\Outlook and C:\TransferFiles\oldtower.pst).

You can delete those and create a new backup again.

This one is in your current Outlook, but in the archive .pst rather than the live mailbox: C:\Documents and Settings\*****\Local Settings\Application Data\Microsoft\Outlook\archive.pst

You may ignore this one: C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1. It's not a real threat. :D

How are things now?


Okay, Firefox is all better. I deleted the files and emptied the recycle bin. I think I'm running pretty smooth now. Anything else I should double check? Does anything related to the Kaspersky scan need to be removed? I don't see an app for it so maybe it doesn't leave anything behind. I still have Malwarebytes and SuperAntiSpyware on the machine. Are those cool to stay? Many thanks for all your help!


  • Staff
Does anything related to the Kaspersky scan need to be removed? I don't see an app for it so maybe it doesn't leave anything behind.

Yes, you can delete manually what it found, as I explained in my previous post. :P

I still have Malwarebytes and SuperAntiSpyware on the machine. Are those cool to stay? Many thanks for all your help!

Yes, they are cool to stay. Also read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D


  • 2 weeks later...
  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

