
Vundo and others



Well, I got hit by Vundo and a few other things a few days ago.

First AOL Spyware Protection blocked "Haxdoor E".

Then Spybot's Tea Timer goes crazy blocking what I believe is Vundo, but that eventually gets through.

Here's the start of the Tea Timer log at that time:

12/26/2009 2:37:33 PM Allowed (based on user decision) value "Shell" (new data: "Explorer.exe logon.exe") changed in Winlogon!

12/26/2009 2:42:39 PM Denied (based on Spybot-S&D scan) value "buhinemaj" (new data: "{94bd5e23-df3a-4df4-859b-eeb41ffb321a}") added in Shell services!

12/26/2009 2:42:42 PM Denied (based on Spybot-S&D scan) value "sedewagid" (new data: "Rundll32.exe "c:\windows\system32\nizukipu.dll",a") added in System Startup global entry!

I then try to access Malwarebytes', but am unable to.

I used Spybot and found several entries of Vundo, etc.

I used Spybot to remove them, but they came back.

I downloaded and ran Vundofix. It didn't find anything.

I downloaded Avira, but it got disabled and so did Spybot. Something about low memory.

I did a quick scan with Microsoft's OneCare, but it didn't find anything. I got pop-ups for "Windows Defender" at this time.

I tried the system restore twice, but it didn't work. I also restarted the computer several times.

I re-downloaded Malwarebytes' and did a quick scan; Avira's guard blocked Vundo dozens of times during the scan.

Here are the results:

===============

Malwarebytes' Anti-Malware 1.42

Database version: 3437

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

12/26/2009 11:33:17 PM

mbam-log-2009-12-26 (23-33-17).txt

Scan type: Quick Scan

Objects scanned: 108108

Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 1

Registry Values Infected: 7

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\kabifoti.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nasikaje.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\pimenuda.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\topipega.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{0040bf8b-1662-4688-a92e-cbe448fc8115} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb4263 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd7922 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga6787 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc1691 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedewagid (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0040bf8b-1662-4688-a92e-cbe448fc8115} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kazeyoyal (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: popiwoba.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pimenuda.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pimenuda.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\bawawaza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bumokoju.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kabifoti.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\keminazo.dll_old (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nasikaje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pimenuda.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\pinofivu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\popiwoba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\riguhoyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\topipega.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LLJ198K\load[1].php (Trojan.Vundo) -> Quarantined and deleted successfully.

===============

After this reboot, Spybot still detected some instances of Vundo and got rid of them.

I noticed a lot of entries in Spybot's System Startup list that I don't recall being there before (maybe I'm getting paranoid).

They all share the key "WinLogon (Current System)":

Value / Command Line

crypt32chain / crypt32.dll

cryptnet / cryptnet.dll

cscdll / cscdll.dll

igfxcui / igfxdev.dll

ScCertProp / wlnotify.dll

Schedule / wlnotify.dll

sclgntfy / sclgntfy.dll

SensLogn / WlNotify.dll

termsrv / wlnotify.dll

WgaLogon / WgaLogon.dll

wlballoon / wlnotify.dll

For now, I turned them all off.

There was also a "winlogon" in the exceptions to Windows Firewall; I unchecked that too.

The next day, when I started the computer, I noticed the Windows automatic updates icon on the toolbar was missing.

I haven't been able to get it to work since then. Also, I couldn't get the updates from the automatic updates website either.

I could download them, and they seemed to be installing when I shut down the computer, but they still show up as not installed when I go to the website.

I scanned several times using several programs. Spybot and Malwarebytes' found nothing. A full-scan with OneCare found nothing.

I switched from Tea Timer to Avira guard, and it has found this several times:

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'

detected in file 'C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1552\A0361868.exe.

Action performed: Deny access

And a full scan with Avira found these:

The file 'C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsrollb.exe'

contained a virus or unwanted program 'TR/StartPage.HMI' [trojan]

Action(s) taken:

The file was moved to '4bab6d67.qua'!

The file 'C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe'

contained a virus or unwanted program 'HEUR/Malware' [heuristic]

Action(s) taken:

The detection was classified as suspicious.

The file was moved to '4bab0e99.qua'!

There was an increase of 1 gigabyte of HD space at some point during all this.

Also, pictures on the web are messed up some of the time. Perhaps due to my changing some of IE's ActiveX settings?

I'm not sure which of the above info is important and which isn't, so I'm sorry if I included a bunch of unnecessary information.

Thank you for any advice you can give me.

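The Malwarebytes' log above has a regular shape (summary counts, then one "... Infected:" block per category, each entry as "item (Threat) -> [Data/Bad/Good ->] action"). The script below, added here and not part of the original post or of Malwarebytes' own tooling, parses that format and produces the triage a helper does by eye: which entries could only be scheduled for "Delete on reboot" (modules still loaded, which is why the scan had to be followed by a reboot), which autostart locations were abused (AppInit_DLLs, Winlogon\Shell, SSODL, LSA authentication packages, Run/RunOnce), and whether the summary counts match the entries listed. The sample is an abridged copy of the first log above; the persistence labels are this example's own.

```python
import re
from collections import Counter, defaultdict, namedtuple

# Constructed sample: an abridged copy of the first MBAM 1.42 log posted above,
# keeping its layout (summary counts, then one "<section> Infected:" block each).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kabifoti.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0040bf8b-1662-4688-a92e-cbe448fc8115} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedewagid (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kazeyoyal (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: popiwoba.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pimenuda.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pimenuda.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LLJ198K\load[1].php (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
Entry = namedtuple("Entry", "section item threat details action")

# Autostart and hijack locations seen in this log, matched case-insensitively against
# the registry path. The labels are this example's own, not MBAM's.
PERSISTENCE = {
    r"\appinit_dlls": "AppInit_DLLs (DLL loaded into every process that loads user32.dll)",
    r"\winlogon\shell": "Winlogon Shell replacement",
    r"\lsa\authentication packages": "LSA authentication package",
    r"\shellserviceobjectdelayload": "ShellServiceObjectDelayLoad (SSODL)",
    r"\sharedtaskscheduler": "SharedTaskScheduler",
    r"\currentversion\run": "Run / RunOnce key",
    r"\security center": "Security Center notification tampering",
}

def parse_mbam_log(text):
    """Return (summary_counts, entries) from an MBAM 1.x text log.
    An entry's action is the last '->' segment; 'Data:' / 'Bad:/Good:' segments go to details."""
    counts, entries, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("(No malicious items"):
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
        elif line.endswith("Infected:"):
            section = line[:-1]
        elif section and (m := ENTRY_RE.match(line)):
            *details, action = m["rest"].split(" -> ")
            entries.append(Entry(section, m["item"], m["threat"], details, action))
    return counts, entries

def verify_counts(counts, entries):
    """Sections whose summary count disagrees with the entries actually listed
    (a truncated or hand-edited log). An empty dict means the log is consistent."""
    seen = Counter(e.section for e in entries)
    return {s: (n, seen[s]) for s, n in counts.items() if seen[s] != n}

def triage(text):
    """Summarise a log the way a helper reads it: what was found, what could only be
    scheduled for deletion at reboot (still loaded), and which autostart locations were used."""
    counts, entries = parse_mbam_log(text)
    persistence = defaultdict(list)
    for e in entries:
        label = next((v for k, v in PERSISTENCE.items() if k in e.item.lower()), None)
        if label:
            persistence[label].append(e.item)
    return {
        "threats": sorted({e.threat for e in entries}),
        "actions": dict(Counter(e.action for e in entries)),
        "pending_reboot": [e.item for e in entries if e.action.startswith("Delete on reboot")],
        "persistence": dict(persistence),
        "count_mismatches": verify_counts(counts, entries),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```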

I downloaded and ran HijackThis.

=======================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:50:11 AM, on 12/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\wltray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe

C:\Program Files\Common Files\AOL\1129342193\ee\aolsoftware.exe

c:\program files\common files\aol\1129342193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1129342193\ee\aolsoftware.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank

R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129342193\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk.disabled

O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{397F5A0A-CC37-4486-97B6-F82B306E69DB}: NameServer = 205.188.146.145

O20 - AppInit_DLLs: ows\system32\ ,nasikaje.dll

O21 - SSODL: buhinemaj - {94bd5e23-df3a-4df4-859b-eeb41ffb321a} - (no file)

O22 - SharedTaskScheduler: kupuhivus - {94bd5e23-df3a-4df4-859b-eeb41ffb321a} - (no file)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--

End of file - 10093 bytes


Thank you for responding. I've run Malwarebytes' a dozen times since the scan posted above, and they all come up clear.

Here's the latest:

==========

Malwarebytes' Anti-Malware 1.43

Database version: 3467

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

1/1/2010 12:22:43 AM

mbam-log-2010-01-01 (00-22-43).txt

Scan type: Quick Scan

Objects scanned: 103966

Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==========

I still haven't figured out how to turn Windows Automatic Updates back on.

And Avira blocks a few things a day. Here are a few examples:

==========

Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'

detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X8UZM92T\index[2].htm.

Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'

detected in file 'C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1552\A0362994.exe.

Action performed: Move file to quarantine

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'

detected in file 'C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1552\A0361868.exe.

Action performed: Move file to quarantine

=========

I wonder if it picks up so much because I have the "Advanced Heuristic Analysis and Detection" set to 'high'.

Still, better that I get false alarms than something slips by again.

I have switched from IE to Firefox as my main web browser, and I don't notice any messed up pics now.

I've also installed SpywareBlaster and plan to install some more anti-malware, etc. soon.

So, currently I have Malwarebytes', Spybot, Avira, AOL Spyware Protection, and SpywareBlaster.

Thank you for your attention.


We probably have some leftovers still on your PC.

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When ComboFix was preparing the log, Avira's guard came back on, but I turned it off pretty quickly.

Also, as I was just about to post this, the PC shut down and rebooted...

==========

ComboFix 09-12-31.A1 - Owner 01/01/2010 16:36:52.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.533 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

c:\program files\Common\helper.sss

c:\recycler\S-1-5-21-1306252711-3682585481-824141028-1003

c:\recycler\S-1-5-21-2487204532-621091825-53575969-1003

c:\recycler\S-1-5-21-2547040661-933609576-1108496238-1003

c:\recycler\S-1-5-21-583907252-1715567821-1801674531-1003

c:\recycler\S-1-5-21-788107208-2542915062-144897898-1003

c:\windows\system32\SIntf16.dll

C:\xcrashdump.dat

.

((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))

.

2009-12-31 07:06 . 2010-01-01 06:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-31 07:06 . 2010-01-01 06:30 -------- d-----w- c:\program files\SpywareBlaster Kai

2009-12-31 06:57 . 2009-12-31 06:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

2009-12-31 06:53 . 2010-01-01 21:58 -------- d-----w- c:\program files\Mozilla Firefox Kai

2009-12-30 07:48 . 2009-12-30 07:48 -------- d-----w- c:\program files\Trend Micro

2009-12-27 05:18 . 2009-12-31 02:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2

2009-12-27 01:35 . 2009-12-27 15:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-27 01:35 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-12-27 01:35 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-12-27 01:35 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-12-27 01:35 . 2009-12-27 01:35 -------- d-----w- c:\program files\Avira

2009-12-27 01:35 . 2009-12-27 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-01 22:52 . 2004-08-20 01:43 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-12-30 20:55 . 2009-02-03 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2009-02-03 07:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-28 23:13 . 2009-02-02 19:00 -------- d-----w- c:\program files\Windows Live Safety Center

2009-12-15 15:02 . 2004-08-20 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-12-04 05:05 . 2009-02-03 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-01 22:45 . 2009-12-01 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-11-12 14:53 . 2009-02-01 05:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-29 07:46 . 2004-08-20 00:49 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2004-08-20 00:48 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2004-08-20 00:48 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-13 10:53 . 2004-08-20 00:48 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2004-08-20 00:48 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2004-08-20 00:48 112128 ----a-w- c:\windows\system32\rastls.dll

2008-03-13 01:43 . 2008-03-13 01:43 2293848 ----a-w- c:\program files\FLV PlayerFCSetup.exe

2008-03-13 01:42 . 2008-03-13 01:42 4265560 ----a-w- c:\program files\FLV PlayerRCATSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-11-16 2166296]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

2009-11-16 01:02 2166296 ----a-w- c:\program files\Freecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-11-16 2166296]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-11-16 2166296]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 99480]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"SoundMan"="SOUNDMAN.EXE" [2005-05-12 90112]

"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 2805248]

"HostManager"="c:\program files\Common Files\AOL\1129342193\ee\AOLSoftware.exe" [2008-06-24 41824]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-01-14 771704]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]

"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-06-14 1282048]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

BigFix.lnk.disabled [2004-6-18 1518]

Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G USB Network Adapter\DynexWCUI.exe [2008-2-27 1458176]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1129342193\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\1129342193\\ee\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=

"c:\\WINDOWS\\system32\\bcmwltry.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avconfig.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avscan.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\guardgui.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/26/2009 7:35 PM 108289]

R3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [2/27/2008 2:39 PM 198528]

.

Contents of the 'Scheduled Tasks' folder

2007-06-12 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ajpxapmy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{94bd5e23-df3a-4df4-859b-eeb41ffb321a} - (no file)

ShellExecuteHooks-{AE02098A-B53A-A108-CD09-9A11AB16D2BA} - (no file)

SSODL-buhinemaj-{94bd5e23-df3a-4df4-859b-eeb41ffb321a} - (no file)

Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-01 17:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1580)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\wltrysvc.exe

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\zHotkey.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\windows\wanmpsvc.exe

c:\program files\common files\aol\1129342193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\Avira\AntiVir Desktop\avwsc.exe

.

**************************************************************************

.

Completion time: 2010-01-01 17:05:11 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-01 23:05

Pre-Run: 908,750,848 bytes free

Post-Run: 796,364,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2949DFE6C4BBB06D9925E4C9890C1C04

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:20:51 PM, on 1/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\AOL\1129342193\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\wltray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

c:\program files\common files\aol\1129342193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1129342193\ee\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox Kai\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank

R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129342193\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk.disabled

O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 9685 bytes

Here's what happened after the ComboFix ran:

AOL Spyware Protection found something called Bifrost in hkey_current_user \softwarewget

Spybot's Immunize page showed that Windows Global Hosts was not at all immunized (even though it was before).

Spybot found "Microsoft.WindowsSecurityCenter_disabled" and seemingly fixed it, but the Automatic updates still aren't back.

"winlogon" was no longer in the Firewall exceptions list.

Here's hoping I can post this...

Oh, and Spybot keeps on finding and supposedly fixing the same "Microsoft.WindowsSecurityCenter_disabled", but it keeps coming back.

That and the latest scan with Malwarebytes' found this:

==========

Malwarebytes' Anti-Malware 1.43

Database version: 3473

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

1/1/2010 9:18:49 PM

mbam-log-2010-01-01 (21-18-49).txt

Scan type: Quick Scan

Objects scanned: 101805

Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\jgaw400.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

Avira hasn't found anything in the past two days.

Malwarebytes' last find (Trojan.Hiloti) was a false alarm, so nothing there in the past week.

Spybot hasn't found anything since I ran ComboFix.

However, Windows Automatic Updates still isn't working properly.

The tray icon that notifies when updates are available doesn't show up.

And, while I can download the updates from the Windows website, I'm not sure that they are installing properly.

Judging from the logs, etc., is my PC safe to use?

That is to say, did anything steal my passwords or other info?

Is there anything still on my PC that would do so in the future?
