
Malwarebytes' removes Juan directory entry, but it comes back.



Hello,

Looks like I've got an infection. Shortly after starting my MSIE (V7 on XP SP2), I get popups to findlinks and other such sites (every 4 to 10 minutes). I've executed VundoFix.exe. The first time it said it found and fixed Vundo. Now it reports "no find". Ran a Spybot S&D scan and it only finds DoubleClick and MediaPlex cookies. Tried to run Panda ActiveScan (hit their page and clicked on the "Run Scan Now" button) but I get no further than an open, blank Firefox browser window from www.pandasoftware.com (ditto MSIE V7). No ActiveX download information. Tried it several times. No luck.

I'm attaching:

Hijackthis log after reboot.

Malwarebytes log after removal again.

Thanks for your time and effort.

Malwarebytes' Anti-Malware 1.09

Database version: 558

Scan type: Quick Scan

Objects scanned: 38528

Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Edited by JeanInMontana
remove outdated hjt log

Hi Stoneman and welcome to Malwarebytes. Your version of HJT is outdated. Please get the one listed in the pre-post HJT instructions at the top of this page. Follow all of those instructions and post the requested logs please. See the how-to-run-a-Panda-scan tutorial, also at the top of this page. You can't use Firefox. Do not use tools like VundoFix without being instructed. This is very dangerous. Please post that log also.


Attempted to follow your pre-HijackThis post instructions (as I did earlier), which, I believe, say:

============================================================================

Install and launch Spybot Search & Destroy, using immunize feature without TeaTimer enabled.

Install and launch Malwarebytes' Anti-Malware

Perform full scan, then click Scan. View results.

Be sure everything is checked, and click Remove.

When completed, log opens. Save, Copy and Paste log into your next reply.

Run a scan PandaActive Scan (full).

Post logs from Panda, MBAM and HiJack scans.

================================================================================

According to these pre-HJT instructions, I have:

0. Run SB S&D without TeaTimer enabled.

1. Attempted to run Panda ActiveScan; however, as I said earlier, it will not run on either Firefox or MSIE 7, because I cannot download the ActiveX component. The info bar in MSIE V7 says "your security settings do not allow web sites to use ActiveX ...". When I (reluctantly) tried to change Tools > Internet Options > Security > Custom > Medium, MSIE V7 blows out saying it "encountered a problem and needs to close". When I restart MSIE V7 and hit the Panda ActiveScan web site again, and click on the Scan button, I get the info bar telling me that an "ActiveX download has been blocked"; clicking on the MSIE info bar does nothing more than bring up "Information Bar Help" (right and left clicking). I've scoured the web on ways to uninstall MSIE V7 (which I installed recently, thinking a "MSIE browser helper" had been compromised), but can't find a way to uninstall it. Help > About gives me no response (to a left or right mouse click), so I can't tell you what release it is.

Firefox brings up a blank window on hitting the Scan button.

What else can I do to get PandaActive Scan to run?

How about I just go ahead and buy MBAM? Will I then need to run other vendors' products like Panda ActiveScan to use and get support from your company on your product? Can you not help me when you know nothing more than that Spybot S&D runs clean, and having the HJT and MBAM logs in hand? Will your attitude about that change if I buy your product?

Believe me, I can understand "free help is worth what you pay for it", and how difficult your job of "distant water trying to put out a local fire" is. I'm a mainframe software engineer, and understand the viciousness of these darn malware programs, and the difficulty of removing them. We call them "hooks" in my world. Amazing how fragile these flaming PCs have become to the malicious criminals who want to scam us and capitalize on Windows weaknesses. Thank God for RACF.

Somehow, it seems to me that you would be intrigued by why your product will find, and say it has removed, directory entries that come back after I have IPLed this machine. Wouldn't fixing this issue help the veracity of your product? I am more than willing to help you, if you're interested in doing so.

Note that (my problem) the popup web pages only occur with MSIE, not with Firefox.

BTW: I ran VundoFix before I found this forum, and will not run any tools unless you say so. VundoFix does not, to my knowledge, leave a log. Just a message on the window it opens saying words to the effect of "nothing found".

Thanks for your patience and help.

Following, you will find:

2. MBAM log of full scan and "remove".

3. HijackThis scan 2.0.2, which I ran before I executed MBAM "remove".

Malwarebytes' Anti-Malware 1.09

Database version: 558

Scan type: Full Scan (C:\|D:\|W:\|)

Objects scanned: 347107

Time elapsed: 1 hour(s), 49 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Edited by JeanInMontana
remove hjt log unreadable

Firefox does not support ActiveX, period. It will never run a Panda scan. Are you running under an administrative account? The reason for the scan is that the log afterwards will show information I can use to help you.

How about I just go ahead and buy MBAM? Will I then need to run other vendors' products like Panda ActiveScan to use and get support from your company on your product? Can you not help me when you know nothing more than that Spybot S&D runs clean, and having the HJT and MBAM logs in hand? Will your attitude about that change if I buy your product?

Purchasing MBAM will not make any difference in how it performs. Everything it does to remove is done for free.

My attitude will change when you lose yours. You have given me an attitude. Don't think for one minute you're going to come here asking for help and proceed to bash the products you're asked to use. Why isn't Spyware Terminator saving you?

Yes, you will need to follow instructions for anyone, anywhere, to help you. If you have a problem with that we might as well call it quits now. For someone claiming to be a software engineer, you should be aware none of the programs you have been asked to run do the same thing.

You're not getting customer support here. You're asking for help removing malware. No way are they related.

BTW: I ran VundoFix before I found this forum, and will not run any tools unless you say so. VundoFix does not, to my knowledge, leave a log. Just a message on the window it opens saying words to the effect of "nothing found".

Once again your knowledge fails you. VundoFix does create a log and that is why I asked to see it. It's named rapport.txt and will be on your main drive, usually C:. MBAM says, according to the log you posted, that it did find Vundo and deleted it.

Somehow, it seems to me that you would be intrigued by why your product will find, and say it has removed, directory entries that come back after I have IPLed this machine. Wouldn't fixing this issue help the veracity of your product? I am more than willing to help you, if you're interested in doing so.

Malware mutates and no program is capable of always having every variation in the definitions. I don't know what IPLed is. Please explain. Nor do I know why you think directory entries are coming back after removal. You're not following the procedures as they are laid out. You run the malware scan and remove, then you run the HJT scan. It makes no sense to do it the other way. If you want help, follow instructions and procedures as they are given to you.

You need to turn off TeaTimer in Spybot Search & Destroy. From your HJT log it is plainly still on.

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

I don't know what you're using to post the HJT log, but the formatting is a mess and makes it unreadable. Use Notepad only; that is how the program saves the log, don't change that. Keep the lines all together, no spacing or wrapping of text.

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer -

{3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll <======= this should be all one line not 3. It is too hard to read like this.

There is no need to scan any drive other than C with MBAM either. CD-ROM drives don't get infected.

Now, this is how we will proceed.

1. You will turn off Tea Timer.

Open SB S&D

Click on the Tools section and then Resident.

You will see two items.

1. Resident "SD helper" (Internet Explorer bad download blocker.) active

2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck 2. Leave 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

2. Run this tool

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save to your desktop.

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit Enter.

Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log, and then scan with HiJack This and post that log in your next reply.


OK, points well taken - sorry if I implied insult - that was certainly not my intention.

IPL is an acronym for Initial Program Load (or in the UNIX/PC world "boot").

Don't know why the data was badly formatted; I cut and pasted from a Notepad window (as I did below).

Per your instructions, I have:

1. Turned off Tea Timer.

2. Downloaded and executed combofix.exe

It caused several illegal instruction windows, to which I responded "Close".

3. Ran HJT

Cut and pasted following logs from Notepad windows:

Combofix.txt

ComboFix 08-03-30.2 - Administrator 2008-03-30 13:41:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.449 [GMT -4:00]

Running from: C:\Documents and Settings\Administrator.GAM2\Desktop.GAM\ComboFix.exe

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\WINNT\BM9f00572c.xml

C:\WINNT\cookies.ini

C:\WINNT\pskt.ini

C:\WINNT\system32\bhtyukhj.dll

C:\WINNT\system32\bmrwknpf.dll

C:\WINNT\system32\bnwjrknl.dll

C:\WINNT\system32\bvcptwvs.dll

C:\WINNT\system32\bynouvmo.dll

C:\WINNT\system32\cckvjdyf.dll

C:\WINNT\system32\dawfjhwk.dll

C:\WINNT\system32\dmdltyxs.dll

C:\WINNT\system32\drivers\npf.sys

C:\WINNT\system32\hdvfkynu.dll

C:\WINNT\system32\jkcdovfa.dll

C:\WINNT\system32\ktsssuly.dll

C:\WINNT\system32\mcrh.tmp

C:\WINNT\system32\mmvgtsdv.dll

C:\WINNT\system32\obmkwjbu.dll

C:\WINNT\system32\pthreadVC.dll

C:\WINNT\system32\qcjqvyxh.dll

C:\WINNT\system32\qsygxawu.dll

C:\WINNT\system32\rbfuvvpv.dll

C:\WINNT\system32\tkpbhcvl.dll

C:\WINNT\system32\vgxqfxdm.dll

C:\WINNT\system32\ywsoeohr.dll

C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\NPF

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))

.

2008-03-29 16:44 . 2008-03-29 16:44 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-28 23:33 . 2008-03-28 23:33 78 --a------ C:\WINNT\HEDIT.INI

2008-03-28 23:31 . 2008-03-28 23:31 54 --a------ C:\WINNT\SUPERPAD.INI

2008-03-27 20:48 . 2008-03-27 20:48 <DIR> d-------- C:\Program Files\BillP Studios

2008-03-27 20:48 . 2008-03-27 20:48 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\WinPatrol

2008-03-27 20:03 . 2008-03-27 20:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-03-27 19:31 . 2008-03-27 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-03-27 19:18 . 2008-03-27 20:09 <DIR> d-------- C:\Program Files\XoftSpySE

2008-03-27 18:02 . 2008-03-27 18:03 <DIR> d-------- C:\Program Files\Microsoft User Agent String Utility

2008-03-26 21:42 . 2008-03-26 21:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-03-26 21:42 . 2008-03-26 22:04 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2008-03-26 21:05 . 2008-03-26 21:05 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\MSN6

2008-03-26 21:05 . 2008-03-26 21:06 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\MSN6

2008-03-26 20:28 . 2008-03-26 20:28 <DIR> d-------- C:\WMA.rec

2008-03-26 20:10 . 2008-03-26 20:10 <DIR> d-------- C:\Program Files\NCH Software

2008-03-26 20:10 . 2008-03-26 20:10 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\NCH Swift Sound

2008-03-26 20:09 . 2008-03-26 20:09 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\NCH Swift Sound

2008-03-26 20:09 . 2008-03-26 20:09 26,112 --a------ C:\WINNT\system32\drivers\nchssvad.sys

2008-03-26 20:03 . 2008-03-26 20:42 <DIR> d-------- C:\Program Files\WMR11

2008-03-26 18:47 . 2006-10-04 10:06 1,197,294 -----c--- C:\WINNT\system32\dllcache\sysmain.sdb

2008-03-26 18:47 . 2006-10-04 10:06 764,868 -----c--- C:\WINNT\system32\dllcache\apph_sp.sdb

2008-03-26 18:47 . 2006-10-04 10:06 217,118 -----c--- C:\WINNT\system32\dllcache\apphelp.sdb

2008-03-23 12:18 . 2008-03-29 12:04 <DIR> d-------- C:\Program Files\Spyware Terminator

2008-03-23 12:18 . 2008-03-25 22:46 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spyware Terminator

2008-03-23 12:18 . 2008-03-29 12:04 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\Spyware Terminator

2008-03-23 12:18 . 2008-03-23 12:18 138,752 --a------ C:\WINNT\system32\drivers\sp_rsdrv2.sys

2008-03-23 12:09 . 2008-03-23 12:09 <DIR> d-------- C:\Program Files\Windows Defender

2008-03-23 10:58 . 2008-03-23 10:58 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes

2008-03-23 10:58 . 2008-03-23 10:58 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\Malwarebytes

2008-03-23 10:57 . 2008-03-23 10:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager

2008-03-23 10:04 . 2008-03-23 10:04 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe

2008-03-23 09:54 . 2008-03-23 10:13 <DIR> d-------- C:\VundoFix Backups

2008-03-22 20:30 . 2008-03-22 20:51 1,543,457 ---hs---- C:\WINNT\system32\wiwgerwu.ini

2008-03-22 20:24 . 2008-03-22 20:39 290,857 --ahs---- C:\WINNT\system32\orutv.ini

2008-03-22 20:24 . 2008-03-22 20:38 320 --ahs---- C:\WINNT\system32\orutv.ini2

2008-03-22 20:23 . 2008-03-22 20:24 272,896 --a------ C:\WINNT\system32\vturo.dll.bak

2008-03-22 20:14 . 2008-03-23 09:23 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\SITEguard

2008-03-22 20:13 . 2008-03-23 12:50 <DIR> d-------- C:\Program Files\STOPzilla!

2008-03-22 20:13 . 2008-03-22 20:13 <DIR> d-------- C:\Program Files\Common Files\iS3

2008-03-22 20:13 . 2008-03-23 12:50 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\STOPzilla!

2008-03-22 19:34 . 2008-03-22 19:34 354 --ahs---- C:\WINNT\system32\voulgouh.tmp

2008-03-22 19:30 . 2008-03-22 19:30 294 --ahs---- C:\WINNT\system32\wyuinkvh.ini

2008-03-22 18:00 . 2008-03-22 18:15 <DIR> d-------- C:\bintheredunthat

2008-03-22 13:44 . 2008-03-22 13:44 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft

2008-03-22 13:43 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINNT\system32\dllcache\ieframe.dll

2008-03-22 13:43 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINNT\system32\dllcache\ieapfltr.dat

2008-03-22 13:43 . 2007-06-30 23:36 991,232 -----c--- C:\WINNT\system32\dllcache\ieframe.dll.mui

2008-03-22 13:43 . 2007-12-06 22:21 459,264 -----c--- C:\WINNT\system32\dllcache\msfeeds.dll

2008-03-22 13:43 . 2007-12-06 22:21 383,488 -----c--- C:\WINNT\system32\dllcache\ieapfltr.dll

2008-03-22 13:43 . 2007-12-06 22:21 267,776 -----c--- C:\WINNT\system32\dllcache\iertutil.dll

2008-03-22 13:43 . 2007-12-06 22:21 63,488 -----c--- C:\WINNT\system32\dllcache\icardie.dll

2008-03-22 13:43 . 2007-12-06 22:21 52,224 -----c--- C:\WINNT\system32\dllcache\msfeedsbs.dll

2008-03-22 13:43 . 2007-12-06 07:00 13,824 -----c--- C:\WINNT\system32\dllcache\ieudinit.exe

2008-03-22 13:35 . 2007-08-13 18:54 33,792 --a--c--- C:\WINNT\system32\dllcache\custsat.dll

2008-03-22 13:16 . 2008-03-22 13:16 <DIR> d-------- C:\Program Files\Microsoft Silverlight

2008-03-22 11:00 . 2008-03-22 11:00 <DIR> d-------- C:\Documents and Settings\Administrator.GAM2\Application Data\Uniblue

2008-03-21 20:17 . 2008-03-22 18:25 1,544,419 --ahs---- C:\WINNT\system32\einkbslp.ini

2008-03-21 19:29 . 2007-07-09 09:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll

2008-03-21 19:20 . 2008-03-21 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft

2008-03-21 18:11 . 2008-03-21 19:39 1,543,457 --ahs---- C:\WINNT\system32\jwuxngvc.ini

2008-03-21 17:50 . 2004-08-04 00:56 380,416 --a------ C:\WINNT\system32\irprops.cpl

2008-03-21 17:50 . 2004-08-04 00:56 96,768 -----c--- C:\WINNT\system32\dllcache\dpcdll.dll

2008-03-21 17:42 . 2004-07-17 11:40 19,528 --a------ C:\WINNT\002724_.tmp

2008-03-21 17:04 . 2007-07-30 19:19 216,408 --a------ C:\WINNT\system32\wuaucpl.cpl

2008-03-21 17:04 . 2007-07-30 19:19 216,408 --a--c--- C:\WINNT\system32\dllcache\wuaucpl.cpl

2008-03-21 16:50 . 2003-09-30 20:00 1,875,968 --a--c--- C:\WINNT\system32\dllcache\msir3jp.lex

2008-03-21 16:49 . 2003-09-30 20:00 13,463,552 --a--c--- C:\WINNT\system32\dllcache\hwxjpn.dll

2008-03-21 16:48 . 2003-09-30 20:00 94,720 --a--c--- C:\WINNT\system32\dllcache\certmap.ocx

2008-03-21 16:48 . 2003-09-30 20:00 14,336 --a--c--- C:\WINNT\system32\dllcache\iisreset.exe

2008-03-21 16:48 . 2003-09-30 20:00 7,680 --a--c--- C:\WINNT\system32\dllcache\inetmgr.exe

2008-03-21 16:48 . 2003-09-30 20:00 6,144 --a--c--- C:\WINNT\system32\dllcache\ftpsapi2.dll

2008-03-21 16:48 . 2003-09-30 20:00 5,632 --a--c--- C:\WINNT\system32\dllcache\iisrstap.dll

2008-03-21 16:47 . 2005-07-26 00:39 1,285,120 --a------ C:\WINNT\system32\ole32.dll

2008-03-21 16:47 . 2007-07-09 09:09 584,192 --a------ C:\WINNT\system32\rpcrt4.dll

2008-03-21 16:47 . 2005-07-26 00:39 397,824 --a------ C:\WINNT\system32\rpcss.dll

2008-03-21 16:41 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll

2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\WindowsShell.Manifest

2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\system32\wuaucpl.cpl.manifest

2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\system32\sapi.cpl.manifest

2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\system32\nwc.cpl.manifest

2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\system32\ncpa.cpl.manifest

2008-03-21 16:35 . 2008-03-21 16:35 488 -rah----- C:\WINNT\system32\logonui.exe.manifest

2008-03-21 16:32 . 2007-07-30 19:19 1,712,984 --a------ C:\WINNT\system32\wuaueng.dll

2008-03-21 16:30 . 2004-08-03 23:07 52,864 --a------ C:\WINNT\system32\drivers\dmusic.sys

2008-03-21 16:30 . 2006-06-14 04:47 6,400 --a------ C:\WINNT\system32\drivers\splitter.sys

2008-03-21 16:28 . 2003-09-30 20:00 1,086,182 -ra------ C:\WINNT\SET56.tmp

2008-03-21 16:28 . 2003-09-30 20:00 13,608 -ra------ C:\WINNT\SET6B.tmp

2008-03-20 22:21 . 2004-08-03 22:59 57,472 --a------ C:\WINNT\system32\drivers\redbook.sys

2008-03-20 22:19 . 2003-09-30 20:00 1,086,182 -ra------ C:\WINNT\SET55.tmp

2008-03-20 22:19 . 2003-09-30 20:00 13,608 -ra------ C:\WINNT\SET6A.tmp

2008-03-20 21:55 . 2004-08-03 23:01 196,864 --a------ C:\WINNT\system32\drivers\rdpdr.sys

2008-03-20 21:55 . 2004-08-04 01:01 40,840 --a------ C:\WINNT\system32\drivers\termdd.sys

2008-03-20 21:54 . 2004-08-04 00:56 146,432 --a------ C:\WINNT\system\winspool.drv

2008-03-20 21:54 . 2004-08-04 00:56 74,752 --a------ C:\WINNT\system32\storprop.dll

2008-03-20 21:54 . 2003-09-30 20:00 24,661 --a------ C:\WINNT\system32\spxcoins.dll

2008-03-20 21:54 . 2003-09-30 20:00 24,661 --a--c--- C:\WINNT\system32\dllcache\spxcoins.dll

2008-03-20 21:54 . 2003-09-30 20:00 13,312 --a------ C:\WINNT\system32\irclass.dll

2008-03-20 21:54 . 2003-09-30 20:00 13,312 --a--c--- C:\WINNT\system32\dllcache\irclass.dll

2008-03-20 21:54 . 2004-08-03 23:00 11,264 --a------ C:\WINNT\system32\drivers\irenum.sys

2008-03-20 21:52 . 2008-03-21 17:31 2,312,957 --a------ C:\WINNT\setupapi.log.1.old

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-29 04:13 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Google Updater

2008-03-29 02:49 --------- d-----w C:\Documents and Settings\Administrator.GAM2\Application Data\ACAMPREF

2008-03-28 23:25 --------- d-----w C:\Program Files\Apple Software Update

2008-03-28 01:52 --------- d---a-w C:\Program Files\LapLink Gold

2008-03-28 01:29 37,504 ----a-w C:\Documents and Settings\Administrator.GAM2\Application Data\GDIPFONTCACHEV1.DAT

2008-03-23 14:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-03-22 22:15 --------- d---a-w C:\Program Files\EasyChord

2008-03-22 22:15 --------- d-----w C:\Program Files\Ethereal

2008-03-22 22:13 --------- d-----w C:\Program Files\Free RAW Viewer

2008-03-18 00:32 --------- d---a-w C:\Program Files\OO Software

2008-03-17 20:34 --------- d---a-w C:\Program Files\TallStick

2008-03-17 01:43 --------- d-----w C:\Program Files\Musicnotes

2008-03-17 01:21 --------- d---a-w C:\Program Files\intelliScore Ensemble WAV to MIDI Converter Demo

2008-03-17 01:21 --------- d-----w C:\Program Files\AmazingMIDI

2008-03-16 21:40 28,352 ----a-w C:\WINNT\system32\drivers\MxlW2k.sys

2008-02-21 20:52 --------- d---a-w C:\Program Files\Common Files\Adobe

2007-08-12 01:29 5,632 --sha-w C:\Program Files\Thumbs.db

2007-04-18 00:14 1,414 ----a-w C:\Program Files\uninstal.log

2007-04-08 17:18 271 --sh--w C:\Program Files\desktop.ini

2007-04-08 17:18 21,952 ---h--w C:\Program Files\folder.htt

2006-08-15 22:23 2,098 ----a-w C:\Program Files\Common Files\NaviplexInstallLog.txt

2003-03-21 20:37 16,056 ----a-w C:\Program Files\owcstp16.dll

2001-08-13 22:51 1,396,337 ----a-w C:\Program Files\Captura.exe

2007-12-10 22:40 6,275,816 ----a-w C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]

"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 12:40 4167376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]

"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 13:50 155648]

"IMONTRAY"="C:\Program Files\Intel\Intel

Edited by JeanInMontana
Remove quote

How are you running now? ComboFix took out several Vundo-looking files. I would like you to scan the items below and upload them for the team here to analyze also.

C:\WINNT\system32\wiwgerwu.ini

C:\WINNT\system32\orutv.ini

C:\WINNT\system32\orutv.ini2

C:\WINNT\system32\vturo.dll.bak

C:\WINNT\system32\voulgouh.tmp

C:\WINNT\system32\wyuinkvh.in

You can upload here http://uploads.malwarebytes.org/

Please scan them and post the results from those scans. Scan here virustotal.com

Let me know how you're running now also.

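The ComboFix log above and the six files Jean picked out of it share a pattern worth recognising mechanically: DLLs named with eight random lowercase letters dropped directly into system32, hidden+system .ini/.tmp files beside them, and a renamed .dll.bak. The Python below is an added example, not code from this thread or from ComboFix, that applies exactly those three rules to lines in the "Other Deletions" and "Files Created" layouts. The SAMPLE_LOG entries are copied from the log in this thread plus a few benign lines for contrast; the rule set, the eight-letter threshold and all function names are the example's own assumptions. Note what it deliberately does not flag: npf.sys, which ComboFix also deleted, is the WinPcap packet-capture driver that Ethereal (listed in the Find3M report) depends on, and pthreadVC.dll is the pthreads-win32 runtime, so a name-pattern rule is a triage aid, not a substitute for checking each deletion.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the two ComboFix layouts seen in the thread:
# "Other Deletions" lines are bare paths; "Files Created" lines carry
# two timestamps, a size or <DIR>, a 9-character attribute field and the path.
SAMPLE_LOG = [
    r"C:\WINNT\system32\bhtyukhj.dll",
    r"C:\WINNT\system32\pthreadVC.dll",
    r"C:\WINNT\system32\drivers\npf.sys",
    r"2008-03-22 20:30 . 2008-03-22 20:51 1,543,457 ---hs---- C:\WINNT\system32\wiwgerwu.ini",
    r"2008-03-22 20:24 . 2008-03-22 20:39 290,857 --ahs---- C:\WINNT\system32\orutv.ini",
    r"2008-03-22 20:23 . 2008-03-22 20:24 272,896 --a------ C:\WINNT\system32\vturo.dll.bak",
    r"2008-03-22 19:34 . 2008-03-22 19:34 354 --ahs---- C:\WINNT\system32\voulgouh.tmp",
    r"2008-03-26 20:09 . 2008-03-26 20:09 26,112 --a------ C:\WINNT\system32\drivers\nchssvad.sys",
    r"2008-03-21 16:35 . 2008-03-21 16:35 749 -rah----- C:\WINNT\system32\sapi.cpl.manifest",
    r"2008-03-29 16:44 . 2008-03-29 16:44 <DIR> d-------- C:\Program Files\Trend Micro",
]

CREATED_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:<DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>[A-Za-z]:\\.+)$"
)
PLAIN_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")      # assumed heuristic: eight lowercase letters, nothing else
LOOSE_EXTS = {".dll", ".ini", ".ini2", ".tmp", ".exe"}


def parse_line(line):
    """Return (path, attrs) for a deletion or 'Files Created' line, else None."""
    m = CREATED_LINE.match(line)
    if m:
        return m.group("path"), m.group("attrs")
    m = PLAIN_PATH.match(line)
    if m:
        return m.group("path"), ""          # bare path: no attribute field available
    return None


def reasons_for(path, attrs):
    """Apply the three Vundo-style rules to one file directly under system32."""
    p = PureWindowsPath(path)
    if p.parent.name.lower() != "system32":
        return []                           # drivers\ and other subfolders are left alone
    name = p.name.lower()
    stem = name.split(".", 1)[0]            # "vturo.dll.bak" -> "vturo"
    reasons = []
    if "h" in attrs and "s" in attrs:
        reasons.append("hidden+system file dropped in system32")
    if RANDOM_STEM.match(stem) and p.suffix.lower() in LOOSE_EXTS:
        reasons.append("eight random lowercase letters in system32")
    if name.endswith(".dll.bak"):
        reasons.append("renamed copy of a DLL left in system32")
    return reasons


def triage(lines):
    """Return [(path, [reasons])] for every line that trips at least one rule."""
    flagged = []
    for line in lines:
        parsed = parse_line(line.strip())
        if not parsed:
            continue
        path, attrs = parsed
        reasons = reasons_for(path, attrs)
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(why))
```

Run against the sample it reports exactly the five files Jean listed that fit the pattern (bhtyukhj.dll, wiwgerwu.ini, orutv.ini, vturo.dll.bak, voulgouh.tmp) and stays silent on the legitimate driver, library and manifest lines; the hidden+system rule is the one that catches short names like orutv.ini that the eight-letter rule misses.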


Hi Jean,

How are you running now?

No longer get spurious pages using MSIE V7, although I think I'll use the Recovery Console to remove it, since things like 'Find' don't work in it.

You can upload here http://uploads.malwarebytes.org/

Uploaded Vturo.dll.bak

None of the others were present, although I see them in the scan above. Not sure what went on there. I'm running McAfee and Spyware Terminator, as I'm sure you see, and they may have deleted them, but I don't recall being told that. I've rebooted several times, started MSIE, and done REGEDIT Find for 'Juan', with no hits.

Any ideas/suggestions? Nothing in the trash folder.

Here's the file list and status - the virustotal log follows.

C:\WINNT\system32\wiwgerwu.ini Not found

C:\WINNT\system32\orutv.ini Not found

C:\WINNT\system32\orutv.ini2 Not found

C:\WINNT\system32\vturo.dll.bak Uploaded to virustotal

C:\WINNT\system32\voulgouh.tmp Not found

C:\WINNT\system32\wyuinkvh.in Not found

File vturo.dll.bak received on 03.31.2008 23:25:39 (CET)


Result: 9/32 (28.13%)


Antivirus Version Last Update Result

AhnLab-V3 2008.4.1.0 2008.03.31 -

AntiVir 7.6.0.78 2008.03.31 -

Authentium 4.93.8 2008.03.31 -

Avast 4.7.1098.0 2008.03.31 -

AVG 7.5.0.516 2008.03.31 -

BitDefender 7.2 2008.03.31 -

CAT-QuickHeal 9.50 2008.03.31 -

ClamAV None 2008.03.31 -

DrWeb 4.44.0.09170 2008.03.31 -

eSafe 7.0.15.0 2008.03.31 -

eTrust-Vet 31.3.5658 2008.03.31 -

Ewido 4.0 2008.03.31 -

F-Prot 4.4.2.54 2008.03.31 W32/Virtumonde.G.gen!Eldorado

F-Secure 6.70.13260.0 2008.03.31 -

FileAdvisor 1 2008.03.31 -

Fortinet 3.14.0.0 2008.03.31 -

Ikarus T3.1.1.20 2008.03.31 -

Kaspersky 7.0.0.125 2008.03.31 not-a-virus:AdWare.Win32.Virtumonde.gen

McAfee 5263 2008.03.31 -

Microsoft 1.3301 2008.03.31 Trojan:Win32/Vundo.gen!D

NOD32v2 2988 2008.03.31 -

Norman 5.80.02 2008.03.31 Vundo.gen144

Panda 9.0.0.4 2008.03.31 Suspicious file

Prevx1 V2 2008.03.31 Trojan.Vundo

Rising 20.38.01.00 2008.03.31 AdWare.Win32.Virtumonde.ggh

Sophos 4.28.0 2008.03.31 Sus/Behav-200

Sunbelt 3.0.978.0 2008.03.18 -

Symantec 10 2008.03.31 -

TheHacker 6.2.92.259 2008.03.30 -

VBA32 3.12.6.3 2008.03.25 -

VirusBuster 4.3.26:9 2008.03.31 Adware.Vundo.Gen!Pac.18

Webwasher-Gateway 6.6.2 2008.03.31 -

Additional information

File size: 272896 bytes

MD5: cebb2f573b93c1dca964fb2989ae04d0

SHA1: 2715ee95d07a326610d6f1e9f496bf8d6e61a28c

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp...A23F100CF24DBF6

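Before acting on a VirusTotal result like the one above, two things are worth checking mechanically: that the size and hashes VirusTotal reports belong to the file actually in hand (only one of the six files was found, and VirusTotal can serve a cached report for a previously submitted hash), and how much of the "clean" column comes from engines whose signatures were already stale on the scan date. The Python below is an added example, not code from the thread or from VirusTotal. It recomputes size, MD5 and SHA-1 over a byte string and compares them with the values reported for vturo.dll.bak, then parses the pasted vendor table to reproduce the 9/32 ratio, count the engines that name the Vundo/Virtumonde family rather than a generic "suspicious", and list the engines whose last update predates the scan. The table text is copied from the post; the REPORTED dictionary, SAMPLE_BYTES (constructed, not the real file), the family keyword list and the function names are the example's assumptions.

```python
import hashlib
import re
from decimal import Decimal, ROUND_HALF_UP

# Values VirusTotal reported for vturo.dll.bak in the post above.
REPORTED = {
    "size": 272896,
    "md5": "cebb2f573b93c1dca964fb2989ae04d0",
    "sha1": "2715ee95d07a326610d6f1e9f496bf8d6e61a28c",
}

# Constructed stand-in for the file contents; NOT the real vturo.dll.bak.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62

# Vendor table as pasted in the post: vendor, engine version, signature date, result.
VT_TABLE = """
AhnLab-V3 2008.4.1.0 2008.03.31 -
AntiVir 7.6.0.78 2008.03.31 -
Authentium 4.93.8 2008.03.31 -
Avast 4.7.1098.0 2008.03.31 -
AVG 7.5.0.516 2008.03.31 -
BitDefender 7.2 2008.03.31 -
CAT-QuickHeal 9.50 2008.03.31 -
ClamAV None 2008.03.31 -
DrWeb 4.44.0.09170 2008.03.31 -
eSafe 7.0.15.0 2008.03.31 -
eTrust-Vet 31.3.5658 2008.03.31 -
Ewido 4.0 2008.03.31 -
F-Prot 4.4.2.54 2008.03.31 W32/Virtumonde.G.gen!Eldorado
F-Secure 6.70.13260.0 2008.03.31 -
FileAdvisor 1 2008.03.31 -
Fortinet 3.14.0.0 2008.03.31 -
Ikarus T3.1.1.20 2008.03.31 -
Kaspersky 7.0.0.125 2008.03.31 not-a-virus:AdWare.Win32.Virtumonde.gen
McAfee 5263 2008.03.31 -
Microsoft 1.3301 2008.03.31 Trojan:Win32/Vundo.gen!D
NOD32v2 2988 2008.03.31 -
Norman 5.80.02 2008.03.31 Vundo.gen144
Panda 9.0.0.4 2008.03.31 Suspicious file
Prevx1 V2 2008.03.31 Trojan.Vundo
Rising 20.38.01.00 2008.03.31 AdWare.Win32.Virtumonde.ggh
Sophos 4.28.0 2008.03.31 Sus/Behav-200
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.31 -
TheHacker 6.2.92.259 2008.03.30 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.31 Adware.Vundo.Gen!Pac.18
Webwasher-Gateway 6.6.2 2008.03.31 -
"""

ROW = re.compile(r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d\d\.\d\d)\s+(?P<result>.+)$")
FAMILY_KEYWORDS = ("vundo", "virtumonde")   # assumed aliases for the family discussed in the thread


def file_hashes(data):
    """Size, MD5 and SHA-1 of a byte string, in the form VirusTotal reports them."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_report(data, reported=REPORTED):
    """True only if size and both hashes of the file in hand equal the reported values."""
    return file_hashes(data) == reported


def parse_vt_table(text):
    """One dict per engine row; blank or non-matching lines are skipped."""
    return [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def detections(rows):
    """(vendor, verdict) for every engine that returned anything other than '-'."""
    return [(r["vendor"], r["result"]) for r in rows if r["result"] != "-"]


def detection_ratio(rows):
    """(hits, engines, percent), rounded half-up the way VirusTotal prints it."""
    hits, total = len(detections(rows)), len(rows)
    pct = (Decimal(hits) * 100 / Decimal(total)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return hits, total, float(pct)


def family_consensus(rows, keywords=FAMILY_KEYWORDS):
    """How many verdicts name the family itself rather than a generic 'suspicious' label."""
    return sum(1 for r in rows if any(k in r["result"].lower() for k in keywords))


def stale_engines(rows, scan_date="2008.03.31"):
    """Engines whose signatures predate the scan: their '-' is weaker evidence of a clean file."""
    return [r["vendor"] for r in rows if r["updated"] < scan_date]


if __name__ == "__main__":
    rows = parse_vt_table(VT_TABLE)
    print("hashes match report:", matches_report(SAMPLE_BYTES))
    print("ratio:", detection_ratio(rows), "family hits:", family_consensus(rows))
    print("stale engines:", stale_engines(rows))
```

On the pasted table this yields 9 of 32 (28.13%), seven of those nine naming Vundo/Virtumonde outright, and three engines (Sunbelt, TheHacker, VBA32) scanning with signatures older than the scan date, so the effective "clean" count is smaller than the 23 dashes suggest. Replace SAMPLE_BYTES with the bytes read from the real file to perform the hash comparison the lead-in describes.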

According to the ComboFix you don't have the recovery console installed. I don't use IE unless forced and am not sure what "find" is.

IMO SpyHunter is worthless; I doubt it would find what we are after. Do you have the system set to show all files and folders? ComboFix was run after the scans with those others, right? If it is still showing the files, and it is, then they weren't removed by anything else.

My searches on those files link them to vundo. Let's do this.

Pocket KillBox

Author: Option^Explicit

License: Freeware

Operating System: Windows

Download Link: http://download.bleepingcomputer.com/spyware/KillBox.exe

File Description:

C:\WINNT\system32\wiwgerwu.ini

C:\WINNT\system32\orutv.ini

C:\WINNT\system32\orutv.ini2

C:\WINNT\system32\vturo.dll.bak

C:\WINNT\system32\voulgouh.tmp

C:\WINNT\system32\wyuinkvh.in

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and save it to your desktop, then run killbox.exe. When it loads, type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; allow it to do so, and hopefully your file will now be deleted.

Also please update MBAM and run a full scan of C again and post the log with a fresh HJT.


Hi Jean,

Here's my reply.

Embedding replies in ****'s ("Nathan Hale's" - after all, he did only have one asterisk for his country).

According to the ComboFix you don't have the recovery console installed.

|

V

*********

I boot from the XP CD to use it

Boot, Enter, don't choose to repair, accept agreement, select installation, press R to repair --- etc.

Done this before for sundry reasons.

Removing MSIE V7 on XP is at http://support.microsoft.com/kb/917964/ (see other links there).

Use of Recovery Console is also there.

Won't attempt to remove IE V7 until you're satisfied we're clean.

*********

I don't use IE unless forced and am not sure what "find" is.

|

V

**********

I agree with you. It doesn't hold a candle to Mozilla.

I've started using Firefox except to download from Microsoft when MSIE is required. Updated to V7 thinking that might cure what appeared to me to be an infected BHO.

Find is Menu, Edit, Find (search for a string on the info in the browser page - Firefox puts it down on the lower left).

**********

IMO Spyhunter is worthless I doubt it would find what we are after.

|

V

**********

I'll remove it when we're done.

McAfee is set to update every night and scans all the time.

Unfortunately, I run with reports off - I can turn them on, but will make no changes unless you direct me to.

**********

Do you have the system set to show all files and folders?

|

V

********

Yes - see Dir's I did below.

********

The ComboFix was run after the scans with those others, right?

|

V

********

Not sure what you're asking here. Per your instructions, I did the following:

1. Turned off Tea Timer.

2. Downloaded and executed combofix.exe

It caused several illegal instruction windows, to which I responded "Close".

3. Ran HJT

Then posted the combofix and HJT logs

************************************

My searches on those files link them to vundo.

|

V

***********

OK - For grins, I built and executed a bat file containing:

DIR C:\WINNT\system32\wiwgerwu.ini

DIR C:\WINNT\system32\orutv.ini

DIR C:\WINNT\system32\orutv.ini2

DIR C:\WINNT\system32\vturo.dll.bak

DIR C:\WINNT\system32\voulgouh.tmp

DIR C:\WINNT\system32\wyuinkvh.in

Pause

Only vturo shows up. The rest get "File Not Found".

***********

Let's do this.

Download this file and run the killbox.exe file. save to desktop, etc

|

V

**********

Did so - results are:

C:\WINNT\system32\wiwgerwu.ini - This file does not seem to exist.

C:\WINNT\system32\orutv.ini - This file does not seem to exist.

C:\WINNT\system32\orutv.ini2 - This file does not seem to exist.

C:\WINNT\system32\vturo.dll.bak - Success - file was deleted.

C:\WINNT\system32\voulgouh.tmp - This file does not seem to exist.

C:\WINNT\system32\wyuinkvh.in - This file does not seem to exist.

**********

Also please update MBAM and run a full scan of C again and post the log with a fresh HJT.

|

V

************************

Updated MBAM and performed a Full Scan (it found "fake alerts"), then ran HJT.

Logs follow

************************

Malwarebytes' Anti-Malware 1.09

Database version: 574

Scan type: Full Scan (C:\|)

Objects scanned: 113887

Time elapsed: 30 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:28:41 PM, on 3/31/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Ati2evxx.exe

c:\winnt\tsi32\tsircusr.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Intel\Intel

Edited by JeanInMontana
Remove quote no need to quote, save the scroll time.
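When a thread like this one turns on whether an entry MBAM reported as "Quarantined and deleted successfully" is back in the next scan, it helps to parse the logs rather than eyeball them. The following is an added example written for this page, not Malwarebytes' code: it reads the MBAM 1.x text report format seen in the logs pasted above, counts detections per section, and diffs two consecutive scans; both sample logs and the "ExampleTrace" key in them are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Section headings exactly as they appear in the pasted MBAM 1.x reports.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# Header fields worth keeping (the database version shows whether the scan was current).
HEADER_RE = re.compile(
    r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
# One detection line: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Registry Keys"
    item: str      # the key, value, path or process that was flagged
    family: str    # e.g. "Trojan.FakeAlert", "Malware.Trace"
    action: str    # e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (header_fields, [Detection, ...]) for one MBAM 1.x text log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                        # the reports double-space every line
            continue
        m = HEADER_RE.match(line)
        if m and section is None:           # header block precedes all sections
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:                               # "<Section> Infected:" with no count after it
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue                        # summary counts and empty sections
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return header, detections


def count_by_section(detections):
    """Per-section detection counts, comparable to the summary lines MBAM prints."""
    return dict(Counter(d.section for d in detections))


def recurring(earlier, later):
    """Detections present in both scans: an item reported as removed in the earlier
    log that is back in the later one, which points at something re-creating it."""
    seen = {(d.section, d.item.lower()) for d in earlier}
    return [d for d in later if (d.section, d.item.lower()) in seen]


# Constructed sample logs modelled on the reports pasted in this thread; the
# "ExampleTrace" key is made up to show an entry that survives a removal.
SCAN_1 = r"""
Malwarebytes' Anti-Malware 1.09
Database version: 574
Scan type: Full Scan (C:\|)
Registry Keys Infected: 3
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExampleTrace (Malware.Trace) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

SCAN_2 = r"""
Malwarebytes' Anti-Malware 1.10
Database version: 584
Scan type: Full Scan (C:\|)
Registry Keys Infected: 1
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExampleTrace (Malware.Trace) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    h1, d1 = parse_mbam_log(SCAN_1)
    h2, d2 = parse_mbam_log(SCAN_2)
    print("scan 1 (db %s): %s" % (h1["Database version"], count_by_section(d1)))
    print("scan 2 (db %s): %s" % (h2["Database version"], count_by_section(d2)))
    for d in recurring(d1, d2):
        print("came back after removal:", d.item, "[%s]" % d.family)
```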

You're looking clean, how are things running? BTW the IE Tab extension for FF will allow downloads from MS :) I've used it. I'm not saying you should remove Spyhunter, especially if you paid for it, and IMO McAfee isn't a first choice either. It's a resource hog and rarely on the cutting edge of definitions. But they are not the same type of programs either. One is an AV and the other claims to remove spy/adware and other malware. So you did again essentially what KillBox does and no files. Looks like MBAM did get another trojan. So to be sure on those we will do this one.

Please download SDFix.exe from http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer

* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

* Instead of Windows loading as normal, the Advanced Options Menu should appear;

* Select the first option, to run Windows in Safe Mode, then press Enter.

* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.

* Type Y to begin the cleanup process.

* It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.

* Press any Key and it will restart the PC.

* When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

* Finally copy and paste the contents of the results file Report.txt with a new HijackThis log.

Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.

Also update MBAM and scan again and post that log too please.


Hi Jean, my reply:

You're looking clean, how are things running?

|

V

You're right, it's looking real good, thanks to you Jean.

Running fine (no more MSIE unwanted popups).

I assume the new stuff MBAM found was quarantined by SDFix?

WinPatrol is telling me, however, that files with .reg are being reassociated with regedit.exe %1 %* from regedit.exe%1. Let's let that go for now though.

BTW the IE Tab extension for FF will allow downloads from MS I've used it.

|

V

I'll check it out, thanks.

I'm not saying you should remove Spyhunter, if you paid for it especially and IMO McAfee isn't a first choice either. It's a resource hog and rarely on the cutting edge of definitions. But they are not the same type of programs either. One is an AV and the other claims to remove spy/adware and other malware. So you did again essentially what KillBox does and no files.

|

V

Haven't paid for Spyhunter, or Malware Terminator, or WinPatrol, or Kerio Firewall or McAfee. McAfee is provided by my company, I use this machine to access their "intranet", and they think that keeps them safe - corporate types, don't you know - (also running McAfee's Malware detector - so much for it, huh?). I think I'll keep WinPatrol, because it tells me if the registry has been changed, etc, and perhaps Malware Terminator because it asks before any program can run (once), and have used Kerio for so long I can't do without it (great TCP/IP traffic/connection monitor, which, incidentally, I write for mainframes - I am indeed a software engineer, although I call myself a programmer. Basic Assembler Language - learned in 1967, and still using). I'll either buy MBAM or make a contribution to your favorite charity, or whatever, as you wish, when we're done with this. BTW, I've been using "PC's" since an Altair (running CPM, Wordstar, BBS software and VisiCalc) I built in the mid '70's - never been infected before. Was sick with the flu a couple of weeks ago and downloaded every wav to midi converter I could find on the internet. Would normally have done that on my test machine downstairs, but I was sick. That's my story and I'm sticking to it. Got it through one of those, no doubt. Can send you a list of what I downloaded if there's any interest. Trying to learn how to play "You Are My Flower" like the Nitty Gritty Dirt Band does (yeah, who cares?!).

Looks like MBAM did get another trojan.

|

V

Roger.

Download, run SDFix and provide log

|

V

Ran Successfully (although I had to turn off McAfee to extract and run Process.exe). Log is below.

Execute HJT and post log.

|

V

Ran successfully. Log is below.

Update MBAM, perform (full) scan and post that log.

|

V

Full Scan ran successfully. It didn't like some files (but they were quarantined already). Log is below.

Note that during the MBAM scan, McAfee deleted the following files (I wised up and turned on reporting).

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.GAM2\DESKTOP.GAM\VIRUS REMOVAL TOOLS\SDFIX\SDFIX\APPS\PROCESS.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{982131D0-7B68-4723-AB1B-99B9CD45E809}\RP3\A0000574.EXE

Sorry, but I had a senior moment, dumbed down and forgot to disable its "On Access Scan" before running MBAM.

SDFix: Version 1.165

Run by Administrator on Tue 04/01/2008 at 08:18 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\ADMINI~1.GAM\Desktop.GAM\VIRUSR~2\SDFix\SDFix

Checking Services :

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-01 20:23:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]


scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Nortel Networks\\Extranet.exe"="C:\\Program Files\\Nortel Networks\\Extranet.exe:*:Enabled:Contivity VPN Client"

"C:\\Program Files\\LapLink Gold\\laplink.exe"="C:\\Program Files\\LapLink Gold\\laplink.exe:*:Enabled:LapLink Gold Core Component"

"C:\\Program Files\\LapLink Gold\\LLServerMain.exe"="C:\\Program Files\\LapLink Gold\\LLServerMain.exe:*:Enabled:LLHttpServ Componenet"

"C:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"="C:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe:*:Enabled:Kerio Personal Firewall Engine"

"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"

"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Communicator"

"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\DOCUME~1\ADMINI~1.GAM\Desktop.GAM\VIRUSR~2\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 2 Jun 2007 12 A..H. --- "C:\WINNT\ecf.sys"

Sat 2 Jun 2007 12 A..H. --- "C:\WINNT\esr.sys"

Sat 2 Jun 2007 12 A..H. --- "C:\WINNT\et.sys"

Sat 2 Jun 2007 12 A..H. --- "C:\WINNT\~mem001.sys"

Sat 2 Jun 2007 12 A..H. --- "C:\WINNT\~memsys.tmp"

Tue 7 Sep 1999 19,456 ...H. --- "C:\ADG\ADG_CERT\~WRL0001.tmp"

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Tue 10 Apr 2007 1,024 A..HR --- "C:\WINNT\system32\NTICDMK32.dll"

Thu 19 Jul 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\DRMv1.bak"

Sat 20 Jan 2001 763 A.SHR --- "C:\PRGS\UTILS\Norton\AUTOEXEC.TMP"

Sat 20 Jan 2001 317 A.SHR --- "C:\PRGS\UTILS\Norton\CONFIG.TMP"

Thu 27 Mar 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"

Fri 16 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\Cache\Indiv01.tmp"

Wed 5 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\Cache\Indiv02.tmp"

Wed 26 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\Cache\Indiv03.tmp"

Sat 20 Jan 2001 763 A.SHR --- "C:\PRGS\TRAYDATE\UTILS\Norton\AUTOEXEC.TMP"

Sat 20 Jan 2001 317 A.SHR --- "C:\PRGS\TRAYDATE\UTILS\Norton\CONFIG.TMP"

Sat 12 May 2007 488,176 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\7f9ed00b8ab9f384a670920f20096ec5\BIT10.tmp"

Sat 12 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT11.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:33:34 PM, on 4/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Ati2evxx.exe

c:\winnt\tsi32\tsircusr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\drivers\trcboot.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINNT\System32\drivers\ldlcserv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Personal Communications\PCS_AGNT.EXE

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\system32\oodag.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINNT\system32\PnkBstrA.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINNT\System32\TSIRCSRV.EXE

C:\Program Files\Intel\Intel

Edited by JeanInMontana
DO NOT QUOTE PLEASE, USE REPLY ONLY.

Please don't use the quote feature for your replies. Love Nitty Gritty.

WinPatrol is telling me, however, that files with .reg are being reassociated with regedit.exe %1 %* from regedit.exe%1. Let's let that go for now though.

I'm not on my own PC and can't look at what this might be in WinPatrol. However, anything to do with the registry can be malware. Did this happen during any of the scans?

I can't find 'Malware Terminator' in a Google search. Please give program details, the company behind it etc. If it's Spyware Terminator, it is not something to keep IMO. Win Patrol is great and a keeper on any system.

The music programs probably are where you got the infection and if you still have them, or the one that infected you it needs to go.

The SDFix log doesn't look right. The reg keys have no names and text is wrapped. MBAM is finding Vundo in ComboFix quarantine it looks like. Delete all files associated with ComboFix [I should have said this. Sorry]. Clear any quarantine in MBAM, shut down McAfee and rescan with MBAM full scan of C after update please, there is a new version. Once again the HJT log is always last. You have it before MBAM's scan. I don't see anything new in it. I do think we should see another MBAM with all the other tools and associated files gone.


Hello again Jean,

Replies follow ...

As to "Please don't use the quote feature for your replies. Love Nitty Gritty."

|

V

Sorry, pushed the wrong button, I guess. I'm a complete neophyte in the use of these forums.

I'm not on my own PC and can't look at what this might be in WinPatrol. However, anything to do with the registry can be malware. Did this happen during any of the scans?

|

V

Happened a few minutes after I ran MBAM. If I deny the change, it occurs again in a few minutes as if a running process has struck a timer. Keeps popping up until I say OK (just to shut it up). I'll see if it happens again when I've run MBAM again (as of the end of this post, it hasn't happened again).

I can't find 'Malware Terminator' in a Google search. Please give program details, the company behind it etc. If it's Spyware Terminator, it is not something to keep IMO.

|

V

Sorry, it is Spyware Terminator. Malwarebytes' home page says "Malwarebytes' Anti-Malware monitors every process and stops malicious processes before they even start". I assume that's in the purchased product. Does it notify you before a process starts (as Spyware Terminator does)? Do you run the "purchased" version of Malwarebytes'?

Win Patrol is great and a keeper on any system.

|

V

I agree. Good augment to Task Manager and Kerio Personal Firewall (which notifies you of any attempt to access remote IP addresses, or attempts from remote IP addresses to access your local system). You have to authorize each and every in/out connection (once). But it misses accesses via IP addresses you've previously "allowed", such as HTML, FTP, etc, so malware can masquerade using those IP addresses.

The music programs probably are where you got the infection and if you still have them, or the one that infected you, it needs to go.

|

V

I agree. The ones I downloaded and installed have been removed and release stuff deleted. Been listening to Nitty Gritty before they wuz them. That is, I've been listening to (and playing) AP Carter's stuff since the early '50s.

The SDFix log doesn't look right. The reg keys have no names and text is wrapped. MBAM is finding Vundo in ComboFix quarantine it looks like.

|

V

I'm "selecting all", then "copying", and pasting from its log. Don't know what's up with it.

Delete all files associated with ComboFix ... etc.

|

V

1. Deleted all files associated with ComboFix - done.

2. Deleted all quarantine in MBAM. - done.

3. Shut down McAfee - done

4. Update MBAM - done.

5. Rescan C (full) with MBAM - done.

6. Post MBAM log - done.

7. Run HJT - done.

8. Post HJT log. - done.

|

V

Hope I did it in the right order this time !!!

Malwarebytes' Anti-Malware 1.10

Database version: 584

Scan type: Full Scan (C:\|)

Objects scanned: 112469

Time elapsed: 19 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:06:42 PM, on 4/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Ati2evxx.exe

c:\winnt\tsi32\tsircusr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\drivers\trcboot.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINNT\System32\drivers\ldlcserv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Personal Communications\PCS_AGNT.EXE

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\system32\oodag.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINNT\system32\PnkBstrA.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINNT\System32\TSIRCSRV.EXE

C:\Program Files\Intel\Intel

Edited by JeanInMontana
To remove quotes.

1. You must be using the "Reply" button just below the post. Scroll just a tad farther and you will see 3 buttons in a row: fast reply, reply and new topic. The one in the middle is most likely what you want. It has the tags and allows the use of quotes, rather than what you're doing now with the arrows and what I said in plain text. The point of the request was to reduce the size of the post and scroll time. I really don't need a repeat of what I said.

Spyware Terminator is crapware IMO. The program was once listed as a rogue, or software using any number of tactics to goad the user into buying; amongst these tactics are false positives and actually infecting the user. You managed to pick two programs that do a dance just this side of the definite rogue line.

Yes I have the full version of MBAM, and yes the full time monitoring is what you pay for when you buy the program. There is a trial link in my signature for the full version. I am also an affiliate for MBAM and RogueRemover Pro.

I also use the paid version of WinPatrol it is a superb program in either version and backed with top notch customer service and developer ethics to be admired.

MBAM says you're clean, I can't see anything in the last HJT log that was not broken up with formatting. I think you're clean.

We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts


This topic is now closed to further replies.