
Trojan.Metajuan, Malware.Trace, and Trojan.Agent



Hi. I managed to get infected with AntiVirus 2008, and have been able to remove most of it on my own. However, there are 3 items of malware which reappear every time I remove them. I did some research and it sounds as though it's a common problem. The 3 malware items are...

Trojan.Metajuan

Malware.Trace

Trojan.Agent

However, just recently MalwareBytes stopped finding Trojan.Metajuan and Malware.Trace. I didn't do anything to remove them, they just seem to have disappeared. They were replaced by Trojan.Agent which I hadn't been infected with before.

Here are my logs.

Malwarebytes' Anti-Malware 1.30

Database version: 1416

Windows 5.1.2600 Service Pack 2

11/22/2008 7:55:37 PM

mbam-log-2008-11-22 (19-55-37).txt

Scan type: Quick Scan

Objects scanned: 49274

Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuliwotoga (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

;*******************************************************************************

ANALYSIS: 2008-11-23 00:46:53

PROTECTIONS: 0

MALWARE: 7

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@doubleclick[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.clickbank.net/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.apmebf.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@target[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@atwola[1].txt

01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:28:32 AM, on 11/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America's Army Deploy Client\AADeployClient.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {0658162D-5D22-4D14-AC7A-7C9117F7E7E3} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {85E42802-0731-4B3A-8463-1CEF26739D35} - (no file)

O2 - BHO: (no name) - {92978f32-d9df-4444-97ad-3c52473d0faa} - (no file)

O2 - BHO: (no name) - {9B61D337-2B6B-49FE-BD23-2F812029B8E4} - (no file)

O2 - BHO: (no name) - {A152B8B9-EE56-413D-A0A4-DBE5B8CB2DA6} - (no file)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O2 - BHO: (no name) - {d2a7209a-f098-4054-bd47-e67f5a15afae} - C:\WINDOWS\system32\pamukuhu.dll (file missing)

O2 - BHO: (no name) - {d34be5ba-393e-4d99-860e-726f16ee669c} - (no file)

O3 - Toolbar: (no name) - {5DEF05FD-97CC-4EAE-A4E9-000062CB0C25} - (no file)

O4 - HKLM\..\Run: [switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\mcupdate_1221902523.exe /insfin C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\mcupdate_1221902523.ini

O4 - HKUS\S-1-5-19\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'NETWORK SERVICE')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O20 - AppInit_DLLs: imqrcf.dll bagipo.dll C:\WINDOWS\system32\nobiwuna.dll

O20 - Winlogon Notify: hgGyyxyY - C:\WINDOWS\

O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O24 - Desktop Component 0: Privacy Protection - (no file)

--

End of file - 7327 bytes

Any help is appreciated.

Thanks!!

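A small triage script for the HijackThis log above, added here as an example and not part of the original thread: it scores the O2/O4/O20 lines for the persistence patterns this infection used (rundll32 loading an eight-letter consonant-vowel DLL from system32, Run entries in the LOCAL SERVICE and NETWORK SERVICE hives, a populated AppInit_DLLs value, a Winlogon Notify entry that points at a directory) and collects the names worth cross-checking against the MBAM and OTMoveIt3 results. The sample lines are copied from the posted log; the scoring weights and the DLL name pattern are this example's own heuristics, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {d2a7209a-f098-4054-bd47-e67f5a15afae} - C:\WINDOWS\system32\pamukuhu.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s
O4 - HKUS\S-1-5-19\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: imqrcf.dll bagipo.dll C:\WINDOWS\system32\nobiwuna.dll
O20 - Winlogon Notify: hgGyyxyY - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every dropped DLL named in this thread's logs (humerago, pamukuhu, nobiwuna,
# daharubo, gebojele, ...) is eight lowercase letters alternating consonant and
# vowel. That observation is the heuristic used here; it is an assumption of
# this example, not a general rule.
CV_DLL = re.compile(r"\b((?:[bcdfghjklmnpqrstvwxyz][aeiou]){4})\.dll\b")
RUNDLL = re.compile(r"rundll32(?:\.exe)?", re.IGNORECASE)
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE / NETWORK SERVICE hives
HJT_LINE = re.compile(r"(O\d+|R\d+|F\d+)\s+-\s+(.*)")


@dataclass
class Finding:
    section: str
    score: int
    reasons: list
    line: str


def score_line(line: str):
    """Return a Finding for one HJT line, or None if nothing looks like persistence abuse."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    score, reasons = 0, []
    cv_hits = CV_DLL.findall(body)
    if cv_hits:
        score += 2
        reasons.append("random-looking DLL name(s): " + ", ".join(h + ".dll" for h in cv_hits))
    if section == "O4":
        # rundll32 is also used by legitimate software (NvCpl in this log), so on
        # its own it only raises the score by one.
        if RUNDLL.search(body) and ".dll" in body.lower():
            score += 1
            reasons.append("Run entry uses rundll32 to load a DLL")
        if any(sid in body for sid in SERVICE_SIDS):
            score += 1
            reasons.append("Run entry in a service-account hive")
    elif section == "O2" and "(no name)" in body and "(file missing)" in body:
        score += 1
        reasons.append("nameless BHO whose file is missing")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            score += 2
            reasons.append("AppInit_DLLs loads the listed DLLs into every GUI process")
        if body.startswith("Winlogon Notify:") and body.rstrip().endswith("\\"):
            score += 2
            reasons.append("Winlogon Notify points at a directory, not a DLL")
    return Finding(section, score, reasons, line.strip()) if score else None


def triage(log_text: str):
    """Score every line and return the findings, highest score first (stable order on ties)."""
    findings = [f for f in (score_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: -f.score)


def iocs(findings):
    """Names to cross-check against the MBAM detection and the OTMoveIt3 results."""
    names = set()
    for f in findings:
        names.update(h + ".dll" for h in CV_DLL.findall(f.line))
        if f.section == "O4" and f.score >= 2:
            m = re.search(r"\[([^\]]+)\]", f.line)  # the Run value name, e.g. wuliwotoga
            if m:
                names.add(m.group(1))
    return names


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"{f.score} {f.section} {f.line}\n    " + "; ".join(f.reasons))
    print("cross-check against MBAM/OTMoveIt3:", sorted(iocs(results)))
```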

Hello adoman28.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member adoman28 only. If you are a lurker, do NOT try this on your system!

If you are not adoman28 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

I do not see an antivirus program running on your system. Do you have one? If yes, make sure it is active. If not, get an antivirus program installed as your first priority.

If cost is an issue, you may get Avira AntiVir free edition (for personal non-commercial use)

http://www.free-av.com

=

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

O2 - BHO: (no name) - {d2a7209a-f098-4054-bd47-e67f5a15afae} - C:\WINDOWS\system32\pamukuhu.dll (file missing)

O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s

O4 - HKUS\S-1-5-19\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'NETWORK SERVICE')

O20 - Winlogon Notify: hgGyyxyY - C:\WINDOWS\

O24 - Desktop Component 0: Privacy Protection - (no file)

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Next, we're going to use OTMoveIt3 to remove files.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\WINDOWS\system32\humerago.dll
    C:\WINDOWS\system32\pamukuhu.dll
    :services
    wuliwotoga
    :commands
    [EmptyTemp]
    [start explorer]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Important! Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=

Next, Close all applications and windows.

If you have an older copy of SDFix, delete it now.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.

=

Next: If you have a prior copy of SmitFraudFix, delete it now!

Please download SmitfraudFix (by S!Ri)

  • Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.378 as of this post).

Extract the contents of the zip file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.

1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply along with the Report.txt from above.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected.

=

If you have a prior copy of Combofix, delete it now!

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Reply back with copy of

  • the Report.txt from above,
  • the MBAM report,
  • C:\rapport.txt from SmitFraudFix run,
  • C:\Combofix.txt
  • and a new Hijackthis log {after running a new HJT Scan And Save}
  • and, Tell me, How is your system now?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.


Thanks for your reply Maurice Naggar. Sorry it's taken me a few days to reply, I was out of town.

Anyway, I downloaded and installed the free antivirus program you linked to, I was able to use HJT to fix the items you suggested, and I successfully ran OTMoveIt3, all without difficulty. The OTMoveIt3 log follows.

========== FILES ==========

File/Folder C:\WINDOWS\system32\humerago.dll not found.

File/Folder C:\WINDOWS\system32\pamukuhu.dll not found.

========== SERVICES/DRIVERS ==========

Unable to stop service wuliwotoga .

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

FireFox cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11302008_152701

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

However, that's as far as I got before I ran into problems. I downloaded SDFix.exe, extracted it, and restarted in safe mode. When I run it, it says...

Starting Repairs

Checking Running Processes and Services

After that, the program stalls. My HD light stops blinking, and progress stops.

I decided not to go through any of the other steps you suggested until I okay it with you.

Again, thanks for the help!!


Have plenty (a lot) of patience with the tools I have you use, most especially with SDFix, SmitfraudFix and Combofix.

Even if you do not see any hard drive light activity, the utilities are running.

I would have given at least 30 minutes before thinking SDFix "might" have been stuck.

Please try again running SDFIX in Safe mode (as per prior directions) ---with patience.

If and only if it may get stuck, proceed with the next steps to SmitFraudfix & the next for Combofix.

It is important to keep going forward.


Alright. I completed all the steps that you suggested and everything appears to be gone. ComboFix did the trick. SDFix was getting stuck. I let it run for a good 4 hours and nothing happened. It was the same situation with SmitfraudFix, which I let run overnight, and again, nothing happened.

I already posted the log for OTMoveIt3 above. Here's a new MBAM log.

Malwarebytes' Anti-Malware 1.30

Database version: 1416

Windows 5.1.2600 Service Pack 2

12/3/2008 1:04:08 AM

mbam-log-2008-12-03 (01-04-08).txt

Scan type: Quick Scan

Objects scanned: 46508

Time elapsed: 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here's the ComboFix log.

ComboFix 08-12-01.03 - Alex Doman 2008-12-03 0:44:54.1 - NTFSx86

Running from: c:\documents and settings\Alex Doman\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\INSTALL.LOG

c:\windows\IE4 Error Log.txt

c:\windows\system32\daharubo.dll

c:\windows\system32\drfpsowc.ini

c:\windows\system32\elopaban.ini

c:\windows\system32\gebojele.dll

c:\windows\system32\hmdspebv.ini

c:\windows\system32\javinete.dll

c:\windows\system32\jowofebi.dll

c:\windows\system32\kadageko.dll

c:\windows\system32\nabapole.dll

c:\windows\system32\odamobis.ini

c:\windows\system32\okegadak.ini

c:\windows\system32\patowvfx.ini

c:\windows\system32\pusupuro.dll

c:\windows\system32\result.txt

c:\windows\system32\rprklkyk.ini

c:\windows\system32\sndpqnod.ini

c:\windows\system32\tokivafa.dll

c:\windows\system32\tolataga.dll

c:\windows\system32\tomuzipu.dll

c:\windows\system32\tudopupa.dll

c:\windows\system32\vigalefe.dll

c:\windows\system32\widinole.dll

c:\windows\system32\wurubawu.dll

c:\windows\system32\yipiwopa.dll

c:\windows\system32\yosimanu.dll

.

((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))

.

2008-12-02 02:34 . 2007-09-05 23:22 289,144 --a--c--- c:\windows\system32\VCCLSID.exe

2008-12-02 02:34 . 2006-04-27 16:49 288,417 --a--c--- c:\windows\system32\SrchSTS.exe

2008-12-02 02:34 . 2008-10-01 14:51 87,552 --a--c--- c:\windows\system32\VACFix.exe

2008-12-02 02:34 . 2008-11-29 17:58 82,944 --a--c--- c:\windows\system32\o4Patch.exe

2008-12-02 02:34 . 2008-05-18 20:40 82,944 --a--c--- c:\windows\system32\IEDFix.exe

2008-12-02 02:34 . 2008-11-29 17:58 82,944 --a--c--- c:\windows\system32\IEDFix.C.exe

2008-12-02 02:34 . 2008-08-18 11:19 82,432 --a--c--- c:\windows\system32\404Fix.exe

2008-12-02 02:34 . 2003-06-05 20:13 53,248 --a--c--- c:\windows\system32\Process.exe

2008-12-02 02:34 . 2004-07-31 17:50 51,200 --a--c--- c:\windows\system32\dumphive.exe

2008-12-02 02:34 . 2007-10-03 23:36 25,600 --a--c--- c:\windows\system32\WS2Fix.exe

2008-11-30 22:21 . 2008-11-30 22:21 <DIR> d----c--- c:\documents and settings\Administrator

2008-11-30 22:18 . 2008-12-01 17:48 <DIR> d----c--- C:\SDFix

2008-11-30 15:37 . 2008-11-30 15:37 <DIR> d----c--- c:\windows\ERUNT

2008-11-30 15:23 . 2008-11-30 15:23 <DIR> d----c--- C:\_OTMoveIt

2008-11-30 15:07 . 2008-11-30 15:07 <DIR> d----c--- c:\program files\Avira

2008-11-30 15:07 . 2008-11-30 15:07 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avira

2008-11-20 16:44 . 2008-11-20 16:44 <DIR> d----c--- c:\program files\Trend Micro

2008-11-20 16:40 . 2008-11-20 16:43 <DIR> d----c--- c:\program files\Spybot - Search & Destroy

2008-11-20 16:34 . 2008-11-20 16:34 <DIR> d----c--- c:\program files\Panda Security

2008-11-20 16:34 . 2008-06-19 17:24 28,544 --a--c--- c:\windows\system32\drivers\pavboot.sys

2008-11-18 02:12 . 2008-11-18 23:52 <DIR> d----c--- c:\program files\America's Army Deploy Client

2008-11-18 02:12 . 2008-11-18 02:17 <DIR> d----c--- c:\documents and settings\All Users\Application Data\America's Army Deploy Client

2008-11-05 23:19 . 2008-03-05 15:56 3,786,760 --a--c--- c:\windows\system32\d3dx9_37.dll

2008-11-05 23:16 . 2008-11-05 23:27 <DIR> d--h-c--- c:\windows\msdownld.tmp

2008-11-05 23:16 . 2008-11-05 23:16 <DIR> d----c--- c:\windows\Logs

2008-11-05 18:45 . 2008-11-05 18:55 682,280 --a--c--- c:\windows\system32\pbsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-03 07:40 --------- dc----w c:\program files\Mozilla Thunderbird

2008-12-03 07:15 --------- dc----w c:\documents and settings\Alex Doman\Application Data\FrostWire

2008-12-02 03:40 --------- dc----w c:\program files\PeerGuardian2

2008-12-02 03:40 --------- dc----w c:\documents and settings\Alex Doman\Application Data\uTorrent

2008-11-30 21:30 240 -c--a-w c:\program files\oxvool.txt

2008-11-25 10:43 186 -c--a-w c:\program files\opqhnyth.txt

2008-11-23 02:30 --------- dc----w c:\program files\Malwarebytes' Anti-Malware

2008-11-23 02:06 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-23 02:04 --------- dc----w c:\documents and settings\All Users\Application Data\Norton

2008-11-20 23:41 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-18 09:09 22,328 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-11-18 09:09 107,832 -c--a-w c:\windows\system32\PnkBstrB.exe

2008-11-06 01:55 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-11-06 01:55 22,328 -c--a-w c:\documents and settings\Alex Doman\Application Data\PnkBstrK.sys

2008-11-06 01:55 --------- dc-h--w c:\program files\InstallShield Installation Information

2008-11-06 01:52 --------- dc----w c:\program files\Activision

2008-11-03 11:32 --------- dc----w c:\program files\Symantec

2008-11-03 11:32 --------- dc----w c:\program files\Common Files\Symantec Shared

2008-10-27 17:04 70,992 -c--a-w c:\windows\system32\XAPOFX1_2.dll

2008-10-27 17:04 514,384 -c--a-w c:\windows\system32\XAudio2_3.dll

2008-10-27 17:04 235,856 -c--a-w c:\windows\system32\xactengine3_3.dll

2008-10-27 17:04 23,376 -c--a-w c:\windows\system32\X3DAudio1_5.dll

2008-10-25 05:45 --------- dc----w c:\program files\AbiSuite2

2008-10-22 23:10 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-10-22 23:10 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys

2008-10-18 05:35 --------- dc----w c:\documents and settings\LocalService\Application Data\SACore

2008-10-17 20:05 --------- dc----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2008-10-17 20:01 --------- dc----w c:\program files\Common Files\McAfee

2008-10-17 20:00 --------- dc----w c:\program files\McAfee.com

2008-10-16 09:08 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec

2008-10-16 09:05 --------- dc----w c:\documents and settings\All Users\Application Data\PCSettings

2008-10-16 09:05 --------- dc----w c:\documents and settings\All Users\Application Data\NortonInstaller

2008-10-16 08:45 --------- dc----w c:\program files\GameSpy Arcade

2008-10-16 08:45 --------- dc----w c:\program files\AIM

2008-10-16 08:45 --------- dc----w c:\documents and settings\Alex Doman\Application Data\Symantec

2008-10-16 08:43 --------- dc----w c:\documents and settings\All Users\Application Data\NortonSystemWorks

2008-10-16 08:33 --------- dc----w c:\documents and settings\All Users\Application Data\BVRP Software

2008-10-14 09:51 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-10-14 09:51 --------- dc----w c:\documents and settings\Alex Doman\Application Data\Malwarebytes

2008-10-14 09:24 90,112 ----a-w c:\windows\DUMP2ad8.tmp

2008-10-14 08:49 --------- dc----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-10-14 07:23 --------- dc----w c:\program files\Java

2008-10-10 11:52 452,440 -c--a-w c:\windows\system32\d3dx10_40.dll

2008-10-10 11:52 4,379,984 -c--a-w c:\windows\system32\D3DX9_40.dll

2008-10-10 11:52 2,036,576 -c--a-w c:\windows\system32\D3DCompiler_40.dll

2008-10-08 06:38 --------- dc----w c:\program files\DivX

2008-09-20 09:41 787 -c----w C:\DelUS.bat

2008-09-16 00:12 200,704 -c--a-w c:\windows\system32\ssldivx.dll

2008-09-16 00:12 1,044,480 -c--a-w c:\windows\system32\libdivx.dll

2008-08-24 03:21 24,192 -c----w c:\documents and settings\Alex Doman\usbsermptxp.sys

2008-08-24 03:21 22,768 -c----w c:\documents and settings\Alex Doman\usbsermpt.sys

2002-07-26 22:02 153,088 -c--a-w c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2007-08-31 503808]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-03 8466432]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-03 81920]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-11-02 118784]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"nwiz"="nwiz.exe" [2007-12-03 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Sierra\\FEARCombat\\fpupdate.exe"=

"c:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=

"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=

"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=

"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6VegasServer.exe"=

"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=

"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]

\Shell\AutoRun\command - Z:\Autorun.exe

.

- - - - ORPHANS REMOVED - - - -

BHO-{0658162D-5D22-4D14-AC7A-7C9117F7E7E3} - (no file)

BHO-{85E42802-0731-4B3A-8463-1CEF26739D35} - (no file)

BHO-{92978f32-d9df-4444-97ad-3c52473d0faa} - (no file)

BHO-{9B61D337-2B6B-49FE-BD23-2F812029B8E4} - (no file)

BHO-{A152B8B9-EE56-413D-A0A4-DBE5B8CB2DA6} - (no file)

BHO-{d2a7209a-f098-4054-bd47-e67f5a15afae} - c:\windows\system32\gebojele.dll

BHO-{d34be5ba-393e-4d99-860e-726f16ee669c} - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\

FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-03 00:47:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-12-03 0:49:52 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-03 07:49:50

Pre-Run: 70,832,365,568 bytes free

Post-Run: 70,773,448,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

;

;Warning: Boot.ini is used on Windows XP and earlier operating systems.

;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.

;

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

232 --- E O F --- 2008-09-21 06:54:22

Here's a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:01:43 AM, on 12/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O4 - HKLM\..\Run: [switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O24 - Desktop Component 0: Privacy Protection - (no file)

--

End of file - 6825 bytes

My machine is running significantly faster, the desktop icons that originally disappeared when I got the virus reappeared, and there are no more popup windows when I use my browser. Everything appears to be back to normal.

Thank you SOOOOOO much for your help Maurice Naggar! You helped me out a ton!

There is a bit more to do.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

There's one file that needs to be checked out, and if it is tagged as a trojan or other malware, then delete it.

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==

Use your browser to go here at Viruscan.org website

Click the Browse button and then navigate to C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll, then click the Submit button.

Save the results, and post back here in a reply.

=

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O24 - Desktop Component 0: Privacy Protection - (no file)
Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

Download -- to your Desktop -- JavaRa.Zip from either of these two sites:

http://prm753.bchea.org/click/click.php?id=9
http://www.majorgeeks.com/JavaRa_d5967.html

Unzip the download. This will create a new Folder, JavaRa on your Desktop.
Double click this new Folder to open it, and double click the file within: JavaRa to execute the program.
Click the button: Remove Older Versions.
Agree to the cleanup operation by clicking Yes. After a moment, a notice will appear that a log file has been produced. Click OK. Close the Notepad view that opens.
Click the button: Other Tasks. Choose these options:
Remove Useless JRE Files
Remove Startup Entry
Remove JavaRa Logfile
Click Go. When it finishes, click OK to close the panel, and then Exit the program.
Delete the download, and the unzipped folder and all contents.

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0

Java SE Runtime Environment

Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

  • Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp

> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 11

> Accept the license agreement

> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

  • Tip: You do not have to accept the MSN toolbar. If you do not want it, uncheck the box for MSN toolbar.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

=

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

The MBAM definitions on your system were not the latest. The latest definitions (database) version is 1454.

Start MBAM. Press the Update tab.

Press the "Check for Updates" button.

After it is updated, press the Scanner tab and do a FULL scan.

Reply with the new MBAM log.


Alright.

VirusTotal.com Results

VirusScan.org Results

New MBAM Log

Malwarebytes' Anti-Malware 1.30

Database version: 1455

Windows 5.1.2600 Service Pack 2

12/3/2008 3:58:58 PM

mbam-log-2008-12-03 (15-58-58).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 92103

Time elapsed: 29 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000149.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000150.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nobiwuna.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

Still infected :).

Thanks as always!


You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    c:\windows\msdownld.tmp


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

The last 3 files tagged were not active. 2 were in restore points, which will be cleared later, and 1 was already renamed.

I'd like for you to do an online scan at ESET.

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Delete the prior copy of SmitFraudFix.exe and get a new (latest) version.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.

It's very important that you be using the most recent version (v2.381 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:

Double click the SmitFraudfix.exe file. It will create a folder named SmitfraudFix on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".

Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, had been infected

- - -

Please reply with copy of the Eset scan log, the content of C:\rapport.txt into your next reply along with a fresh HJT log. And tell me, How is your system now?


OTMoveIt3 Log

========== FILES ==========

c:\windows\msdownld.tmp moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12052008_001207

Eset Scan Log

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3665 (20081204)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=5d74632a84d08b4d9d70f49abcc332dd

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2008-12-05 07:51:40

# local_time=2008-12-05 12:51:40 (-0700, Mountain Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=246455

# found=2

# scan_time=1545

C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000157.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000159.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000

rapport.txt

SmitFraudFix v2.381

Scan done at 0:57:02.46, Fri 12/05/2008

Run from C:\Documents and Settings\Alex Doman\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


One small adjustment and then we are finished.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Please download OTMoveIt3 by OldTimer: http://oldtimer.geekstogo.com/OTMoveIt3.exe
    1. Save it to your desktop.
    2. Please double-click OTMoveIt3.exe to run it.
    3. Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
    4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  • Check in at Windows Update and install any Critical Updates offered.
  • Download and Install Windows Defender by Microsoft (free) if you do not already have it:
    http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  • Make certain that Automatic Updates is enabled.
    • How to configure and use Automatic Updates in WinXP:
    http://support.microsoft.com/kb/306525

  • Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html
  • Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  • I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
    See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
    That would help to keep your browser away from known spyware/malware sites.
  • Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  • On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
    Kaspersky Webscan Online Virus Scanner
    ESET Online Scanner
    Panda ActiveScan?
    Trend Micro Housecall
    F-Secure Online Scanner
  • Read Tony Klein's article How Did I Get Infected In The First Place
  • Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe!

Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are finished. All the best.

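Added example, not part of this thread and not code from HijackThis, ComboFix or any other tool named above: a small Python triage script that applies the rules the helper used when choosing which HJT lines to "Fix Checked" (entries marked "(no file)" / "(file missing)", services whose binary sits in a Temp directory) plus one weak heuristic of my own for rundll32 entries that load a DLL with a pseudo-random lowercase name, in the style of the wuliwotoga / gebojele names in the earlier logs. The sample log embedded in the script is constructed: most lines are copies of entries posted above, but the [wuliwotoga] O4 line is made up for the demo and never appeared in the user's logs.

```python
"""Triage a HijackThis (HJT) log the way a helper reads it.

Added example for this thread, not part of the original posts or of any tool
mentioned in them. It flags entries that (a) point at a file that no longer
exists, (b) run from a temporary directory, or (c) load a DLL with a
pseudo-random lowercase name through rundll32 (a weak heuristic, my own,
modelled on names such as wuliwotoga / gebojele seen in the logs above).
"""
import re
from typing import Dict, List

# Markers HJT prints when the registered path does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# "O2 - BHO: ..." / "O23 - Service: ..." etc. -> (section, body)
HJT_LINE_RE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")

# Any path component named Temp (also covers ...\LOCALS~1\Temp\... 8.3 forms).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# rundll32 [.exe] ["]<path>.dll -> capture the DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)', re.IGNORECASE)

# Heuristic: 6-12 lowercase letters, no digits, no vendor capitalisation.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,12}\.dll$")


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) to flag one HJT log line."""
    reasons: List[str] = []
    match = HJT_LINE_RE.match(line.strip())
    if not match:
        return reasons  # headers, the process list, blank lines
    section, body = match.groups()

    if body.rstrip().endswith(ORPHAN_MARKERS):
        reasons.append("orphaned entry: registered object has no file on disk")

    if TEMP_DIR_RE.search(body):
        reasons.append("target lives in a temporary directory")

    if section == "O4":
        dll = RUNDLL_RE.search(body)
        if dll:
            dll_name = dll.group(1).rsplit("\\", 1)[-1]
            if RANDOM_DLL_RE.match(dll_name):
                reasons.append(
                    f"rundll32 loads DLL with pseudo-random name {dll_name} (heuristic)"
                )
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log; return one finding per flagged line, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(
                {"section": raw.strip().split()[0], "line": raw.strip(), "reasons": reasons}
            )
    return findings


# Constructed sample in the shape of the HJT log above. The [wuliwotoga] O4 line
# is made up for the demo (it joins the Run value name and the orphaned BHO DLL
# from the earlier logs); the other lines are copies of posted entries.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\gebojele.dll",s
O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "->", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

Run it as-is to see the four flagged lines (the orphaned O2 BHO, the constructed O4 rundll32 entry, the McAfee O23 service that is both missing and registered under a Temp path, and the O24 desktop component). The NvCplDaemon entry is included on purpose: it also goes through rundll32, but the vendor DLL name does not match the lowercase-only heuristic, so it is left alone. Treat the heuristic as a prompt to look closer, not as a verdict; the orphan and Temp-path rules are the ones that justify a "Fix Checked".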

I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
http://www.malwarebytes.org/forums/index.php?showtopic=2936