Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware/vundo removal help [RESOLVED]

Started by jimbo13 , Feb 19 2008 08:45 PM

  • This topic is locked This topic is locked

#1
jimbo13
Posted 19 February 2008 - 08:45 PM

jimbo13

    New Member

  • Member
  • Pip
  • 8 posts
Hi, I am new to the forum.

I am working to clear a friends computer of a spyware/malware infection. I have gotten most of it cleaned, however, at least part of what's left is Vundo. In addition to this infection, the icon for the main drive of the computer (C drive) has been changed to a red X.

Before posting here, I read the malware cleaning guide post. As I previously mentioned I was successful at removing some of the infection. I have run (and now installed) McAfee A.V.S. I have also run super anti spyware, AVG anti spyware, Vundo fix (removes infected files, but they come back after reboot), and Panda online virus scan. I ran windows update and removed the old version of Java. I planned to wait to install the new Java until after the computer was cleaned.

Your help with ridding this computer of its infection is greatly appreciated.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:43 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\Lemon Head.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweath...0...&traveler=0
O2 - BHO: (no name) - {4AF18912-3879-4890-8CD4-17B3230A405D} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [8cc9f3be] rundll32.exe "C:\WINDOWS\system32\dgbcxlgu.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 4248 bytes

Thanks in advance for your help
  • 0

Advertisements

#2
kahdah
Posted 19 February 2008 - 09:04 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello jimbo13

Welcome to G2Go. :)
================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
jimbo13
Posted 20 February 2008 - 08:26 AM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
O.K. I ran combofix and hijackthis. Here are the logs:

ComboFix 08-02-20.2 - Marty 2008-02-20 8:56:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.52 [GMT -5:00]
Running from: C:\Documents and Settings\Marty\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddabc.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Marty\Application Data\STEM32~1
C:\Documents and Settings\Marty\Application Data\STEM32~1\??stem32\
C:\Documents and Settings\Marty\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Marty\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Marty\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agomkjhu.dll
C:\WINDOWS\system32\bbdlgkit.dll
C:\WINDOWS\system32\bdfnffwl.dll
C:\WINDOWS\system32\bmmmmmms.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\dgbcxlgu.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\fjxqkalx.dll
C:\WINDOWS\system32\kcaqcghf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\onnnupjq.ini
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\uglxcbgd.ini
C:\WINDOWS\system32\xcogebof.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-17 23:40 . 2008-02-17 23:40 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-02-17 23:38 . 2008-02-17 23:38 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-17 23:34 . 2008-02-17 23:34 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-17 23:25 . 2008-02-17 23:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-17 23:25 . 2008-02-17 23:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-17 22:48 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-17 22:48 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-17 22:48 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-17 22:48 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-17 22:48 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-17 22:48 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-17 22:48 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-17 22:48 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-17 22:48 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-17 10:30 . 2008-02-17 10:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-16 18:19 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-16 18:11 . 2008-02-18 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 18:11 . 2008-02-17 23:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 18:11 . 2008-02-17 23:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 18:11 . 2008-02-17 23:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 16:42 . 2008-02-16 16:42 <DIR> d-------- C:\Documents and Settings\Marty\Application Data\Grisoft
2008-02-16 16:42 . 2008-02-16 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 16:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-14 18:13 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-14 18:13 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-02-14 18:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-14 13:43 . 2007-03-08 10:36 577,536 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-02-14 13:41 . 2008-02-14 13:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-13 17:16 . 2008-02-18 00:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-13 17:16 . 2008-02-13 17:16 <DIR> d-------- C:\Documents and Settings\Marty\Application Data\SUPERAntiSpyware.com
2008-02-13 17:16 . 2008-02-13 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-13 17:15 . 2008-02-13 17:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 10:03 . 2008-02-17 22:39 <DIR> d-------- C:\VundoFix Backups
2008-02-11 13:30 . 2008-02-11 13:33 4,792 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-11 13:27 . 2005-07-17 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-11 13:27 . 2005-07-17 10:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-02-11 13:27 . 2005-07-17 10:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-11 13:16 . 2008-02-19 21:35 <DIR> d-------- C:\hijack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 08:28 --------- d-----w C:\Program Files\iTunes
2008-02-15 02:40 --------- d-----w C:\Program Files\Symantec
2008-02-14 23:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-13 21:02 --------- d-----w C:\Program Files\RcvSystem
2008-02-13 14:03 --------- d-----w C:\Program Files\Dell Support
2008-01-21 16:02 --------- d-----w C:\Program Files\QuickTime
2008-01-04 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-04 20:49 --------- d-----w C:\Program Files\McAfee
2008-01-04 20:49 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2008-01-04 20:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-04 12:29 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-26 14:50 --------- d-----w C:\Program Files\iPod
2007-12-26 14:50 --------- d-----w C:\Documents and Settings\Marty\Application Data\Apple Computer
2007-12-26 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-26 14:47 --------- d-----w C:\Program Files\Apple Software Update
2007-12-26 14:46 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-26 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.
<pre>
----a-w		 1,404,928 2008-02-13 18:03:48  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			81,920 2008-02-13 18:04:28  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   221,184 2008-02-13 18:03:55  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w		   218,240 2008-01-05 21:26:42  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w			86,016 2008-02-11 18:43:11  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w		   306,688 2008-02-13 13:59:39  C:\Program Files\Dell Support\DSAgnt .exe
----a-w			49,152 2008-02-13 15:46:07  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
----a-w		   233,472 2008-02-11 18:43:17  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   221,184 2008-02-13 18:03:49  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   267,048 2008-02-16 21:38:20  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   136,768 2008-02-13 15:46:15  C:\Program Files\McAfee\Common Framework\UdaterUI .exe
----a-w		   112,216 2008-02-13 15:46:14  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT .EXE
----a-w		 1,694,208 2008-02-13 14:06:58  C:\Program Files\Messenger\msmsgs .exe
----a-w			53,248 2008-01-03 21:35:46  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
----a-w		   286,720 2008-02-11 22:53:04  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-02-11 22:53:05  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-02-11 22:53:05  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-02-11 22:53:06  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-02-11 22:53:08  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-02-11 22:53:09  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-02-11 22:53:11  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-02-11 22:53:12  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-02-11 22:53:13  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-02-11 22:53:13  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   286,720 2008-02-11 22:53:14  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-02-11 22:53:14  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-02-11 22:53:15  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-02-11 22:53:15  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-02-11 22:53:16  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-02-11 22:53:16  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-02-11 22:53:16  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-02-11 22:53:17  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-02-11 18:43:00  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w			15,360 2008-02-18 04:40:59  C:\WINDOWS\system32\ctfmon .exe
----a-w		   126,976 2008-02-11 18:42:47  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-02-11 21:46:25  C:\WINDOWS\system32\igfxtray .exe
----a-w		   127,035 2008-02-11 21:46:31  C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w		   176,128 2008-02-11 21:46:52  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-20 08:51 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ ]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-02-20 09:02 112216]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 15:14:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 09:09:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2008-02-20 9:13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 14:13:43
.
2008-02-20 02:40:07 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:41 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\hijack\Lemon Head.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweath...0...&traveler=0
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 3818 bytes
  • 0

#4
kahdah
Posted 20 February 2008 - 08:42 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\Dell\Media Experience\DMXLauncher .exe
C:\Program Files\Dell Support\DSAgnt .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\McAfee\Common Framework\UdaterUI .exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT .EXE
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
C:\Program Files\QuickTime\qttask				  .exe
C:\Program Files\QuickTime\qttask				 .exe
C:\Program Files\QuickTime\qttask				.exe
C:\Program Files\QuickTime\qttask			   .exe
C:\Program Files\QuickTime\qttask			  .exe
C:\Program Files\QuickTime\qttask			 .exe
C:\Program Files\QuickTime\qttask			.exe
C:\Program Files\QuickTime\qttask		   .exe
C:\Program Files\QuickTime\qttask		  .exe
C:\Program Files\QuickTime\qttask		 .exe
C:\Program Files\QuickTime\qttask		.exe
C:\Program Files\QuickTime\qttask	  .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
jimbo13
Posted 20 February 2008 - 12:26 PM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Done! No more red X in place of C drive icon! Here are the logs:

ComboFix 08-02-20.2 - Marty 2008-02-20 13:01:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -5:00]
Running from: C:\Documents and Settings\Marty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marty\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-17 23:38 . 2008-02-17 23:38 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-17 23:34 . 2008-02-17 23:34 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-17 23:25 . 2008-02-17 23:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-17 23:25 . 2008-02-17 23:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-17 22:48 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-17 22:48 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-17 22:48 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-17 22:48 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-17 22:48 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-17 22:48 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-17 22:48 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-17 22:48 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-17 22:48 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-17 10:30 . 2008-02-17 10:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-16 18:19 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-16 18:11 . 2008-02-18 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 18:11 . 2008-02-17 23:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 18:11 . 2008-02-17 23:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 18:11 . 2008-02-17 23:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 16:42 . 2008-02-16 16:42 <DIR> d-------- C:\Documents and Settings\Marty\Application Data\Grisoft
2008-02-16 16:42 . 2008-02-16 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 16:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-14 18:13 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-14 18:13 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-02-14 18:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-14 13:43 . 2007-03-08 10:36 577,536 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-02-14 13:41 . 2008-02-14 13:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-13 17:16 . 2008-02-18 00:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-13 17:16 . 2008-02-13 17:16 <DIR> d-------- C:\Documents and Settings\Marty\Application Data\SUPERAntiSpyware.com
2008-02-13 17:16 . 2008-02-13 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-13 17:15 . 2008-02-13 17:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 10:03 . 2008-02-17 22:39 <DIR> d-------- C:\VundoFix Backups
2008-02-11 13:30 . 2008-02-11 13:33 4,792 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-11 13:27 . 2005-07-17 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-11 13:27 . 2005-07-17 10:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-02-11 13:27 . 2005-07-17 10:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-11 13:16 . 2008-02-20 09:17 <DIR> d-------- C:\hijack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 18:01 --------- d-----w C:\Program Files\QuickTime
2008-02-20 18:00 --------- d-----w C:\Program Files\iTunes
2008-02-20 18:00 --------- d-----w C:\Program Files\Dell Support
2008-02-15 02:40 --------- d-----w C:\Program Files\Symantec
2008-02-14 23:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-13 21:02 --------- d-----w C:\Program Files\RcvSystem
2008-01-04 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-04 20:49 --------- d-----w C:\Program Files\McAfee
2008-01-04 20:49 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2008-01-04 20:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-04 12:29 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-26 14:50 --------- d-----w C:\Program Files\iPod
2007-12-26 14:50 --------- d-----w C:\Documents and Settings\Marty\Application Data\Apple Computer
2007-12-26 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-26 14:47 --------- d-----w C:\Program Files\Apple Software Update
2007-12-26 14:46 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-26 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.
<pre>
----a-w		   286,720 2008-02-11 22:53:14  C:\Program Files\QuickTime\qttask	   .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2008-02-13 08:59 306688]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-02-13 09:06 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-20 08:51 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-02-13 13:03 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-02-13 13:03 221184]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-02-13 13:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-02-13 13:04 81920]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2008-02-13 10:46 49152]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-02-13 10:46 112216]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 15:14:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 13:08:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2008-02-20 13:16:06 - machine was rebooted [Marty]
ComboFix-quarantined-files.txt 2008-02-20 18:15:57
ComboFix2.txt 2008-02-20 14:13:55
.
2008-02-20 02:40:07 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:34 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\hijack\Lemon Head.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweath...0...&traveler=0
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 4287 bytes
  • 0

#6
kahdah
Posted 20 February 2008 - 05:07 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#7
jimbo13
Posted 20 February 2008 - 07:09 PM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
O.k. I have downloaded the file to the desktop of the affected computer. I have not run it yet. At the bottom of your reply, you instruct me NOT to reboot the computer until you have reviewed the log. The last time I ran combofix, it did not ask if I wanted to reboot or not, it simply rebooted. Should I still drag and drop the Winx-XP file into comobfix and allow it to run?
  • 0

#8
kahdah
Posted 20 February 2008 - 07:10 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes go ahead.
  • 0

#9
jimbo13
Posted 20 February 2008 - 07:35 PM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Done. Haven't rebooted, here is the log:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#10
kahdah
Posted 20 February 2008 - 07:38 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great.

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
    Posted Image

    Refering to the picture above, drag the log it produced into RenV.exe and post the resulting report to your reply.

  • 0

Advertisements

#11
jimbo13
Posted 20 February 2008 - 07:49 PM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Done. Here's the log:

Ran on Wed 02/20/2008 - 20:47:00.60
 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0

  • 0

#12
kahdah
Posted 20 February 2008 - 07:51 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#13
jimbo13
Posted 20 February 2008 - 10:19 PM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
That took a while! Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 20, 2008 11:13:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/02/2008
Kaspersky Anti-Virus database records: 574039
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 101680
Number of viruses found: 3
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 01:57:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\catchme.zip/core.sys Infected: Rootkit.Win32.Agent.sg skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_D1LG3Y71.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_D1LG3Y71.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marty\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Marty\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marty\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marty\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Marty\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marty\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marty\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hijack\backups\backup-20080219-213517-228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\hijack\backups\backup-20080219-213517-989.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\agomkjhu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bbdlgkit.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bdfnffwl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dgbcxlgu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fjxqkalx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-20_ 90831.67.zip/ddabc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-20_ 90831.67.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000006.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000007.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000008.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000010.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000011.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000012.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000013.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000014.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000015.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\change.log Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}(2)\RP282\A0151272.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}(2)\RP282\A0151273.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DB7FC60C-C2D3-4B03-A0D7-FA15BDE7E1E1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#14
kahdah
Posted 20 February 2008 - 10:28 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

    The above procedure will delete and do the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete\uninstall anything that we used that is left over.

Doing the above will remove what is left over in the Kaspersky scan
=======================================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#15
jimbo13
Posted 21 February 2008 - 07:20 AM

jimbo13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sweet!!! Ran combofix unistall, rebooted comptuter; looks good :)

Thanks for all your help!!!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP