Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vundo Infection But Not Sure


  • Please log in to reply

#1
newbiefollies

newbiefollies

    Member

  • Member
  • PipPip
  • 23 posts
Hi! I’m completely new here with a request for help to remove malware from my laptop running Windows XP SP2.
The problems started a few days ago when I tried to download what I thought was a Thai language learning program from Limewire. An MP3 player got downloaded instead. I uninstalled it through the control panel but started getting popups when connecting to the net. One popup has www.wwwamnc1.com/fallback.php in the addressbar, the other [h**p://happyromantic.com/pop_install.php"]h**p://happyromantic.com/pop_install.php[/url]. The 1st is a blank window; the 2nd has a picture with “Click here. Then click run.”
I downloaded an adware & spyware removal program called Spycatcher & did a deep scan. It found WinAntiSpyware & WhistleSoftware & quarantined them but the popups continue.
In addition, when I reboot my machine I get a Spycatcher Alert window which says that a device or hook is trying to install & that this could be a rootkit. I click on the “Disallow installation” button & continue.
I ran Avast Home with latest updates, both normally as well as in Safe Mode & ran Spycatcher again in Safe Mode but it didn’t help.
A nephew deleted a couple of registry entries which had wwwamc1 & happyromantic in them but this too was of no avail.
I also discovered a new file called ~$_letterhead.doc (which I have not created) in one of my folders. This file has some text, many small empty square boxes & some weird symbols like ì & €.
Avast Home is also warning me of a “DCOM exploit attack from” followed by some numbers.
I thought of using Vundo Fix & VertumundoBegone & then posting a Hijackthis log but since I am a complete newbie I thought it better to ask for expert advice first.
Any help will be sincerely appreciated.
I would also like to mention that I will be traveling from 3rd to 14th April & will not be able to access my machine during this period.
Thanks in advance.

Edited by steamwiz, 29 March 2008 - 08:33 AM.

  • 0

Advertisements


#2
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
HI

Post a hijackthis log first ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingc...to-use-combofix

steam
  • 0

#3
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi steamwiz!
Thanks a ton for your reply.
Here is my HijackThis log.
Before I got your reply, I used ATF Cleaner, created a new system restore point & flushed old & also scanned with AVG antispyware in safe mode.
However when I selected the Reports icon, it said no reports available & the save report as button was greyed out.
I am typing out the report below.

Result Preview
Threat TrackingCookie.Netflame, Risk Medium
Threat Not-A-Virus.Adware.Agent, Risk Low
1 trace detected in the following location:
2 objects found (3 traces)
:mozilla.8:C:\Documents and Settings\Arun\Application

When I clicked on apply all actions I got the following message

The file D:\music_26_12_07\pimleur thai.zip\setup.exe cannot be removed because it is buried in the archive D:\music_26_12_07\pimleur thai.zip. Do you want to remove the whole archive?

I clicked on yes & got the message all actions completed.

I am now going to follow the rest of your advice. Thanks once again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:42 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.relianceb...band.co.in/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-2.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe (file missing)

--
End of file - 8427 bytes
  • 0

#4
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi steamwiz!
Here is my Kasper Online Scan report & below that my Combofix log.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 2:12:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/03/2008
Kaspersky Anti-Virus database records: 673066
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 56508
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:47:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Arun\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm61.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm71.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm81.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm82.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm83.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temp\fnm84.tmp Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Arun\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arun\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Arun\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A1B6D6E5-5398-4225-95EF-6F852DFEFCE0}\RP536\A0033566.dll Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{A1B6D6E5-5398-4225-95EF-6F852DFEFCE0}\RP536\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DAC00B17-BDE1-442C-839F-5837DB806350}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_550.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

ComboFix 08-03-30.1 - Arun 2008-03-30 15:31:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT 5.5:30]
Running from: C:\Documents and Settings\Arun\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 12:56 . 2008-03-30 12:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 12:56 . 2008-03-30 12:56 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-30 12:56 . 2008-03-30 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 10:18 . 2008-03-30 10:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 17:28 . 2008-03-29 17:28 <DIR> d-------- C:\Documents and Settings\Arun\Application Data\Grisoft
2008-03-29 17:27 . 2008-03-29 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 17:27 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-22 15:00 . 2008-03-22 15:00 <DIR> d-------- C:\tally
2008-03-22 14:14 . 2008-03-22 14:14 36 --a------ C:\WINDOWS\system32\826O.dat
2008-03-22 12:09 . 2008-03-22 12:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-22 12:06 . 2008-03-22 12:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Tenebril
2008-03-16 10:54 . 2008-03-16 10:54 <DIR> d-------- C:\Documents and Settings\Arun\Application Data\Tenebril
2008-03-16 10:47 . 2008-03-16 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-03-16 10:46 . 2008-03-16 10:46 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2008-03-16 10:46 . 2008-03-16 10:46 <DIR> d-------- C:\Program Files\SpyCatcher
2008-03-16 10:46 . 2007-05-07 11:39 1,103,944 --a-s---- C:\WINDOWS\system32\Protector.dll
2008-03-16 10:46 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2008-03-16 10:46 . 2007-05-07 11:39 169,544 --a-s---- C:\WINDOWS\system32\SecuLoad.dll
2008-03-16 10:46 . 2007-05-07 11:42 40,960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2008-03-14 16:48 . 2008-03-15 10:20 <DIR> d-------- C:\Program Files\InternetProgram
2008-03-14 16:48 . 2008-03-28 10:23 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-03-14 16:48 . 2008-03-14 16:48 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-03-11 13:25 . 2008-03-11 13:25 <DIR> d-------- C:\Program Files\iPod
2008-03-11 13:24 . 2008-03-11 13:25 <DIR> d-------- C:\Program Files\iTunes
2008-03-11 13:23 . 2008-03-11 13:23 <DIR> d-------- C:\Program Files\Bonjour
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-11 13:05 . 2008-03-30 09:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 13:05 . 2008-03-11 13:05 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 11:20 --------- d-----w C:\Program Files\LimeWire
2008-03-11 07:53 --------- d-----w C:\Program Files\QuickTime
2008-03-11 07:51 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 12:08 --------- d-----w C:\Documents and Settings\Arun\Application Data\Canon
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-01-03 06:51 18,408 ----a-w C:\Documents and Settings\Arun\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30}]
C:\Program Files\InternetProgram\InternetProgram-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 21:54 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-27 05:45 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-27 05:45 536576]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 14:16 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 14:03 118784]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 13:50 274432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 09:29 729088]
"YeppStudioAgent"="C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-10-16 12:05 103864]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 02:48 443968]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2008-03-16 10:46:26 86133]

C:\Documents and Settings\Arun\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2008-03-16 10:46:26 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2008-03-16 10:46:26 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S2 Tally License Server;Tally License Server (NT);C:\Tally\tallylicserver.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dd59b25-68c8-11dc-9559-00c09f4564e1}]
\Shell\Auto\command - F:\recycled\SVCH0ST.EXE
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL recycled\SVCH0ST.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb388a11-d166-11dc-95b9-00c09f4564e1}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 07:51:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 15:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????r?e??????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 15:33:10
ComboFix-quarantined-files.txt 2008-03-30 10:02:55
Pre-Run: 12,071,886,848 bytes free
Post-Run: 12,061,470,720 bytes free
.
2008-03-15 13:12:53 --- E O F ---

Thanks in advance for all the help.
  • 0

#5
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
Hi

There's no sign of vundo ...

Your computer does look remarkably clean... just a few odd items to clean up ...

The install file for the "Thai language learning program" which turned out to be "An MP3 player" was deleted by AVG ...

KASPERSKY found one infected restore point ... you'll need to purge system restore again to remove that ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\826O.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dd59b25-68c8-11dc-9559-00c09f4564e1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb388a11-d166-11dc-95b9-00c09f4564e1}]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

ALSO ...

Run hijackthis ...

Click Open the Misc tools section

Click open uninstall manager

Click save list

save the uninstall_list.txt to your desktop

Copy & past the list in your next post here ...

steam
  • 0

#6
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks again steamwiz.
Here are the contents of Combofix.txt & uninstall_list.txt.
ComboFix 08-03-30.1 - Arun 2008-04-02 15:30:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT 5.5:30]
Running from: C:\Documents and Settings\Arun\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arun\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\826O.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\826O.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-03-30 12:56 . 2008-03-30 12:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 12:56 . 2008-03-30 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 10:18 . 2008-03-30 10:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 17:28 . 2008-03-29 17:28 <DIR> d-------- C:\Documents and Settings\Arun\Application Data\Grisoft
2008-03-29 17:27 . 2008-03-29 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 17:27 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-22 15:00 . 2008-03-22 15:00 <DIR> d-------- C:\tally
2008-03-22 12:09 . 2008-03-22 12:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-22 12:06 . 2008-03-22 12:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Tenebril
2008-03-16 10:54 . 2008-03-16 10:54 <DIR> d-------- C:\Documents and Settings\Arun\Application Data\Tenebril
2008-03-16 10:47 . 2008-03-16 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-03-16 10:46 . 2008-03-16 10:46 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2008-03-16 10:46 . 2008-03-16 10:46 <DIR> d-------- C:\Program Files\SpyCatcher
2008-03-16 10:46 . 2007-05-07 11:39 1,103,944 --a-s---- C:\WINDOWS\system32\Protector.dll
2008-03-16 10:46 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2008-03-16 10:46 . 2007-05-07 11:39 169,544 --a-s---- C:\WINDOWS\system32\SecuLoad.dll
2008-03-16 10:46 . 2007-05-07 11:42 40,960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2008-03-14 16:48 . 2008-03-15 10:20 <DIR> d-------- C:\Program Files\InternetProgram
2008-03-14 16:48 . 2008-03-28 10:23 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-03-14 16:48 . 2008-03-14 16:48 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-03-11 13:25 . 2008-03-11 13:25 <DIR> d-------- C:\Program Files\iPod
2008-03-11 13:24 . 2008-03-11 13:25 <DIR> d-------- C:\Program Files\iTunes
2008-03-11 13:23 . 2008-03-11 13:23 <DIR> d-------- C:\Program Files\Bonjour
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-11 13:20 . 2008-03-11 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-11 13:05 . 2008-04-02 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 13:05 . 2008-03-11 13:05 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 11:20 --------- d-----w C:\Program Files\LimeWire
2008-03-11 07:53 --------- d-----w C:\Program Files\QuickTime
2008-03-11 07:51 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 12:08 --------- d-----w C:\Documents and Settings\Arun\Application Data\Canon
2007-01-03 06:51 18,408 ----a-w C:\Documents and Settings\Arun\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_15.32.47.88 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-02 05:53:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 21:54 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-27 05:45 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-27 05:45 536576]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 14:16 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 14:03 118784]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 13:50 274432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 09:29 729088]
"YeppStudioAgent"="C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-10-16 12:05 103864]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 02:48 443968]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2008-03-16 10:46:26 86133]

C:\Documents and Settings\Arun\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2008-03-16 10:46:26 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2008-03-16 10:46:26 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S2 Tally License Server;Tally License Server (NT);C:\Tally\tallylicserver.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 07:51:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 15:31:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????r?e??????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 15:32:03
ComboFix-quarantined-files.txt 2008-04-02 10:01:54
ComboFix2.txt 2008-03-30 10:03:11
Pre-Run: 12,008,058,880 bytes free
Post-Run: 11,997,245,440 bytes free
.
2008-03-15 13:12:53 --- E O F ---

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
avast! Antivirus
AVG Anti-Spyware 7.5
Bonjour
Broadcom 802.11 Driver
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator 2.0
Canon MP150
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
ClinicGate Basic
Conexant AC-Link Audio
DIGM
Easy-WebPrint
FBrowsingAdvisor
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel® Extreme Graphics 2 Driver
InternetProgram
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Lame ACM MP3 Codec
LimeWire 4.16.6
Macromedia Dreamweaver 8
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
OmniPage SE 2.0
Picasa 2
Pinnacle Hollywood FX for Studio
Quick Launch Buttons 5.00 A5
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
RecordNow!
SamsungMediaStudio
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SmartSound Quicktracks Plugin
SoftV92 Data Fax Modem with SmartCP
Sonic Update Manager
SpyCatcher Express 2007
Synaptics Pointing Device Driver
Teton Viewer
Textbook of Dermatology
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XviD MPEG-4 Video Codec
  • 0

#7
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
Hi

Your logs are clean now ... are you still having any of the problems you mentioned in your first post ?

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... in your case these 2 :-

J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03

Then You can go here and install the latest version of Java.

http://java.sun.com/...loads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 5' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

---
In your first post, you said this :-

"when I reboot my machine I get a Spycatcher Alert window which says that a device or hook is trying to install & that this could be a rootkit."

So I'd like you to run these scans as well please :=

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superanti...efinitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

then... these rootkit scans

Please download Sophos Anti-Rootkit,and save it on your desktop.

http://www.sophos.co...ti-rootkit.html

1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\Program Files\Sophos\Sophos Anti-Rootkit and double-click sargui.exe to start the program.
3. Make sure the following are checked:

- Running processes
- Windows Registry
- Local Hard Drives

4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-

%temp%\sarscan.log

then press Enter.

7. This should open the log from the rootkit scan.

Post the log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted,including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

THEN...

Download AVG Anti-Rootkit and save to your desktop

http://free.grisoft....up-1.1.0.42.exe

1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use notepad to open the .cvs file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

steam
  • 0

#8
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear steamwiz,
Sorry for the delayed response. Here is the Superantispyware Scan Log.
I will be doing the other scans & posting the logs soon.
Thanks.
newbiefollies.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/15/2008 at 06:27 PM

Application Version : 4.0.1154

Core Rules Database Version : 3438
Trace Rules Database Version: 1430

Scan type : Complete Scan
Total Scan Time : 00:46:20

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 5363
Registry threats detected : 0
File items scanned : 56488
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Arun\Cookies\arun@tribalfusion[1].txt
C:\Documents and Settings\Arun\Cookies\arun@ads.bleepingcomputer[2].txt
  • 0

#9
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
Hi

I await your other logs...

steam
  • 0

#10
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear steamwiz,
Here is the Sophos Anti-rootkit scan log. I would like to mention that the popups stopped a long time ago. The Spycatcher Alert window regarding device or hook trying to install had also stopped but started reappearing since yesterday. I will be running the AVG Anti-rootkit shortly.
Thanks for all the help.
newbiefollies.

Sophos Anti-Rootkit Version 1.3.1 (data 1.08) © 2006 Sophos Plc
Started logging on 4/16/2008 at 12:13:16 PM
Stopped logging on 4/16/2008 at 12:14:34 PM


Sophos Anti-Rootkit Version 1.3.1 (data 1.08) © 2006 Sophos Plc
Started logging on 4/16/2008 at 12:17:32 PM
Stopped logging on 4/16/2008 at 12:30:43 PM

Edited by newbiefollies, 16 April 2008 - 01:16 AM.

  • 0

Advertisements


#11
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear steamwiz,
I ran AVG Anti-Rootkit. After I clicked "Search for Rootkits", the scan began. At the end of the scan, I got the following message. Congratulations. There were no installed rootkits found on your computer.
I then clicked "Perform in-depth Search" & 6 rootkits were found. All were hidden files. I have not removed them. I right-clicked & then clicked on "Save to File", but the results did not get saved. So I am typing the contents below.

Rootkit path c:\Documents and Settings\Arun\Application Data\Macromedia\Dreamweaver 8\Confirmation\Menus\Cache\timestamp.xml
Rootkit type Hidden file
Rootkit path d:\car\car_audio\hertz\hl70_1_files\homenews_en_data\caneneroup.htm
Rootkit type Hidden file
Rootkit path d:\car\car_audio\hertz\hsk163_1_files\homenews_en_data\caneneroup.htm
Rootkit type Hidden file
Rootkit path d:\car\car_audio\hertz\ht125_1_files\homenews_en_data\caneneroup.htm
Rootkit type Hidden file
Rootkit path d:\car\car_audio\hertz\hv165_1_files\homenews_en_data\caneneroup.htm
Rootkit type Hidden file
Rootkit path d:\mumbai_hostels\women_files\brick.htm
Rootkit type Hidden file

Please tell me what I should do now.
Thanks a ton.
newbiefollies.
  • 0

#12
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
HI

AVG Anti-Rootkit may see these files as possible rootkit files, but all I see are some hidden files, they don't look anything

like a rootkit to me ...

The Dreamweaver 8 file is OK, it's just a hidden locked file ...

As for the other files which I also think are OK, just hidden ... you can delete them if you don't need them ... just delete

the folders :-

Have a look in the folders & make sure it is nothing you want to keep ...

d:\car\car_audio\hertz\hl70_1_files\homenews_en_data\caneneroup.htm
d:\car\car_audio\hertz\hsk163_1_files\homenews_en_data\caneneroup.htm
d:\car\car_audio\hertz\ht125_1_files\homenews_en_data\caneneroup.htm
d:\car\car_audio\hertz\hv165_1_files\homenews_en_data\caneneroup.htm

Deleting any of the 3 bolded folders will suffice ... obviously the nearer the folder to the d:\ the more you will remove ...

& the other one :-

d:\mumbai_hostels\women_files\brick.htm
d:\mumbai_hostels\women_files\brick.htm

delete either of the bolded folders, after first looking in the folders to make sure there is nothing in them that you need.

I have no idea what Spycatcher is seeing or thinks it's seeing, does it not give any hint as to what it is referring to ?

steam
  • 0

#13
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear steamwiz,
Thanks for all the help. I have deleted the folder d:\mumbai_hostels but kept the others. However I have a lurking suspicion that all is not well. I had forgotten to mention that when the problem started I used to get the following message from Windows on reboot "Your computer might be at risk. No firewall is turned on. Click this balloon to fix this problem." I used to manually turn on Windows firewall but on reboot the same message would reappear. This message had stopped appearing but today it came back. However the Spycatcher alert window regarding the rootkit has again stopped appearing.
I also have a couple of weird files on my D drive, which I have not created. Should I manually delete them? Or should I paste them in my next post for your opinion?
Thanks once again.
newbiefollies.
  • 0

#14
steamwiz

steamwiz

    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
HI

I also have a couple of weird files on my D drive, which I have not created. Should I manually delete them? Or should I paste them in my next post for your opinion?


As I have no idea what they are, I would never tell you to delete them untill we find out something about them ...

To start with, post their full path/name

Then I'd like you to run a couple more programs ...

Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeek...ware_d5756.html

or here :-

http://www.besttechi.../mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


steam
  • 0

#15
newbiefollies

newbiefollies

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear steamwiz,
Thanks for your reply.
Here are the full paths/names of the 2 files that I had accidentally found on my machine.

D:\letterheads\~$letterhead.doc
D:\ms_word_docs\~$turednsc1.doc

As both these files had ~$ in common, I went to Start & Search & searched for all files with ~$ in in the file name. A normal search did not reveal anything. But a search including hidden files revealed the above 2 files & 5 more. Their full paths & names are as follows.

C:\Documents and Settings\Arun\Recent\~$slides.doc
C:\Documents and Settings\Arun\Recent\~$tured_nsc1.doc
C:\Documents and Settings\Arun\Application Data\Microsoft\Templates\~$Normal.dot
C:\Documents and Settings\Arun\Application Data\Microsoft\Office\Recent\~$letterhead.doc
C:\Documents and Settings\Arun\Recent\~$letterhead.doc

Of the 7 files listed above, serial numbers 1 & 2 are Microsoft Word Documents, serial numbers 3, 4, 6 & 7 are shortcuts & serial number 5 is a Microsoft Word Template.

I will be carrying out your other instructions & posting results shortly.
Thanks once again.
newbiefollies.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP