Rogue Software and Vundo removed. [RESOLVED]


#1 SpaCeTraNce (Member, 35 posts)
geekstogo.com,

A guy in my dorm gave me his computer yesterday and said it was infected. Upon checking it out, he had many rogue anti-virus programs running. I followed the instructions contained in "Please Click Here Before Posting A Hijackthis™ Log!", and everything appears to be gone and the machine is running fine. I wanted to post a log and have an expert verify clean logs.

Thanks a bunch for the help. This site is run very, very well, I have spent hours digging through the malware/GeekU forums and I am hooked.

Log follows:
---------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:11 PM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {9814f313-60cf-4558-a684-1c4a437cb332} - {233bc734-a4c1-486a-8554-fc06313f4189} - C:\WINDOWS\system32\yxemcw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SysD.exe] C:\Windows\SysD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SysD.exe] C:\Windows\SysD.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5525 bytes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome aboard to GTG. Glad you could join GeekU :)

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

MyWebSearch

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: {9814f313-60cf-4558-a684-1c4a437cb332} - {233bc734-a4c1-486a-8554-fc06313f4189} - C:\WINDOWS\system32\yxemcw.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [SysD.exe] C:\Windows\SysD.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SysD.exe] C:\Windows\SysD.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\yxemcw.dll
C:\PROGRA~1\MYWEBS~1\
C:\Windows\SysD.exe


Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html and double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the part about posting the log. Post the ComboFix log here.
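A defender-side triage of the HijackThis entries greyknight17 singled out, as an added example that is not part of this thread and not code from HijackThis: it parses O2 (BHO) and O4 (Run) lines and applies the heuristics behind those picks, namely a BHO registered under a bare GUID instead of a product name, an autorun binary sitting directly in the Windows root, a component of the MyWebSearch toolbar, and the same Run value duplicated under HKLM and HKCU. The sample lines are copied from the log in post #1; the heuristics and thresholds are this example's own assumptions, not HijackThis rules.

```python
from __future__ import annotations

import re
from collections import defaultdict

# HijackThis line formats handled here (the two kinds fixed in this thread).
# O2 - BHO: <display name> - {CLSID} - <dll path>
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
# First token ending in an executable/library extension, for unquoted paths with spaces.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com))(?=\s|$)", re.I)

# Tokens of the adware toolbar the expert told the poster to uninstall (from this thread).
PUP_TOKENS = ("mywebs~1", "mywebsearch")
# Directories where a legitimate autorun binary is not expected to live (assumption).
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")

# Constructed sample: a subset of the lines from the HijackThis log in post #1.
SAMPLE_LOG = [
    r"O2 - BHO: {9814f313-60cf-4558-a684-1c4a437cb332} - {233bc734-a4c1-486a-8554-fc06313f4189} - C:\WINDOWS\system32\yxemcw.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w',
    r"O4 - HKLM\..\Run: [SysD.exe] C:\Windows\SysD.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe",
    r"O4 - HKCU\..\Run: [SysD.exe] C:\Windows\SysD.exe",
    r"O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem",
]


def exe_path(cmd: str) -> str:
    """Extract the launched binary from an O4 command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path ('' when there is none)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious HijackThis line to the list of reasons it was flagged."""
    reasons: dict[str, list[str]] = defaultdict(list)
    # (value name, binary) -> [(hive, line)] so duplicated persistence can be spotted.
    by_target: dict[tuple[str, str], list[tuple[str, str]]] = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        bho = BHO_RE.match(line)
        if bho:
            # Vundo-style BHOs are registered with a GUID where a product name belongs.
            if GUID_RE.match(bho.group("name")):
                reasons[line].append("BHO registered under a bare GUID instead of a product name")
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        exe = exe_path(run.group("cmd"))
        if parent_dir(exe) in WINDOWS_ROOTS:
            reasons[line].append("autorun binary sits directly in the Windows root")
        if any(tok in line.lower() for tok in PUP_TOKENS):
            reasons[line].append("component of a known adware toolbar (MyWebSearch)")
        by_target[(run.group("value").lower(), exe.lower())].append((run.group("hive"), line))
    for entries in by_target.values():
        if len({hive for hive, _ in entries}) > 1:
            for _, line in entries:
                reasons[line].append("same Run value and binary registered under both HKLM and HKCU")
    return dict(reasons)


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for reason in why:
            print("   ->", reason)
```

On the sample, the five lines flagged are exactly the five the expert asked the poster to fix, while the Java, ATI, ctfmon and ARO entries pass untouched.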

#3 SpaCeTraNce (Topic Starter, Member, 35 posts)
OK, here is what happened:

ATF ran w/o a problem.

Hijack this fixed BHO and run entries w/o a problem.

Located C:\WINDOWS\system32\yxemcw.dll but was unable to delete, rebooted to release file, deleted w/o a problem.

I was unable to locate the following files:
C:\PROGRA~1\MYWEBS~1\
C:\Windows\SysD.exe

But I did find:
C:\Windows\Sys1C2.exe
C:\Windows\SysB.exe

Your directions said to delete them "if they exist", so I continued with the directions.

Malwarebytes' software downloaded and installed but was unable to locate the update server. I had this problem earlier, before posting the log. Any ideas?
Anyway... I ran MBAM; here is the log:
Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

6:30:27 PM 7/19/2008
mbam-log-7-19-2008 (18-30-27).txt

Scan type: Quick Scan
Objects scanned: 38335
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhc52oj0e99a (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SecuriSoft SARL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\BASE (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\DELETED (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\SAVED (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Sys1C2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wdocmixy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2000478354-507921405-839522115-1003\Dc1.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718161841137.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718162404997.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718164650807.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718165717742.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718170507486.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718175144682.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718190501070.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718195321465.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718212751328.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080719094811006.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080719102746700.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080719105018142.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\WINDOWS\SysB.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the ComboFix log:
ComboFix 08-07-19.1 - User 2008-07-19 19:29:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\Virus cleanup\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-19 18:20 . 2008-07-19 18:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 18:20 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 18:20 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-19 11:09 . 2008-07-19 11:09 <DIR> d-------- C:\VundoFix Backups
2008-07-19 10:15 . 2008-07-19 10:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-19 10:15 . 2008-07-19 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 22:15 . 2008-07-19 13:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-18 22:15 . 2008-07-18 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-18 21:47 . 2008-07-18 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 21:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-18 21:28 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-18 19:25 . 2008-07-18 19:25 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-18 19:18 . 2008-07-18 19:18 <DIR> d-------- C:\Documents and Settings\User\Application Data\Sammsoft
2008-07-18 19:17 . 2008-07-18 19:17 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-07-18 13:33 . 2008-07-18 13:33 <DIR> d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2008-07-18 13:32 . 2008-07-18 13:32 <DIR> d-------- C:\Program Files\Bonjour
2008-07-18 13:30 . 2008-07-18 13:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-18 13:29 . 2008-07-18 13:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-18 13:29 . 2008-07-18 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-06 19:47 . 2008-07-06 19:47 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-06 19:47 . 2008-07-06 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-22 17:23 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-22 17:23 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 22:11 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-18 20:59 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-07-14 01:46 --------- d-----w C:\Program Files\Lx_cats
2008-07-07 00:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-27 01:13 --------- d-----w C:\Program Files\e-Sword
2008-06-25 01:42 --------- d-----w C:\Program Files\Libronix DLS
2008-06-23 00:43 --------- d-----w C:\Program Files\LimeWire
2008-06-04 03:25 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-05-25 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 00:08 --------- d-----w C:\Program Files\EA GAMES
2008-05-23 23:50 --------- d-----w C:\Program Files\Yahoo!
2008-05-23 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-05-23 22:37 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-23 22:36 --------- d-----w C:\Program Files\illiminable
2008-05-23 22:35 --------- d-----w C:\Program Files\RCA
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2008-04-09 14:22 2135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 00:05 339968]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 12:08 1347584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 04:21 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 12:47 73728]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbd32733-2f83-11d8-b2af-000f1fa0bb67}]
\Shell\AutoRun\command - D:\Menu.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 18:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
HKCU-Run-PhotoShow Deluxe Media Manager - C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 19:32:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-07-19 19:34:46 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-07-20 00:34:42

Pre-Run: 28,674,301,952 bytes free
Post-Run: 28,611,014,656 bytes free

129 --- E O F --- 2008-07-18 15:08:36

Edited by SpaCeTraNce, 19 July 2008 - 06:44 PM.


#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Delete those two files:

C:\Windows\Sys1C2.exe
C:\Windows\SysB.exe


Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Do any of the program updates work for your other security programs? Try updating it again to see if it works.

#5 SpaCeTraNce (Topic Starter, Member, 35 posts)
I got MBAM to update; that was unrelated. I'll post the ActiveScan logs once I have them.

Thanks for the help....

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
How is the system running so far? We'll take a final look at the Panda log, but I'm sure we're almost done here assuming all is running normally.

#7 SpaCeTraNce (Topic Starter, Member, 35 posts)
greyknight17,

Machine is running much better! I'll post the logs when I have time to run the scan.

PS. I'm really starting to dig geekstogo.com :)

#8 SpaCeTraNce (Topic Starter, Member, 35 posts)
I was unable to locate:

C:\Windows\Sys1C2.exe
C:\Windows\SysB.exe

Because MBAM removed them:

C:\WINDOWS\Sys1C2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SysB.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ActiveScan log:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-07-21 11:21:00
PROTECTIONS: 2
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No No
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\[email protected][1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\[email protected][1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.247realmedia.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.mediaplex.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.burstnet.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[www.burstbeacon.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.advertising.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2mr2suqx.default\cookies.txt[.adrevolver.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP70\A0014819.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP70\A0014654.sys
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\9.tmp.vir
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\A.tmp.vir
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP62\A0011965.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\3.tmp.vir
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\2.tmp.vir
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0011995.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\1.tmp.vir
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP68\A0014304.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0012998.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0013988.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0014004.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0014020.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP65\A0014046.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP67\A0014261.exe
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP67\A0014266.exe
03281274 Adware/SpyShredder Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP68\A0014390.exe
03281376 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP67\A0014273.exe
03281377 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP68\A0014391.cpl
03324220 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0012008.exe[5.exe][vav.cpl]
03324220 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0011974.exe[vav.cpl]
03324220 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP63\A0012004.exe[vav.cpl]
03324220 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\RP67\A0014265.exe[vav.cpl]
;===============================================================================
SUSPECTS
Sent Location N
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description N
;===============================================================================
170907 HIGH MS07-046 N
170904 HIGH MS07-043 N
;===============================================================================


I'm worried about these two entries:
01185375 Application/Psexec.A HackTools
02885963 Rootkit/Booto.C Virus/Worm

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We'll take care of those two entries and the bunch of others found by Panda by removing Combofix (it will do the final cleanup job for you :)).

Go into Firefox->Tools->Clear Private Data and hit OK to delete all your cookie and temp files.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
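The reply above rests on one observation: every detection the poster was worried about sits either in a System Restore point (`C:\System Volume Information\_restore{...}`) or in ComboFix's own quarantine (`C:\QooBox\Quarantine\`), not on the live system, which is why the restore-point purge and `combofix /u` finish the job. The following is an added example, not code from this thread, from Panda or from ComboFix: it parses ActiveScan-style detection lines and sorts them into buckets by where the file lives, so the few that would actually need a second look stand out. The column order (Id, Description, Type, Active, Severity, Disinfectable, Disinfected, Location) is assumed from the usual ActiveScan report layout, and the last sample line is a constructed hit, not one from the posted log.

```python
"""Triage Panda ActiveScan detections by where each hit lives.

Added example for this thread; not code from Geeks to Go, Panda or ComboFix.
Column order (Id, Description, Type, Active, Severity, Disinfectable,
Disinfected, Location) is assumed from the usual ActiveScan report layout.
"""
import re

# Constructed sample: five lines copied in shape from the posted log plus one
# made-up live hit (99999999 ...) so the "needs attention" path is exercised.
SAMPLE_LOG = """\
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\2mr2suqx.default\\cookies.txt[.burstnet.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\\System Volume Information\\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\\RP70\\A0014819.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\\System Volume Information\\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\\RP70\\A0014654.sys
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\9.tmp.vir
03324220 Adware/VistaAntivirus Adware No 0 No No C:\\System Volume Information\\_restore{7AF768C2-4A67-4DAC-A742-0712D8FBDC10}\\RP63\\A0012008.exe[5.exe][vav.cpl]
99999999 Constructed/ExampleHit Adware No 0 Yes No C:\\WINDOWS\\system32\\constructed.dll
"""

# One detection per line; Location is last because it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>\S+)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)


def parse_log(text):
    """Return one dict per detection line; separator and header lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def classify(hit):
    """Bucket a detection by what its Active flag and Location say about its state."""
    loc = hit["location"].lower()
    if hit["active"] == "Yes":
        return "active"               # loaded or running right now: deal with it first
    if "\\system volume information\\_restore" in loc:
        return "restore_point"        # dormant copy kept by System Restore; goes with the restore points
    if "\\qoobox\\quarantine\\" in loc:
        return "combofix_quarantine"  # already neutralised by ComboFix; removed by 'combofix /u'
    if hit["type"] == "TrackingCookie":
        return "tracking_cookie"      # cleared from the browser; no code-execution risk
    return "live_file"                # on disk, outside any quarantine: investigate


def triage(text):
    """Group every parsed detection by bucket: {bucket: [hit, ...]}."""
    buckets = {}
    for hit in parse_log(text):
        buckets.setdefault(classify(hit), []).append(hit)
    return buckets


def needs_attention(text):
    """Hits that neither purging restore points nor 'combofix /u' will touch."""
    buckets = triage(text)
    return buckets.get("active", []) + buckets.get("live_file", [])


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(hits)}")
    for hit in needs_attention(SAMPLE_LOG):
        print("CHECK:", hit["desc"], hit["location"])
```

Run against the posted log, every Psexec, Booto, MalwareProtector2008, SpyShredder, AVMaster and VistaAntivirus line lands in `restore_point` or `combofix_quarantine`, and `needs_attention` comes back empty; only a hit with Active set to Yes, or a file outside those two trees, would survive the cleanup the reply describes.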

#10
SpaCeTraNce

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hey greyknight17 system is running fine, thanks for your time and assistance.

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.