Vundo Trojan Infection [Solved]


#1
cancia (New Member, 6 posts)
About 3 days ago I realized I had some sort of virus or malware because I was getting popups and weird things were happening to my machine. I tried to solve it various ways using multiple programs such as HijackThis, VundoFix, Spyware Terminator, Malwarebytes' Anti-Malware and Spyware Hunter, to no avail. I seem to have narrowed the root files down to a couple of different ones, but I can't seem to find them to delete them, even though every time I run HijackThis or a spyware removal tool it says I have them.
Here is my Hijack this Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:52 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {e3a9d5e6-1466-42fb-b5dd-8216f6fb42f0} - C:\WINDOWS\system32\fosutozi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bopedisu.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 2268 bytes



I believe the root problems are the "witukezo.dll" and "nayibewuza.dll" (which comes back occasionally). I also don't know what the "fosutozi.dll" is.

I have tried running safe mode and deleting them, but they always come back. It's as if I am missing a file which keeps replicating itself. I also have Spyware Terminator running, which is set to AUTODENY anything with "witukezo.dll" in it (which happens often). When I try to manually delete the witukezo.dll file I can't find it; it's like it doesn't exist (yes, show hidden files is turned on).

Please help! I really, really, really do not want to reformat my machine...AGAIN! Also, I plan on purchasing an anti-virus program with active defense; any suggestions? I don't know which one is the best for the best price. Thanks in advance! :)

Edited by cancia, 20 December 2008 - 02:38 AM.

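The log above is the kind an analyst reads by hand, but the reading is mechanical enough to script. The Python below is an added example (it is not part of the original post and not a HijackThis feature) that applies the usual triage rules to the O2/O4/O20/O23 lines quoted from the log: a BHO whose DLL is missing from disk, a Run entry placed under the LOCAL SERVICE / NETWORK SERVICE hives (S-1-5-19 and S-1-5-20, where legitimate software almost never registers startup items), a non-empty AppInit_DLLs value, and rundll32 loading a DLL whose name looks machine-generated. The name heuristic (7 to 10 lowercase letters strictly alternating consonant and vowel) is an assumption of this example fitted to the names in this log, not a published signature, and every finding is a candidate for review rather than a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the O2/O4/O20/O23 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {e3a9d5e6-1466-42fb-b5dd-8216f6fb42f0} - C:\WINDOWS\system32\fosutozi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bopedisu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path that ends in .dll; group 2 is the bare file stem.
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]*?\\([A-Za-z0-9_]+)\.dll)', re.IGNORECASE)
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(19|20)\\")
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic, an assumption of this example rather than a rule from the thread:
    the DLL names in the log (witukezo, bopedisu, fosutozi) are 7-10 lowercase
    letters that strictly alternate consonant/vowel, which vendor DLL names such
    as NvCpl or nvsvc32 do not."""
    if not 7 <= len(stem) <= 10 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


@dataclass
class Finding:
    section: str
    reason: str
    dll_path: str | None
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries an analyst would mark for 'Fix checked'."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        dll = DLL_RE.search(body)
        dll_path = dll.group(1) if dll else None
        stem = dll.group(2) if dll else ""
        if section == "O2" and "(file missing)" in body:
            findings.append(Finding(section, "BHO registered for a DLL that is not on disk", dll_path, raw))
        if section == "O20" and body.startswith("AppInit_DLLs:") and dll_path:
            findings.append(Finding(section, "AppInit_DLLs loads this DLL into every process that links user32", dll_path, raw))
        if section == "O4" and SERVICE_HIVE_RE.search(body):
            findings.append(Finding(section, "Run entry under a service-account hive (LOCAL SERVICE / NETWORK SERVICE)", dll_path, raw))
        if section == "O4" and "rundll32" in body.lower() and looks_generated(stem):
            findings.append(Finding(section, f"rundll32 loads a DLL with a generated-looking name: {stem}", dll_path, raw))
    return findings


def dll_paths(findings: list[Finding]) -> set[str]:
    """Files to locate and delete once the registry entries are fixed."""
    return {f.dll_path for f in findings if f.dll_path}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line.strip()}")
    print("files to remove:", sorted(dll_paths(found)))
```

Run it and it lists the same O2/O4/O20 entries the reply below marks for 'Fix checked', plus the three DLL paths to hunt for. On a different log expect the name heuristic to both miss and over-match, so treat its output as a reading aid, not a removal list.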
#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {e3a9d5e6-1466-42fb-b5dd-8216f6fb42f0} - C:\WINDOWS\system32\fosutozi.dll (file missing)
O4 - HKLM\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nayibewuza] Rundll32.exe "C:\WINDOWS\system32\witukezo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bopedisu.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\witukezo.dll
C:\WINDOWS\system32\bopedisu.dll


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

For the antivirus program, I actually recommend using AVG AntiVirus. It's free for personal use and also comes with the anti-spyware program.

#3
cancia (Topic Starter)
Thanks. I actually did that and all seems fine as for right now. I will look into AVG Antivirus. A lot of people have been suggesting Avast as well. Thank you very much.
*Hats off to Geeks to Go*. My heroes.

#4
greyknight17
Please post the log requested. A lot of times there are still a few files left behind that are dormant for the time being. They should be removed as well.

#5
cancia
ComboFix 08-12-20.03 - Andrew 2008-12-20 23:16:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1564 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\fbk.sts
C:\install.exe
c:\program files\INSTALL.LOG
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\system32\aheyuhip.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\timikeze.dll
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-20 01:06 . 2008-12-20 01:06 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E\Application Data\Malwarebytes
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E
2008-12-19 18:46 . 2008-12-20 01:04 <DIR> d-------- c:\program files\Spyware Terminator
2008-12-19 18:35 . 2008-12-19 18:44 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-19 18:22 . 2008-12-19 18:35 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-19 16:02 . 2007-11-04 19:30 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-19 02:39 . 2008-12-19 02:39 <DIR> d---s---- c:\windows\Downloaded Program Files
2008-12-18 14:25 . 2008-12-18 14:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-18 14:25 . 2008-12-18 14:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 01:39 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 01:04 . 2008-12-20 02:59 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-12 00:45 . 2008-12-12 00:45 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 00:30 . 2008-12-12 00:57 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-10 19:57 . 2008-12-13 04:42 <DIR> d-------- c:\program files\Varnex
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\Andrew\Application Data\GlobalSCAPE
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2008-11-26 18:29 . 2008-11-26 18:29 <DIR> d-------- c:\documents and settings\Andrew\Application Data\SmartFTP
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\scripting
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\en
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\bits
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\l2schemas
2008-11-23 18:13 . 2008-11-23 18:13 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-23 18:09 . 2008-11-23 18:09 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 01:44 --------- d-----w c:\program files\Steam
2008-12-20 03:06 --------- d-----w c:\program files\fraps
2008-12-20 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 22:25 --------- d-----w c:\program files\Java
2008-12-16 03:34 --------- d-----w c:\program files\World of Warcraft
2008-12-15 06:45 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 07:25 --------- d-----w c:\program files\Digsby
2008-12-13 07:35 --------- d-----w c:\documents and settings\Andrew\Application Data\BitTorrent
2008-12-13 07:28 --------- d-----w c:\program files\Electronic Arts
2008-12-02 05:15 --------- d-----w c:\documents and settings\Andrew\Application Data\IGN_DLM
2008-12-02 00:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 23:52 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-11-29 01:37 --------- d-----w c:\program files\mymedia
2008-11-19 10:58 --------- d-----w c:\program files\Activision
2008-11-16 11:11 --------- d-----w c:\program files\Ventrilo
2008-11-16 11:11 --------- d-----w c:\documents and settings\Andrew\Application Data\Ventrilo
2008-11-16 11:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:54 --------- d-----w c:\program files\Warcraft III
2008-11-12 22:49 --------- d-----w c:\documents and settings\Andrew\Application Data\Digsby
2008-11-12 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2008-11-08 09:26 --------- d-----w c:\program files\MSBuild
2008-11-08 09:25 --------- d-----w c:\program files\Reference Assemblies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2003-12-18 18:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 14:46 10,960 ----a-w c:\program files\EULA.txt
2008-09-19 04:00 64,223 --sha-w c:\windows\system32\wimavogu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 idrmkl;idrmkl;\??\c:\docume~1\Andrew\LOCALS~1\Temp\idrmkl.sys []
S3 MaplomL;MaplomL; []
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6598ada8-b8b6-11db-8204-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6fd3feb-b8e8-11db-b832-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\l8tjmc7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 23:19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-12-20 23:23:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 07:23:47

Pre-Run: 102,967,730,176 bytes free
Post-Run: 106,942,820,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

180 --- E O F --- 2008-12-20 10:59:34
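The ComboFix log above carries several signals worth pulling out explicitly, and the reply that follows acts on two of them. As an added example (not from the thread and not ComboFix's own tooling), the Python below reads an excerpt of that log and flags: files in the Find3M report whose attribute string contains both 's' and 'h' (System+Hidden, which Explorer keeps out of view even with "show hidden files" on unless "Hide protected operating system files" is also unchecked, which is one way a DLL can appear not to exist); service entries with an empty image path or an image under a user's Temp directory; Security Center override values set to non-zero, which silence the antivirus and update warnings; and hosts listed under "BITS: Possible infected sites". Reading the trailing "[]" (no date and size) as "file not present at scan time" is my interpretation of the log format and is marked as an assumption in the code.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: an excerpt of the first ComboFix log posted above.
SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 06:45 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-19 04:00 64,223 --sha-w c:\windows\system32\wimavogu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 idrmkl;idrmkl;\??\c:\docume~1\Andrew\LOCALS~1\Temp\idrmkl.sys []
S3 MaplomL;MaplomL; []
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys []
"""

# Find3M line: date time size attrs path (attrs is a 7-char flag string such as --sha-w).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|-+)\s+([-a-z]{7})\s+(.+)$")
# Service line: R1/S3 name;display;path [date size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


@dataclass
class Finding:
    kind: str      # bits | securitycenter | file | service
    subject: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""
    in_bits = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("----- BITS:"):
            in_bits = True
            continue
        if in_bits:
            if line.lower().startswith(("hxxp://", "http://", "https://")):
                findings.append(Finding("bits", line, "download host referenced by a BITS job"))
            elif line == ".":
                in_bits = False
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and current_key.endswith(r"\security center") and int(m.group(2), 16) != 0:
            findings.append(Finding("securitycenter", m.group(1), "Security Center warning suppressed (non-zero override)"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4)
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding("file", path, "System+Hidden attributes: Explorer hides it even with hidden files shown"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, meta = m.group(2), m.group(4), m.group(5)
            if not path:
                findings.append(Finding("service", name, "service entry with no image path"))
            elif "\\temp\\" in path.lower():
                findings.append(Finding("service", name, "driver image under a Temp directory"))
            elif not meta:
                # Assumption: an empty [] means ComboFix found no file to date/size.
                findings.append(Finding("service", name, "image file not present at scan time"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

The two services it singles out for an empty or Temp-located image (idrmkl and MaplomL) and the System+Hidden wimavogu.dll are exactly the three items the CFScript in the next reply removes; WSIMD is reported only as "not present", which is why a human still decides what goes into the script.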

#6
greyknight17
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
idrmkl
MaplomL
File::
c:\windows\system32\wimavogu.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

#7
cancia
ComboFix 08-12-20.03 - Andrew 2008-12-21 16:19:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1619 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\wimavogu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wimavogu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl
-------\Service_MaplomL


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-20 01:06 . 2008-12-20 01:06 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E\Application Data\Malwarebytes
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E
2008-12-19 18:46 . 2008-12-20 01:04 <DIR> d-------- c:\program files\Spyware Terminator
2008-12-19 18:35 . 2008-12-19 18:44 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-19 18:22 . 2008-12-19 18:35 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-19 16:02 . 2007-11-04 19:30 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-19 02:39 . 2008-12-19 02:39 <DIR> d---s---- c:\windows\Downloaded Program Files
2008-12-18 14:25 . 2008-12-18 14:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-18 14:25 . 2008-12-18 14:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 01:39 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 01:04 . 2008-12-20 02:59 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-12 00:45 . 2008-12-12 00:45 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 00:30 . 2008-12-12 00:57 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-10 19:57 . 2008-12-13 04:42 <DIR> d-------- c:\program files\Varnex
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\Andrew\Application Data\GlobalSCAPE
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2008-11-26 18:29 . 2008-11-26 18:29 <DIR> d-------- c:\documents and settings\Andrew\Application Data\SmartFTP
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\scripting
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\en
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\bits
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\l2schemas
2008-11-23 18:13 . 2008-11-23 18:13 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-23 18:09 . 2008-11-23 18:09 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 08:01 --------- d-----w c:\program files\Steam
2008-12-20 03:06 --------- d-----w c:\program files\fraps
2008-12-20 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 22:25 --------- d-----w c:\program files\Java
2008-12-16 03:34 --------- d-----w c:\program files\World of Warcraft
2008-12-15 06:45 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 07:25 --------- d-----w c:\program files\Digsby
2008-12-13 07:35 --------- d-----w c:\documents and settings\Andrew\Application Data\BitTorrent
2008-12-13 07:28 --------- d-----w c:\program files\Electronic Arts
2008-12-02 05:15 --------- d-----w c:\documents and settings\Andrew\Application Data\IGN_DLM
2008-12-02 00:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 23:52 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-11-29 01:37 --------- d-----w c:\program files\mymedia
2008-11-19 10:58 --------- d-----w c:\program files\Activision
2008-11-16 11:11 --------- d-----w c:\program files\Ventrilo
2008-11-16 11:11 --------- d-----w c:\documents and settings\Andrew\Application Data\Ventrilo
2008-11-16 11:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:54 --------- d-----w c:\program files\Warcraft III
2008-11-12 22:49 --------- d-----w c:\documents and settings\Andrew\Application Data\Digsby
2008-11-12 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2008-11-08 09:26 --------- d-----w c:\program files\MSBuild
2008-11-08 09:25 --------- d-----w c:\program files\Reference Assemblies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2003-12-18 18:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 14:46 10,960 ----a-w c:\program files\EULA.txt
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_23.23.29.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 00:24:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_100.dat
+ 2008-12-22 00:24:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_57c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6598ada8-b8b6-11db-8204-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6fd3feb-b8e8-11db-b832-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\l8tjmc7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:24:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-12-21 16:29:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 00:29:15
ComboFix2.txt 2008-12-21 07:23:51

Pre-Run: 106,936,254,464 bytes free
Post-Run: 106,919,075,840 bytes free

165 --- E O F --- 2008-12-20 10:59:34

#8
greyknight17
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#9
cancia
I think things are back to normal now. Thanks a lot. Hopefully I won't have another virus episode for a long, long time. :)

#10
greyknight17
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.