Malwarebytes

Trojan.Vundo.h found by malwarebytes - won't die. SAS doesn't find it.

13 replies to this topic

#1
AmyA

I posted this elsewhere in what I now believe to be the wrong section. I hope someone can help me out!

Here's my Malwarebytes log. It started with 23 and got down to 4 that don't die at restart. I've had System Restore off during all of these shenanigans. It says "no action taken" only because I've run the log several times and didn't bother trying the restart since they keep coming back. SuperAntiSpyware doesn't find the Trojan.Vundo.H files (and won't do a smart update for some reason, although the firewall is turned off and I'm on the internet). Norton has a laughable fix, but they didn't stop this thing in the first place; needless to say, that didn't work either. PLEASE HELP! Can I keep working on my computer, or will it eventually grind to a halt?

Malwarebytes' Anti-Malware 1.36
Database version: 2174
Windows 5.1.2600 Service Pack 2

5/24/2009 3:52:10 PM
Part4_4filesmbam-log-2009-05-24 (15-51-53).txt

Scan type: Quick Scan
Objects scanned: 91697
Time elapsed: 9 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jwkqjblt (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\rzhdtxv.dll (Trojan.Vundo.H) -> No action taken.
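As an added triage example (not part of the original post and not Malwarebytes' own tooling), the following Python parses the MBAM report format above, labels each registry detection with the persistence mechanism its path implies (BHO, Winlogon Notify, the CLSID backing the BHO, file), links the BHO entry to its CLSID registration by GUID, and flags the random-looking component names this Vundo variant used. The category rules and the random-name heuristic are assumptions of this example; the sample log is constructed from the detections the poster shared.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text reports.

Added example for this thread, not code from Malwarebytes or from the poster.
The persistence categories and the random-name heuristic are assumptions of
this example, chosen to explain why these four items keep coming back: the
BHO key and its CLSID are two halves of one mechanism, the Winlogon Notify
key reloads a DLL at every logon, and the DLL itself is the payload.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, copied from the detections in the poster's log above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jwkqjblt (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f168810d-0ffd-426b-a866-b121a9240552} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\rzhdtxv.dll (Trojan.Vundo.H) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Persistence category implied by the registry path (assumed rule set of this
# example; case-insensitive substring match, first hit wins).
PERSISTENCE_RULES = (
    ("\\browser helper objects\\", "bho"),          # loaded into every IE process
    ("\\winlogon\\notify\\", "winlogon-notify"),    # DLL loaded by winlogon at logon
    ("hkey_classes_root\\clsid\\", "com-clsid"),    # COM registration backing the BHO
    ("\\currentversion\\run", "run-key"),
    ("\\services\\", "service"),
)

VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str
    path: str
    threat: str
    action: str

    @property
    def component(self) -> str:
        """Last path element: the key name, GUID or file name."""
        return self.path.rsplit("\\", 1)[-1]

    @property
    def persistence(self) -> str:
        if self.section != "Registry Keys Infected":
            return "file" if self.section == "Files Infected" else "n/a"
        low = self.path.lower()
        for needle, label in PERSISTENCE_RULES:
            if needle in low:
                return label
        return "other"


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the report section by section and collect the detection lines."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m["path"], m["threat"], m["action"]))
    return findings


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): an all-letter stem of six or more
    characters with no vowels, or a run of five or more consonants, as in the
    generated names jwkqjblt and rzhdtxv. It misses some generated names and
    can hit a few legitimate driver names, so treat a hit as a lead, not proof."""
    stem = name.lower().split(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    if not any(c in VOWELS for c in stem):
        return True
    run = longest = 0
    for c in stem:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def linked_by_guid(findings: list[Finding]) -> dict[str, list[str]]:
    """Group registry paths that share a GUID: the BHO entry and its CLSID key
    must be removed together or the BHO simply re-registers."""
    groups: dict[str, list[str]] = {}
    for f in findings:
        for g in GUID_RE.findall(f.path):
            groups.setdefault(g.lower(), []).append(f.path)
    return groups


def triage(text: str) -> dict:
    """What a responder wants first: threat names, mechanisms, linked CLSIDs,
    suspicious names, and which items the scanner has not yet acted on."""
    findings = parse_mbam_log(text)
    return {
        "threats": sorted({f.threat for f in findings}),
        "persistence": dict(Counter(f.persistence for f in findings)),
        "linked_clsids": linked_by_guid(findings),
        "random_names": [f.component for f in findings if looks_random(f.component)],
        "unresolved": [f.path for f in findings if f.action.lower().startswith("no action")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```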

#2
miekiemoes

Hi,

Not sure why you turned your System Restore off in the first place. Maybe some people recommend this, but imho, that's a bad idea. Reason is, for example, you're trying to clean malware and you've deleted the wrong file or wrong key by accident, or a scanner deleted the wrong file/key (which may happen as well) and because of that, your system becomes more unstable. So, in such cases, you can revert to a previous system restore point.
But if you disable system restore during cleanup, you won't have any previous system restore points anymore, because your system restore points are flushed when you disable system restore. So, if something bad happens during cleanup, you cannot revert to a previous system restore point either.
So, it's better to have an "infected" system restore point (which we can clean), than no system restore point at all.

Afterwards, once your system is clean again, then you can flush your system restore points, by disabling system restore, reboot, enable system restore, so it will create a new clean system restore point afterwards again.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
AmyA

Yes, agreed, turning off restore was silly - that bit of instruction came from the clowns at Norton. Same guys that let the virus on to begin with. I'm trying to back up my important data first, then I'll post the logs. Hope to have it up within the hour. So thankful that there is a forum for help with this. Many thanks!

#4
miekiemoes

Hi,

That's ok - just take your time ;)

#5
AmyA

Haven't been able (or willing) to run ComboFix yet because when I launch it I get the following warning despite the fact that I believe I have completely uninstalled Norton from my machine.

"ComboFix has detected the following real time scanners: antivirus: Norton Internet Security"

Should I just run ComboFix anyway?

#6
AmyA

Well, I found some apparent Norton processes still running, so I ended them. And I think/hope I got all my other anti-virus stuff turned off too. Ran ComboFix and here's the log. What on god's green earth does it mean?

ComboFix 09-05-24.07 - AmyA 05/25/2009 14:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.530 [GMT -7:00]
Running from: c:\documents and settings\AmyA\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\awmupdq.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\oaarrjxa.sys
c:\windows\system32\drivers\rswfcqqo.sys
c:\windows\system32\rzhdtxv.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OAARRJXA
-------\Service_oaarrjxa


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 18:21 . 2009-05-25 18:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-05-24 21:33 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-24 21:33 . 2009-05-25 21:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-24 21:33 . 2009-03-06 23:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-24 21:33 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-24 21:33 . 2009-05-24 21:33 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-24 21:33 . 2008-12-10 19:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-24 21:32 . 2009-05-24 21:34 -------- d-----w c:\program files\Spyware Doctor
2009-05-24 21:32 . 2009-05-24 21:32 -------- d-----w c:\documents and settings\AmyA\Application Data\PC Tools
2009-05-24 21:32 . 2009-05-24 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-24 20:38 . 2009-05-25 21:37 117760 ----a-w c:\documents and settings\AmyA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-24 20:38 . 2009-05-24 20:38 -------- d-----w c:\documents and settings\AmyA\Application Data\SUPERAntiSpyware.com
2009-05-24 20:36 . 2009-05-24 20:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\documents and settings\AmyA\Application Data\Malwarebytes
2009-05-24 16:55 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-24 16:55 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-24 16:55 . 2009-05-24 16:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-24 15:56 . 2009-05-24 15:56 2 ---h--w c:\windows\sonce122730.dat
2009-05-24 15:47 . 2009-05-24 15:47 176 ----a-w C:\487656.bat
2009-05-20 14:55 . 2009-05-20 14:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-19 00:43 . 2009-05-19 00:43 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-19 00:43 . 2009-05-19 23:04 -------- d-----w c:\documents and settings\AmyA\Application Data\skypePM
2009-05-19 00:38 . 2009-05-19 00:38 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-19 00:36 . 2009-05-21 03:57 -------- d-----w c:\documents and settings\AmyA\Application Data\Skype
2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----w c:\program files\Common Files\Skype
2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----r c:\program files\Skype
2009-05-19 00:34 . 2009-05-19 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-18 22:28 . 2009-05-18 22:07 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-18 22:07 . 2009-05-18 22:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-18 22:07 . 2009-05-18 22:07 299352 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-18 22:07 . 2009-05-18 22:07 25440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-18 22:07 . 2009-05-18 22:07 15688 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-18 22:07 . 2009-05-18 22:07 165728 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-18 22:07 . 2009-05-18 22:07 343888 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-18 22:07 . 2009-05-18 22:07 289632 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-18 22:07 . 2009-05-18 22:07 82784 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-18 22:06 . 2009-05-18 22:06 1629024 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-18 22:06 . 2009-05-18 22:06 212848 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-18 22:06 . 2009-05-18 22:06 40288 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-18 22:06 . 2009-05-18 22:06 64160 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-18 22:06 . 2009-05-18 22:06 632680 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-18 22:06 . 2009-05-18 22:06 539512 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-18 22:06 . 2009-05-18 22:06 552808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-18 22:06 . 2009-05-18 22:06 2324808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-18 22:06 . 2009-05-18 22:06 626000 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-18 22:05 . 2009-05-18 22:05 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-18 22:05 . 2009-05-18 22:05 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-18 22:02 . 2009-05-18 22:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-18 22:02 . 2009-03-12 08:17 2902048 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-18 22:01 . 2009-05-18 22:07 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-18 22:01 . 2009-05-18 22:01 -------- d-----w c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 18:23 . 2005-04-10 13:09 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-25 18:21 . 2005-04-10 13:09 -------- d-----w c:\program files\Symantec
2009-05-25 18:20 . 2005-04-10 13:09 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-25 15:21 . 2006-03-02 10:16 -------- d-----w c:\program files\Quicken
2009-05-19 00:42 . 2005-04-10 12:59 -------- d-----w c:\program files\Google
2009-04-02 23:51 . 2007-06-23 18:56 -------- d-----w c:\documents and settings\AmyA\Application Data\Image Zone Express
2009-03-06 14:44 . 2004-08-04 08:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 19:20 . 2006-03-01 15:37 73320 ----a-w c:\documents and settings\AmyA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"TCOYFReminder"="c:\progra~1\TCOYF\tcoyftray.exe" [2005-06-28 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-18 516440]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-13 517768]

c:\documents and settings\AmyA\Start Menu\Programs\Startup\
WinMySQLadmin.lnk - c:\program files\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-9-15 1766744]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Pandion.lnk - c:\program files\Pandion\Pandion.exe [2006-1-10 993792]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-9-5 229376]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-17 389120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/18/2009 3:07 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2009 2:33 PM 130424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/24/2009 2:33 PM 348752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S2 gupdate1c9d81a1f056e6e;Google Update Service (gupdate1c9d81a1f056e6e);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 5:36 PM 133104]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/23/2006 9:41 AM 114016]
S2 mrtRate;mrtRate; [x]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 953168]
S4 Herofsl;Herofsl; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - OAARRJXA
*Deregistered* - mchInjDrv
*Deregistered* - oaarrjxa

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wpnkvqax
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:06]

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-05-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-19 00:35]

2009-05-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 05:18]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: turbotax.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\AmyA\Application Data\Mozilla\Firefox\Profiles\wy6b75a8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 14:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?3?3?7??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2684)
c:\program files\Spyware Doctor\pctgmhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TCOYF\tcoyftray.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\xampp\mysql\bin\mysqld-nt.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\Hp\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-05-25 14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 21:42

Pre-Run: 30,135,947,264 bytes free
Post-Run: 30,884,225,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

282 --- E O F --- 2009-04-22 15:18

#7
miekiemoes

Hi,

Navigate to and delete the following files:

c:\windows\sonce122730.dat
C:\487656.bat

Not sure how you uninstalled your Norton Internet security, because I still see it active and running here.
If you want to uninstall it, I suggest this:

* To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this link.

Also read the next article in case you're having problems uninstalling Norton, if the above instructions didn't work, or if you noticed problems after uninstalling Norton: http://basconotw.mvps.org/SymRem.htm

Keep in mind to install another Antivirus instead afterwards, because how are you supposed to prevent malware otherwise?

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

#8
AmyA

I wanted to sincerely thank you for having this forum. I don't know how I would have been able to get rid of this thing without it. Thanks for your quick replies. I will do your above steps in the next few hours. Once the malwarebytes came back clean, I ran as far away from this computer as I could for the next couple of days.

Will report back with results, but I'm pretty confident that I'm out of the woods.

Many thanks!

#9
miekiemoes

Hi,

That's ok. Just take your time.
The Kaspersky scan may take a while though.

#10
AmyA

I am VERY nervous. The thing ran in about 4 hours. I went to type in my reply to you and all the text came in backwards. So when I type "hello" it shows up on the screen as "olleh". I went to a browser and typed something and it had the same results. So I typed this into notepad and cut & pasted it into the reply. That being said here is my log. It found problems in *really* old files that I haven't touched for years. So I've probably had these viruses for a very long time. Any idea how to get the text to come out normal while in a browser?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 14:26:36
Records in database: 2265298
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 147244
Threat name: 4
Infected objects: 13
Suspicious objects: 2
Duration of the scan: 03:39:04


File name / Threat name / Threats count
C:\Documents and Settings\*****\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.Mydoom.m.log 2
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\TransferFiles\oldtower.pst Infected: Trojan-Spy.HTML.Paylap.ev 3
C:\TransferFiles\oldtower.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\TransferFiles\oldtower.pst Infected: Email-Worm.Win32.Mydoom.m.log 2
C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Paylap.ev 3
C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Webmaster\Burned\OldPeregrineTower\Outlook\outlook.pst Infected: Email-Worm.Win32.Mydoom.m.log 2

The selected area was scanned.

#11
miekiemoes

Hi,

Quote

Any idea how to get the text to come out normal while in a browser?
I assume this happens in your Firefox?
See here: http://www.freedomlist.com/forum/viewtopic...p=119058#119058
:P

What Kaspersky found are just some infected mails present in your mail backups (Webmaster\Burned\OldPeregrineTower\Outlook and C:\TransferFiles\oldtower.pst )
You can delete those and create a new backup again.

This one is in your current outlook: C:\Documents and Settings\*****\Local Settings\Application Data\Microsoft\Outlook\archive.pst but in the archive one.

You may ignore this: C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1 it's not a real threat :D

How are things now?

#12
AmyA

Okay, Firefox is all better. I deleted the files and emptied the recycle bin. I think I'm running pretty smooth now. Anything else I should double check? Does anything related to the Kaspersky scan need to be removed? I don't see an app for it so maybe it doesn't leave anything behind. I still have Malwarebytes and SuperAntiSpyware on the machine. Are those cool to stay? Many thanks for all your help!

#13
miekiemoes


Quote

anything related to the Kaspersky scan need to be removed? I don't see an app for it so maybe it doesn't leave anything behind.
Yes, you can delete manually what it found as I explained in my previous post. :P

Quote

I still have Malwarebytes and SuperAntiSpyware on the machine. Are those cool to stay? Many thanks for all your help!
Yes, they are cool to stay. Also read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D

#14
miekiemoes

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




