
Author Topic: I had a lot of similar symptoms here.  (Read 7066 times)


Lucky M

    Topic Starter


    Greenhorn

    I had a lot of similar symptoms here.
    « on: December 08, 2008, 11:43:28 PM »
    Thanks to everyone for the posts and help with these symptoms.  I had ALL of the following on my machine:
    1) Weird sounds playing from ads, without me even on the internet
    2) Internet browser windows linking to inexplicable pages, unprompted by anything
    3) Extreme Slowness
    4) On reboot Windows would often freeze up on the Windows XP or Welcome screen.
    5) "Antivirus 2009" garbage
    6) All helpful antispyware software blocked from downloading, updating, installing, etc.
    7) Websites such as microsoft.com and avg.com won't load.
    8) System Restore capabilities were impacted and lost. 

    With extreme patience, a different internet connection, a zip drive, and lots of luck I was able to walk through the "Malware Removal Guide".  Step "A" was the hardest - I needed to manually update my existing AVG, scan & remove, then uninstall.  I then had luck with the Avast! but only after the AVG quarantined some things and was uninstalled - I could tell it was not working properly.    Then after the Avast! software scanned and did its thing, CCleaner and SAS worked.  Then MBAM would work after the SAS scan.  After completing the steps (IN ORDER ONLY) my machine seems to be running normally, but I wanted to post my logs for the experts to be sure to catch anything that is still hanging.  I'd guess with these viruses I'm not out of the woods yet even with no visible symptoms right now.  Thanks to the pros for your help, and thanks in advance for reviewing my logs.  Everyone hang in there, and I hope I can help someone.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/07/2008 at 11:29 PM

    Application Version : 4.22.1014

    Core Rules Database Version : 3665
    Trace Rules Database Version: 1645

    Scan type       : Complete Scan
    Total Scan Time : 01:29:36

    Memory items scanned      : 355
    Memory threats detected   : 1
    Registry items scanned    : 13055
    Registry threats detected : 172
    File items scanned        : 83040
    File threats detected     : 52

    Adware.Vundo/Variant
       C:\WINDOWS\SYSTEM32\RROZXE.DLL
       C:\WINDOWS\SYSTEM32\RROZXE.DLL
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2322F83-BFE6-481A-8423-8FE206FF26BC}

    Adware.Mirar/NetNucleus
       HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Affiliate
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Show3X
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#ShowType
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#PopupCount
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BlockEnable
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#WalkThrough
       HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
       HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
       C:\WINDOWS\SYSTEM32\WINNB55.DLL
       HKLM\Software\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
       HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
       HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
       HKLM\Software\Microsoft\Internet Explorer\Toolbar#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
       HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
       HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
       HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
       HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
       HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
       HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
       HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
       HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
       HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
       HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
       HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
       HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
       HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
       HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
       HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#DisplayName
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#UninstallString

    Trojan.Vundo-Variant/NextGen-Six
       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2322f83-bfe6-481a-8423-8fe206ff26bc}
       HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}
       HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32
       HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32#ThreadingModel

    Adware.MyWebSearch/FunWebProducts
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\FunWebProducts

    Trojan.DNSChanger-Codec
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\GetModule

    Adware.Vundo Variant/Rel
       HKLM\SOFTWARE\Microsoft\FCOVM
       HKLM\SOFTWARE\Microsoft\RemoveRP
       HKLM\SOFTWARE\Microsoft\MS Juan
       HKLM\SOFTWARE\Microsoft\MS Juan#RID
       HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
       HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
       HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
       HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll
       HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LU
       HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#CT
       HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LT
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
       HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
       HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
       HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
       HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
       HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
       HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
       HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
       HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
       HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
       HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
       HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
       HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
       HKLM\SOFTWARE\Microsoft\contim
       HKLM\SOFTWARE\Microsoft\contim#SysShell
       HKLM\SOFTWARE\Microsoft\MS Track System
       HKLM\SOFTWARE\Microsoft\MS Track System#Uid
       HKLM\SOFTWARE\Microsoft\MS Track System#Shows
       HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
       HKLM\SOFTWARE\Microsoft\MS Track System#Click1
       HKLM\SOFTWARE\Microsoft\rdfa
       HKLM\SOFTWARE\Microsoft\rdfa#F
       HKLM\SOFTWARE\Microsoft\rdfa#N
       C:\WINDOWS\SYSTEM32\NQTWA.INI2

    Rogue.XP AntiSpyware 2009
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\Control Panel\don't load#wscui.cpl [ No ]

    Trojan.Downloader-Gen
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]

    Trojan.Fake-Alert
       C:\Documents and Settings\Melissa\Application Data\gadcom

    Rogue.Component/Trace
       HKLM\Software\Microsoft\40ADE431
       HKLM\Software\Microsoft\40ADE431#40ade431
       HKLM\Software\Microsoft\40ADE431#40ad49b1
       HKLM\Software\Microsoft\40ADE431#40ad2054
       HKLM\Software\Microsoft\40ADE431#Version

    Rogue.AntiVirusPro2009
       HKLM\Software\AntivirusPro2009
       HKLM\Software\AntivirusPro2009#info

    Trojan.Fake-Alert/Trace
       HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\Microsoft\fias4013
       C:\WINDOWS\system32\TDSSfpmp.dll

    Rootkit.TDSServ
       HKLM\SOFTWARE\TDSS
       HKLM\SOFTWARE\TDSS#build
       HKLM\SOFTWARE\TDSS#type
       HKLM\SOFTWARE\TDSS#affid
       HKLM\SOFTWARE\TDSS#subid
       HKLM\SOFTWARE\TDSS#cmddelay
       HKLM\SOFTWARE\TDSS#serversdown
       HKLM\SOFTWARE\TDSS\connections
       HKLM\SOFTWARE\TDSS\connections#2a4fe91c
       HKLM\SOFTWARE\TDSS\connections#87214514
       HKLM\SOFTWARE\TDSS\disallowed
       HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
       HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
       HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
       HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
       HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
       HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
       HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
       HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
       HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
       HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
       HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
       HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
       HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
       HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
       HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
       HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
       HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
       HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
       HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
       HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
       HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
       HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
       HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
       HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
       HKLM\SOFTWARE\TDSS\disallowed#daft.exe
       HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
       HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
       HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
       HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
       HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
       HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
       HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
       HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
       HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
       HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
       HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
       HKLM\SOFTWARE\TDSS\injector
       HKLM\SOFTWARE\TDSS\injector#*
       HKLM\SOFTWARE\TDSS\versions
       HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
       HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged

    Adware.Tracking Cookie
       www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
       www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@azjmp[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@chitika[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@chitika[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@clickbooth[2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@da-tracking[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@directtrack[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@hotbar[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@jamster[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media-servers[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@nextag[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@onlinerewardcenter[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@popularscreensavers[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@precisionclick[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@reduxmedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@smileycentral[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@spamblockerutility[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@yx0banners[1].txt

    Trojan.Fake-Drop/Gen
       C:\WINDOWS\SYSTEM32\MSVBVM31.DLL

    Trojan.Unknown Origin
       C:\WINDOWS\SYSTEM32\TDSSOSVN.DAT
       C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE

    Rootkit.TDSServ-Trace
       C:\WINDOWS\SYSTEM32\TDSSTHYM.LOG
       C:\WINDOWS\SYSTEM32\TDSSTKDV.LOG

    ============================
    Malwarebytes' Anti-Malware 1.31
    Database version: 1475
    Windows 5.1.2600 Service Pack 2

    12/8/2008 9:46:42 PM
    mbam-log-2008-12-08 (21-46-42).txt

    Scan type: Quick Scan
    Objects scanned: 74673
    Time elapsed: 10 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40adf6bf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Melissa\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Melissa\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Melissa\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Melissa\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

    Please find the attached files for other logs.

    Thanks Again for your help.

    [Saving space - attachment deleted by admin]

    CBMatt

    • Mod & Malware Specialist
    Re: I had a lot of similar symptoms here.
    « Reply #1 on: December 10, 2008, 09:54:05 PM »
    Please print these instructions as they will be needed later when Internet access is not available.
     
    Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

    When using this tool, you must use the Administrator's account or an account with Administrative rights
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
     
    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    Lucky M

      Topic Starter


      Greenhorn

      Re: I had a lot of similar symptoms here.
      « Reply #2 on: December 13, 2008, 10:16:04 PM »
      Pasted below is the SDFix Report.txt.

      FYI: I had an error message with the heading:
       16 Bit MS-DOS Subsystem:
                C:\Progra~1\Symantec\S32EVNT1.DLL. An installable Virtual Devise Driver failed Dll initialization.  Choose close to terminate the application.
                                    Close                     Ignore

      After choosing "close" every time this thing popped up in the SDFix process, it seemed to run fine.  Please let me know if I need to do anything different with this.
      I REALLY appreciate your help and time with this.  Here is the log:

      ============================
      SDFix: Version 1.231
      Run by Melissa on Sat 12/13/2008 at 09:49 PM

      Microsoft Windows XP [Version 5.1.2600]
      Running From: C:\SDFix

      Checking Services :


      Restoring Default Security Values
      Restoring Default Hosts File
      Resetting SecurityProviders Value

      Rebooting


      Checking Files :

      No Trojan Files Found




      Folder C:\Program Files\kernel - Removed


      Removing Temp Files

      ADS Check :
       


                                       Final Check :

      catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-12-13 21:59:56
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden services & system hive ...

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
      "start"=dword:00000001
      "type"=dword:00000001
      "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
      "group"="file system"
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
      "start"=dword:00000001
      "type"=dword:00000001
      "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
      "group"="file system"

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
      "TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
      "TDSSl"="\systemroot\system32\TDSSoeqh.dll"
      "tdssservers"="\systemroot\system32\TDSSosvn.dat"
      "tdssmain"="\systemroot\system32\TDSSnrsr.dll"
      "tdsslog"="\systemroot\system32\TDSSriqp.dll"
      "tdssadw"="\systemroot\system32\TDSScfub.dll"
      "tdssinit"="\systemroot\system32\TDSSfpmp.dll"
      "tdssurls"="\systemroot\system32\TDSSnmxh.log"
      "tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
      "tdsserrors"="\systemroot\system32\TDSSthym.log"
      "TDSSproc"="\systemroot\system32\TDSStkdv.log"
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
      "start"=dword:00000001
      "type"=dword:00000001
      "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
      "group"="file system"

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]
      "TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
      "TDSSl"="\systemroot\system32\TDSSoeqh.dll"
      "tdssservers"="\systemroot\system32\TDSSosvn.dat"
      "tdssmain"="\systemroot\system32\TDSSnrsr.dll"
      "tdsslog"="\systemroot\system32\TDSSriqp.dll"
      "tdssadw"="\systemroot\system32\TDSScfub.dll"
      "tdssinit"="\systemroot\system32\TDSSfpmp.dll"
      "tdssurls"="\systemroot\system32\TDSSnmxh.log"
      "tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
      "tdsserrors"="\systemroot\system32\TDSSthym.log"
      "TDSSproc"="\systemroot\system32\TDSStkdv.log"
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
      "start"=dword:00000001
      "type"=dword:00000001
      "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
      "group"="file system"

      scanning hidden registry entries ...

      scanning hidden files ...

      scan completed successfully
      hidden processes: 0
      hidden services: 0
      hidden files: 0


      Remaining Services :




      Authorized Application Key Export:

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
      "C:\\WINDOWS\\system32\\lpyjidcp.exe"="C:\\WINDOWS\\system32\\lpy"
      "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
      "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
      "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
      "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
      "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
      "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:IEXPLORE"
      "C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
      "C:\\WINDOWS\\system32\\ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe:*:Enabled:ctfmon"
      "C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe:*:Enabled:services"
      "C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
      "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
      "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

      Remaining Files :


      File Backups: - C:\SDFix\backups\backups.zip

      Files with Hidden Attributes :


      Finished!
                               

      CBMatt

      • Mod & Malware Specialist
      Re: I had a lot of similar symptoms here.
      « Reply #3 on: December 14, 2008, 08:23:25 PM »
      This particular infection will occasionally corrupt certain files, so that could be the case for your Symantec.  It may require a reinstall or repair.  For the time being, download ComboFix from one of the links on this page:
      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      If you can't access the page, you may need to use another computer and then transfer the file.  Once it's on your computer, do the following...

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      File::
      C:\WINDOWS\system32\drivers\TDSSpaxt.sys
      C:\WINDOWS\system32\TDSSoeqh.dll
      C:\WINDOWS\system32\TDSSosvn.dat
      C:\WINDOWS\system32\TDSSnrsr.dll
      C:\WINDOWS\system32\TDSSriqp.dll
      C:\WINDOWS\system32\TDSScfub.dll
      C:\WINDOWS\system32\TDSSfpmp.dll
      C:\WINDOWS\system32\TDSSnmxh.log
      C:\WINDOWS\system32\TDSSsbhc.dll
      C:\WINDOWS\system32\TDSSthym.log
      C:\WINDOWS\system32\TDSStkdv.log

      Registry::
      [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]

      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]

      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]

      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]

      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply along with a HijackThis log.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
      An undefined problem has an infinite number of solutions.
      - Robert A. Humphrey
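      The CFScript above was built by hand from the catchme "hidden services & system hive" dump in the SDFix report: every file referenced by the TDSSserv.sys service (its imagepath plus the entries under its modules subkey) goes into File::, and every key catchme listed goes into Registry:: as [-key]. The following Python script is an added example written for this page; it is not part of the thread and not a tool from ComboFix, SDFix or GMER. It parses the dump exactly as posted (copied inline from the SDFix report) and derives the same 11 files and 6 keys, which lets a helper cross-check a hand-written script before a user runs it. It assumes the system root is C:\WINDOWS (the log shows Windows XP on C:), and the function names are the example's own. It also reports which control sets carry the service: here CurrentControlSet plus ControlSet002, 003 and 004, which is why booting "Last Known Good Configuration" would not have escaped this driver.

```python
"""Derive ComboFix CFScript File::/Registry:: directives from a catchme service dump."""
import re
from typing import Dict, List, Tuple, Union

# Copied from the SDFix "Final Check" section posted in this thread.
CATCHME_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSoeqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfub.dll"
"tdssinit"="\systemroot\system32\TDSSfpmp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdsserrors"="\systemroot\system32\TDSSthym.log"
"TDSSproc"="\systemroot\system32\TDSStkdv.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSoeqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfub.dll"
"tdssinit"="\systemroot\system32\TDSSfpmp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdsserrors"="\systemroot\system32\TDSSthym.log"
"TDSSproc"="\systemroot\system32\TDSStkdv.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
Entry = Tuple[str, Dict[str, Union[str, int]]]  # (key path, values)

def _decode(raw: str) -> Union[str, int]:
    """dword:XXXXXXXX -> int; str(2):"..." (REG_EXPAND_SZ) or "..." -> str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    raw = re.sub(r"^str\(\d+\):", "", raw)
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def parse_hive_dump(text: str) -> List[Entry]:
    """Return (key path, values) pairs in the order catchme printed them."""
    keys: List[Entry] = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            keys.append((m.group(1), {}))
        elif keys and (m := VALUE_RE.match(line)):
            keys[-1][1][m.group(1)] = _decode(m.group(2))
    return keys

def control_sets(keys: List[Entry]) -> List[str]:
    """Control sets carrying the service; all of them means Last Known Good cannot avoid it."""
    return sorted({k.split("\\")[2] for k, _ in keys if "\\Services\\" in k})

def collect_files(keys: List[Entry], systemroot: str = r"C:\WINDOWS") -> List[str]:
    """Every systemroot-relative path the keys reference, deduplicated, in first-seen order.
    The systemroot default is an assumption taken from the XP log in this thread."""
    files: List[str] = []
    for _, values in keys:
        for v in values.values():
            if isinstance(v, str) and v.lower().startswith("\\systemroot"):
                path = systemroot + v[len("\\systemroot"):]
                if path.lower() not in (f.lower() for f in files):
                    files.append(path)
    return files

def build_cfscript(keys: List[Entry], systemroot: str = r"C:\WINDOWS") -> str:
    """Emit KillAll::/File::/Registry:: in the layout used in this thread ([-key] deletes a key)."""
    lines = ["KillAll::", "", "File::", *collect_files(keys, systemroot), "", "Registry::"]
    for key, _ in keys:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines).rstrip() + "\n"

if __name__ == "__main__":
    parsed = parse_hive_dump(CATCHME_DUMP)
    print("control sets:", ", ".join(control_sets(parsed)))
    print(build_cfscript(parsed))
```

      Running it prints the control sets and a script identical to the one in the post above. The start=1 / type=1 values it decodes mean a kernel driver started by the I/O manager at boot (SERVICE_SYSTEM_START, SERVICE_KERNEL_DRIVER), which is consistent with catchme finding it as a hidden service rather than a hidden process.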

      Lucky M

        Topic Starter


        Greenhorn

        Re: I had a lot of similar symptoms here.
        « Reply #4 on: December 15, 2008, 12:01:53 AM »
        Thanks again for your help.  ComboFix log is attached - too long to post.

        Hijackthis:
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 11:45:57 PM, on 12/14/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
        C:\Program Files\Analog Devices\Core\smax4pnp.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Java\jre6\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\WINDOWS\explorer.exe
        C:\WINDOWS\system32\notepad.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=&lang=en
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
        O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
        O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
        O20 - AppInit_DLLs: karna.dat,rrozxe.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

        --
        End of file - 4952 bytes


        [Saving space - attachment deleted by admin]

        CBMatt (Mod & Malware Specialist)
        Re: I had a lot of similar symptoms here.
        « Reply #5 on: December 15, 2008, 01:21:28 AM »
        Well, your HijackThis looks pretty good, but your ComboFix is another story.  But no worries, I identified many bad files and we will now instruct ComboFix to remove them.  Copy the text in the box below and create a new CFScript file...

        Code:
        KillAll::

        Folder::
        C:\Program Files\malwareremovalbot

        File::
        C:\Program Files\malwareremovalbot\malwareremovalbot.exe
        C:\WINDOWS\system32\qomfeffe.dll
        C:\WINDOWS\system32\f0rb45pe.exe
        C:\WINDOWS\system32\oygl44yr.exe
        C:\WINDOWS\system32\r7q7v4nc.exe
        C:\WINDOWS\system32\sysvxd.exe
        C:\WINDOWS\system32\karna.dat
        C:\WINDOWS\system32\rrozxe.dll
        C:\WINDOWS\system32\geBuRKcB.dll
        c:\windows\Tasks\At8.job
        c:\windows\Tasks\At9.job
        c:\windows\Tasks\At10.job
        c:\windows\Tasks\At11.job
        c:\windows\Tasks\At12.job
        c:\windows\Tasks\At13.job
        c:\windows\Tasks\At14.job
        c:\windows\Tasks\At15.job
        c:\windows\Tasks\At16.job
        c:\windows\Tasks\At17.job
        c:\windows\Tasks\At18.job
        c:\windows\Tasks\At19.job
        c:\windows\Tasks\At20.job
        c:\windows\Tasks\At21.job
        c:\windows\Tasks\At22.job
        c:\windows\Tasks\At23.job
        c:\windows\Tasks\At24.job
        c:\windows\Tasks\At25.job
        c:\windows\Tasks\At26.job
        c:\windows\Tasks\At27.job
        c:\windows\Tasks\At28.job
        c:\windows\Tasks\At29.job
        c:\windows\Tasks\At30.job
        c:\windows\Tasks\At31.job
        c:\windows\Tasks\At32.job
        c:\windows\Tasks\At33.job
        c:\windows\Tasks\At34.job
        c:\windows\Tasks\At35.job
        c:\windows\Tasks\At36.job
        c:\windows\Tasks\At37.job
        c:\windows\Tasks\At38.job
        c:\windows\Tasks\At39.job
        c:\windows\Tasks\At40.job
        c:\windows\Tasks\At41.job
        c:\windows\Tasks\At42.job
        c:\windows\Tasks\At43.job
        c:\windows\Tasks\At44.job
        c:\windows\Tasks\At45.job
        c:\windows\Tasks\At46.job
        c:\windows\Tasks\At47.job
        c:\windows\Tasks\At48.job
        c:\windows\Tasks\At49.job
        c:\windows\Tasks\At50.job
        c:\windows\Tasks\At51.job
        c:\windows\Tasks\At52.job
        c:\windows\Tasks\At53.job
        c:\windows\Tasks\At54.job
        c:\windows\Tasks\At55.job
        c:\windows\Tasks\At56.job
        c:\windows\Tasks\At57.job
        c:\windows\Tasks\At58.job
        c:\windows\Tasks\At59.job
        c:\windows\Tasks\At60.job
        c:\windows\Tasks\At61.job
        c:\windows\Tasks\At62.job
        c:\windows\Tasks\At63.job
        c:\windows\Tasks\At64.job
        c:\windows\Tasks\At65.job
        c:\windows\Tasks\At66.job
        c:\windows\Tasks\At67.job
        c:\windows\Tasks\At68.job
        c:\windows\Tasks\At69.job
        c:\windows\Tasks\At70.job
        c:\windows\Tasks\At71.job
        c:\windows\Tasks\At72.job
        c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

        Registry::
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=-

        Then go ahead and follow the same instructions from my previous post.  A new HijackThis log isn't necessary, but I would like to see the new ComboFix log.

          Lucky M (Topic Starter)
          Re: I had a lot of similar symptoms here.
          « Reply #6 on: December 15, 2008, 10:00:37 PM »
          Thank You - Posted below is my new ComboFix log:

          ComboFix 08-12-14.04 - Melissa 2008-12-15 21:41:26.2 - NTFSx86
          Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.205 [GMT -7:00]
          Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt
           * Created a new restore point

          FILE ::
          c:\program files\malwareremovalbot\malwareremovalbot.exe
          c:\windows\system32\f0rb45pe.exe
          c:\windows\system32\geBuRKcB.dll
          c:\windows\system32\karna.dat
          c:\windows\system32\oygl44yr.exe
          c:\windows\system32\qomfeffe.dll
          c:\windows\system32\r7q7v4nc.exe
          c:\windows\system32\rrozxe.dll
          c:\windows\system32\sysvxd.exe
          c:\windows\Tasks\At10.job
          c:\windows\Tasks\At11.job
          c:\windows\Tasks\At12.job
          c:\windows\Tasks\At13.job
          c:\windows\Tasks\At14.job
          c:\windows\Tasks\At15.job
          c:\windows\Tasks\At16.job
          c:\windows\Tasks\At17.job
          c:\windows\Tasks\At18.job
          c:\windows\Tasks\At19.job
          c:\windows\Tasks\At20.job
          c:\windows\Tasks\At21.job
          c:\windows\Tasks\At22.job
          c:\windows\Tasks\At23.job
          c:\windows\Tasks\At24.job
          c:\windows\Tasks\At25.job
          c:\windows\Tasks\At26.job
          c:\windows\Tasks\At27.job
          c:\windows\Tasks\At28.job
          c:\windows\Tasks\At29.job
          c:\windows\Tasks\At30.job
          c:\windows\Tasks\At31.job
          c:\windows\Tasks\At32.job
          c:\windows\Tasks\At33.job
          c:\windows\Tasks\At34.job
          c:\windows\Tasks\At35.job
          c:\windows\Tasks\At36.job
          c:\windows\Tasks\At37.job
          c:\windows\Tasks\At38.job
          c:\windows\Tasks\At39.job
          c:\windows\Tasks\At40.job
          c:\windows\Tasks\At41.job
          c:\windows\Tasks\At42.job
          c:\windows\Tasks\At43.job
          c:\windows\Tasks\At44.job
          c:\windows\Tasks\At45.job
          c:\windows\Tasks\At46.job
          c:\windows\Tasks\At47.job
          c:\windows\Tasks\At48.job
          c:\windows\Tasks\At49.job
          c:\windows\Tasks\At50.job
          c:\windows\Tasks\At51.job
          c:\windows\Tasks\At52.job
          c:\windows\Tasks\At53.job
          c:\windows\Tasks\At54.job
          c:\windows\Tasks\At55.job
          c:\windows\Tasks\At56.job
          c:\windows\Tasks\At57.job
          c:\windows\Tasks\At58.job
          c:\windows\Tasks\At59.job
          c:\windows\Tasks\At60.job
          c:\windows\Tasks\At61.job
          c:\windows\Tasks\At62.job
          c:\windows\Tasks\At63.job
          c:\windows\Tasks\At64.job
          c:\windows\Tasks\At65.job
          c:\windows\Tasks\At66.job
          c:\windows\Tasks\At67.job
          c:\windows\Tasks\At68.job
          c:\windows\Tasks\At69.job
          c:\windows\Tasks\At70.job
          c:\windows\Tasks\At71.job
          c:\windows\Tasks\At72.job
          c:\windows\Tasks\At8.job
          c:\windows\Tasks\At9.job
          c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\windows\Tasks\At10.job
          c:\windows\Tasks\At11.job
          c:\windows\Tasks\At12.job
          c:\windows\Tasks\At13.job
          c:\windows\Tasks\At14.job
          c:\windows\Tasks\At15.job
          c:\windows\Tasks\At16.job
          c:\windows\Tasks\At17.job
          c:\windows\Tasks\At18.job
          c:\windows\Tasks\At19.job
          c:\windows\Tasks\At20.job
          c:\windows\Tasks\At21.job
          c:\windows\Tasks\At22.job
          c:\windows\Tasks\At23.job
          c:\windows\Tasks\At24.job
          c:\windows\Tasks\At25.job
          c:\windows\Tasks\At26.job
          c:\windows\Tasks\At27.job
          c:\windows\Tasks\At28.job
          c:\windows\Tasks\At29.job
          c:\windows\Tasks\At30.job
          c:\windows\Tasks\At31.job
          c:\windows\Tasks\At32.job
          c:\windows\Tasks\At33.job
          c:\windows\Tasks\At34.job
          c:\windows\Tasks\At35.job
          c:\windows\Tasks\At36.job
          c:\windows\Tasks\At37.job
          c:\windows\Tasks\At38.job
          c:\windows\Tasks\At39.job
          c:\windows\Tasks\At40.job
          c:\windows\Tasks\At41.job
          c:\windows\Tasks\At42.job
          c:\windows\Tasks\At43.job
          c:\windows\Tasks\At44.job
          c:\windows\Tasks\At45.job
          c:\windows\Tasks\At46.job
          c:\windows\Tasks\At47.job
          c:\windows\Tasks\At48.job
          c:\windows\Tasks\At49.job
          c:\windows\Tasks\At50.job
          c:\windows\Tasks\At51.job
          c:\windows\Tasks\At52.job
          c:\windows\Tasks\At53.job
          c:\windows\Tasks\At54.job
          c:\windows\Tasks\At55.job
          c:\windows\Tasks\At56.job
          c:\windows\Tasks\At57.job
          c:\windows\Tasks\At58.job
          c:\windows\Tasks\At59.job
          c:\windows\Tasks\At60.job
          c:\windows\Tasks\At61.job
          c:\windows\Tasks\At62.job
          c:\windows\Tasks\At63.job
          c:\windows\Tasks\At64.job
          c:\windows\Tasks\At65.job
          c:\windows\Tasks\At66.job
          c:\windows\Tasks\At67.job
          c:\windows\Tasks\At68.job
          c:\windows\Tasks\At69.job
          c:\windows\Tasks\At70.job
          c:\windows\Tasks\At71.job
          c:\windows\Tasks\At72.job
          c:\windows\Tasks\At8.job
          c:\windows\Tasks\At9.job
          c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

          .
          (((((((((((((((((((((((((   Files Created from 2008-11-16 to 2008-12-16  )))))))))))))))))))))))))))))))
          .

          2008-12-13 21:47 . 2008-12-13 21:47   577,024   --a--c---   c:\windows\system32\dllcache\user32.dll
          2008-12-13 21:42 . 2008-12-13 21:43   <DIR>   d--------   c:\windows\ERUNT
          2008-12-13 21:29 . 2008-12-13 22:04   <DIR>   d--------   C:\SDFix
          2008-12-08 22:25 . 2008-12-08 22:25   <DIR>   d--------   c:\program files\Trend Micro
          2008-12-08 22:22 . 2008-12-08 22:22   410,984   --a------   c:\windows\system32\deploytk.dll
          2008-12-08 22:22 . 2008-12-08 22:22   73,728   --a------   c:\windows\system32\javacpl.cpl
          2008-12-08 19:04 . 2008-12-08 19:06   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
          2008-12-08 19:04 . 2008-12-03 19:52   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
          2008-12-08 19:04 . 2008-12-03 19:52   15,504   --a------   c:\windows\system32\drivers\mbam.sys
          2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\program files\SUPERAntiSpyware
          2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com
          2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2008-12-07 21:52 . 2008-12-07 21:52   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
          2008-12-02 21:20 . 2008-12-02 21:20   <DIR>   d--------   c:\program files\Alwil Software
          2008-12-01 01:01 . 2004-08-04 00:56   380,416   --a------   c:\windows\system32\irprops.cpl
          2008-12-01 01:01 . 2004-08-04 00:56   162,304   --a------   c:\windows\system32\wuaucpl.cpl
          2008-12-01 00:52 . 2004-07-17 11:40   19,528   --a------   c:\windows\002405_.tmp
          2008-11-30 23:54 . 2008-11-30 23:54   <DIR>   d--------   c:\program files\CCleaner
          2008-11-30 19:37 . 2004-02-10 10:50   155,648   --a------   c:\windows\system32\igfxres.dll
          2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winzm.ime
          2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winsp.ime
          2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winpy.ime
          2008-11-30 19:22 . 2004-08-03 23:04   79,360   --a--c---   c:\windows\system32\dllcache\winar30.ime
          2008-11-30 19:22 . 2003-07-16 13:23   69,120   --a--c---   c:\windows\system32\dllcache\wingb.ime
          2008-11-30 19:22 . 2004-08-03 23:04   65,536   --a--c---   c:\windows\system32\dllcache\winime.ime
          2008-11-30 19:22 . 2003-07-16 13:51   41,600   --a--c---   c:\windows\system32\dllcache\weitekp9.dll
          2008-11-30 19:22 . 2003-07-16 13:51   31,232   --a--c---   c:\windows\system32\dllcache\weitekp9.sys
          2008-11-30 19:20 . 2003-07-16 13:22   10,129,408   --a--c---   c:\windows\system32\dllcache\hwxkor.dll
          2008-11-30 19:19 . 2003-07-16 13:22   13,463,552   --a--c---   c:\windows\system32\dllcache\hwxjpn.dll
          2008-11-30 19:18 . 2001-08-17 22:36   2,134,528   --a--c---   c:\windows\system32\dllcache\EXCH_smtpsnap.dll
          2008-11-30 19:18 . 2001-08-17 22:36   175,104   --a--c---   c:\windows\system32\dllcache\EXCH_smtpadm.dll
          2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0804.dll
          2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0412.dll
          2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0411.dll
          2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt040d.dll
          2008-11-30 19:18 . 2003-07-16 13:23   19,456   --a--c---   c:\windows\system32\dllcache\agt0404.dll
          2008-11-30 19:18 . 2003-07-16 13:23   19,456   --a--c---   c:\windows\system32\dllcache\agt0401.dll
          2008-11-30 19:18 . 2001-08-17 22:36   5,632   --a--c---   c:\windows\system32\dllcache\EXCH_adsiisex.dll
          2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\WindowsShell.Manifest
          2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\wuaucpl.cpl.manifest
          2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\sapi.cpl.manifest
          2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\ncpa.cpl.manifest
          2008-11-30 19:06 . 2008-11-30 19:06   488   -rah-----   c:\windows\system32\logonui.exe.manifest
          2008-11-30 19:03 . 2004-08-04 00:56   949,248   --a------   c:\windows\system32\msdtctm.dll
          2008-11-30 19:02 . 2004-08-04 00:56   1,251,840   --a------   c:\windows\system32\comsvcs.dll
          2008-11-30 18:26 . 2003-07-16 13:39   1,086,182   -ra------   c:\windows\SETE8.tmp
          2008-11-30 18:26 . 2003-07-16 13:30   13,608   -ra------   c:\windows\SETF4.tmp
          2008-11-30 18:26 . 2003-07-16 13:54   7,046   -ra------   c:\windows\SET106.tmp
          2008-11-30 16:35 . 2004-08-03 23:07   6,400   --a------   c:\windows\system32\drivers\splitter.sys
          2008-11-30 16:34 . 2004-08-03 22:59   57,472   --a------   c:\windows\system32\drivers\redbook.sys
          2008-11-30 16:34 . 2004-08-03 23:07   52,864   --a------   c:\windows\system32\drivers\dmusic.sys
          2008-11-30 16:32 . 2004-08-04 00:56   130,048   --a------   c:\windows\system32\ksproxy.ax
          2008-11-30 16:32 . 2004-08-04 00:56   4,096   --a------   c:\windows\system32\ksuser.dll
          2008-11-30 16:31 . 2004-08-04 01:01   40,840   --a------   c:\windows\system32\drivers\termdd.sys
          2008-11-30 16:26 . 2008-11-30 16:26   <DIR>   d---s----   c:\windows\system32\config\systemprofile\History
          2008-11-22 18:22 . 2008-11-22 18:22   <DIR>   d--------   c:\program files\Western Digital
          2008-11-22 18:21 . 2008-11-22 18:21   <DIR>   d--------   c:\program files\Common Files\eSellerate
          2008-11-22 18:19 . 2008-12-02 20:19   <DIR>   d---s----   c:\documents and settings\All Users\Application Data\Memeo
          2008-11-22 18:15 . 2008-11-22 18:15   <DIR>   d--------   c:\program files\Western Digital Technologies
          2008-11-17 17:04 . 2008-11-17 17:04   <DIR>   d--------   c:\documents and settings\Melissa\Application Data\MalwareRemovalBot

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-12-09 05:22   ---------   d-----w   c:\program files\Java
          2008-12-03 05:46   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
          2008-12-02 00:54   ---------   d-----w   c:\program files\Common Files\Symantec Shared
          2008-11-23 01:22   ---------   d--h--w   c:\program files\InstallShield Installation Information
          2008-11-17 23:07   2,002   ----a-w   c:\windows\Sysvxd.exe
          2008-11-15 22:34   ---------   d-----w   c:\program files\Windows Live Safety Center
          2008-11-11 22:59   ---------   d-----w   c:\documents and settings\Melissa\Application Data\NLOP
          .

          ------- Sigcheck -------

          2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   c:\windows\ServicePackFiles\i386\ip6fw.sys
          2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys
          2008-04-13 11:53  36608  3bb22519a194418d5fec05d800a19ad0   c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
          2008-04-13 11:53  36608  3bb22519a194418d5fec05d800a19ad0   c:\windows\system32\drivers\ip6fw.sys
          .
          (((((((((((((((((((((((((((((   snapshot@2008-12-14_23.31.45.98   )))))))))))))))))))))))))))))))))))))))))
          .
          + 2008-12-16 04:48:26   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_56c.dat
          + 2008-12-16 04:48:44   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_6f8.dat
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
          "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
          "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\WINDOWS\\system32\\services.exe"=

          R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160]
          R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
          R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
          R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
          S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
          .
          Contents of the 'Scheduled Tasks' folder

          2008-12-15 c:\windows\Tasks\At3.job
          - c:\windows\system32\f0Rb45Pe.exe []

          2008-12-15 c:\windows\Tasks\At4.job
          - c:\windows\system32\f0Rb45Pe.exe []

          2008-12-15 c:\windows\Tasks\At5.job
          - c:\windows\system32\f0Rb45Pe.exe []

          2008-12-15 c:\windows\Tasks\At6.job
          - c:\windows\system32\f0Rb45Pe.exe []

          2008-12-15 c:\windows\Tasks\At7.job
          - c:\windows\system32\f0Rb45Pe.exe []

          2008-12-16 c:\windows\Tasks\XoftSpySE 2.job
          - c:\program files\XoftSpySE\XoftSpy.exe []
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com
          uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=&lang=en
          FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\
          FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
          FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
          FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
          FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
          FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
          .

          **************************************************************************

          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-12-15 21:48:38
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(616)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Alwil Software\Avast4\aswUpdSv.exe
          c:\program files\Alwil Software\Avast4\ashServ.exe
          c:\program files\Cisco Systems\VPN Client\cvpnd.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          c:\program files\Alwil Software\Avast4\ashMaiSv.exe
          c:\program files\Alwil Software\Avast4\ashWebSv.exe
          .
          **************************************************************************
          .
          Completion time: 2008-12-15 21:53:24 - machine was rebooted
          ComboFix-quarantined-files.txt  2008-12-16 04:53:20
          ComboFix2.txt  2008-12-15 06:32:40

          Pre-Run: 57,830,338,560 bytes free
          Post-Run: 57,821,102,080 bytes free

          323   --- E O F ---   2008-10-27 02:53:48

          CBMatt (Mod & Malware Specialist)
          Re: I had a lot of similar symptoms here.
          « Reply #7 on: December 15, 2008, 10:32:05 PM »
          There are still some traces of the infection, but we've worn it down quite a bit.  Let's try one more CFScript...

          Code:
          KillAll::

          File::
          c:\windows\Tasks\At3.job
          c:\windows\Tasks\At4.job
          c:\windows\Tasks\At5.job
          c:\windows\Tasks\At6.job
          c:\windows\Tasks\At7.job
          c:\windows\system32\f0Rb45Pe.exe

          Do the same thing with this CFScript as you did with the previous two.
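As an added example for this thread (not code from the original posts, from ComboFix or from HijackThis), the Python script below shows the triage logic behind the two CFScripts above: it reads HijackThis/ComboFix log text, pulls out the DLLs listed on the O20 AppInit_DLLs line and the at.exe-created At<N>.job tasks that launch a random-named executable from system32, and prints a CFScript in the same KillAll::/File::/Registry:: form the helper used. The log text embedded in it is constructed from entries visible in this thread; the "random-looking name" heuristic and the assumption that bare AppInit_DLLs names resolve to c:\windows\system32 are the example's own, not anything the tools guarantee.

```python
"""Triage helper for HijackThis / ComboFix log excerpts.

Added example for this thread (not part of the original posts or of the
ComboFix/HijackThis tools). It flags two persistence mechanisms seen here:
AppInit_DLLs (HijackThis O20 line) and at.exe-created scheduled tasks
(ComboFix "Scheduled Tasks" section), then emits a CFScript fragment.
"""
import re

# Constructed sample, assembled from entries visible in the thread.
SAMPLE_LOG = """\
O20 - AppInit_DLLs: karna.dat,rrozxe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\\windows\\Tasks\\At3.job
- c:\\windows\\system32\\f0Rb45Pe.exe []

2008-12-15 c:\\windows\\Tasks\\At4.job
- c:\\windows\\system32\\f0Rb45Pe.exe []

2008-12-16 c:\\windows\\Tasks\\XoftSpySE 2.job
- c:\\program files\\XoftSpySE\\XoftSpy.exe []
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.+?)\s*$", re.M)
# ComboFix prints each task as "<date> <job path>" followed by "- <target> []".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+?\.job)\r?\n- (?P<target>.+?) \[", re.M)
# Jobs named At<N>.job are what at.exe creates; malware abuses it for reruns.
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.I)
# Heuristic (this example's own): an 8-char basename mixing letters and digits,
# like f0Rb45Pe.exe, is treated as a generated name.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.exe$", re.I)


def appinit_dlls(log):
    """Return the DLL names loaded via AppInit_DLLs (empty list if unset)."""
    m = APPINIT_RE.search(log)
    if not m:
        return []
    return [d.strip() for d in m.group(1).split(",") if d.strip()]


def suspicious_tasks(log):
    """Return (job, target) pairs for At<N>.job tasks that launch a
    random-named executable out of system32."""
    found = []
    for m in TASK_RE.finditer(log):
        job, target = m.group("job"), m.group("target")
        basename = target.rsplit("\\", 1)[-1]
        if (AT_JOB_RE.search(job) and RANDOM_NAME_RE.match(basename)
                and "\\system32\\" in target.lower()):
            found.append((job, target))
    return found


def build_cfscript(log, system32=r"c:\windows\system32"):
    """Compose a CFScript in the KillAll::/File::/Registry:: form used above.
    Bare AppInit_DLLs names are assumed to live in system32 (an assumption)."""
    lines = ["KillAll::", "", "File::"]
    tasks = suspicious_tasks(log)
    for job, _ in tasks:
        lines.append(job)
    for target in sorted({t for _, t in tasks}):
        lines.append(target)
    dlls = appinit_dlls(log)
    for d in dlls:
        lines.append(f"{system32}\\{d}")
    if dlls:
        # Clearing the value stops the loader injecting the DLLs into every
        # user32-linked process, which is what made the AV tools fail earlier.
        lines += ["", "Registry::",
                  r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                  '"AppInit_DLLs"=-']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run it as-is to see the generated script; in practice you would paste the full ComboFix and HijackThis logs into `build_cfscript` and review each flagged path by hand before feeding anything to ComboFix, since the random-name heuristic is deliberately loose and will not catch a dropper that picks a plausible-looking filename.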

            Lucky M (Topic Starter)
            Re: I had a lot of similar symptoms here.
            « Reply #8 on: December 16, 2008, 10:18:41 PM »
            TYVM. Sorry my machine was such an infected mess to start with.  Pasted below is my new ComboFix log:

            ComboFix 08-12-14.04 - Melissa 2008-12-16 21:43:31.3 - NTFSx86
            Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.222 [GMT -7:00]
            Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt
             * Created a new restore point

            FILE ::
            c:\windows\system32\f0Rb45Pe.exe
            c:\windows\Tasks\At3.job
            c:\windows\Tasks\At4.job
            c:\windows\Tasks\At5.job
            c:\windows\Tasks\At6.job
            c:\windows\Tasks\At7.job
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\Tasks\At3.job
            c:\windows\Tasks\At4.job
            c:\windows\Tasks\At5.job
            c:\windows\Tasks\At6.job
            c:\windows\Tasks\At7.job

            .
            (((((((((((((((((((((((((   Files Created from 2008-11-17 to 2008-12-17  )))))))))))))))))))))))))))))))
            .

            2008-12-13 21:47 . 2008-12-13 21:47   577,024   --a--c---   c:\windows\system32\dllcache\user32.dll
            2008-12-13 21:42 . 2008-12-13 21:43   <DIR>   d--------   c:\windows\ERUNT
            2008-12-13 21:29 . 2008-12-13 22:04   <DIR>   d--------   C:\SDFix
            2008-12-08 22:25 . 2008-12-08 22:25   <DIR>   d--------   c:\program files\Trend Micro
            2008-12-08 22:22 . 2008-12-08 22:22   410,984   --a------   c:\windows\system32\deploytk.dll
            2008-12-08 22:22 . 2008-12-08 22:22   73,728   --a------   c:\windows\system32\javacpl.cpl
            2008-12-08 19:04 . 2008-12-08 19:06   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
            2008-12-08 19:04 . 2008-12-03 19:52   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
            2008-12-08 19:04 . 2008-12-03 19:52   15,504   --a------   c:\windows\system32\drivers\mbam.sys
            2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\program files\SUPERAntiSpyware
            2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com
            2008-12-07 21:53 . 2008-12-07 21:53   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2008-12-07 21:52 . 2008-12-07 21:52   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
            2008-12-02 21:20 . 2008-12-02 21:20   <DIR>   d--------   c:\program files\Alwil Software
            2008-12-01 01:01 . 2004-08-04 00:56   380,416   --a------   c:\windows\system32\irprops.cpl
            2008-12-01 01:01 . 2004-08-04 00:56   162,304   --a------   c:\windows\system32\wuaucpl.cpl
            2008-12-01 00:52 . 2004-07-17 11:40   19,528   --a------   c:\windows\002405_.tmp
            2008-11-30 23:54 . 2008-11-30 23:54   <DIR>   d--------   c:\program files\CCleaner
            2008-11-30 19:37 . 2004-02-10 10:50   155,648   --a------   c:\windows\system32\igfxres.dll
            2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winzm.ime
            2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winsp.ime
            2008-11-30 19:22 . 2004-08-03 23:04   156,672   --a--c---   c:\windows\system32\dllcache\winpy.ime
            2008-11-30 19:22 . 2004-08-03 23:04   79,360   --a--c---   c:\windows\system32\dllcache\winar30.ime
            2008-11-30 19:22 . 2003-07-16 13:23   69,120   --a--c---   c:\windows\system32\dllcache\wingb.ime
            2008-11-30 19:22 . 2004-08-03 23:04   65,536   --a--c---   c:\windows\system32\dllcache\winime.ime
            2008-11-30 19:22 . 2003-07-16 13:51   41,600   --a--c---   c:\windows\system32\dllcache\weitekp9.dll
            2008-11-30 19:22 . 2003-07-16 13:51   31,232   --a--c---   c:\windows\system32\dllcache\weitekp9.sys
            2008-11-30 19:20 . 2003-07-16 13:22   10,129,408   --a--c---   c:\windows\system32\dllcache\hwxkor.dll
            2008-11-30 19:19 . 2003-07-16 13:22   13,463,552   --a--c---   c:\windows\system32\dllcache\hwxjpn.dll
            2008-11-30 19:18 . 2001-08-17 22:36   2,134,528   --a--c---   c:\windows\system32\dllcache\EXCH_smtpsnap.dll
            2008-11-30 19:18 . 2001-08-17 22:36   175,104   --a--c---   c:\windows\system32\dllcache\EXCH_smtpadm.dll
            2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0804.dll
            2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0412.dll
            2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt0411.dll
            2008-11-30 19:18 . 2003-07-16 13:24   19,456   --a--c---   c:\windows\system32\dllcache\agt040d.dll
            2008-11-30 19:18 . 2003-07-16 13:23   19,456   --a--c---   c:\windows\system32\dllcache\agt0404.dll
            2008-11-30 19:18 . 2003-07-16 13:23   19,456   --a--c---   c:\windows\system32\dllcache\agt0401.dll
            2008-11-30 19:18 . 2001-08-17 22:36   5,632   --a--c---   c:\windows\system32\dllcache\EXCH_adsiisex.dll
            2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\WindowsShell.Manifest
            2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\wuaucpl.cpl.manifest
            2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\sapi.cpl.manifest
            2008-11-30 19:06 . 2008-11-30 19:06   749   -rah-----   c:\windows\system32\ncpa.cpl.manifest
            2008-11-30 19:06 . 2008-11-30 19:06   488   -rah-----   c:\windows\system32\logonui.exe.manifest
            2008-11-30 19:03 . 2004-08-04 00:56   949,248   --a------   c:\windows\system32\msdtctm.dll
            2008-11-30 19:02 . 2004-08-04 00:56   1,251,840   --a------   c:\windows\system32\comsvcs.dll
            2008-11-30 18:26 . 2003-07-16 13:39   1,086,182   -ra------   c:\windows\SETE8.tmp
            2008-11-30 18:26 . 2003-07-16 13:30   13,608   -ra------   c:\windows\SETF4.tmp
            2008-11-30 18:26 . 2003-07-16 13:54   7,046   -ra------   c:\windows\SET106.tmp
            2008-11-30 16:35 . 2004-08-03 23:07   6,400   --a------   c:\windows\system32\drivers\splitter.sys
            2008-11-30 16:34 . 2004-08-03 22:59   57,472   --a------   c:\windows\system32\drivers\redbook.sys
            2008-11-30 16:34 . 2004-08-03 23:07   52,864   --a------   c:\windows\system32\drivers\dmusic.sys
            2008-11-30 16:32 . 2004-08-04 00:56   130,048   --a------   c:\windows\system32\ksproxy.ax
            2008-11-30 16:32 . 2004-08-04 00:56   4,096   --a------   c:\windows\system32\ksuser.dll
            2008-11-30 16:31 . 2004-08-04 01:01   40,840   --a------   c:\windows\system32\drivers\termdd.sys
            2008-11-30 16:26 . 2008-11-30 16:26   <DIR>   d---s----   c:\windows\system32\config\systemprofile\History
            2008-11-22 18:22 . 2008-11-22 18:22   <DIR>   d--------   c:\program files\Western Digital
            2008-11-22 18:21 . 2008-11-22 18:21   <DIR>   d--------   c:\program files\Common Files\eSellerate
            2008-11-22 18:19 . 2008-12-02 20:19   <DIR>   d---s----   c:\documents and settings\All Users\Application Data\Memeo
            2008-11-22 18:15 . 2008-11-22 18:15   <DIR>   d--------   c:\program files\Western Digital Technologies
            2008-11-17 17:04 . 2008-11-17 17:04   <DIR>   d--------   c:\documents and settings\Melissa\Application Data\MalwareRemovalBot

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-12-09 05:22   ---------   d-----w   c:\program files\Java
            2008-12-03 05:46   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
            2008-12-02 00:54   ---------   d-----w   c:\program files\Common Files\Symantec Shared
            2008-11-23 01:22   ---------   d--h--w   c:\program files\InstallShield Installation Information
            2008-11-17 23:07   2,002   ----a-w   c:\windows\Sysvxd.exe
            2008-11-15 22:34   ---------   d-----w   c:\program files\Windows Live Safety Center
            2008-11-11 22:59   ---------   d-----w   c:\documents and settings\Melissa\Application Data\NLOP
            .

            ------- Sigcheck -------

            2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   c:\windows\ServicePackFiles\i386\ip6fw.sys
            2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys
            2008-04-13 11:53  36608  3bb22519a194418d5fec05d800a19ad0   c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
            2008-04-13 11:53  36608  3bb22519a194418d5fec05d800a19ad0   c:\windows\system32\drivers\ip6fw.sys
            .
            (((((((((((((((((((((((((((((   snapshot@2008-12-14_23.31.45.98   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2008-12-17 04:50:32   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_630.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
            "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
            "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
            "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
            "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
            "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\Messenger\\msmsgs.exe"=
            "c:\\WINDOWS\\system32\\services.exe"=

            R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160]
            R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
            R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
            R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
            S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
            .
            Contents of the 'Scheduled Tasks' folder

            2008-12-17 c:\windows\Tasks\XoftSpySE 2.job
            - c:\program files\XoftSpySE\XoftSpy.exe []
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com
            uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=&lang=en
            FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\
            FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
            FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
            FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
            .

            **************************************************************************

            catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-12-16 21:50:42
            Windows 5.1.2600 Service Pack 2 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(648)
            c:\program files\SUPERAntiSpyware\SASWINLO.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Alwil Software\Avast4\aswUpdSv.exe
            c:\program files\Alwil Software\Avast4\ashServ.exe
            c:\program files\Cisco Systems\VPN Client\cvpnd.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            c:\program files\Alwil Software\Avast4\ashMaiSv.exe
            c:\program files\Alwil Software\Avast4\ashWebSv.exe
            .
            **************************************************************************
            .
            Completion time: 2008-12-16 21:55:26 - machine was rebooted
            ComboFix-quarantined-files.txt  2008-12-17 04:55:22
            ComboFix2.txt  2008-12-16 04:53:27
            ComboFix3.txt  2008-12-15 06:32:40

            Pre-Run: 57,796,665,344 bytes free
            Post-Run: 57,786,298,368 bytes free

            183   --- E O F ---   2008-10-27 02:53:48
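One check worth running on a ComboFix log like the one above: compare the CFScript "FILE ::" request list against the "Other Deletions" section to see which requested paths ComboFix actually reported removing (in the posted log the At*.job tasks appear in both, while f0Rb45Pe.exe appears only in the request). The Python parser below is an added example, not part of the thread or of ComboFix; the embedded log is a constructed, trimmed stand-in for the posted one.

```python
import re
from typing import Dict, List, Tuple

# Constructed, trimmed stand-in for the ComboFix log posted above (not the
# full log): the CFScript 'FILE ::' request list and the 'Other Deletions' result.
SAMPLE_LOG = """\
Command switches used :: c:\\documents and settings\\Melissa\\Desktop\\CFScript.txt
 * Created a new restore point

FILE ::
c:\\windows\\system32\\f0Rb45Pe.exe
c:\\windows\\Tasks\\At3.job
c:\\windows\\Tasks\\At4.job
.
(((((((((((((   Other Deletions   )))))))))))))
.
c:\\windows\\Tasks\\At3.job
c:\\windows\\Tasks\\At4.job
.
(((((((((((((   Files Created from 2008-11-17 to 2008-12-17  )))))))))))))
.
"""

# ComboFix marks each section with a '((( Title )))' banner line.
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section title: non-empty lines}.
    The 'FILE ::' block is keyed 'FILE'; text before any banner is 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":  # skip blank lines and '.' spacers
            continue
        banner = BANNER_RE.match(line)
        if banner or line == "FILE ::":
            current = banner.group(1) if banner else "FILE"
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def check_requested_deletions(log: str) -> Tuple[List[str], List[str]]:
    """Cross-check the CFScript 'FILE ::' list against 'Other Deletions'.
    Returns (confirmed, unconfirmed); an unconfirmed path was requested but not
    reported deleted (already gone, locked, or hidden), so verify it by hand."""
    sections = parse_sections(log)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    requested = sections.get("FILE", [])
    confirmed = [p for p in requested if p.lower() in deleted]
    unconfirmed = [p for p in requested if p.lower() not in deleted]
    return confirmed, unconfirmed
```

Paste a full log into `check_requested_deletions` to get the same two lists; anything in the unconfirmed list is what to look for again after the reboot.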

            CBMatt

            • Mod & Malware Specialist
            Re: I had a lot of similar symptoms here.
            « Reply #9 on: December 16, 2008, 11:45:13 PM »
            No need to apologize.  Everything looks much better, by the way.  How are things running now?

            Since you no longer need ComboFix, go ahead and uninstall it.  Go to Start > Run and type combofix /u (note the space between combofix and /u) and click OK.

            If that doesn't work, then download OTCleanIt.exe and save it to your Desktop.
            • Double-click OTCleanIt.exe.
            • Click the CleanUp! button.
            • Select Yes when the "Begin cleanup Process?" prompt appears.
            • If you are prompted to Reboot during the cleanup, select Yes.
            • The tool will delete itself once it finishes; if not, delete it yourself.


            Then clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

            1.  Go to Start > Programs > Accessories > System Tools > System Restore
            2.  Click on System Restore Settings.
            3.  Check Turn off System Restore and click OK.
            4.  Restart your computer.
            5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
            6.  Create a new restore point and close the program.

            System Restore will now be active again.  If you would like to learn more about System Restore, go here.
            "An undefined problem has an infinite number of solutions." - Robert A. Humphrey

            Lucky M

              Topic Starter

              Re: I had a lot of similar symptoms here.
              « Reply #10 on: December 19, 2008, 09:42:34 PM »
              Everything is working great.  The computer's speed is much better, no mysterious error messages, and all programs are working perfectly.  I have a new restore point created and things look good.

              Just wanted to say thank you to CBMatt (Chris?) for your help through this.  You are very clear and helpful with your instruction, and make people's frustrating problems much easier.  Also, with your help I have learned a lot about battling viruses through this experience.  Good job; I will recommend this site to all.
              Thank you again and have a wonderful holiday season.

              CBMatt

              Re: I had a lot of similar symptoms here.
              « Reply #11 on: December 20, 2008, 02:22:32 AM »
              CBMatt and Chris are both appropriate when referring to me.  I'll respond to either one.  Heh.  Thank you for the kind words, Melissa (the name is in your logs, so I assume it's correct?).  I'm very glad to hear that things are going well now.