Topic: really strange virus (Read 8205 times)

    Xuero (Topic Starter)

    really strange virus
    « on: February 24, 2009, 01:59:40 PM »
    Never seen anything like this before and I have no idea how to fix it.

    There is some sort of virus on the system; it's blocked the Task Manager, user account menus, Properties tab and pretty much everything an admin account should be able to do. I have run every piece of antivirus and anti-spyware programme I can get my hands on, both in Safe Mode and out of Safe Mode, but it just won't go away. If it helps, the virus has changed my desktop background to a "warning" page saying I have been infected by spyware and viruses, and I get a false Windows Security warning in the system tray. Now, unfortunately, reformatting the drive isn't really an option, as this is a business laptop and it contains files and information vital to the running of the company it belongs to, and they can't be lost. Does anyone have any ideas?

    Thanks in advance
    will

    evilfantasy (Malware Removal Specialist)
    Re: really strange virus
    « Reply #1 on: February 24, 2009, 02:05:01 PM »
    Download Malwarebytes' Anti-Malware (MBAM)

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ----------

    Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (will be maximized) and info.txt (will be minimized)
    • Please post the contents of both logs in the next reply.

        Xuero

        Re: really strange virus
        « Reply #2 on: February 24, 2009, 02:22:06 PM »
        The biggest problem of all is that the internet doesn't work on it >.< at all. Everything's been disabled, and I think I've left my flash drive in work, so I can't even download it here and transfer it -.- The Bluetooth software on the laptop won't start either, so I can't get it over that way.

        Thanks for the reply
        will

        evilfantasy
        Re: really strange virus
        « Reply #3 on: February 24, 2009, 02:23:18 PM »
        What happens when you try to connect to the Internet?

          Xuero

          Re: really strange virus
          « Reply #4 on: February 24, 2009, 02:24:51 PM »
          Nothing at all. I don't even get a "page cannot be displayed" error; it just sits at the blank home screen.

          evilfantasy
          Re: really strange virus
          « Reply #5 on: February 24, 2009, 02:29:05 PM »
          Click Start > Run and copy and paste (or type) the following line into the Run box. Be sure to include the space.

          regsvr32 urlmon.dll

          Press OK.
          Once it is completed you will get this message: DllRegisterServer in urlmon.dll succeeded. Repeat the above steps, but replace regsvr32 urlmon.dll with the following (enter each line one at a time, selecting OK after each):

          • regsvr32 actxprxy.dll
          • regsvr32 shdocvw.dll
          • regsvr32 mshtml.dll
          • regsvr32 browseui.dll
          • regsvr32 jscript.dll
          • regsvr32 vbscript.dll
          • regsvr32 oleaut32.dll

          When finished, restart your computer.

          Can you connect now?

            Xuero

            Re: really strange virus
            « Reply #6 on: February 24, 2009, 02:38:14 PM »
            Still no internet. It tries to connect, then just says Done, but it displays no page.

            Here's a couple of images, one of the background and one of the message when I try to get to the Task Manager:

            http://img26.imageshack.us/my.php?image=p240209212801.jpg

            http://img26.imageshack.us/my.php?image=p240209212802.jpg

            will

            evilfantasy
            Re: really strange virus
            « Reply #7 on: February 24, 2009, 02:41:27 PM »
            Can you restart in Safe Mode With Networking and get online?

            Also try this.

            Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

            * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
            * Search for any of the following:

            - Seneka.sys
            - clbdriver.sys
            - TDSSserv.sys

            * Let me know if you find them or not.
            * If you do find any, right-click on it and select Disable. Do not try to uninstall them.
            * Now reboot and see if you can go online.
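The check above is done by eye in Device Manager. As an added example (not code from the thread, nor from any tool named in it), the Python below applies the same three indicators to driver/service lines in the `R1 Name;Display;Path [date size]` layout that ComboFix prints later in this thread. The line format is assumed from those log lines; the `seneka` entry in the sample input is constructed to show a hit, modelled on the randomly suffixed senekaejmafqmm.sys driver that the MBAM log further down reports, which is also why a prefix match is applied in addition to the exact names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Driver file names evilfantasy asked the poster to look for under
# "Non-plug and Play Drivers" (compared case-insensitively).
TDSS_DRIVER_NAMES = {"seneka.sys", "clbdriver.sys", "tdssserv.sys"}

# The MBAM log later in the thread reports a randomised variant
# (senekaejmafqmm.sys), so a prefix match on the base name is applied too.
TDSS_NAME_PREFIXES = ("seneka", "tdssserv")

# Assumed layout of a ComboFix driver/service line, taken from the R1/R2/R3
# lines in the poster's ComboFix log:
#   R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-20 325128]
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]+?)\s*(?:\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?\s*$"
)


@dataclass
class DriverEntry:
    state: str            # R = running, S = stopped; digit = start type
    name: str             # service/driver key name
    display: str          # display name
    path: str             # image path
    size: Optional[int]   # file size in bytes when the line carries one


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one ComboFix-style driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(m.group("size")) if m.group("size") else None
    return DriverEntry(m.group("state"), m.group("name").strip(),
                       m.group("display").strip(), m.group("path").strip(), size)


def image_basename(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_entry(entry: DriverEntry) -> Optional[str]:
    """Return a reason string if the entry matches a TDSS indicator, else None."""
    fname = image_basename(entry.path)
    if fname in TDSS_DRIVER_NAMES:
        return f"exact match on known driver name {fname}"
    if fname.startswith(TDSS_NAME_PREFIXES):
        return f"driver file name prefix match ({fname})"
    if entry.name.lower().startswith(TDSS_NAME_PREFIXES):
        return f"service name prefix match ({entry.name})"
    return None


def triage(lines: List[str]) -> List[Tuple[DriverEntry, str]]:
    """Parse every line and keep only the entries that match an indicator."""
    hits = []
    for line in lines:
        entry = parse_driver_line(line)
        if entry is None:
            continue
        reason = flag_entry(entry)
        if reason:
            hits.append((entry, reason))
    return hits


# Sample input: the first three lines are copied from the ComboFix log in
# this thread; the last one is CONSTRUCTED to show what a hit looks like.
SAMPLE_LINES = [
    r"R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-20 325128]",
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]",
    r"R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]",
    r"R1 seneka;seneka;c:\windows\system32\drivers\senekaejmafqmm.sys [2009-02-20 51712]",  # constructed
]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LINES):
        print(f"{entry.state} {entry.name}: {entry.path} -> {reason}")
```

Matching on a name prefix is deliberately narrow (only the two stems that appear in this thread); a broader heuristic, such as flagging any unsigned driver with a random-looking name, belongs to a proper rootkit scanner like the catchme pass ComboFix runs, not to a log filter.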

              Xuero

              Re: really strange virus
              « Reply #8 on: February 24, 2009, 02:50:13 PM »
              Still no luck with either of these. I can't even ping my router, even though both ipconfig and the router are telling me I'm connected to it.

              Edit: I can now ping the router, but still no internet >.<

              evilfantasy
              Re: really strange virus
              « Reply #9 on: February 24, 2009, 03:01:17 PM »
              Reset WINSOCK entries
              Reset TCP/IP stack

              Go Start > Run (Start search in Vista) then type in: cmd

              Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

              At the Command Prompt, type in:

              netsh winsock reset catalog

              On the keyboard press Enter.

              Do that again and type in:

              netsh int ip reset reset.log

              Press Enter.

              Restart the computer.

              Note: Resetting the Winsock using the netsh winsock reset catalog command in SP2 removes all the third-party LSPs and restores Winsock to its factory default setting. Existing programs that use their own LSPs need to be reinstalled. Example: Google Desktop Search.

              ----------

              Go Start > Run (Start search in Vista) and type in: cmd

              Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

              In the Command Prompt window type in the following commands, and press Enter after each one:

              ipconfig /flushdns
              ipconfig /registerdns
              ipconfig /release
              ipconfig /renew


              Note the space before the forward slash /

              Restart the computer.

              DaveLembke
              Re: really strange virus
              « Reply #10 on: February 24, 2009, 03:02:07 PM »
              At this point, I would get an external 2.5" drive case and install that laptop's hard drive into it, and then, from a system running an up-to-date antivirus, scan that drive to clean it of malware. You can also access the unique business data that you desperately need that way.

              The second computer that scans this drive may be able to remove the virus or malware, and you could then pop the drive out of the external hard drive case, install it back into the laptop and maybe be home free if the registry is not Swiss-cheesed from the virus(es).

              If Swiss-cheesed, then get all vital data off the drive if you haven't already done so, then do a full clean rebuild from the OEM CD or DVD that came with the laptop.

                Xuero

                Re: really strange virus
                « Reply #11 on: February 24, 2009, 03:16:36 PM »
                OK, I got internet; installing MBAM now.

                will

                evilfantasy
                Re: really strange virus
                « Reply #12 on: February 24, 2009, 03:21:53 PM »
                Be sure to post the log it creates.

                  Xuero

                  Re: really strange virus
                  « Reply #13 on: February 24, 2009, 03:29:46 PM »
                  Malwarebytes' Anti-Malware 1.34
                  Database version: 1799
                  Windows 5.1.2600 Service Pack 2

                  24/02/2009 22:26:17
                  mbam-log-2009-02-24 (22-26-17).txt

                  Scan type: Quick Scan
                  Objects scanned: 110813
                  Time elapsed: 7 minute(s), 17 second(s)

                  Memory Processes Infected: 0
                  Memory Modules Infected: 0
                  Registry Keys Infected: 6
                  Registry Values Infected: 0
                  Registry Data Items Infected: 9
                  Folders Infected: 0
                  Files Infected: 12

                  Memory Processes Infected:
                  (No malicious items detected)

                  Memory Modules Infected:
                  (No malicious items detected)

                  Registry Keys Infected:
                  HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

                  Registry Values Infected:
                  (No malicious items detected)

                  Registry Data Items Infected:
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

                  Folders Infected:
                  (No malicious items detected)

                  Files Infected:
                  C:\WINDOWS\system32\drivers\senekaejmafqmm.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
                  C:\Documents and Settings\Administrator.DELLD620\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                  C:\Documents and Settings\Dave\Local Settings\Temp\seneka2be4.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
                  C:\WINDOWS\system32\998.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                  C:\WINDOWS\system32\senekanvxjcbnr.dll (Trojan.Agent) -> Delete on reboot.
                  C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                  C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
                  C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                  C:\Documents and Settings\Administrator.DELLD620\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                  C:\Documents and Settings\Dave\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
                  C:\Documents and Settings\Webex.DELLD620\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                  C:\WINDOWS\system32\senekafqjwqxwb.dat (Trojan.Agent) -> Quarantined and deleted successfully.


                  Here's the log. Still having a bit of a hard time with some things, but all in all it seems to be sorted. Thank you very much for all your help.

                  will
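Reading an MBAM report by hand is fine for one machine, but the format is regular enough to parse. The Python below is added here as an example; it is not part of the thread nor of Malwarebytes. It turns the report format shown above into structured entries, checks that each section's declared count matches the entries actually listed, maps the Policies values MBAM reset back to the symptoms described in the first post (Task Manager blocked, wallpaper locked) and flags the Winlogon Userinit change, and lists the items still pending "Delete on reboot", which is why the reboot prompt in Reply #1 matters. The sample log is abridged from the one posted above, with the summary counts reduced to match the entries kept.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abridged from the MBAM log posted in this thread; the per-section counts
# were reduced to match the entries kept so the excerpt is self-consistent.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1799
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\senekaejmafqmm.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekanvxjcbnr.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dave\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# "Files Infected: 12" (summary block) and "Files Infected:" (detail block header)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<item> (<category>) -> [<details> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+)$")

# Policy values MBAM reset in this thread, mapped to the symptoms the poster described.
POLICY_SYMPTOMS = {
    "DisableTaskMgr": "Task Manager blocked",
    "NoChangingWallpaper": "desktop wallpaper locked",
    "NoSetActiveDesktop": "Active Desktop settings locked",
    "NoActiveDesktopChanges": "Active Desktop changes blocked",
}


@dataclass
class Entry:
    section: str
    item: str               # registry key/value or file path
    category: str           # MBAM detection name, e.g. Hijack.TaskManager
    details: Optional[str]  # "Data: ..." or "Bad: (1) Good: (0)" when present
    action: str             # what MBAM did with it


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Split an MBAM report into its summary counts and per-section entries."""
    summary: Dict[str, int] = {}
    entries: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            if sec.group("count") is not None:   # summary block at the top
                summary[sec.group("section")] = int(sec.group("count"))
            else:                                # detail block header
                current = sec.group("section")
                entries.setdefault(current, [])
            continue
        ent = ENTRY_RE.match(line)
        if ent and current:
            parts = ent.group("rest").split(" -> ")   # last part is the action
            details = " -> ".join(parts[:-1]) or None
            entries[current].append(Entry(current, ent.group("item"),
                                          ent.group("category"), details, parts[-1]))
    return {"summary": summary, "entries": entries}


def consistency_check(parsed) -> List[Tuple[str, int, int]]:
    """Sections whose declared count differs from the entries actually listed."""
    found = {s: len(v) for s, v in parsed["entries"].items()}
    return [(s, n, found.get(s, 0)) for s, n in parsed["summary"].items() if n != found.get(s, 0)]


def policy_hijacks(parsed) -> List[Tuple[str, str]]:
    """Explain which registry data changes account for the symptoms the user saw."""
    hits = []
    for e in parsed["entries"].get("Registry Data Items Infected", []):
        value_name = e.item.rsplit("\\", 1)[-1]
        if value_name in POLICY_SYMPTOMS:
            hits.append((e.item, POLICY_SYMPTOMS[value_name]))
        elif e.item.lower().endswith("\\winlogon\\userinit"):
            hits.append((e.item, "Winlogon Userinit value modified; verify userinit.exe itself"))
    return hits


def pending_reboot(parsed) -> List[str]:
    """Items MBAM could not remove while running; they go on the next restart."""
    return [e.item for sec in parsed["entries"].values() for e in sec
            if e.action.startswith("Delete on reboot")]
```

The Userinit flag is worth keeping separate from the policy ones: MBAM only reported the value's data, and ComboFix, run next in this thread, found the userinit.exe binary itself infected and restored it from c:\i386, so a clean-looking data string is not proof that the file it points to is clean.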

                  evilfantasy
                  Re: really strange virus
                  « Reply #14 on: February 24, 2009, 03:40:31 PM »
                  Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                  Link #1
                  Link #2

                  **Note:  It is important that it is saved directly to your Desktop

                  Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

                  Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                   
                  Double click combofix.exe & follow the prompts.
                  When finished ComboFix will produce a log for you.
                  Post the ComboFix log in your next reply.

                  Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                  Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                  If you have problems with ComboFix usage, see How to use ComboFix

                    Xuero

                    Re: really strange virus
                    « Reply #15 on: February 24, 2009, 03:57:04 PM »
                    ComboFix 09-02-24.02 - Dave 2009-02-24 22:48:54.1 - NTFSx86
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1455 [GMT 0:00]
                    Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
                    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
                     * Created a new restore point
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\windows\system32\init32.exe
                    c:\windows\system32\JRAccMoq.ini
                    c:\windows\system32\JRAccMoq.ini2
                    c:\windows\system32\oratpkjb.ini
                    c:\windows\system32\pqlkpsmr.ini
                    c:\windows\system32\rktjpart.ini
                    c:\windows\system32\uniq.tll
                    c:\windows\system32\win32hlp.cnf
                    c:\windows\Tasks\phnbqqru.job
                    c:\windows\Tasks\pojygpgt.job

                    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
                    Restored copy from - c:\i386\userinit.exe


                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    -------\Service_seneka


                    (((((((((((((((((((((((((   Files Created from 2009-01-24 to 2009-02-24  )))))))))))))))))))))))))))))))
                    .

                    2009-02-24 22:17 . 2009-02-24 22:17   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                    2009-02-24 22:17 . 2009-02-24 22:17   <DIR>   d--------   c:\documents and settings\Dave\Application Data\Malwarebytes
                    2009-02-24 22:17 . 2009-02-24 22:17   <DIR>   d--------   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
                    2009-02-24 22:17 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
                    2009-02-24 22:17 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
                    2009-02-24 16:50 . 2009-02-24 16:50   <DIR>   d--------   c:\documents and settings\Webex.DELLD620\Application Data\SUPERAntiSpyware.com
                    2009-02-06 09:25 . 2009-02-06 09:25   <DIR>   d--------   c:\documents and settings\Dave\Application Data\U3
                    2009-02-05 17:32 . 2009-02-05 17:32   <DIR>   d--------   c:\program files\iTunes
                    2009-02-05 17:32 . 2009-02-05 17:32   <DIR>   d--------   c:\program files\iPod
                    2009-02-05 17:32 . 2009-02-05 17:32   <DIR>   d--------   c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
                    2009-02-05 17:32 . 2008-04-17 13:12   107,368   --a------   c:\windows\system32\GEARAspi.dll
                    2009-02-05 17:32 . 2008-04-17 13:12   15,464   --a------   c:\windows\system32\drivers\GEARAspiWDM.sys
                    2009-02-05 17:04 . 2009-02-05 17:04   <DIR>   d--------   c:\program files\Bonjour
                    2009-02-05 17:04 . 2009-02-24 21:20   <DIR>   d--------   c:\documents and settings\Dave\Application Data\Apple Computer
                    2009-02-05 17:03 . 2009-02-05 17:03   <DIR>   d--------   c:\program files\Apple Software Update
                    2009-02-05 17:03 . 2009-02-05 17:03   <DIR>   d--------   c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
                    2009-02-05 17:02 . 2009-02-05 17:02   <DIR>   d--------   c:\documents and settings\All Users.WINDOWS\Application Data\Apple
                    2009-02-05 17:02 . 2008-11-07 14:23   32,000   --a------   c:\windows\system32\drivers\usbaapl.sys
                    2009-02-05 17:01 . 2009-02-05 17:01   69,076,264   --a------   C:\iTunesSetup.exe

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-02-24 20:11   ---------   d-----w   c:\documents and settings\All Users.WINDOWS\Application Data\avg8
                    2009-02-24 16:50   ---------   d-----w   c:\program files\SUPERAntiSpyware
                    2009-02-05 17:32   ---------   d-----w   c:\program files\Common Files\Apple
                    2009-02-05 17:03   ---------   d-----w   c:\program files\QuickTime
                    2009-02-05 15:48   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                    2009-02-05 15:48   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                    2009-01-17 16:59   ---------   d-----w   c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
                    2009-01-17 16:59   ---------   d-----w   c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
                    2009-01-17 16:40   ---------   d-----w   c:\program files\CCleaner
                    2009-01-09 20:35   102,664   ----a-w   c:\windows\system32\drivers\tmcomm.sys
                    2009-01-09 19:46   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
                    2009-01-09 09:18   737,280   ----a-w   c:\windows\iun6002.exe
                    2009-01-08 20:29   ---------   d---a-w   c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
                    2009-01-08 20:23   ---------   d-----w   c:\program files\SmartPCTools
                    2008-12-30 16:11   ---------   d-----w   c:\documents and settings\Dave\Application Data\AVGTOOLBAR
                    2007-08-23 12:36   60,968   ----a-w   c:\documents and settings\win user\GoToAssistDownloadHelper.exe
                    2008-09-19 13:11   27,976   ----a-w   c:\program files\mozilla firefox\plugins\atgpcdec.dll
                    2008-09-19 13:11   125,848   ----a-w   c:\program files\mozilla firefox\plugins\atgpcext.dll
                    2008-09-19 13:12   98,712   ----a-w   c:\program files\mozilla firefox\plugins\ieatgpc.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
                    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
                    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
                    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
                    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
                    "nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
                    "NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

                    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                    "NoSetActiveDesktop"= 1 (0x1)
                    "NoActiveDesktopChanges"= 1 (0x1)

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                    2009-02-05 15:48 10520 c:\windows\system32\avgrsstx.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                    "AppInit_DLLs"=avgrsstx.dll
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
                    --a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
                    --a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
                    --a------ 2004-08-04 10:00 15360 c:\windows\system32\ctfmon.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
                    --a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IRIScan 2 button manager]
                    --a------ 2008-02-26 10:17 2319024 c:\program files\iriscn2i\bmanm12.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
                    --a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                    --a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
                    --a------ 2004-08-04 10:00 110592 c:\windows\system32\bthprops.cpl

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                    "ose"=3 (0x3)
                    "odserv"=3 (0x3)
                    "Microsoft Office Groove Audit Service"=3 (0x3)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                    "c:\\Program Files\\iTunes\\iTunes.exe"=
                    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
                    "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
                    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                    "c:\\Program Files\\Readiris Pro 11\\readiris.exe"=
                    "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
                    "c:\\Program Files\\Hewlett-Packard\\HP Deskjet 1280\\WebReg\\WebReg.exe"=

                    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-20 325128]
                    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-20 107272]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
                    R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-30 903960]
                    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 298264]
                    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
                    \Shell\AutoRun\command - E:\LaunchU3.exe -a
                    .
                    - - - - ORPHANS REMOVED - - - -

                    BHO-{3828d8e6-35cf-4934-88c3-8fbf600b3cf9} - (no file)
                    Notify-jkkHXrqN - jkkHXrqN.dll
                    MSConfigStartUp-545aa7bd - c:\windows\system32\trapjtkr.dll
                    MSConfigStartUp-Dell QuickSet - c:\program files\Dell\QuickSet\quickset.exe


                    .
                    ------- Supplementary Scan -------
                    .
                    uInternet Settings,ProxyOverride = *.local
                    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                    FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\3ybwg2a8.default\
                    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
                    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
                    .

                    **************************************************************************

                    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2009-02-24 22:52:28
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(628)
                    c:\program files\SUPERAntiSpyware\SASWINLO.dll
                    c:\windows\system32\netprovcredman.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                    c:\windows\system32\scardsvr.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    c:\program files\Bonjour\mDNSResponder.exe
                    c:\program files\Intel\Wireless\Bin\EvtEng.exe
                    c:\windows\system32\nvsvc32.exe
                    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
                    c:\program files\AVG\AVG8\avgrsx.exe
                    c:\progra~1\AVG\AVG8\avgnsx.exe
                    c:\program files\AVG\AVG8\avgcsrvx.exe
                    c:\windows\system32\wscntfy.exe
                    c:\windows\system32\rundll32.exe
                    c:\program files\iPod\bin\iPodService.exe
                    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2009-02-24 22:55:32 - machine was rebooted
                    ComboFix-quarantined-files.txt  2009-02-24 22:55:29

                    Pre-Run: 56,493,228,032 bytes free
                    Post-Run: 56,971,677,696 bytes free

                    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                    [boot loader]
                    timeout=2
                    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                    [operating systems]
                    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

                    216   --- E O F ---   2008-12-18 17:38:19

                    ComboFix log
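The log above is the kind of listing a helper reads by eye. As an added example (not part of this thread, of ComboFix, or of any tool named here), the Python below runs simple triage rules over a constructed excerpt in the same line formats: an AutoRun command pointing at a drive other than C:, registry entries whose target is "(no file)", a Winlogon Notify DLL with a generated-looking name, and a startup entry keyed by a bare hex string. The name heuristic, the rule labels and the C:-is-the-system-drive assumption are my own, and the output is a review list, not a verdict.

```python
import re

# Constructed sample modelled on the ComboFix log posted above (same line formats, not the full log).
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\E]
\\Shell\\AutoRun\\command - E:\\LaunchU3.exe -a
- - - - ORPHANS REMOVED - - - -
BHO-{3828d8e6-35cf-4934-88c3-8fbf600b3cf9} - (no file)
Notify-jkkHXrqN - jkkHXrqN.dll
MSConfigStartUp-545aa7bd - c:\\windows\\system32\\trapjtkr.dll
MSConfigStartUp-Dell QuickSet - c:\\program files\\Dell\\QuickSet\\quickset.exe
"""
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+)-(?P<key>.+?) - (?P<value>.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

def looks_random(filename):
    """Generated-looking name (my heuristic): 6+ letter stem with several case flips or almost no vowels."""
    stem = re.sub(r"\.(dll|exe)$", "", filename, flags=re.I)
    if not stem.isalpha() or len(stem) < 6:
        return False
    flips = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return flips >= 3 or vowels / len(stem) < 0.2

def triage(log_text):
    """Return (rule, evidence) pairs for entries an analyst should look at; review hints, not verdicts."""
    findings, in_orphans = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "ORPHANS REMOVED" in line:
            in_orphans = True
            continue
        if line.startswith(("---", "***")):  # next ComboFix section header ends the orphan list
            in_orphans = False
        m = AUTORUN_RE.match(line)
        if m and not m.group("cmd").lower().startswith("c:"):
            # MountPoints2 AutoRun command pointing at another drive letter (e.g. a USB stick)
            findings.append(("removable-drive-autorun", m.group("cmd")))
        m = ORPHAN_RE.match(line) if in_orphans else None
        if not m:
            continue
        kind, key, value = m.group("kind", "key", "value")
        if value == "(no file)":  # registry still points at a binary that is gone
            findings.append(("orphaned-registry-reference", f"{kind}-{key}"))
        elif kind == "Notify" and looks_random(value):  # Winlogon Notify DLL
            findings.append(("random-named-winlogon-notify-dll", value))
        elif kind == "MSConfigStartUp" and re.fullmatch(r"[0-9a-f]{6,}", key):
            findings.append(("hex-named-startup-entry", value))  # keyed by a bare hex string
    return findings
```

Running `triage(SAMPLE_LOG)` flags four of the five entries and leaves the Dell QuickSet line alone.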

                    evilfantasy

                    Re: really strange virus
                    « Reply #16 on: February 24, 2009, 04:00:49 PM »
                    Looks good.

                    How is the computer running now?

                    Your Java is out of date.

                    Older versions have vulnerabilities that malicious sites can use to infect your system.

                    First install the new Sun Java Runtime Environment

                    Be sure to close all browser windows before beginning the install.

                    Remove the old version(s)

                    Download JavaRa
                    • Unzip the file and open the JavaRa.exe
                    • Click Remove Older Versions
                    • JavaRa will search for and remove any outdated version of Java and remove any that are found.
                    • Click Additional Tasks
                    • Place a check next to Remove Useless JRE Files and click Go
                    • Exit JavaRa
                    • Delete the JavaRa files from the Desktop
                    Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

                    Xuero


                      Re: really strange virus
                      « Reply #17 on: February 24, 2009, 04:11:11 PM »
                      seems to be running a lot faster, everything seems to be working as well now which is a massive improvement from before. thank you so much for all of your help, really appreciate it all

                      will

                      evilfantasy

                      Re: really strange virus
                      « Reply #18 on: February 24, 2009, 04:17:08 PM »
                      Sounds good.

                      Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
                      • Click START then RUN
                      • Now type Combofix /u in the runbox
                      • Make sure there's a space between Combofix and /u
                      • Then hit Enter.
                      The above procedure will:
                      • Delete:
                        • ComboFix and its associated files and folders.
                        • VundoFix backups, if present.
                        • The C:\Deckard folder, if present.
                        • The C:\_OtMoveIt folder, if present.
                      • Reset the clock settings.
                      • Hide file extensions, if required.
                      • Hide System/Hidden files, if required.
                      • Set a new, clean Restore Point.
                        ----------

                        Use the Secunia Software Inspector to check for out of date software.
                        • Click Start Now
                        • Check the box next to Enable thorough system inspection.
                        • Click Start
                        • Allow the scan to finish and scroll down to see if any updates are needed.
                        • Update anything listed.
                        ----------

                        Go to Microsoft Windows Update and get all critical updates.

                        ----------

                        Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

                        I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                        SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                        • Using SpywareBlaster to protect your computer from Spyware and Malware
                        • If you don't know what ActiveX controls are, see here

                        Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                        Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.