virtumonde infection + dll error



rukia88
2007-12-14, 05:44
Hi there,
I think I've been infected by the Virtumonde virus. I've tried the Vundo fix and it didn't get rid of it. In addition, when I start my computer, I get a RUNDLL error message as follows: "C:\WINDOWS\system32\baeirsex.dll Access Denied". My computer is running really slow and start-up takes quite a long time.

I've read the "Before you post" and I think I've followed all the steps (I hope!). In desperate need of your help and would greatly appreciate it. Much thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:06 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [902bf387] rundll32.exe "C:\WINDOWS\system32\baeirsex.dll",b
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5744 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 13, 2007 10:15:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/12/2007
Kaspersky Anti-Virus database records: 481915
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 46945
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:58:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\L\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe RAR: infected - 1 skipped
C:\Documents and Settings\L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\L\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\History\History.IE5\MSHist012007121320071214\index.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\Temp\nakxijxd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\L\Local Settings\Temp\umgxqlan.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\L\Local Settings\Temporary Internet Files\Content.IE5\EXYHCPIZ\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\L\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\Temporary Internet Files\Content.IE5\S7KJI50V\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\L\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\L\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002147.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002148.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\baeirsex.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\cbxywxy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjr skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\gtjfynmy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ijloduuu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\onigcjbo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\qwghyyvq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\slwbebxb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

ken545
2007-12-14, 14:13
Hello rukia88

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [902bf387] rundll32.exe "C:\WINDOWS\system32\baeirsex.dll",b




Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



This is important, do this and post a new HijackThis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe


I need to see the SAS log, the ComboFix log and a new HJT log (renamed), please.
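
The entry ken545 singles out above is the one rundll32 line in the log: a random-looking value name (902bf387) loading an eight-letter DLL from system32. The script below is an added example, not code from this thread, from HijackThis or from Safer Networking; it parses HijackThis O4 lines (sample input copied from the log posted earlier in the thread) and flags entries of that shape so a helper reviewing a log can find the "Fix checked" candidates quickly. The two name-shape rules (8 hex digits as the value name, a 7- or 8-letter lowercase DLL name in system32) are heuristics assumed for this example, not HijackThis rules, and they only narrow the list for a human to confirm.

```python
import re

# O4 (autostart) lines copied from the HijackThis log posted earlier in this thread.
# Constructed sample input for this script; the real log has more lines.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [902bf387] rundll32.exe "C:\WINDOWS\system32\baeirsex.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

# "O4 - <hive>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] "<path to dll>",<entry point>   (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Heuristics assumed for this example (not HijackThis rules): the Vundo-style autorun
# in this thread uses an 8-hex-digit value name and a random lowercase DLL name in system32.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")


def parse_o4(line):
    """Split one O4 line into hive, value name and command; None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"line": line.strip(), **m.groupdict()}


def triage(line):
    """Parse an O4 line and attach the reasons it resembles the Vundo loader entry."""
    entry = parse_o4(line)
    if entry is None:
        return None
    reasons = []
    if HEX_VALUE_NAME.match(entry["name"]):
        reasons.append("value name is 8 hex digits rather than a product name")
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll = m.group("dll")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in dll.lower() and RANDOM_STEM.match(stem):
            reasons.append("rundll32 loads a random-named DLL from system32: " + dll)
    entry["reasons"] = reasons
    return entry


def fix_candidates(log_text):
    """Entries worth reviewing under 'Fix checked', each with its reasons."""
    return [e for e in map(triage, log_text.splitlines()) if e and e["reasons"]]


if __name__ == "__main__":
    for entry in fix_candidates(HJT_O4_LINES):
        print(entry["line"])
        for reason in entry["reasons"]:
            print("   -", reason)
```

Run against the sample above it prints only the 902bf387 line with both reasons; the vendor entries (SiS, QuickTime, ZoneAlarm, TeaTimer, Narrator) pass through silently. Legitimate rundll32 autoruns exist, so a hit is a prompt to look up the DLL, not a verdict.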

rukia88
2007-12-15, 07:38
Hi ken545, thank you for the quick response.

I've done up until the SuperAntiSpyware scan. I ran the scan, completed it and was asked to reboot. After the reboot, I get a window stating that Windows did not start up successfully and was given some options. I chose to restart from the last good configuration.

While doing the scan, Spybot S&D was running in the background as it was alerting me of key changes, etc.

Please advise. Thanks.

ken545
2007-12-15, 11:09
Hello,

You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.



Post the SAS log if you can and then download and run ComboFix. You have one entry on your log that I had you remove that was related to Vundo; there may be more, so don't forget to rename HJT and post a new log.

rukia88
2007-12-15, 18:49
Hi there, here are the logs that you requested. I am posting 2 SAS logs, not sure if necessary. The 2nd one was produced after turning off TeaTimer.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2007 at 01:21 AM

Application Version : 3.9.1008

Core Rules Database Version : 3362
Trace Rules Database Version: 1361

Scan type : Complete Scan
Total Scan Time : 00:29:25

Memory items scanned : 339
Memory threats detected : 4
Registry items scanned : 5174
Registry threats detected : 40
File items scanned : 23840
File threats detected : 20

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\CBXYWXY.DLL
C:\WINDOWS\SYSTEM32\CBXYWXY.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbxywxy

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFG.DLL
C:\WINDOWS\SYSTEM32\JKHFG.DLL
HKLM\Software\Classes\CLSID\{15173D82-F6DB-4980-B9EA-5E0F4158120F}
HKCR\CLSID\{15173D82-F6DB-4980-B9EA-5E0F4158120F}
HKCR\CLSID\{15173D82-F6DB-4980-B9EA-5E0F4158120F}\InprocServer32
HKCR\CLSID\{15173D82-F6DB-4980-B9EA-5E0F4158120F}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}\InprocServer32
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{070084BF-5FBE-426A-8EC2-589F39ADF352}
HKCR\CLSID\{070084BF-5FBE-426A-8EC2-589F39ADF352}
HKCR\CLSID\{070084BF-5FBE-426A-8EC2-589F39ADF352}\InprocServer32
HKCR\CLSID\{070084BF-5FBE-426A-8EC2-589F39ADF352}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQRR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15173D82-F6DB-4980-B9EA-5E0F4158120F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\BAEIRSEX.DLL
C:\WINDOWS\SYSTEM32\BAEIRSEX.DLL
HKLM\Software\Classes\CLSID\{ad36b4c8-86e6-441a-b82d-a1a8029d8698}
HKCR\CLSID\{AD36B4C8-86E6-441A-B82D-A1A8029D8698}
HKCR\CLSID\{AD36B4C8-86E6-441A-B82D-A1A8029D8698}\InprocServer32
HKCR\CLSID\{AD36B4C8-86E6-441A-B82D-A1A8029D8698}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad36b4c8-86e6-441a-b82d-a1a8029d8698}
C:\DOCUMENTS AND SETTINGS\L\LOCAL SETTINGS\TEMP\NAKXIJXD.DLL
C:\DOCUMENTS AND SETTINGS\L\LOCAL SETTINGS\TEMP\UMGXQLAN.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002145.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002147.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002148.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP4\A0013315.DLL
C:\WINDOWS\SYSTEM32\IJLODUUU.DLL
C:\WINDOWS\SYSTEM32\ONIGCJBO.DLL
C:\WINDOWS\SYSTEM32\QWGHYYVQ.DLL
C:\WINDOWS\SYSTEM32\SLWBEBXB.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\GTJFYNMY.DLL
C:\WINDOWS\SYSTEM32\GTJFYNMY.DLL

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.Downloader-Gen/SnapSNet
C:\DOCUMENTS AND SETTINGS\L\LOCAL SETTINGS\TEMP\SNAPSNET.EXE

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\DOCUMENTS AND SETTINGS\L\LOCAL SETTINGS\TEMP\WINVSNET.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\A0002150.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP3\A0007253.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\GFHKJ.INI

===========================================================================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2007 at 12:12 PM

Application Version : 3.9.1008

Core Rules Database Version : 3362
Trace Rules Database Version: 1361

Scan type : Complete Scan
Total Scan Time : 00:36:05

Memory items scanned : 324
Memory threats detected : 0
Registry items scanned : 5313
Registry threats detected : 0
File items scanned : 23842
File threats detected : 3

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP5\A0015338.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP5\A0016337.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP5\A0017337.DLL




ComboFix 07-12-15.5 - L 2007-12-15 12:26:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\L\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\L\My Documents\ASKS~1
C:\Documents and Settings\L\My Documents\CROSOF~1.NET
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-15 00:49 . 2007-12-15 12:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 23:20 . 2007-12-13 23:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-13 20:34 . 2007-12-15 12:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 20:34 . 2007-12-13 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-13 19:48 . 2007-12-15 01:21 7,494 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
2007-12-13 01:14 . 2007-12-13 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 23:42 . 2007-12-12 23:42 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-12 22:33 . 2007-12-15 00:42 917,260 ---hs---- C:\WINDOWS\system32\xesrieab.ini
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-11 19:44 . 2007-12-13 00:10 <DIR> d-------- C:\VundoFix Backups
2007-12-10 22:37 . 2007-12-10 22:37 <DIR> d-------- C:\Documents and Settings\L\Application Data\SuperAdBlocker.com
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-12-10 17:20 . 2007-12-10 17:20 858,824 --ahs---- C:\WINDOWS\system32\qvyyhgwq.ini
2007-12-10 16:19 . 2007-12-10 16:19 294 --ahs---- C:\WINDOWS\system32\uuudolji.ini
2007-12-10 00:36 . 2007-12-13 19:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 22:51 . 2007-12-10 12:33 512 --a------ C:\ScanSectorLog.dat
2007-12-09 20:10 . 2007-12-15 11:12 2,070 --a------ C:\rollback.ini
2007-12-09 20:06 . 2007-12-15 12:31 2,822,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-09 20:06 . 2007-12-15 12:30 40,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-09 20:06 . 2007-12-15 12:30 31,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-09 20:06 . 2007-12-15 12:30 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-09 20:04 . 2007-12-09 20:04 <DIR> d-------- C:\Documents and Settings\L\Application Data\MailFrontier
2007-12-09 19:42 . 2007-12-15 00:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-09 19:40 . 2007-12-15 12:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-07 23:57 . 2007-12-09 19:50 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-07 22:21 . 2007-12-09 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-07 21:00 . 2007-12-07 21:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 20:50 . 2007-12-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 20:47 . 2007-12-07 20:47 <DIR> d-------- C:\WINDOWS\system32\tdm2
2007-12-07 20:47 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-07 20:47 . 2007-12-08 14:30 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-07 20:46 . 2007-12-08 13:12 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-07 20:46 . 2007-12-15 12:28 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 05:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 02:51 1,203,447 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-11 12:37 96,571 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_11_00_37_27_small.dmp.zip
2007-12-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 22:15 --------- d-----w C:\Program Files\BitComet
2007-11-15 02:42 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-11-13 17:44 1,617,920 ----a-r C:\WINDOWS\system32\pdbox28.exe
2007-11-03 19:02 --------- d-----w C:\Program Files\SpookyManor_at
2007-11-01 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 20:41 1,536,000 ----a-r C:\WINDOWS\system32\clubbox.exe
2007-02-16 01:24 87,608 ----a-w C:\Documents and Settings\L\Application Data\ezpinst.exe
2007-02-16 01:24 47,360 ----a-w C:\Documents and Settings\L\Application Data\pcouffin.sys
2007-02-16 01:22 94,080 ----a-w C:\Documents and Settings\L\Application Data\ezplay.sys
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556CCAC-C1D5-4C24-A3DB-D54145F6225C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E42D62-88C8-4ED4-91D5-0D50F577A337}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F38858FF-F237-437D-999C-068A62B52016}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 12:49]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2001-11-21 06:39]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2001-12-13 11:27]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 18:56 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 20:30:47]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 TTDec;ATI WDM Teletext Decoder;C:\WINDOWS\system32\DRIVERS\ATINTTXX.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 00:09:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 12:36:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-15 12:37:10 - machine was rebooted
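
One detail worth pulling out of the ComboFix "Files Created" section above: several hidden, system-attribute .ini files in system32 carry the name of a detected DLL spelled backwards (xesrieab.ini beside baeirsex.dll, qvyyhgwq.ini beside qwghyyvq.dll, uuudolji.ini beside ijloduuu.dll, and gfhkj.ini2 beside the JKHFG.DLL that SUPERAntiSpyware reported). The script below is an added example, not code from this thread or from ComboFix; it parses ComboFix-style file lines (sample input copied from the log above), keeps the hidden+system .ini/.ini2 files under system32, and pairs each one with a detected DLL by reversing its name. The DLL list is constructed from the Kaspersky and SUPERAntiSpyware detections posted earlier; the line format and the attribute letters are read from the log as shown here, and the pairing rule is an observation from these logs rather than a documented ComboFix feature. Listing the companions this way makes it less likely that a data file is left behind after the DLLs are removed.

```python
import re

# DLLs named in the Kaspersky and SUPERAntiSpyware reports in this thread
# (constructed list for this script, copied from those logs).
DETECTED_DLLS = [
    r"C:\WINDOWS\system32\baeirsex.dll",
    r"C:\WINDOWS\system32\cbxywxy.dll",
    r"C:\WINDOWS\system32\gtjfynmy.dll",
    r"C:\WINDOWS\system32\ijloduuu.dll",
    r"C:\WINDOWS\system32\onigcjbo.dll",
    r"C:\WINDOWS\system32\qwghyyvq.dll",
    r"C:\WINDOWS\system32\slwbebxb.dll",
    r"C:\WINDOWS\SYSTEM32\JKHFG.DLL",
    r"C:\WINDOWS\SYSTEM32\SSQRR.DLL",
]

# Lines from the ComboFix "Files Created" section above (constructed sample input).
COMBOFIX_LINES = r"""
2007-12-13 20:34 . 2007-12-15 12:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 19:48 . 2007-12-15 01:21 7,494 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
2007-12-12 23:42 . 2007-12-12 23:42 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-12 22:33 . 2007-12-15 00:42 917,260 ---hs---- C:\WINDOWS\system32\xesrieab.ini
2007-12-10 17:20 . 2007-12-10 17:20 858,824 --ahs---- C:\WINDOWS\system32\qvyyhgwq.ini
2007-12-10 16:19 . 2007-12-10 16:19 294 --ahs---- C:\WINDOWS\system32\uuudolji.ini
2007-12-09 19:42 . 2007-12-15 00:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-09 20:06 . 2007-12-15 12:31 2,822,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
"""

# <created> . <modified> <size or <DIR>> <attribute flags> <path>
CF_LINE_RE = re.compile(
    r"^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) (?P<size>[\d,]+|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def file_name(path):
    """Last component of a Windows path (os.path would use '/' on non-Windows hosts)."""
    return path.rsplit("\\", 1)[-1]


def hidden_system_inis(log_text):
    """Hidden+system .ini/.ini2 files under system32, as (path, name stem) pairs in log order."""
    found = []
    for line in log_text.splitlines():
        m = CF_LINE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs", "path")
        stem, sep, ext = file_name(path).rpartition(".")
        if not sep:
            continue
        if ("h" in attrs and "s" in attrs and ext.lower().startswith("ini")
                and "\\system32\\" in path.lower()):
            found.append((path, stem))
    return found


def pair_ini_with_dlls(ini_entries, dll_paths):
    """Match each .ini stem, reversed, against the detected DLL stems (case-insensitive).
    Returns (pairs, orphans): pairs are (ini path, dll path); orphans are unmatched ini paths."""
    by_stem = {file_name(p).rsplit(".", 1)[0].lower(): p for p in dll_paths}
    pairs, orphans = [], []
    for ini_path, stem in ini_entries:
        dll = by_stem.get(stem.lower()[::-1])
        if dll:
            pairs.append((ini_path, dll))
        else:
            orphans.append(ini_path)
    return pairs, orphans


if __name__ == "__main__":
    pairs, orphans = pair_ini_with_dlls(hidden_system_inis(COMBOFIX_LINES), DETECTED_DLLS)
    for ini_path, dll in pairs:
        print(f"{ini_path}  <->  {dll}")
    for ini_path in orphans:
        print(f"{ini_path}  (no matching DLL in the scan reports)")
```

On the sample input all four hidden .ini files pair up and nothing is orphaned; an orphan in a real log is a file to look at by hand, since the DLL it belongs to may simply have been missed by the scanners that were run.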

rukia88
2007-12-15, 18:50
New HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:36 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6556CCAC-C1D5-4C24-A3DB-D54145F6225C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82E42D62-88C8-4ED4-91D5-0D50F577A337} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O2 - BHO: (no name) - {F38858FF-F237-437D-999C-068A62B52016} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6740 bytes

ken545
2007-12-16, 04:13
rukia88,

Sorry for the late response but I was called away today and was not online most of the day.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::



File::
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\xesrieab.ini
C:\WINDOWS\system32\qvyyhgwq.ini
C:\WINDOWS\system32\uuudolji.ini
C:\WINDOWS\system32\mcrh.tmp

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556CCAC-C1D5-4C24-A3DB-D54145F6225C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E42D62-88C8-4ED4-91D5-0D50F577A337}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F38858FF-F237-437D-999C-068A62B52016}]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
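Where the Registry:: block above comes from: each O2 line in the HijackThis log is a Browser Helper Object, and one that ends in (no file) is a registry entry whose DLL no longer exists on disk. When it also reads (no name) there is nothing left to identify it, which is what is usually left behind once the DLL itself has been deleted (VundoFix already moved ssqrr.dll into its Backups folder here). The script below is an added example, not part of ken545's post and not code from ComboFix or HijackThis; it parses the O2 lines of the log posted above and emits the same Registry:: block. The ALLOWLIST containing {7E853D72-626A-48EC-A868-BA8D5E23E045} is an assumption: ken545's script leaves that entry alone without saying why, and the allowlist only reproduces that choice.

```python
"""Triage HijackThis O2 (Browser Helper Object) lines.

A BHO whose registry entry still exists but whose DLL is gone shows up in
HijackThis as "(no file)"; when it also has "(no name)" there is nothing
left to identify it, and it is usually debris from a removed infection.
This emits the ComboFix CFScript "Registry::" block that deletes those keys.
"""
import re
from typing import NamedTuple

# Constructed sample: the O2 block from the HijackThis log posted above,
# plus one O3 line to show that non-BHO lines are ignored.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6556CCAC-C1D5-4C24-A3DB-D54145F6225C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82E42D62-88C8-4ED4-91D5-0D50F577A337} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O2 - BHO: (no name) - {F38858FF-F237-437D-999C-068A62B52016} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
"""

# CLSIDs the analyst has decided to leave alone. ken545's script in the thread
# does not touch {7E853D72-...}; the reason is not stated, so this list is an
# assumption that reproduces his script, not a verdict on the entry.
ALLOWLIST = frozenset({"7E853D72-626A-48EC-A868-BA8D5E23E045"})

# "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)


class Bho(NamedTuple):
    name: str
    clsid: str
    path: str


def parse_o2(log_text: str) -> list:
    """Return every O2 line as a Bho; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def orphaned_bhos(entries, allow=frozenset()):
    """Nameless BHOs whose DLL is missing: registry debris to remove."""
    return [e for e in entries
            if e.path == "(no file)" and e.name == "(no name)" and e.clsid not in allow]


def named_no_file(entries):
    """Named BHOs whose DLL is missing: usually leftovers of uninstalled software, review by hand."""
    return [e for e in entries if e.path == "(no file)" and e.name != "(no name)"]


def build_cfscript(orphans) -> str:
    """Emit the CFScript Registry:: block in the form used in the thread."""
    lines = ["Registry::"]
    for e in orphans:
        lines.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}]" % e.clsid)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_o2(SAMPLE_HJT_LOG)
    print(build_cfscript(orphaned_bhos(found, ALLOWLIST)))
    for e in named_no_file(found):
        print("review:", e.name, e.clsid)
```

Run as-is it prints the four [-HKEY_LOCAL_MACHINE\~\...] lines from ken545's script, and lists IeCatch5 Class and gFlash Class (both FlashGet components by name) for manual review rather than deleting them, since a named entry with no file is more often an uninstall leftover than malware debris.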

rukia88
2007-12-16, 05:24
Hi, no worries re: late reply. Appreciating your help!

Before posting the logs, just a side note: today while waiting for your reply, I left the computer on with internet, did very minimal browsing, and on 2 occasions Zone Alarm detected the following:
not-a-virus:AdWare.Win32.SuperJuan.ao
not-a-virus:AdWare.Win32.Virtumonde.bjc

I quarantined both using Zone Alarm. They're now sitting there and I was wondering if I can just delete them?
Afterwards, I decided to disconnect from the Internet and just logged in from time to time to check for replies.

I did a new HJT log using "Scanner.exe"; I didn't rename again cuz I wasn't sure if it was necessary.



ComboFix 07-12-15.5 - L 2007-12-15 23:00:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.793 [GMT -5:00]
Running from: C:\Documents and Settings\L\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\L\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qvyyhgwq.ini
C:\WINDOWS\system32\uuudolji.ini
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\xesrieab.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\rrqss.ini.bad
C:\VundoFix Backups\rrqss.ini2.bad
C:\VundoFix Backups\ssqrr.dll.bad
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qvyyhgwq.ini
C:\WINDOWS\system32\uuudolji.ini
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\xesrieab.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 00:49 . 2007-12-15 21:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 23:20 . 2007-12-13 23:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-13 20:34 . 2007-12-15 12:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 20:34 . 2007-12-13 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-13 01:14 . 2007-12-13 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 22:37 . 2007-12-10 22:37 <DIR> d-------- C:\Documents and Settings\L\Application Data\SuperAdBlocker.com
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-12-09 22:51 . 2007-12-10 12:33 512 --a------ C:\ScanSectorLog.dat
2007-12-09 20:10 . 2007-12-15 21:00 796 --a------ C:\rollback.ini
2007-12-09 20:06 . 2007-12-15 23:04 3,033,888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-09 20:06 . 2007-12-15 23:04 44,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-09 20:06 . 2007-12-15 12:30 40,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-09 20:06 . 2007-12-15 12:30 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-09 20:04 . 2007-12-09 20:04 <DIR> d-------- C:\Documents and Settings\L\Application Data\MailFrontier
2007-12-09 19:42 . 2007-12-15 12:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-09 19:40 . 2007-12-15 23:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-07 23:57 . 2007-12-09 19:50 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-07 22:21 . 2007-12-09 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-07 21:00 . 2007-12-07 21:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 20:50 . 2007-12-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 20:47 . 2007-12-07 20:47 <DIR> d-------- C:\WINDOWS\system32\tdm2
2007-12-07 20:47 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-07 20:47 . 2007-12-08 14:30 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-07 20:46 . 2007-12-08 13:12 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-07 20:46 . 2007-12-15 12:28 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 02:05 96,983 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_15_21_04_54_small.dmp.zip
2007-12-15 05:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 02:51 1,203,447 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-11 12:37 96,571 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_11_00_37_27_small.dmp.zip
2007-12-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 22:15 --------- d-----w C:\Program Files\BitComet
2007-11-15 02:42 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-11-13 17:44 1,617,920 ----a-r C:\WINDOWS\system32\pdbox28.exe
2007-11-03 19:02 --------- d-----w C:\Program Files\SpookyManor_at
2007-11-01 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 20:41 1,536,000 ----a-r C:\WINDOWS\system32\clubbox.exe
2007-02-16 01:24 87,608 ----a-w C:\Documents and Settings\L\Application Data\ezpinst.exe
2007-02-16 01:24 47,360 ----a-w C:\Documents and Settings\L\Application Data\pcouffin.sys
2007-02-16 01:22 94,080 ----a-w C:\Documents and Settings\L\Application Data\ezplay.sys
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_12.32.49.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-15 17:15:36 246,796 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-12-16 02:05:34 250,324 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-12-13 05:37:43 8,824,832 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2007-12-16 03:52:27 8,953,856 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 12:49]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2001-11-21 06:39]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2001-12-13 11:27]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 18:56 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 20:30:47]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 TTDec;ATI WDM Teletext Decoder;C:\WINDOWS\system32\DRIVERS\ATINTTXX.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 00:09:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 23:06:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 23:08:10
C:\ComboFix2.txt ... 2007-12-15 12:37



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:45 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6469 bytes

ken545
2007-12-16, 12:02
Good Morning,

Yes you can delete what ZoneAlarm found. Your log looks clean. :bigthumb:

This is what I would do at this point.

Run this system cleaner to clean out all your temp files and such. It will clean cookies also, so if you need any to log on to different sites, make sure you know your passwords.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.




You also have some bad entries in your System Restore Program that you need to remove so you won't reinfect yourself.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



Then run Kaspersky again and let's see if it comes up with anything.

rukia88
2007-12-16, 20:52
Hi, here's the new Kaspersky scan.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 16, 2007 2:49:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/12/2007
Kaspersky Anti-Virus database records: 484112
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 45057
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:55:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\L\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe RAR: infected - 1 skipped
C:\Documents and Settings\L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\L\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\History\History.IE5\MSHist012007121620071217\index.dat Object is locked skipped
C:\Documents and Settings\L\Local Settings\Temp\~DF1E67.tmp Object is locked skipped
C:\Documents and Settings\L\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\L\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\L\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\L-3746562C4F964.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT018d9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT018df.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

ken545
2007-12-16, 21:53
You can delete the file in red:

C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe


Everything else looks fine :bigthumb:

How are things running now??
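Reading the scanner output the way ken545 does above: nearly every line ends in "Object is locked skipped", which means the scanner could not open a file that Windows or a running program holds open (registry hives, event logs, index.dat), and is not a detection. The two lines that matter belong together: the "Infected:" line names Toolbar.exe inside the Nero installer archive, and the "RAR: infected - 1" line is the installer itself, the file on disk that can actually be deleted. The script below is an added example, not from the thread and not Kaspersky's code; it parses report lines in that format (a constructed excerpt of the report above) and maps an in-archive detection back to its container file.

```python
"""Triage a Kaspersky Online Scanner report.

Separates 'Object is locked skipped' noise from real detections and maps a
detection inside an archive (container/member) back to the file on disk.
"""
import re
from typing import NamedTuple

# Constructed excerpt in the format of the report posted above (the real
# report lists many more locked objects).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\L\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\L\Desktop\Downloaded\Nero7\Nero-7.7.5.1_eng.exe RAR: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# The scanner could not open the file (held open by Windows or a running
# program); this is not a detection.
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# A detection; the path may be "container/member" for an object inside an archive.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
# Summary line for an archive whose members were detected.
CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<kind>[A-Za-z0-9]+): infected - (?P<count>\d+) (?P<action>\w+)$"
)


class Detection(NamedTuple):
    container: str   # file on disk
    member: str      # object inside the archive, "" if the file itself was flagged
    verdict: str
    action: str


def parse_report(text: str) -> dict:
    """Return {'locked': [paths], 'infected': [Detection], 'containers': [(path, kind, count)]}."""
    report = {"locked": [], "infected": [], "containers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCKED.match(line):
            report["locked"].append(m["path"])
        elif m := INFECTED.match(line):
            # Windows paths use backslashes, so "/" only appears as the archive separator.
            container, _, member = m["path"].partition("/")
            report["infected"].append(Detection(container, member, m["verdict"], m["action"]))
        elif m := CONTAINER.match(line):
            report["containers"].append((m["path"], m["kind"], int(m["count"])))
    return report


def files_to_remove(report: dict) -> list:
    """On-disk files carrying a detection, deduplicated, in report order."""
    seen = []
    for d in report["infected"]:
        if d.container not in seen:
            seen.append(d.container)
    return seen


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{len(rep['locked'])} locked objects (no action needed)")
    for d in rep["infected"]:
        where = f" (member {d.member})" if d.member else ""
        print(f"{d.verdict}: {d.container}{where}")
    print("delete:", files_to_remove(rep))
```

The "not-a-virus:" prefix on the verdict is Kaspersky's label for adware and other riskware bundled with otherwise wanted software, which is why the advice is to delete the downloaded installer rather than treat the machine as still infected.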

rukia88
2007-12-17, 00:44
I've deleted that whole Nero folder and restarted my computer. Things seem to be running back to normal speed now. Thank you so much for your help!! :)

I plan to go through the Spybot S&D tutorial and "immunize" my computer. So then I'll be having ZoneAlarm, Spybot, and SuperAntiSpyware running. Do you think that is sufficient? I heard that ZoneAlarm was good cuz it's also an antivirus program. I switched from Norton to ZoneAlarm and in the process I caught the virtumonde virus.

Maybe I'm not supposed to, or it's inappropriate to pose questions in this thread?? Anyway, much thanks. Really appreciate all your help!

ken545
2007-12-17, 01:26
That's great :bigthumb:


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken