Combofix Report

Status
Not open for further replies.
Sorry, here's MBAM:

Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 3

2008-11-13 11:58:57
mbam-log-2008-11-13 (11-58-57).txt

Scan type: Full Scan (C:\|D:\|G:\|S:\|W:\|X:\|Y:\|Z:\|)
Objects scanned: 166080
Time elapsed: 1 hour(s), 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e91ef7b-6846-45c3-a8ab-67cf7c900783} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\djsfxudb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jqrugf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kahkcvyl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mcggwt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tfrxupqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\trcack.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUoljkl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000010.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QI19\QI191065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 
I'm sorry to make an additional post but there's no edit option to go back.

I just wanted to let you know that for some reason when I click on My Documents I receive this message instead of it opening up:

The network folder, //dc-01.internal....... that contains My Documents is not available. Try again later or contact your system administrator for further assistance.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39, on 2008-11-13

ComboFix 08-11-12.01 - lwilson 2008-11-13 15:49:08.5 - NTFSx86

The HJT log always needs to be run after the other tools, but in this case it is clean so it is not a big thing. MBAM is finding mostly junk in the combofix quarantine and infected System Restore files. We will address those issues shortly. Before I close I see at least one dangerously out of date program. Please post an uninstall list so I can take a look.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
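The helper's reading of the log above (most hits are ComboFix quarantine residue or infected System Restore points, not live infections) can be automated. The following parser is an added example written for this thread; it is not Malwarebytes' own code, and the log layout it expects is inferred from the logs posted here: a "Category: N" summary block, then one "Category:" section per category with entries of the form `target (Detection.Name) -> action.` The sample log is a trimmed, constructed excerpt of the first MBAM log in the thread.

```python
"""Parse an MBAM 1.x text log, cross-check its summary counts and triage hits by location.

Added example for this thread (not Malwarebytes' code). Format assumptions are
inferred from the posted logs and may not hold for other MBAM versions.
"""
import re
from dataclasses import dataclass

# "Files Infected: 15"  -> summary line;  "Files Infected:" -> section header
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# "<path or key> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Hit:
    category: str
    target: str
    name: str
    action: str

    def location(self) -> str:
        """Where the hit lives: ComboFix quarantine, a restore point, the registry, or a live file."""
        t = self.target.lower()
        if t.startswith("c:\\qoobox\\quarantine\\"):
            return "combofix-quarantine"   # already neutralised by ComboFix (.vir copies)
        if "\\system volume information\\_restore" in t:
            return "system-restore"        # only revives if that restore point is used
        if t.startswith("hkey_"):
            return "registry"
        return "live-file"


def parse_mbam_log(text: str):
    """Return (summary_counts, hits) from the log text."""
    summary, hits, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            hits.append(Hit(current, m.group("target"), m.group("name"), m.group("action")))
    return summary, hits


def summary_mismatches(summary, hits):
    """Categories whose summary count differs from the entries actually listed (a truncated paste)."""
    seen = {}
    for h in hits:
        seen[h.category] = seen.get(h.category, 0) + 1
    return {cat: (n, seen.get(cat, 0)) for cat, n in summary.items() if seen.get(cat, 0) != n}


def triage(hits):
    """Bucket hits by location so live infections stand out from quarantine residue."""
    buckets = {}
    for h in hits:
        buckets.setdefault(h.location(), []).append(h)
    return buckets


# Constructed sample: a trimmed excerpt of the thread's first log, counts adjusted to match.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e91ef7b-6846-45c3-a8ab-67cf7c900783} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\djsfxudb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jqrugf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000010.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QI19\QI191065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary, hits = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", summary_mismatches(summary, hits))
    for where, items in sorted(triage(hits).items()):
        print(f"{where}: {len(items)}")
        for h in items:
            print("   ", h.name, "-", h.target)
```

On the sample, the only "live-file" bucket entry is the QI191065.exe downloader; the Qoobox and restore-point hits are what the helper calls junk, and the two registry keys are what MBAM actually cleaned. A non-empty result from `summary_mismatches` usually means the poster pasted a truncated log.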
 
Ok, here's the Uninstall list. When I clicked "save list" it gave me the exact same error I listed above for when I tried to open My Documents. But then it still opened it behind the error.

32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 2.0
Adobe Reader 7.0
Adobe Shockwave Player 11
AnswerWorks 4.0 Runtime - English
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AVI to MPEG Converter
AVS Video Converter 6
AVS4YOU Software Navigator 1.2
Bluetooth Stack for Windows by Toshiba
Broadcom Management Programs
Business Complete Care Services Agreement
Celtx (1.0)
CoffeeCup Image Mapper
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Dell Media Experience
DellSupport
Digital Content Portal
Digital Line Detect
Disney Pirates of the Caribbean Online
DVDx
EarthLink setup files
EPSON Attach To Email
EPSON Copy Utility
EPSON Copy Utility 3
EPSON Event Manager
EPSON File Manager
EPSON Perf 4490P Guide
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON TWAIN 5
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
FUJIFILM USB Driver
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 460
HP Deskjet 460 Series
HP Imaging Device Functions 8.0
HP Officejet J3600 Series
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
iSofter DVD Ripper Platinum 1.0.2006.912
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Dreamweaver 8
Macromedia Dreamweaver UltraDev 4
Macromedia Extension Manager
Macromedia Flash Player
Magic Swf2Gif 1.35
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Small Business Accounting 2006
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (2.0.0.17)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
My Screen Recorder Pro 2.51
mZConfig
NetWaiting
NetZeroInstallers
Norton Security Scan
ParetoLogic Privacy Controls
PC-Linq
Pdf995
Photo Click
PowerDVD 5.7
Presto! BizCard 4.1 Eng
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
RealPlayer
Rhapsody MP3 Download Manager
Rhapsody Player Engine
SBA
SecondLife (remove only)
SecondLifeBetaHavok (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype 2.5
Smart WAV Converter 2.5
SmartCDRipper
SmartSoft Video Converter
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sprint Mobile Broadband (Sierra)
Spybot - Search & Destroy
Super Mp3 Recorder Professional v6.2
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 12
TurboTax Deluxe 2007
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Defender Signatures
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Xenu's Link Sleuth
 
I'm sorry, guess I am trying to help too many folks at once. Could you post that error message for me again, word for word, just as Windows gives it to you? I tried a search engine and got no results, please be sure it is word for word.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/

Java 2 Runtime Environment, SE v1.4.2_03 <<< this one is VERY BADLY out of date, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Some folks have a problem uninstalling these old versions; that being the case, this tool will help.
http://www.majorgeeks.com/JavaRa_d5967.html

Mozilla Firefox (2.0.0.17) <<< If you are going to run Firefox, I suggest you run the newest version.
http://www.mozilla.com/en-US/firefox/

I also suggest the same thing about Internet Explorer:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Viewpoint Media Player <<< if you don't use this, I would uninstall it.
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

Let's move on and see if we can wrap up.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.

Update the antivirus program and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions. If all is well at this point, let me know and I will close the topic.


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
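The out-of-date-software review above (Adobe Reader 7.0, Java 1.4.2_03, Firefox 2.0.0.17 flagged against what was current) can be applied to a HijackThis uninstall list mechanically. This is an added example for this thread, not HijackThis or Secunia PSI code; the minimum versions in `MIN_VERSIONS` are constructed thresholds chosen to match the helper's verdicts for November 2008, not a maintained policy, and the product-name prefixes are assumptions about how those programs register themselves in Add/Remove Programs. The sample list is a constructed excerpt of the one posted in the thread.

```python
"""Flag out-of-date entries in a HijackThis-style uninstall list.

Added example for this thread (not HijackThis or PSI code). MIN_VERSIONS holds
constructed thresholds matching the helper's 2008 advice; adjust to your own policy.
"""
import re

# Version strings like "7.0", "2.0.0.17" or "1.4.2_03" (Java uses '_' for the update number).
VERSION_RE = re.compile(r"\d+(?:[._]\d+)+")

# Product prefix as it appears in the uninstall list -> minimum acceptable version (constructed).
MIN_VERSIONS = {
    "Adobe Reader": (9,),
    "Java 2 Runtime Environment": (1, 6),
    "Mozilla Firefox": (3,),
}


def parse_version(text):
    """Return the first dotted/underscored version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in re.split(r"[._]", m.group(0)))


def audit_uninstall_list(text):
    """Return [(entry, found_version, minimum)] for entries below the policy minimum.

    An entry whose product is covered by the policy but carries no parseable
    version is reported with found_version=None so a human looks at it.
    """
    outdated = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        for product, minimum in MIN_VERSIONS.items():
            if entry.startswith(product):
                # Search only after the product name so digits in the name ("Java 2") are ignored.
                found = parse_version(entry[len(product):])
                if found is None or found < minimum:   # tuple compare: (1,4,2,3) < (1,6)
                    outdated.append((entry, found, minimum))
    return outdated


# Constructed excerpt of the uninstall list posted in the thread.
SAMPLE_LIST = """
Adobe Acrobat 5.0
Adobe Reader 7.0
Java 2 Runtime Environment, SE v1.4.2_03
Malwarebytes' Anti-Malware
Mozilla Firefox (2.0.0.17)
Windows XP Service Pack 3
"""

if __name__ == "__main__":
    for entry, found, minimum in audit_uninstall_list(SAMPLE_LIST):
        print(f"OUT OF DATE: {entry!r} has {found}, policy minimum is {minimum}")
```

Tuple comparison does the right thing for mixed-length versions: `(9, 0) < (9,)` is false, so "Adobe Reader 9.0" passes, while `(1, 4, 2, 3) < (1, 6)` is true, so the Java 1.4.2 runtime is flagged. Old Java and Reader versions are exactly the kind of entries the helper says attackers lean on, so a one-line audit like this is worth running on every uninstall list posted in a cleanup thread.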
 
This is the message I get when I try to open My Documents:

The network folder, \\dc-01.internal.familydynamics.net/HomeRo...\My Documents, that contains My Documents is not available.

Try again later, or contact your system administrator for further assistance.


I thought I'd tell you that first in case I need to run any of those other things.
 
No information available and it is not complete. I doubt it would make a difference but part of the message is missing here:
The network folder, \\dc-01.internal.familydynamics.net/HomeRo...\My Documents, that contains My Documents is not available. Where the red is.

I suggest you update your Internet Explorer browser and see if that message goes away.

Try this and tell me what happens.

Click on My Computer > C:\ drive > Documents and Settings > your user name > My Documents. I am interested in the pathway that is now
in the Address line of the My Documents window, like in my case it is:
C:\Documents and Settings\Philip Skelley\My Documents

Thanks
 
Check to see if My Documents is elsewhere besides the user name as in my case.

Click on MyComputer > C:\ drive > Documents and Settings >

May be in:

Administrator
All Users
Default User
Any other user name

But you are right, if there is no My Documents folder in your user name I would guess that could cause a problem if you are signed in to that user.
You may find information here:
http://www.google.com/search?hl=en&q=missing+MyDocuments+folder&btnG=Search
 
I found it in another location. Would you please let me know how I set it to where I can go to start and click on the My Documents folder there and get to it?

MBAM is still scanning by the way.
 
I really don't know, never ran into this one before. Did you look at that information I provided you with from Google?

You can try creating another My Documents folder in your user name...just go there and right click, then choose New Folder. Once you have the folder, then see what happens if you save a notepad text file to that folder.
 
Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 3

2008-11-14 12:00:30 PM
mbam-log-2008-11-14 (12-00-30).txt

Scan type: Full Scan (C:\|D:\|G:\|S:\|W:\|X:\|Y:\|Z:\|)
Objects scanned: 172700
Time elapsed: 1 hour(s), 11 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I really don't know, never ran into this one before. Did you look at that information I provided you with from Google?

You can try creating another My Documents folder in your user name...just go there and right click, then choose New Folder. Once you have the folder, then see what happens if you save a notepad text file to that folder.

Yes, thanks.

The report came back clean from MBAM so I guess it's clean. I'm very grateful for your help! You are awesome! I don't know what else to say except, again, thank you.
 