#1 - Member, Michigan (joined Jan 2006, 83 posts)

infected with virtumonde and a trojan

Helping a buddy out here, more like resurrecting his PC from some infections.
I ran the HJT log through the Detective and removed the obvious entries it found, but there are some "suspicious" ones left over.

Gateway GT5228 with XP Pro, all is current and up to date.
Webroot's Spy Sweeper found and quarantined:
Mal/behav-067, Virtumonde, Trojan-Downloader.gen and misc tracking cookies. "Mal/behav-067" tried to run again while installing HJT; I'm sure there's a relation.
I ran Trend Micro Housecall, it found a couple entries and removed them.
Ad-Aware found a few entries and I removed those as well.
I ran "Secunia", took all of those recommendations and updated/deleted obsolete software. He's mostly up to date with the exception of Yahoo IM.
(not sure if it's used or not so I left it alone)
When I first tackled this, the desktop icons were flashing on and off very quickly, not giving me enough time to run anything.
By the time I got into a file it would restart, icons would rearrange on their own and I was back to square one.
Now that it's pretty stable I can get in and poke around.
He had 4 different antivirus programs fighting each other trying to load; I cut those off in msconfig and left the Webroot at his request.
Files in %temp% are always changing; I try to remove one, another one comes back in, and they all have names of different countries.

    Here's a copy of the HJT log.
    I would appreciate any direction as to where to go next trying to disinfect this beast.
    Regards,
    Jeff

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:00 PM, on 1/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164671417468
    O20 - Winlogon Notify: ljjhghi - ljjhghi.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 7618 bytes

#2 - Member (joined Dec 2002, 12,000 posts)

    Actually not seeing anything bad in the log.

    The Detective did not like this entry:

    O4 - HKCU\..\Run: [Power2GoExpress] NA
    (Why the detective caught it: Program running on startup, but does not show which directory it is running from. )

    Disconnect from the internet, close all browser windows including this one.

    Run another HJT scan and check the following files to have HJT fix:

    O20 - Winlogon Notify: ljjhghi - ljjhghi.dll (file missing)

Press the Fix checked button, close the HJT program. Reboot the PC.

    Next......

    Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

double-click the ccsetup.exe file and install the program...

At the CCleaner setup screen, under Install options, uncheck "Add CCleaner Yahoo! Toolbar" unless you want it.

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
Recently typed URLs
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.


    Next.......

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed update the definitions
    and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    Post the following:

    SUPERAntiSpyware Scan Log
    New HJT log.

    BG
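The reply above reads the HJT log by hand: an O4 autostart that names no directory (the Detective's complaint about Power2GoExpress) and an O20 Winlogon Notify entry whose DLL is missing. As an added example, not part of this thread or of HijackThis, here is a small Python triage script that applies those two reads to raw HJT lines; the sample lines are copied from the log posted above, and a flag is a reason to look closer, not a verdict, since vendor entries such as RTHDCPL.EXE trip the first rule too.

```python
"""Triage HijackThis (HJT) O4/O20 lines the way the reply above reads them.

Added example (not the thread's own code). Two rules, both from the reply:
  * O4 autostart entries that give no directory for what they run, or no
    command at all ("does not show which directory it is running from");
  * O20 Winlogon Notify entries whose DLL is "(file missing)".
Rule 1 also catches legitimate vendor entries (RTHDCPL.EXE, nwiz.exe,
zHotkey.exe in the log above), which is why a flag is only a prompt to
verify the file, exactly as the reply does before deciding nothing is bad.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 - Winlogon Notify: name - name.dll (file missing)
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$')


@dataclass
class Finding:
    line: str
    rule: str
    reason: str


def _split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command into (executable, remaining arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ''
    parts = cmd.split(' ', 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def _target_of(cmd: str) -> str:
    """What actually runs: for rundll32 that is the DLL argument, not rundll32 itself."""
    exe, args = _split_command(cmd)
    if exe.upper() in ('RUNDLL32.EXE', 'RUNDLL32') and args:
        dll, _ = _split_command(args)
        return dll.split(',', 1)[0]
    return exe


def _has_directory(path: str) -> bool:
    """True if the path carries a directory: drive letter, UNC prefix or %VAR% prefix."""
    return bool(re.match(r'^([A-Za-z]:\\|\\\\|%\w+%)', path))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4/O20 line, or None if it passes both rules."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        target = _target_of(m.group('cmd'))
        if target.upper() == 'NA' or not target:
            return Finding(line, 'O4-no-command',
                           f'autostart {m.group("name")!r} has no command to inspect')
        if not _has_directory(target):
            return Finding(line, 'O4-no-directory',
                           f'autostart {m.group("name")!r} gives no directory for {target!r}; locate and verify the file')
        return None
    m = O20_RE.match(line)
    if m:
        if '(file missing)' in m.group('dll'):
            return Finding(line, 'O20-missing-dll',
                           f'Winlogon Notify {m.group("name")!r} points at a DLL that is not on disk')
        return Finding(line, 'O20-review',
                       f'Winlogon Notify {m.group("name")!r} loads {m.group("dll")!r}; confirm the vendor')
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed excerpt: lines taken from the HJT log posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Power2GoExpress] NA
O20 - Winlogon Notify: ljjhghi - ljjhghi.dll (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

if __name__ == '__main__':
    for f in triage_log(SAMPLE):
        print(f'[{f.rule}] {f.reason}\n    {f.line}')
```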

#3 - Member, Michigan (joined Jan 2006, 83 posts)

Forgot about unticking "delete temp files older than 48 hrs". They're gone now, thanks.

Here are the logs.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/05/2008 at 10:35 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3374
    Trace Rules Database Version: 1369

    Scan type : Complete Scan
    Total Scan Time : 00:59:36

    Memory items scanned : 447
    Memory threats detected : 0
    Registry items scanned : 5982
    Registry threats detected : 1
    File items scanned : 67376
    File threats detected : 6

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}

    Adware.WebBuying Assistant-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP141\A0017125.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP142\A0017350.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP143\A0018376.EXE

    Unclassified.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP144\A0020538.DLL

    Trojan.Downloader-Gen/BundleBase
    C:\WINDOWS\SYSTEM32\INEWC01\INEWC011065.EXE

    Adware.Vundo Variant/Rel
    C:\WINDOWS\SYSTEM32\JJKKJ.INI


    and HJT.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:30 AM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CCleaner\CCleaner.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164671417468
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 7542 bytes


Also, I found a temp file right on the root drive, and within it there's an app called ulSaa1212.
Also in the file are two log files.
One called syscheck that has text like, "/R???&,????S??vee/?[W???o[??xv?mx??=z[?of1Kf?????k??^'s??,??????Z???'Oc'???l??b??6f?1?MM?????????4q|??"
and the other called etfr with the same kind of log.
But, since this PC isn't mine, I'm not sure what's supposed to be here.
Just looks suspicious is all.
Thanks for your help BG.
Jeff

#4 - steamwiz, Member, Yorkshire U.K. (joined Sep 2003, 14,022 posts)

Hi

Delete those log files in the C:\temp folder ... it's a common place for malware to hide & they're not required files ...

    I'd also like you to run another program for me, after all the malware you've dealt with ... this is a must ...

    Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post :-

    C:\ComboFix.txt

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

#5 - Member, Michigan (joined Jan 2006, 83 posts)

Thanks Wiz.
I forgot to delete the temp file, but it looks like ComboFix did it anyway; the only thing left in there is the app "ulSaa1212".
Think it's safe to toss the whole thing?

    Here's a copy of the log.

    Thanks again,
    Jeff

    ComboFix 08-01-06.4 - Owner 2008-01-06 0:36:18.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1427 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner.YOUR-DC3E0B8F38\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\tpBe12
    C:\Temp\tpBe12\etFr.log
    C:\WINDOWS\system32\abc2
    C:\WINDOWS\system32\ex1
    C:\WINDOWS\system32\ineWc01
    C:\WINDOWS\system32\ipd1
    C:\WINDOWS\system32\jjkkj.ini2
    C:\WINDOWS\system32\oc9
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\shel9
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-06 00:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-05 15:28 . 2008-01-05 15:28 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-01-05 11:06 . 2008-01-05 11:06 d-------- C:\Documents and Settings\Owner.YOUR-DC3E0B8F38\Application Data\CyberLink
    2008-01-05 11:06 . 2008-01-05 11:06 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-01-05 09:29 . 2008-01-05 09:31 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-05 09:29 . 2008-01-05 09:29 d-------- C:\Documents and Settings\Owner.YOUR-DC3E0B8F38\Application Data\SUPERAntiSpyware.com
    2008-01-05 09:29 . 2008-01-05 09:29 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-04 20:24 . 2008-01-04 20:24 d-------- C:\Program Files\Lavasoft
    2008-01-04 20:24 . 2008-01-04 20:24 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-04 20:22 . 2008-01-06 00:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-04 20:22 . 2008-01-04 20:22 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-04 20:20 . 2008-01-04 20:21 d-------- C:\Program Files\iTunes
    2008-01-04 20:20 . 2008-01-04 20:20 d-------- C:\Program Files\iPod
    2008-01-04 20:17 . 2008-01-04 20:18 d-------- C:\Program Files\QuickTime
    2008-01-04 20:15 . 2008-01-04 20:15 d-------- C:\Program Files\Apple Software Update
    2008-01-04 20:14 . 2008-01-04 20:14 d-------- C:\Program Files\Common Files\Apple
    2008-01-04 20:14 . 2008-01-04 20:14 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-01-04 19:28 . 2008-01-04 19:28 d-------- C:\Program Files\Common Files\Adobe
    2008-01-04 19:06 . 2008-01-04 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-04 19:02 . 2008-01-04 19:02 d-------- C:\WINDOWS\Sun
    2008-01-04 19:02 . 2008-01-04 19:44 d-------- C:\Documents and Settings\Owner.YOUR-DC3E0B8F38\.housecall6.6
    2008-01-04 19:01 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-04 19:00 . 2008-01-04 19:01 d-------- C:\Program Files\Java
    2008-01-04 18:59 . 2008-01-04 18:59 d-------- C:\Program Files\Common Files\Java
    2008-01-04 18:33 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2008-01-04 17:59 . 2008-01-04 18:15 d-------- C:\Program Files\SpywareBlaster
    2008-01-04 17:54 . 2008-01-05 12:26 d-------- C:\Tools
    2007-12-20 17:43 . 2007-12-20 17:43 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
    2007-12-20 17:40 . 2008-01-05 09:28 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-20 17:04 . 2008-01-04 17:56 d-------- C:\Program Files\CCleaner
    2007-12-20 16:59 . 2007-12-20 16:59 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-12-13 19:48 . 2008-01-06 00:38 d-------- C:\Temp
    2007-12-13 19:48 . 2007-12-13 19:48 532,909 --a------ C:\Temp\ulSaa1212.exe
    2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-05 18:38 2,354 ----a-w C:\Documents and Settings\Owner.YOUR-DC3E0B8F38\Application Data\wklnhst.dat
    2008-01-05 14:18 --------- d-----w C:\Program Files\Trend Micro
    2008-01-05 00:21 --------- d-----w C:\Program Files\Common Files\Real
    2008-01-04 23:41 --------- d-----w C:\Program Files\BigFix
    2007-12-21 00:04 --------- d-----w C:\Program Files\Norton Security Scan
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-14 04:01 16010752 C:\WINDOWS\RTHDCPL.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
    "nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
    "CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30 1191936]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
    "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-12-13 20:35 230512]
    "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-12-13 20:35 185456]
    "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "HostManager"="C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe" [ ]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome]
    c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
    c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    --a------ 2005-08-12 18:16 1121792 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
    C:\Program Files\McAfee.com\VSO\oasclnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
    C:\Program Files\Trend Micro\Antivirus\pccguide.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCClient.exe]
    C:\Program Files\Trend Micro\Antivirus\PCClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TM Outbreak Agent]
    C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-05 01:15:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-23 17:05:07 C:\WINDOWS\Tasks\Norton Security Scan.job"
    - C:\Program Files\Norton Security Scan\Nss.exe
    "2008-01-04 22:48:22 C:\WINDOWS\Tasks\wrSpySweeper_1B256E22F30146559DB02A7883FDE9E5.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_1B256E22F30146559DB02A7883FDE9E5
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    - C:\
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 00:40:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-06 0:41:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-06 05:41:34
    .
    2008-01-04 23:34:01 --- E O F ---

  6. #6
    Member
    Join Date
    Jan 2006
    Location
    Michigan
    Posts
    83
    Points
    0

    Default

    Just for the heck of it I updated and ran superantispyware and it found one of the restore points with;

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/06/2008 at 10:06 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3375
    Trace Rules Database Version: 1369

    Scan type : Complete Scan
    Total Scan Time : 00:54:23

    Memory items scanned : 441
    Memory threats detected : 0
    Registry items scanned : 5979
    Registry threats detected : 0
    File items scanned : 61393
    File threats detected : 1

    Trojan.Downloader-Gen/BundleBase
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP154\A0025478.EXE


    Think I should delete them and start new?

  7. #7
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    For the time being leave the restore points as is. It should not present a problem unless you do a system restore.

    When we get done, we will have you clear all old restore points.

    BG

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Nearly there ...

    Combofix shows this :-

    2007-12-13 19:48 . 2008-01-06 00:38 d-------- C:\Temp
    2007-12-13 19:48 . 2007-12-13 19:48 532,909 --a------ C:\Temp\ulSaa1212.exe

    As you can see, that executable came in at the same time the C:\Temp folder was created...

    If you were to do a KAS scan, it would probably show that file as this :-

    C:\temp\ulSaa1212.exe/data0002 Infected: Trojan-Downloader.Win32.Small.buy
    C:\temp\ulSaa1212.exe/data0003 Infected: not-a-virus:AdWare.Win32.Agent.co
    C:\temp\ulSaa1212.exe/data0004 Infected: Trojan-Downloader.Win32.Small.gzs
    C:\temp\ulSaa1212.exe/data0006/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a
    C:\temp\ulSaa1212.exe/data0006 Infected: not-a-virus:AdWare.Win32.TTC.a

    So ... find & delete the C:\Temp\ulSaa1212.exe file ...

    You can delete the C:\Temp folder as well if you want, or just leave it empty ... I have an empty one on my computer ...

    Then go ahead & purge System Restore ...

    Run all the scans which were showing anything & let us know if they don't come back clean ...

    This one as well...

    Please run a Kaspersky Online Scan

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    Click Accept

    You will be prompted to install an ActiveX component from Kaspersky,
    Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Once finished, save the log to your Desktop as filename KAV.txt

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
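The tell steamwiz points out above, an executable whose creation time matches that of its freshly created temp folder, can be checked mechanically across a whole ComboFix listing. This is an added example, not ComboFix's or the forum's code; it assumes the line layout shown in the quoted lines (created, modified, optional size, attributes, path) and runs on a constructed sample log that embeds those two lines.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Line shape as it appears in the quoted ComboFix output (assumed format):
#   <created> . <modified> [<size>] <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?:([\d,]+)\s+)?([-a-z]{9})\s+(\S.*?)\s*$"
)
TS = "%Y-%m-%d %H:%M"
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".sys")
# entry: (created, modified, size or None for a directory, attrs, path)
Entry = Tuple[datetime, datetime, Optional[int], str, str]

def parse_combofix(text: str) -> List[Entry]:
    """Keep only the file/directory listing lines; skip everything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            out.append((datetime.strptime(created, TS), datetime.strptime(modified, TS),
                        int(size.replace(",", "")) if size else None, attrs, path))
    return out

def flag_temp_droppers(entries: List[Entry]) -> List[str]:
    """Executables created in the same minute as their temp-style parent folder.
    Installers leave the same pattern under Program Files, so location matters."""
    dirs: Dict[str, Entry] = {e[4].lower(): e for e in entries if e[3].startswith("d")}
    hits = []
    for created, _mod, _size, attrs, path in entries:
        if attrs.startswith("d") or not path.lower().endswith(EXEC_EXT):
            continue
        parent = path.rsplit("\\", 1)[0].lower()
        folder = dirs.get(parent)
        temp_like = any(t in parent.rsplit("\\", 1)[-1] for t in ("temp", "tmp"))
        if folder and temp_like and folder[0] == created:
            hits.append(path)
    return hits

# Constructed sample: the two lines quoted in the post plus three benign ones.
SAMPLE_LOG = """
2007-12-13 19:48 . 2008-01-06 00:38 d-------- C:\\Temp
2007-12-13 19:48 . 2007-12-13 19:48 532,909 --a------ C:\\Temp\\ulSaa1212.exe
2007-12-13 19:48 . 2007-12-13 19:48 1,024 --a------ C:\\Temp\\notes.txt
2008-01-05 14:18 . 2008-01-05 14:18 d-------- C:\\Program Files\\Trend Micro
2008-01-05 14:18 . 2008-01-05 14:18 812,344 --a------ C:\\Program Files\\Trend Micro\\HijackThis.exe
"""
```

Only the C:\Temp dropper is returned; the Trend Micro executable shares its folder's creation minute too, which is why the temp-location test is part of the check.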

  9. #9
    Member
    Join Date
    Jan 2006
    Location
    Michigan
    Posts
    83
    Points
    0

    Default

    I couldn't find the online scanner on Kaspersky's site.

    So far, everything I used before to scan came back clean and I feel pretty confident that this thing is buttoned up, and I deleted the restore points.
    Webroot found a cookie from Kaspersky and that's about it.

    Only thing I have to ask is the correct way to uninstall / delete ComboFix.
    If I delete it from the desktop, what happens to the file "QooBox" it created on C:?

    I don't want to leave anything on here that his kids can mess with.

    Jeff

  10. #10
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Quote Originally Posted by JeffO
    I couldn't find the online scanner on Kaspersky's site.
    :?

    You clicked the link I gave you ?

    Kaspersky WebScanner <<<

    Then clicked this ...
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
