the virus alert by the date and be removed in Control Panel under Regional and Language Settings; in there go to Customize and Time and you will see it there. Just choose one of the other time settings.
caperjack 875 I hate 20 Questions Team Colleague
gerbil 216 Industrious Poster
Main problem, caper, is to get any exes to run. Most system ones do, but not sfc.exe, and so far not any of the tool exes I have suggested. It's fun... there may be a simple blacklist at work, but it is not started via the methods that HijackThis lists.
Weasel, ComboFix: rename the desktop icon to MyCF55.exe, then double-click it. Remember to turn off the net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so and delete itself; then download a fresh copy.
[System defence? The sort of thing that comes with, say, Comodo; it would drive you nuts as CF tries to install and run.]
comlor 0 Junior Poster in Training
Use this software to get rid of restrictive policies.
It will get rid of the blocked Task Manager and most other restrictive policies.
weasel7711 0 Junior Poster in Training
I will try that when I get out of work this evening. Thanks for the help guys.
weasel7711 0 Junior Poster in Training
Great news. I renamed ComboFix and it's working. So currently I am running ComboFix. Should I run any of the other files too when it finishes?
I have attached the log file.
ComboFix 08-09-26.06 - Administrator 2008-10-07 7:18:04.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.341 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\mycmbfx.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.
2008-10-01 20:14 . 2008-10-01 20:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-09-28 10:50 . 2008-09-28 10:50 <DIR> d-------- C:\Program Files\CCleaner
2008-09-26 17:18 . 2008-09-26 17:22 <DIR> d-------- C:\Program Files\Unlocker
2008-09-25 12:37 . 2008-09-25 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-09-25 12:36 . 2008-09-25 12:36 <DIR> d-------- C:\Program Files\ClamWin
2008-09-25 12:36 . 2008-09-25 12:36 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-09-25 12:23 . 2006-02-05 09:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-09-25 12:23 . 2008-09-28 10:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-22 18:53 . 2008-09-22 18:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-22 18:53 . 2008-09-22 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-22 18:52 . 2008-09-22 18:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 11:18 888,271 --sha-w C:\WINDOWS\system32\aKUBdMoq.ini2
2008-09-26 21:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-22 21:32 323,648 ----a-w C:\WINDOWS\system32\qoMdBUKa.dll
2008-07-22 18:01 33,152 ----a-w C:\WINDOWS\system32\ssqnMETJ.dll
2008-07-22 18:01 33,152 ----a-w C:\WINDOWS\system32\nnnNHYqn.dll
2008-07-22 18:00 33,152 ----a-w C:\WINDOWS\system32\xxyvuutq.dll
2008-07-22 18:00 33,152 ----a-w C:\WINDOWS\system32\fccYSiGV.dll
2008-07-22 11:23 94,208 ----a-w C:\WINDOWS\erfb.exe
2008-07-22 11:23 86,016 ----a-w C:\WINDOWS\grswptdl.exe
2008-07-22 11:23 393,216 ----a-w C:\WINDOWS\nfavxwdbpgs.dll
2008-07-17 10:14 454,656 ----a-w C:\WINDOWS\kgxmotapktx.dll
2008-07-17 10:14 163,840 ----a-w C:\WINDOWS\erms.exe
2008-07-17 10:14 155,648 ----a-w C:\WINDOWS\agpqlrfm.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
2008-07-22 14:00 33152 --a------ C:\WINDOWS\system32\xxyvuutq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
2008-07-22 17:32 323648 --a------ C:\WINDOWS\system32\qoMdBUKa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]
"F5D9010"="C:\Program Files\Belkin\F5D9010\Belkinwcui.exe" [2006-03-14 1585152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-09-05 86016]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 C:\WINDOWS\AGRSMMSG.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 151552]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= "C:\WINDOWS\system32\xxyvuutq.dll" [2008-07-22 33152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
2008-07-22 14:00 33152 C:\WINDOWS\system32\xxyvuutq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\qoMdBUKa
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 19968]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 -: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.93.inf
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.93.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 07:19:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:
gerbil 216 Industrious Poster
Ah, nice, weasel.
==Again, please disconnect from the web and turn off your antivirus, antispyware and firewall for the duration of this scan:
Copy the text in the box to Notepad [Format > Word Wrap unchecked] and save it as CFScript.txt to where you saved ComboFix, that is, to your desktop.
Killall::
File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
Good. Now drag the CFScript.txt icon onto the ComboFix icon [mycmbfx.exe] on your desktop. ComboFix will start; let it run, and if your firewall prompts then allow all. Post the log.
Please now run sfc /scannow.
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
gerbil 216 Industrious Poster
Weasel, don't use that previous script; I missed one file to delete, so use this modified version instead. The Vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his system, so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:
Killall::
File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
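An added triage helper, not code from this thread or from ComboFix's authors: it reads a ComboFix "Reg Loading Points" section and pulls out the indicators gerbil acted on in the scripts above (BHO and ShellExecuteHooks entries, a Winlogon Notify subkey, an extra LSA authentication package, Security Center monitoring disabled, Windows Firewall disabled), lists the files those entries load, and shows how the hex(7) value in the Registry:: section decodes to the single default package msv1_0. The sample input is constructed from the log posted earlier; the hex(7) encoding used here is the REGEDIT4/ANSI form ComboFix scripts use, whereas a Unicode .reg file stores UTF-16LE. The CFScript it builds is a skeleton only: the BHO and Notify key deletions from gerbil's script still have to be added by hand.

```python
"""Triage a ComboFix 'Reg Loading Points' section for persistence indicators.

Added example, not ComboFix's code. Assumption: the log was saved as text and
uses the layout seen in the thread above.
"""
import re
from typing import List, Tuple

# Constructed sample: trimmed from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
2008-07-22 14:00 33152 --a------ C:\WINDOWS\system32\xxyvuutq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
2008-07-22 17:32 323648 --a------ C:\WINDOWS\system32\qoMdBUKa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= "C:\WINDOWS\system32\xxyvuutq.dll" [2008-07-22 33152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
2008-07-22 14:00 33152 C:\WINDOWS\system32\xxyvuutq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\qoMdBUKa
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

Finding = Tuple[str, str]  # (indicator, file path or registry key)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\[\]]+')
PERSIST = ("bho", "shell-execute-hook", "winlogon-notify", "lsa-auth-package")


def decode_reg_multi_sz(value: str) -> List[str]:
    """Decode a REGEDIT4-style 'hex(7):..' literal (ANSI bytes, NUL-separated,
    double-NUL terminated) into its strings."""
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ literal")
    raw = bytes(int(b, 16) for b in value[7:].split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_reg_multi_sz(values: List[str]) -> str:
    """Inverse of decode_reg_multi_sz; ["msv1_0"] yields the value in the script."""
    data = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def triage(log_text: str) -> List[Finding]:
    """Walk the section key by key and record the persistence/defence-evasion hits."""
    findings: List[Finding] = []
    key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        paths = PATH_RE.findall(line)
        low = line.lower()
        if "browser helper objects" in key and paths:
            findings.append(("bho", paths[0]))
        elif "shellexecutehooks" in key and paths:
            findings.append(("shell-execute-hook", paths[0]))
        elif "\\winlogon\\notify\\" in key and paths:
            findings.append(("winlogon-notify", paths[0]))
        elif key.endswith("\\control\\lsa") and low.startswith("authentication packages"):
            # XP's only default package is msv1_0; anything else is loaded into lsass.exe
            for pkg in line.split()[3:]:
                if pkg.lower() != "msv1_0":
                    findings.append(("lsa-auth-package", pkg))
        elif "security center\\monitoring" in key and low.endswith('"disablemonitoring"=dword:00000001'):
            findings.append(("security-center-disabled", key))
        elif "firewallpolicy" in key and low.startswith('"enablefirewall"= 0'):
            findings.append(("firewall-disabled", key))
    return findings


def file_iocs(findings: List[Finding]) -> List[str]:
    """Files behind the persistence entries; candidates for a File:: section."""
    paths = set()
    for kind, detail in findings:
        if kind in PERSIST:
            if "." not in detail.rsplit("\\", 1)[-1]:
                detail += ".dll"  # LSA loads the package via LoadLibrary: no extension means .dll
            paths.add(detail)
    return sorted(paths)


def build_cfscript(findings: List[Finding]) -> str:
    """Skeleton CFScript: file deletions plus an LSA reset to msv1_0 only."""
    lines = ["Killall::", "File::", *file_iocs(findings), "Registry::"]
    if any(k == "lsa-auth-package" for k, _ in findings):
        lines.append(r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]")
        lines.append('"Authentication Packages"= ' + encode_reg_multi_sz(["msv1_0"]))
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:26} {detail}")
    print(build_cfscript(found))
```

The LSA check is the one worth remembering from this log: a second entry in Authentication Packages means a DLL is loaded into lsass.exe at boot and sees every logon credential, which is why gerbil's advice to change passwords follows directly from that line rather than from the BHO entries.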
weasel7711 0 Junior Poster in Training
OK, it seems like everything is working great now. After I ran ComboFix and SDFix the Task Manager was enabled and Explorer stopped committing suicide repeatedly.
I ran MBAM twice. The first time I ran it, it found a bunch of malware, so I have attached the logs from before I cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2
10/7/2008 9:05:19 PM
mbam-log-2008-10-07 (21-05-01).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 105877
Time elapsed: 35 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\fdkowvbp.bbwm (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\User\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccYSiGV.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnNHYqn.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqnMETJ.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033915.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033916.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033917.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033920.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034946.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034948.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034949.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034956.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035178.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035179.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035180.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\User\Desktop\AntiMalwareGuard.lnk (Rogue.AntiMalwareGuard) -> No action taken.
Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2
10/7/2008 9:05:24 PM
mbam-log-2008-10-07 (21-05-24).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 105877
Time elapsed: 35 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\fdkowvbp.bbwm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\User\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccYSiGV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnNHYqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqnMETJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033915.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033916.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033917.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0033920.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034946.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034948.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034949.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP127\A0034956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035178.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035179.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP129\A0035180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\AntiMalwareGuard.lnk (Rogue.AntiMalwareGuard) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2
10/7/2008 9:56:27 PM
mbam-log-2008-10-07 (21-56-27).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 105590
Time elapsed: 36 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
gerbil 216 Industrious Poster
Weasel, could you post the ComboFix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.
weasel7711 0 Junior Poster in Training
NP
ComboFix 08-10-07.06 - User 2008-10-07 18:57:44.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\erfb.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\xxyvuutq.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiMalwareGuard.lnk
C:\Documents and Settings\User\Desktop\Error Cleaner.url
C:\Documents and Settings\User\Desktop\Privacy Protector.url
C:\Documents and Settings\User\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\User\Favorites\Error Cleaner.url
C:\Documents and Settings\User\Favorites\Privacy Protector.url
C:\Documents and Settings\User\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\_000111_.tmp.dll
C:\WINDOWS\system32\aKUBdMoq.ini
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\ssqnMETJ.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.
2008-10-07 19:04 . 2008-10-07 19:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-07 18:51 . 2008-10-07 18:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-07 09:02 . 2008-10-07 09:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-07 08:58 . 2008-10-07 09:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-10-07 07:57 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-07 07:33 . 2008-10-07 07:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-07 07:32 . 2008-10-07 07:57 <DIR> d-------- C:\SDFix
2008-10-01 20:14 . 2008-10-01 20:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-09-28 10:50 . 2008-09-28 10:50 <DIR> d-------- C:\Program Files\CCleaner
2008-09-26 17:18 . 2008-09-26 17:22 <DIR> d-------- C:\Program Files\Unlocker
2008-09-26 17:18 . 2008-09-26 17:18 <DIR> d-------- C:\Documents and Settings\User\Application Data\Desktopicon
2008-09-25 13:24 . 2008-09-25 17:46 <DIR> d-------- C:\Documents and Settings\User\Application Data\.clamwin
2008-09-25 12:37 . 2008-09-25 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-09-25 12:36 . 2008-09-25 12:36 <DIR> d-------- C:\Program Files\ClamWin
2008-09-25 12:36 . 2008-09-25 12:36 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-09-25 12:23 . 2006-02-05 09:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-09-25 12:23 . 2008-09-28 10:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-22 18:53 . 2008-09-22 18:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-22 18:53 . 2008-09-22 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-22 18:52 . 2008-09-22 18:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 23:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-07 12:05 --------- d-----w C:\Program Files\Norton Internet Security
2008-09-26 21:13 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-07-08 01:31 3,112 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2008-10-07_ 7.20.19.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-10-07 11:33:58 839,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-10-07 11:33:58 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-10-07 11:33:55 839,680 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-10-07 11:33:55 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\advpack.dll
+ 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtmsft.dll
+ 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtrans.dll
+ 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\extmgr.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\icardie.dll
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ie4uinit.exe
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakeng.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieaksie.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakui.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieapfltr.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iedkcs32.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieframe.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iernonce.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iertutil.dll
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieudinit.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
+ 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\jsproxy.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeeds.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeedsbs.dll
+ 2008-04-24 02:16:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtml.dll
+ 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtmled.dll
+ 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msrating.dll
+ 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mstime.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\occache.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\updspapi.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\url.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\webcheck.dll
+ 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
- 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2008-07-19 02:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2004-08-04 08:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-19 02:10:48 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:32:22 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
- 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-06-23 16:57:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ---
gerbil 216 Industrious Poster
Looks sweet. Just do a manual check that this thing is really gone:
C:\DOCUMENTS and SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\Temp\catchme.sys
And if all seems fine, then all is fine. Cheers.
gerbil 216 Industrious Poster
Weasel, if things are okay then to clean up you should:
-uninstall MBAM.
-delete C:\SDFix
-run combofix /u
Then reset Folder Options to your preferences.