  #1  
Old 17th Dec 2008, 13:18
Member Group
 
HP Pavilion zt3000 notebook
Windows XP pro (I think)
768 MB RAM


Hi all,

Trojan.Zlob.G was detected on my computer about 10 days ago and I read a blog on it and reinstalled Malware and deleted the Trojan after several hours. I didn't bother doing anything to the registry files though.

I thought my computer was working fine but it had slowed down considerably and many more Internet Explorer errors were occurring.

I also decided to install another free antivirus software (I already had AVG but this did not detect anything even when I ran a full system scan) so I have been running 2 antivirus programs - AVG and Avira - apart from the ZoneAlarm freeware that I have downloaded with high protection.

My computer has been acting funny again since the past 48 hours and a series of Trojans have been detected since -


Malware detected these:

Trojan.Vundo.H
Trojan.Vundo


AVG detected these:
Trojanhorsevundo.CS


Well, Malware says that some will be deleted upon reboot and I have scanned and deleted at least 6 times and the problem persists.

Finally, a short while ago AVG detected the above mentioned and when I forced delete it cannot be deleted since the file is missing...

I am no expert when it comes to computers but most of the files that are affected are registry files, system32 files and so on.

Also, the following error message pops up when I start windows

C:Windows/system32/owukuyu.dll
The specific module could not be found.


The use of my computer is everything to me. Please help me resolve this matter ASAP.

Many thanks for your time and patience.
Tina


Find enclosed the last log file from Malware:

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3
12/17/2008 7:57:42 PM
mbam-log-2008-12-17 (19-57-42).txt
Scan type: Quick Scan
Objects scanned: 50266
Time elapsed: 19 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\radafipi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\zewadora.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44e5e78f-4780-42e7-8a9f-da90ce2a7284} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{44e5e78f-4780-42e7-8a9f-da90ce2a7284} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f09c90f1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kibunikaga (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3afa36d (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zewadora.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zewadora.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\radafipi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ipifadar.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zewadora.dll (Trojan.Vundo.H) -> Delete on reboot.
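The log above shows why deleting the files alone keeps failing: the Vundo entries are registered under several different load points at once (a Run key, a Browser Helper Object, AppInit_DLLs, SharedTaskScheduler and ShellServiceObjectDelayLoad), and anything marked "Delete on reboot" is still on the machine until the restart. As an added example (not part of Tina's post and not code from Malwarebytes or any tool in this thread), here is a small Python script that parses lines in this Malwarebytes 1.x log format, names the load point each finding uses, and lists the items still pending removal. The embedded log is a constructed excerpt with the same shape as the one above, and the load-point labels are the script's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format (same shape
# as the log quoted in the post above; not the full log).
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\radafipi.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44e5e78f-4780-42e7-8a9f-da90ce2a7284} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kibunikaga (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zewadora.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\zewadora.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# One finding per line: "<item> (<family>) -> <action>." with an optional "Data: ..." segment.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Registry load points seen in the log, keyed by a substring of the path.
# The labels are this example's own and say which process loads the entry.
LOAD_POINTS = [
    ("\\currentversion\\run\\", "Run key (started at logon)"),
    ("browser helper objects", "BHO (loaded into Internet Explorer)"),
    ("appinit_dlls", "AppInit_DLLs (loaded into every user32 process)"),
    ("sharedtaskscheduler", "SharedTaskScheduler (loaded by Explorer)"),
    ("shellserviceobjectdelayload", "ShellServiceObjectDelayLoad (loaded by Explorer)"),
    ("\\clsid\\", "COM class registration"),
]


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str
    data: Optional[str] = None  # value data, only for "Registry Data Items"


def persistence_mechanism(item: str) -> str:
    """Map a registry path or file path to the load point it represents."""
    low = item.lower()
    for needle, label in LOAD_POINTS:
        if needle in low:
            return label
    if low.endswith((".dll", ".exe", ".ini")):
        return "file on disk"
    return "other registry key"


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, tracking the current 'X Infected:' section, and collect findings."""
    findings: List[Finding] = []
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # summary counts, "(No malicious items detected)", blank lines
        parts = m.group("rest").split(" -> ")
        action = parts[-1].rstrip(".")
        data = None
        if len(parts) > 1 and parts[0].startswith("Data: "):
            data = parts[0][len("Data: "):]
        findings.append(Finding(section, m.group("item"), m.group("family"), action, data))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Count load points and list the items the scanner could not remove in this pass."""
    mechanisms = Counter(persistence_mechanism(f.item) for f in findings)
    pending = [f.item for f in findings if f.action == "Delete on reboot"]
    return {"mechanisms": dict(mechanisms), "pending_reboot": pending}


if __name__ == "__main__":
    result = summarize(parse_mbam_log(SAMPLE_LOG))
    for mech, n in sorted(result["mechanisms"].items()):
        print(f"{n}x {mech}")
    print("still present until reboot:")
    for item in result["pending_reboot"]:
        print("  ", item)
```

Run it on a saved mbam-log file by replacing SAMPLE_LOG with the file's contents; the point of the summary is that a scan log with several distinct load points and a non-empty "pending" list is not a clean system yet, which is exactly why the helper asks for a fresh log after each pass rather than trusting that the symptoms have gone.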
  #2  
Old 17th Dec 2008, 14:03
Malware Group
 
Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please include the log C:\ComboFix.txt in your next reply for further review.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #3  
Old 18th Dec 2008, 11:45
Member Group
 
Many thanks for taking the time to respond. I have done as per instructions.

Please find enclosed the ComboFix log file:


ComboFix 08-12-17.01 - sys 2008-12-18 18:27:14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.434 [GMT 0:00]
Running from: c:\documents and settings\sys\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sys\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\vlc-0.9.6-win32.exe
c:\documents and settings\sys\Application Data\Google\T-Scan
c:\windows\Downloaded Program Files\ODCTOOLS
.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-08 07:28 . 2008-12-18 07:39 805 --a------ C:\rollback.ini
2008-12-08 07:09 . 2008-12-08 07:09 <DIR> d-------- c:\documents and settings\sys\Application Data\MailFrontier
2008-12-08 07:05 . 2008-12-18 18:30 2,496,288 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 07:05 . 2008-12-18 18:30 35,552 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 06:42 . 2008-12-08 06:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-08 06:41 . 2008-12-08 06:44 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-08 06:40 . 2008-08-21 20:41 72,592 --a------ c:\windows\zllsputility.exe
2008-12-08 06:39 . 2008-12-08 06:39 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-08 06:39 . 2008-12-08 06:39 <DIR> d-------- c:\program files\Zone Labs
2008-12-08 06:39 . 2008-08-21 20:41 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-08 06:39 . 2008-12-18 18:31 349,222 --a------ c:\windows\system32\vsconfig.xml
2008-12-08 06:38 . 2008-12-08 06:38 <DIR> d-------- c:\windows\Internet Logs
2008-12-08 06:22 . 2008-12-08 06:22 <DIR> d-------- c:\program files\XoftSpySE
2008-12-08 03:01 . 2008-12-08 03:01 <DIR> d-------- c:\program files\Avira
2008-12-08 03:01 . 2008-12-08 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\documents and settings\sys\Application Data\Malwarebytes
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 01:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 01:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 01:44 . 2008-12-08 01:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\program files\HiYo
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\documents and settings\sys\Application Data\HiYo
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\HiYo
2008-12-02 23:40 . 2008-12-02 23:40 29 --a------ c:\windows\LinerUK.ini
2008-11-29 05:13 . 2008-11-29 05:13 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-29 05:07 . 2008-11-29 05:07 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-29 05:07 . 2008-11-29 05:07 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-28 18:34 . 2008-11-28 18:34 <DIR> d-------- c:\documents and settings\sys\Application Data\Ahead
2008-11-28 13:34 . 2008-11-28 13:34 0 --a------ c:\windows\p50a_18eto18f.INI
2008-11-28 05:39 . 2008-11-28 05:39 <DIR> d-------- c:\documents and settings\sys\Application Data\Search Settings
2008-11-28 05:35 . 2008-11-28 05:35 <DIR> d-------- c:\program files\Search Settings
2008-11-28 05:34 . 2005-03-11 18:37 1,986,560 --a------ c:\windows\system32\AudFile.dll
2008-11-28 05:34 . 2005-02-24 13:11 1,212,416 --a------ c:\windows\system32\AudioInfos.dll
2008-11-28 05:34 . 2005-02-24 12:51 348,160 --a------ c:\windows\system32\WMAFile.dll
2008-11-28 05:34 . 1998-07-12 22:00 141,312 --a------ c:\windows\system32\MSCMCFR.DLL
2008-11-28 05:34 . 2000-10-01 18:00 119,568 --a------ c:\windows\system32\VB6FR.DLL
2008-11-28 05:34 . 2005-01-10 13:54 116,296 --a------ c:\windows\system32\NCTWMAProfiles.prx
2008-11-28 05:34 . 2000-05-22 14:58 115,920 --a------ c:\windows\system32\msinet.OCX
2008-11-28 05:34 . 1999-03-25 18:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-11-28 05:34 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-11-28 05:34 . 2003-01-26 12:41 40,960 --a------ c:\windows\system32\SSubTmr6.dll
2008-11-28 05:34 . 1998-07-12 18:00 32,768 --a------ c:\windows\system32\CMDLGFR.DLL
2008-11-28 05:34 . 1998-07-12 22:00 15,360 --a------ c:\windows\system32\inetfr.DLL
2008-11-25 15:19 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2008-11-25 15:19 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2008-11-25 15:18 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2008-11-20 15:30 . 2008-11-20 15:30 <DIR> d-------- c:\program files\BingoLinerUK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 08:54 640,000 ------w c:\windows\Internet Logs\xDB1.tmp
2008-11-17 15:33 --------- d-----w c:\program files\activePDF
2008-11-12 22:12 --------- d-----w c:\program files\Veoh Networks
2008-11-12 19:45 --------- d-----w c:\program files\DC++
2008-11-12 15:48 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-12 15:48 --------- d-----w c:\program files\Real
2008-11-12 15:48 --------- d-----w c:\program files\Common Files\xing shared
2008-11-12 15:47 --------- d-----w c:\program files\Common Files\Real
2008-11-12 15:34 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-12 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-12 15:31 --------- d-sh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-12 15:31 --------- d-----w c:\program files\Windows Live
2008-11-12 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-08 16:44 --------- d-----w c:\documents and settings\sys\Application Data\CyberLink
2008-11-08 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 10:07 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-18 07:14 89,600 --sha-w c:\windows\system32\husekafi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"Voipwise"="c:\program files\Voipwise.com\Voipwise\Voipwise.exe" [2008-12-09 8974128]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-10-09 3502840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 860160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-12 185872]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-06-12 991584]
"HiYo"="c:\program files\HiYo\bin\HiYo.exe" [2008-10-23 300336]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 c:\windows\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-15 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-15 231704]
.
Contents of the 'Scheduled Tasks' folder
2008-12-13 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-03 18:05]
2008-12-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-03 18:05]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
BHO-{44e5e78f-4780-42e7-8a9f-da90ce2a7284} - c:\windows\system32\zelojive.dll
HKLM-Run-kibunikaga - c:\windows\system32\jowukuyu.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\sys\Application Data\Mozilla\Firefox\Profiles\xykps2o1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 18:34:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\NERO\NERO 7\INCD\INCDSRV.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
************************************************************************
.
Completion time: 2008-12-18 18:37:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 18:37:06
Pre-Run: 2,356,576,256 bytes free
Post-Run: 2,963,701,760 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
245 --- E O F --- 2008-12-12 14:19:05





Hope to hear from you soon.

Many thanks,
Tina
  #4  
Old 18th Dec 2008, 13:42
Malware Group
 
Hi again Tina

How is your system running now?


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
  • Click the "Browse" button and browse to this file in RED:
    c:\windows\system32\husekafi.dll
  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:
Code:
  File::
  c:\windows\p50a_18eto18f.INI
   
  Registry::
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SearchSettings"=-
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #5  
Old 21st Dec 2008, 11:25
Member Group
 
Hi Iain (hope I have got your name right!)

Apologies for not getting back to you earlier. The system is slow at times and painfully slow at other times.

Anyway, I haven't managed to locate c:\windows\system32\husekafi.dll.

I tried to look for it carefully but the file doesn't seem to exist in the system 32 folder.

Please get back to me at your earliest convenience. I hope to resolve the problem ASAP.

Thanks much,
Tina
  #6  
Old 22nd Dec 2008, 12:38
Member Group
 
Hi!

I went ahead and did Part B (Combo fix bit).

Please find the log enclosed:


ComboFix 08-12-17.01 - sys 2008-12-22 18:10:19.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.431 [GMT 0:00]
Running from: c:\documents and settings\sys\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sys\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\p50a_18eto18f.INI
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\p50a_18eto18f.INI
c:\windows\system32\a.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.
2008-12-08 07:28 . 2008-12-22 16:57 959 --a------ C:\rollback.ini
2008-12-08 07:09 . 2008-12-08 07:09 <DIR> d-------- c:\documents and settings\sys\Application Data\MailFrontier
2008-12-08 07:05 . 2008-12-22 07:33 2,503,456 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 07:05 . 2008-12-22 07:33 35,648 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 06:42 . 2008-12-08 06:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-08 06:41 . 2008-12-08 06:44 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-08 06:40 . 2008-08-21 20:41 72,592 --a------ c:\windows\zllsputility.exe
2008-12-08 06:39 . 2008-12-08 06:39 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-08 06:39 . 2008-12-08 06:39 <DIR> d-------- c:\program files\Zone Labs
2008-12-08 06:39 . 2008-08-21 20:41 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-08 06:39 . 2008-12-22 16:50 349,222 --a------ c:\windows\system32\vsconfig.xml
2008-12-08 06:38 . 2008-12-08 06:38 <DIR> d-------- c:\windows\Internet Logs
2008-12-08 06:22 . 2008-12-08 06:22 <DIR> d-------- c:\program files\XoftSpySE
2008-12-08 03:01 . 2008-12-08 03:01 <DIR> d-------- c:\program files\Avira
2008-12-08 03:01 . 2008-12-08 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\documents and settings\sys\Application Data\Malwarebytes
2008-12-08 01:49 . 2008-12-08 01:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 01:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 01:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 01:44 . 2008-12-08 01:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\program files\HiYo
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\documents and settings\sys\Application Data\HiYo
2008-12-04 18:01 . 2008-12-04 18:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\HiYo
2008-12-02 23:40 . 2008-12-02 23:40 29 --a------ c:\windows\LinerUK.ini
2008-11-29 05:13 . 2008-11-29 05:13 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-29 05:07 . 2008-11-29 05:07 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-29 05:07 . 2008-11-29 05:07 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-28 18:34 . 2008-11-28 18:34 <DIR> d-------- c:\documents and settings\sys\Application Data\Ahead
2008-11-28 05:39 . 2008-11-28 05:39 <DIR> d-------- c:\documents and settings\sys\Application Data\Search Settings
2008-11-28 05:35 . 2008-11-28 05:35 <DIR> d-------- c:\program files\Search Settings
2008-11-28 05:34 . 2005-03-11 18:37 1,986,560 --a------ c:\windows\system32\AudFile.dll
2008-11-28 05:34 . 2005-02-24 13:11 1,212,416 --a------ c:\windows\system32\AudioInfos.dll
2008-11-28 05:34 . 2005-02-24 12:51 348,160 --a------ c:\windows\system32\WMAFile.dll
2008-11-28 05:34 . 1998-07-12 22:00 141,312 --a------ c:\windows\system32\MSCMCFR.DLL
2008-11-28 05:34 . 2000-10-01 18:00 119,568 --a------ c:\windows\system32\VB6FR.DLL
2008-11-28 05:34 . 2005-01-10 13:54 116,296 --a------ c:\windows\system32\NCTWMAProfiles.prx
2008-11-28 05:34 . 2000-05-22 14:58 115,920 --a------ c:\windows\system32\msinet.OCX
2008-11-28 05:34 . 1999-03-25 18:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-11-28 05:34 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-11-28 05:34 . 2003-01-26 12:41 40,960 --a------ c:\windows\system32\SSubTmr6.dll
2008-11-28 05:34 . 1998-07-12 18:00 32,768 --a------ c:\windows\system32\CMDLGFR.DLL
2008-11-28 05:34 . 1998-07-12 22:00 15,360 --a------ c:\windows\system32\inetfr.DLL
2008-11-25 15:19 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2008-11-25 15:19 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2008-11-25 15:18 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 08:54 640,000 ------w c:\windows\Internet Logs\xDB1.tmp
2008-11-20 15:30 --------- d-----w c:\program files\BingoLinerUK
2008-11-17 15:33 --------- d-----w c:\program files\activePDF
2008-11-12 22:12 --------- d-----w c:\program files\Veoh Networks
2008-11-12 19:45 --------- d-----w c:\program files\DC++
2008-11-12 15:48 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-12 15:48 --------- d-----w c:\program files\Real
2008-11-12 15:48 --------- d-----w c:\program files\Common Files\xing shared
2008-11-12 15:47 --------- d-----w c:\program files\Common Files\Real
2008-11-12 15:34 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-12 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-12 15:31 --------- d-sh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-12 15:31 --------- d-----w c:\program files\Windows Live
2008-11-12 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-08 16:44 --------- d-----w c:\documents and settings\sys\Application Data\CyberLink
2008-11-08 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 10:07 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-18_18.36.21.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-18 18:31:50 474,668 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-22 18:09:38 488,556 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-17 19:21:14 10,503,813 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-12-22 16:58:34 10,535,173 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2008-12-18 02:23:06 659,456 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-20 22:43:36 752,128 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-22 16:52:44 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_cdc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"Voipwise"="c:\program files\Voipwise.com\Voipwise\Voipwise.exe" [2008-12-09 8974128]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-10-09 3502840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 860160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-12 185872]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-06-12 991584]
"HiYo"="c:\program files\HiYo\bin\HiYo.exe" [2008-10-23 300336]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 c:\windows\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-15 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-15 231704]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\sys\Application Data\Mozilla\Firefox\Profiles\xykps2o1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 18:13:25
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-22 18:14:43
ComboFix-quarantined-files.txt 2008-12-22 18:14:40
ComboFix2.txt 2008-12-18 18:37:14
Pre-Run: 2,689,761,280 bytes free
Post-Run: 3,202,482,176 bytes free
220 --- E O F --- 2008-12-12 14:19:05
Thanks,
Tina
  #7  
Old 31st Dec 2008, 05:10
Malware Group
 
Hi Tina

Hope you had a great Christmas.

It’s been a busy time so apologies for not getting back to you sooner.

How are things running now? Logs are looking much better.


Online Scan
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #8  
Old 14th Jan 2009, 15:54
Member Group
 
Hi!

Happy New Year!

Many apologies for not getting in touch earlier. I almost stopped checking since I hadn't heard from you and in the meantime my computer almost crashed...RAM prob..

Anyway, I have enclosed the log from PANDA. Also, earlier in the day I ran Malware and found an infection. Attached the log for the same.

I have a couple of questions -

Since a lot of my system files seem to have been corrupted at some point, will it help if I completely erased everything from my hard drive and reinstalled Windows?

Also, is there a particular free anti-virus software that you recommend? I have AVG and Avira installed at the moment and none detected the infection Malware detected.

Thanks much,
Tina
;**************************************************************************************************************************************************************************
ANALYSIS: 2009-01-14 22:34:07
PROTECTIONS: 3
MALWARE: 34
SUSPECTS: 0
;**************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;==========================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
ZoneAlarm Security Suite Antivirus 8.0.020.000 No Yes
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;==========================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==========================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@atdmt[3].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@tradedoubler[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@fastclick[2].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@servedby.advertising[1].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@servedby.advertising[2].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@servedby.advertising[3].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@mediaplex[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@anm.co[1].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@tickle[1].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@z1.adserver[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@advertising[3].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@adrevolver[3].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@media.adrevolver[3].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@ads.pointroll[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@zedo[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@bluestreak[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@bluestreak[2].txt
00173905 Cookie/Xmts TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@xmts[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@adrevolver[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@adrevolver[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@bravenet[2].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@valueclick[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Cookies\sys@adviva[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Local Settings\Temp\Cookies\sys@adviva[2].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@citi.bridgetrack[2].txt
01196326 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\SYS\Desktop\SAVE\BACK UP 2\R mohan essex inbox more\PC\Cookies\rmohan@goclick[1].txt
04426062 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\SYS\Desktop\ComboFix.exe
;==========================================================================================================================================================================
SUSPECTS
Sent Location CN
;==========================================================================================================================================================================
;==========================================================================================================================================================================
VULNERABILITIES
Id Severity Description CN
;==========================================================================================================================================================================
;==========================================================================================================================================================================

------------------------------------------

Malwarebytes' Anti-Malware 1.32
Database version: 1650
Windows 5.1.2600 Service Pack 3
1/14/2009 3:18:26 PM
mbam-log-2009-01-14 (15-18-26).txt
Scan type: Quick Scan
Objects scanned: 54610
Time elapsed: 13 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
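As an added example (not part of the thread, and not Panda's own tooling): a small Python triage script for an ActiveScan export in the layout posted above. It assumes the column order shown in the posted log, and the embedded sample report is constructed (Ids and descriptions mirror the log; paths use a USER placeholder).

```python
"""Triage a Panda ActiveScan export in the layout posted in the thread.
Added example, not part of the thread or of Panda's own tooling; the column
layout is assumed from the posted log and the sample below is constructed."""
import re
from collections import Counter

# Constructed sample: section name, column header, ';===' rule, then rows.
# Ids and descriptions mirror the posted log; paths use a USER placeholder.
SAMPLE_REPORT = r"""PROTECTIONS
Description Version Active Updated
;==========
AVG Anti-Virus Free 8.0 Yes Yes
ZoneAlarm Security Suite Antivirus 8.0.020.000 No Yes
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;==========
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==========
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\USER\Cookies\user@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\USER\Cookies\user@doubleclick[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\USER\Local Settings\Temp\Cookies\user@serving-sys[2].txt
04426062 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\USER\Desktop\ComboFix.exe
;==========
SUSPECTS
Sent Location CN
;==========
"""

SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}
# Id, Description (may contain spaces), Type, Active, Severity,
# Disinfectable, Disinfected, Location (may contain spaces).
MALWARE_ROW = re.compile(
    r"^(\d{8})\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+)$")
# Description (may contain spaces), Version, Active, Updated.
PROTECTION_ROW = re.compile(r"^(.+?)\s+(\S+)\s+(Yes|No)\s+(Yes|No)$")


def parse_report(text):
    """Return (protections, findings) as lists of dicts."""
    protections, findings, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and ';===' rules
        if line in SECTIONS:
            section = line
            continue
        if section == "PROTECTIONS" and (m := PROTECTION_ROW.match(line)):
            product, version, active, updated = m.groups()
            protections.append({"product": product, "version": version,
                                "active": active == "Yes", "updated": updated == "Yes"})
        elif section == "MALWARE" and (m := MALWARE_ROW.match(line)):
            fid, desc, kind, active, sev, can_fix, fixed, where = m.groups()
            findings.append({"id": fid, "description": desc, "type": kind,
                             "active": active == "Yes", "severity": int(sev),
                             "disinfectable": can_fix == "Yes",
                             "disinfected": fixed == "Yes", "location": where})
    return protections, findings


def triage(text):
    """Split tracking cookies from findings a helper would actually look at."""
    protections, findings = parse_report(text)
    return {
        "by_type": dict(Counter(f["type"] for f in findings)),
        # Anything that is not a cookie, or is still active, gets a human look.
        "needs_review": [(f["description"], f["location"]) for f in findings
                         if f["type"] != "TrackingCookie" or f["active"]],
        "active_not_cleaned": [f["location"] for f in findings
                               if f["active"] and not f["disinfected"]],
        # Two real-time scanners plus an inactive suite AV is worth noting.
        "inactive_protection": [p["product"] for p in protections if not p["active"]],
    }
```

Calling `triage(SAMPLE_REPORT)` leaves only the non-cookie detection in `needs_review` and lists the inactive ZoneAlarm antivirus under `inactive_protection`; the full cookie list from a real export is reduced to a per-type count.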
  #9  
Old 15th Jan 2009, 13:25
Malware Group
 
Hi

Logs are clean. How is your system running now?

You can reformat & re-install at any time, although I would consider that a last resort. System files can be replaced easily:-

Click Start>Run and type in sfc /scannow (there is a space between sfc and /) and let it scan for missing/corrupt files. This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. If it finds any problems, it will prompt you for the Windows XP Install disc so have it handy.

Once all is running well, I'll provide information for keeping you safe and secure.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #10  
Old 18th Feb 2009, 13:58
Member Group
 
Hi!


I'm terribly sorry for not writing to you earlier. The system has been very temperamental and this time I think it's the RAM.

I did check for missing windows files and I think the system has done it.


As mentioned earlier, I have two anti-virus software installed since I was not pleased when AVG didn't pick up the virus last time. I have Avira as well but I am not sure they are really any good. Can't complain too much since they are free.

There has been a problem with AVG since the last 10 days or so where the resident shield has been disabled and I haven't been able to enable it. Is this cause for concern?


I would really appreciate receiving any information you may have on how to maintain the system.

Also, do you know of any place that is not as expensive as pcworld for buying the RAM in the UK?

Many thanks for your time and patience.
Tina