Free Malware Removal Forum

[dan12]

We will sort your problem out first and you may have to enter a separate thread for your wife's desktop.
If I have not got much on at that time I will be quite happy to pick it up to run through it with you.
We will concentrate on your issues first. Will catch you tomorrow as it's late here now.
dan

[stumpjumper]

Thanks Dan, I didn't think I would hear from you until at least tomorrow. A separate thread is fine...if you are not too swamped at that time it would be nice for continuity but I'm glad to get the help I'm getting for my computer.
Let me know if it is a bad idea to have both computers plugged into the router while troubleshooting.
Looking forward to working with you again.
John

[dan12]

You should be fine John, will catch you tomorrow as it's late here.
cheers dan

[dan12]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

kazaa, bittorent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

--------------------------------


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all

File::
c:\winxp\system32\gafopaji
c:\winxp\system32\rotawugo.dll
c:\winxp\system32\vopeside.dll
c:\winxp\system32\razifazi.dll
c:\winxp\system32\pijelodo.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-



    

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Can you update malwarebytes and run again please.


Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
   
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
   
3. When the downloads have finished, click on Settings.
   
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
   
6. Once the scan is complete, it will display the results. Click on View Scan Report.
   
7. You will see a list of infected items there. Click on Save Report As....
   
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
   
9. Please post this log in your next reply.

Post:
combofix log
malwarebytes report
Kaspersky scan report

[stumpjumper]

good Morning Dan, right below the "quotebox" in your reply you said to:

"Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe"

I saved and created the CFScript.txt file on my desktop but need clarification of the rest of the sentence above. Please detail your request to "and as Type: All Files (*.*) in the same location as ComboFix.exe".
I haven't seen the *.* command since the old command line way of computing(no windows) and always treated that command with care as it is quite powerful. I just want to make sure exactly what to do with the bolded text.
I have to leave for 3.5 hours but will get on the rest of this then.
Thanks.

[dan12]

Hi, just back in from being out most of the day. Just to clear things up it has to be notepad you have to save the text to.
Then when you save it to your desktop where combofix sits! the second drop down menu in notepad you need to save it as all files not a text document!
does that help?

[stumpjumper]

yes, but while I was waiting I saw another person in this area such as yourself helping someone else with the quotebox and then to ComboFix and saw the detail with "save as" all files and not a txt. What concerned me was the *.* which doesn't show after the "all files" in the 2nd drop down menu. I should have known that "all files" means (*.*). Just wanted to be cautious. I will have the files to you shortly and see from the Malwarebyte report I just got that it only detected Vundo in the various restore points that windows created(I think).

[stumpjumper]

Dan, When I ran Kaspersky it took 2 hours to scan 58 files(I terminated it). They were all Win98 CAB files and I really didn't need them anymore so I deleted them. You hadn't replied yet so I went ahead with those deletions. I know it will take some time to run this scan but I hope there aren't too many other files like the cabs I deleted. I sent them to the recycle bin and then emptied the recycle bin. I restarted the scan and it is moving along much faster now.
I have the the ComboFix and Malwarebyte logs ready to send but am waiting for the Kaspersky scan(it may take quite awhile). Should I send the first two or wait for the Kaspersky scan and send all three.
Thanks.

[dan12]

Send me what you have and I can be reviewing them.

[stumpjumper]

Here are the ComboFix.txt log and Malwarebyte scan results:

ComboFix 09-02-12.03 - John 2009-02-14 11:46:24.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.662 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\winxp\system32\gafopaji
c:\winxp\system32\pijelodo.dll
c:\winxp\system32\razifazi.dll
c:\winxp\system32\rotawugo.dll
c:\winxp\system32\vopeside.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winxp\system32\gafopaji

.
((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 10:46 . 2009-02-13 10:46 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes
2009-02-13 10:46 . 2009-02-13 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 10:46 . 2009-02-11 10:19 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2009-02-13 10:46 . 2009-02-11 10:19 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2009-02-13 10:45 . 2009-02-13 10:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 14:17 . 2009-02-03 14:17 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-03 14:17 . 2009-02-03 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-03 14:14 . 2009-02-03 14:14 <DIR> d-------- c:\program files\MagicDisc
2009-02-03 14:14 . 2008-07-28 17:19 116,736 --a------ c:\winxp\system32\drivers\mcdbus.sys
2009-01-26 13:32 . 2009-01-26 13:32 54,156 --ah----- c:\winxp\QTFont.qfn
2009-01-26 13:32 . 2009-01-26 13:32 1,409 --a------ c:\winxp\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:01 3,067,904 ------w c:\winxp\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\winxp\system32\dllcache\srv.sys
2006-11-04 05:31 32 ----a-w c:\documents and settings\John\o9u.dat
2006-10-24 22:15 266 --sh--w c:\program files\desktop.ini
2006-10-24 22:15 11,079 ---h--w c:\program files\folder.htt
2004-02-01 00:54 331,776 ----a-w c:\winxp\inf\pdfinst2.exe
2002-08-02 13:00 12,348 ----a-w c:\program files\viewsonicinstruct_xp.pdf
2006-02-28 17:00 73,728 --sha-w c:\winxp\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_15.05.37.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-14 16:50:30 16,384 ----a-w c:\winxp\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-28 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 185896]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\winxp\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-01 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\John\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\winxp\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2Wire Wireless Manager]
--a------ 2007-10-01 16:56 61440 c:\program files\2Wire Wireless Manager\2Wire.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-08-08 18:00 1945424 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-08-08 17:47 1169456 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2006-05-30 15:22 542208 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-03-23 13:20 227328 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-28 09:16 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-02 09:01 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2001-10-22 13:24 1216512 c:\winxp\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINXP\\System32\\mmc.exe"=
"c:\\WINXP\\System32\\FXSCLNT.exe"=
"c:\\Program Files\\K-Lite\\kazaa.core"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=

R0 PQV2i;PQV2i;c:\winxp\system32\drivers\PQV2i.sys [2004-07-29 138780]
R1 epfwtdir;epfwtdir;c:\winxp\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R1 PQIMount;PQIMount;c:\winxp\system32\drivers\PQIMount.sys [2004-07-29 46779]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
S3 OlCamudp;OLYMPUS Digital Camera;c:\winxp\system32\drivers\olcamudp.sys [2006-11-13 10379]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66f2e300-66b1-11db-b68d-0040f4416052}]
\Shell\AutoRun\command - E:\StartPortableApps.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all by YouTube Robot - c:\program files\YouTubeRobot\RobotExt.ocx/ALL.HTM
IE: Download by YouTube Robot - c:\program files\YouTubeRobot\RobotExt.ocx/LINK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} - hxxps://lm-learnlinc-6.ilinc.com/download/ilinci80.dll
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxp://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\dgchrfgn.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 11:51:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(832)
c:\winxp\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\SEAGATE\SCHEDULE2\SCHEDUL2.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\winxp\SYSTEM32\GEARSEC.EXE
c:\program files\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
c:\program files\NERO\NERO 7\INCD\INCDSRV.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\SYMANTEC\NORTON GHOST\AGENT\PQV2ISVC.EXE
c:\program files\PC CONNECTIVITY SOLUTION\SERVICELAYER.EXE
c:\program files\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE
c:\winxp\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-14 11:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 16:54:04
ComboFix2.txt 2009-02-13 20:06:48

Pre-Run: 20,403,748,864 bytes free
Post-Run: 20,393,295,872 bytes free

174 --- E O F --- 2009-02-11 08:02:49


_________________________________

Malwarebyte Scan Results


Malwarebytes' Anti-Malware 1.34
Database version: 1761
Windows 5.1.2600 Service Pack 3

2/14/2009 12:49:56 PM
mbam-log-2009-02-14 (12-49-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 233415
Time elapsed: 33 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092695.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092696.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092704.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092708.dll (Trojan.Vundo) -> No action taken.


That is it and I will send the Kaspersky log when finished. Its been running for 40 minutes and is only 15% done.
Thanks,
John

[dan12]

Hi John when you run malwarebytes you need to click "fix selected items"!
Don't worry about items flagged as will deal with them later.

[stumpjumper]

I have since shut the Malwarebyte program down. If I remember correctly, I think after I select fix selected items, it asks for a reboot. I didn't know if you wanted me to reboot or not, so I just got a copy of the logfile.
Once Kaspersky(now 67% done) is finished, do you want me to rerun Malwarebyte again? Also, should I do a quick scan or full scan. The log I sent was from a full scan.
Thanks.
John

[dan12]

I think we will be ok, as items are in system restore which I will deal with later.

[stumpjumper]

Am I correct that the system restore files won't get deleted with Malwarebyte because they only have system level access and not user level access? I know we are not to that step yet but I want to understand this better and learn something in the process rather than just execute a series of steps not really understanding what I'm doing.
Kaspersky is only to 71% now...its hit some large files and has really slowed.
If I understand you, send only the Kaspersky results and do not run another Malwarebyte scan, right?

[dan12]

If I understand you, send only the Kaspersky results and do not run another Malwarebyte scan, right?

Correct.
When I clean the tools up that I've used it will take care of the system restore items and reset restore points but we always leave till last, when I'm happy that we have no more issues,I instruct for this to be carried out.
It's always better to go back to a bad restore point than No restore point should we hit problems.
In combo fix I also have backups should I need them. When and only when issues have gone will we delete them.
Malwarebytes would of quarantined them had you clicked fix selected items however we will address this anyway so there was no need for you to run again.
Hope that's cleared up a little for you.