Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Problem with Vundo.H and possibly more.


Re: Problem with Vundo.H and possibly more.

Post by gringo_pr » May 2nd, 2009, 8:01 pm

Hello Fletch101

Yes that worked!!!!

There were some infections that showed up when we ran the Kaspersky scan the other day and a few things that MBAM has found (that I have not fixed - scan only) that I am anxious to get rid of.

C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1


The first three things were in the Quarantine folder and are safe there;
the last two things we cleaned up in this post.

the stuff in the MBAM log was cleaned at the time of the scan. But we will do these scans again to make sure all is clean now

:Malwarebytes' Anti-Malware:

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

:information and logs:

    In your next post I need the following

      1. log from MBAM
      2. log from Kaspersky
      3. one last Hijackthis log

Gringo
gringo_pr
Site Moderator
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
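The path-based triage gringo applies to the Kaspersky hits above (backup copies in a quarantine folder are inert, cached Java exploit archives only need deleting, anything else needs a real look), as an added Python example that is not part of the thread or of any tool named in it; the quarantine folder names are assumed from the paths shown in this thread, and the two Temp entries in the sample report are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One detection line of a Kaspersky Online Scanner 7 report ("File name /
# Threat name / Threats count" section).  Paths contain spaces, so the path is
# matched non-greedily up to the verdict word.
REPORT_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Folders holding inert backup copies made by an earlier cleaner.  Assumption:
# the HouseCall "Quarantine" and "VundoFix Backups" folders seen in this thread.
QUARANTINE_FOLDERS = ("quarantine", "vundofix backups")
# Java applet cache: a hit here is a downloaded exploit archive that is not
# run on its own and is dealt with by deleting the cache entry.
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"

@dataclass
class Finding:
    path: str
    verdict: str   # "Infected" or "Suspicious"
    threat: str
    count: int
    status: str    # "contained", "stale-cache" or "active"

def classify(path: str) -> str:
    """Decide what a detection at this path means for the cleanup."""
    low = path.replace("/", "\\").lower()
    if any(f"\\{name}\\" in low for name in QUARANTINE_FOLDERS):
        return "contained"    # already neutralised copy, leave to the tool
    if JAVA_CACHE in low:
        return "stale-cache"  # cached exploit jar, delete the cache entry
    return "active"           # anything else needs a real look

def parse_report(text: str) -> list[Finding]:
    """Extract every per-file detection line from a pasted report."""
    findings = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"],
                                    int(m["count"]), classify(m["path"])))
    return findings

def reported_totals(text: str) -> dict[str, int]:
    """Read the 'Infected objects' / 'Suspicious objects' counters."""
    totals = {}
    for verdict in ("Infected", "Suspicious"):
        m = re.search(rf"^{verdict} objects:\s*(\d+)\s*$", text, re.MULTILINE)
        if m:
            totals[verdict] = int(m.group(1))
    return totals

def totals_match(text: str, findings: list[Finding]) -> bool:
    """True when the per-file counts add up to the statistics block, i.e.
    nothing was cut off when the report was copied into the post."""
    seen: dict[str, int] = {}
    for f in findings:
        seen[f.verdict] = seen.get(f.verdict, 0) + f.count
    return all(seen.get(v, 0) == n for v, n in reported_totals(text).items())

def triage(text: str) -> dict[str, list[Finding]]:
    """Group the detections by what the helper has to do about them."""
    groups: dict[str, list[Finding]] = {"active": [], "stale-cache": [], "contained": []}
    for f in parse_report(text):
        groups[f.status].append(f)
    return groups

# Constructed sample: the five lines from the thread's report plus two made-up
# Temp entries (EXAMPLE names) so that the "active" bucket is exercised.
SAMPLE_REPORT = r"""
Scan statistics:
Infected objects: 6
Suspicious objects: 1
File name / Threat name / Threats count
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Jeff\Local Settings\Temp\example_dropper.tmp Infected: EXAMPLE.Constructed.Sample 1
C:\Documents and Settings\Jeff\Local Settings\Temp\example_packed.exe Suspicious: EXAMPLE.Packed.Sample 1
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("report complete:", totals_match(SAMPLE_REPORT, found))
    for status, items in triage(SAMPLE_REPORT).items():
        print(status, [f.threat for f in items])
```

The completeness check matters in a thread like this one: a report whose per-file lines do not add up to the statistics block was cut short when pasted, and the helper should ask for it again before deciding the machine is clean.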

Re: Problem with Vundo.H and possibly more.

Post by Fletch101 » May 3rd, 2009, 12:07 pm

MBAM Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 2

5/2/2009 11:15:37 PM
mbam-log-2009-05-02 (23-15-37).txt

Scan type: Quick Scan
Objects scanned: 74702
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 06:54:29
Records in database: 2122830
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 141003
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:26:11


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1

The selected area was scanned.

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5236 bytes
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Post by gringo_pr » May 3rd, 2009, 7:15 pm

Hello Fletch101

That is being stubborn, so let's try this

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

the rest of the logs are clean, so if this works we will be done and I can give my all-clean speech

let me have the combofix log please

Gringo

Re: Problem with Vundo.H and possibly more.

Post by Fletch101 » May 3rd, 2009, 8:43 pm

ComboFix 09-05-02.4 - Jeff 05/03/2009 19:36.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.661 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-02 22:40 . 2009-05-02 22:42 -------- d-----w c:\program files\GCFScape
2009-04-30 02:06 . 2009-04-30 02:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:36 . 2006-10-31 03:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 20:06 . 2006-10-31 03:13 295424 ----a-w c:\windows\system32\termsrv.dll
2009-04-30 04:32 . 2007-07-04 16:29 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 02:09 . 2006-10-31 05:44 -------- d-----w c:\program files\Java
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-01_21.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 04:17 . 2009-05-03 04:17 16384 c:\windows\temp\Perflib_Perfdata_70.dat
+ 2006-10-31 03:13 . 2009-05-02 20:06 295424 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-04 19:39
ComboFix-quarantined-files.txt 2009-05-04 00:39
ComboFix2.txt 2009-05-02 22:15
ComboFix3.txt 2009-05-02 20:14
ComboFix4.txt 2009-05-01 21:43
ComboFix5.txt 2009-05-04 00:34

Pre-Run: 12,761,071,616 bytes free
Post-Run: 12,884,905,984 bytes free

150 --- E O F --- 2008-07-09 08:00

Re: Problem with Vundo.H and possibly more.

Post by gringo_pr » May 3rd, 2009, 10:38 pm

This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

:Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

:remove tools:
    Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.


    Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.
    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also

    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


Consider a custom hosts file

This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Download HostsXpert and unzip it to your computer, somewhere where you can find it.

  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if top button on left hand side says Make Writable ?
    • If it does. click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only ? to secure it against infection.
  • Exit the programme.

If you use the host file you should disable the DNS Client

In XP
    DnsDisabled.bat (resets the DNS Client to Disabled) [right-click and select: Save Target As]
    To use: double-click on the downloaded file and reboot that's it ...

please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Gringo

Re: Problem with Vundo.H and possibly more.

Post by Fletch101 » May 4th, 2009, 1:12 am

Gringo,

Thanks for all your help. I sent a small donation to the site to show my appreciation. I am still reading through all the information in your last post and still have yet to install everything you recommended, but I'm working on it. I have two questions for you:

1. Can I remove the termsrv.dll from my desktop?
2. I was going to post on Malware Complaints, but I'm not sure exactly which malware(s) I had. Was it Vundo.H, something else, or both?

Fletch

Re: Problem with Vundo.H and possibly more.

Post by gringo_pr » May 4th, 2009, 6:03 am

hello Fletch101

Thanks for all your help. I sent a small donation to the site to show my appreciation. I am still reading through all the information in your last post and still have yet to install everything you recommended, but I'm working on it. I have two questions for you:
thank you very much

1. Can I remove the termsrv.dll from my desktop?
yes you can

2. I was going to post on Malware Complaints, but I'm not sure exactly which malware(s) I had. Was it Vundo.H, something else, or both?
vundo with W32.Tidserv

gringo

Re: Problem with Vundo.H and possibly more.

Post by Fletch101 » May 4th, 2009, 10:15 am

Great. Thanks.

Re: Problem with Vundo.H and possibly more.

Post by NonSuch » May 5th, 2009, 7:41 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
