Hello everyone! I was hoping that someone can help me out with this... OK, it is my brother's laptop, XP SP2. He brought it to me with this complaint: whenever he tries to open IE, another IE window pops up almost immediately after, preventing him from doing anything online. I have read some posts here and in other places, so I ran SUPERAntiSpyware Free Edition, Malwarebytes' Anti-Malware, Spyware Doctor, and BitDefender. The first two detected Trojan.Downloader-NewJuan/VM and Adware.Vundo.Variant/Rel. I have tried to remove them using those tools, but they keep coming back after reboot. Now - interesting part - after running those two numerous times, they now show nothing. However, IE's behavior did not change. Sorry to make this long - I just want to make sure you all get the picture. I am not a guru nor am I a newbie, but I have never seen anything like this before. Thanks for all replies!
Sorry, vlady1027, but we can't see what's on your computer... Vundo.Variants are extremely difficult to remove but, if you'll supply us with some logs, maybe someone can help you...

Download and Run HijackThis

Download HJTInstall.exe to your Desktop.
• Double-click HJTInstall.exe to install it.
• By default it will install to C:\Program Files\Trend Micro\HijackThis.
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch HijackThis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
• Copy/paste the log to your next reply please.

Make an uninstall list using HijackThis

To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

Reply and post with:
HijackThis Log
Uninstall List

2OG
Hey vlady1027. It seems that you have a downloader variant of Vundo. This means that the malware will download more malware. Therefore, please disable your internet connection while doing scans or fixes, even when you restart your computer.

1. First of all, do what 2oldgeek said. Please remember to rename HijackThis to something like scanner.exe before running it.
2. Follow the instructions on this page ( http://forums.majorgeeks.com/showthread.php?t=137630 ) about running MGTools. Post the logs here.
3. Download both VundoFix and VirtumundoBeGone. Run both of them and post the logs here.
4. Run scans with SUPERAntiSpyware and Malwarebytes again, except this time in Safe Mode. Quarantine anything you find.
5. Download Killbox and leave it somewhere safe. We will use it another time.
6. Download CCleaner and run it after you have done all of the above. Before running it, delete all Temporary Internet Files and Cookies within your browser options.

Best Regards
2oldGeek - thank you. Here is the log for HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:54 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Hi vlady1027,

Download SDFix and save it to your Desktop.
• Run the SDFix.exe by double clicking on it.
• Allow it to install into the default location which is normally c:\SDFix

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

• When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Attach the Report.txt file to your next message.

2OG
OK... cdavfrew

1. Ran VundoFix and VirtumundoBeGone and the logs are clean - nothing was found. Here is VBG.txt
2. Ran SUPERAntiSpyware and Malwarebytes in Safe Mode. SUPERAntiSpyware did not find anything but Malwarebytes did, and here is the log:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

3. Downloaded KillBox and will use it per your request.
4. Downloaded CCleaner; here is what it found (ccleaner_log.txt):

CLEANING COMPLETE - (56.521 secs)
------------------------------------------------------------------------------------------
95.7MB removed.
------------------------------------------------------------------------------------------

2oldGeek, I followed your instructions with SDFix as well... Here is the Report.txt:

SDFix: Version 1.191
Run by Administrator on Thu 06/12/2008 at 03:56 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 16:01:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Tue 10 Jun 2008       267 ..SH. --- "C:\BOOT.BAK"
Wed 24 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon  9 Jun 2008       384 A.SH. --- "C:\WINDOWS\system32\htmdmtri.tmp"
Tue 11 Sep 2007         0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed  7 May 2008         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
Wed 11 Jun 2008 2,585,864 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2c8f709dd0237a7e496be18e0ba404e\BIT16.tmp"

Finished!
Whoa... okay, here's the deal, vlady. I would recommend editing your former posts and deleting all of them, so as to not make this thread huge. I have already got what I needed from them, and you can delete them now. I see that you did not rename HijackThis as I asked you to. Please rename it to scanner.exe or something like that before posting another log.

Booting into Safe Mode, delete the following .ini files in your system32 folder. You may have to use Killbox to remove them.

ayaaknpo.ini
ayaakn~1.ini
gkwwxhhm.ini
hikvvxrr.ini
htmdmt~1.ini
oygxgoqw.ini
perfst~1.ini
ptbdakvl.ini
xiefwxsu.ini

Good news is, none of these .ini files were created on the 12th or 13th.

Using regedit, manually delete the registry key Malwarebytes detected. Please also do this in Safe Mode.

As for the IE condition, open it, click on Tools > Manage Add-ons > Enable or Disable Add-ons. Within that window, list all the add-ons you do not recognize. Anything slightly suspicious, just post it here.

Also, please download a-squared Free and do a scan with it in Safe Mode. Do not remove anything: only post the log here. Also download GMER, do a scan, and post the log here.

Best Regards
Hope to solve your brother's problem soon!
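A GMER log from a machine like this one is dominated by hooks placed by the security products already installed (COMODO, BitDefender, Spyware Doctor, SUPERAntiSpyware), so the practical question is how to separate those from the handful of entries that deserve a closer look. The script below is an added example written for this edit, not code from the thread or from GMER: it parses the text format GMER 1.0.14 prints, groups SSDT hooks by the driver that owns them, and flags three things that cannot be waved through on the strength of the log alone: an SSDT hook whose driver GMER printed without any description or vendor string (bdrsdrv.sys sits in the BitDefender directory, but the log itself does not vouch for it, so it is flagged for verification rather than declared bad), a driver object whose backing file could not be opened (the "cannot find the file specified" line), and a user-mode detour that lands in a named DLL or is a raw byte patch rather than a JMP. The sample lines are a constructed subset copied from the log format used later in this thread; the function names (parse_gmer, ssdt_by_module, needs_review, unattributed_jmp_targets) are mine.

```python
import re
from collections import defaultdict

# Constructed subset of lines in the GMER 1.0.14 text-log format seen in this thread:
# a few SSDT hooks, one kernel-section entry for a driver file GMER could not open,
# and four user-mode hooks.  Copied for the example, not a complete log.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB808DC8C]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwClose [0xB578A9AC]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwCreateKey [0xB578A95E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB80BB8A2]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7F54F20]
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\System32\alg.exe[2848] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[2848] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
"""

# "SSDT <driver path> [(<description/vendor>)] <Zw function> [<hook address>]"
SSDT_RE = re.compile(
    r"^SSDT (?P<module>.+?)(?: \((?P<desc>[^)]*)\))? (?P<func>Zw\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# "? <driver path> The system cannot find the file specified. !"
MISSING_RE = re.compile(r"^\? (?P<path>.+?) The system cannot find the file specified\.")
# ".text <process>[<pid>] <dll>!<export>[ + <offset>] <address> <n> Bytes <patch>"
USER_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+!\S+(?: \+ [0-9A-Fa-f]+)?) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes (?P<patch>.*)$")
# patch text "JMP <target> [<module the target lies in>]"; no module means GMER could not attribute it
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]+)(?: (?P<module>.+))?$")


def parse_gmer(text):
    """Split a GMER text log into SSDT hooks, missing driver files and user-mode hooks."""
    out = {"ssdt": [], "missing_drivers": [], "user_hooks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            out["ssdt"].append(m.groupdict())
        elif m := MISSING_RE.match(line):
            out["missing_drivers"].append(m.group("path"))
        elif m := USER_RE.match(line):
            hook = m.groupdict()
            jm = JMP_RE.match(hook["patch"])
            if jm and jm.group("module"):
                hook["kind"], hook["target_module"] = "jmp_into_module", jm.group("module")
            elif jm:
                hook["kind"], hook["target_module"] = "jmp_unattributed", None
            else:
                hook["kind"], hook["target_module"] = "inline_patch", None
            out["user_hooks"].append(hook)
    return out


def ssdt_by_module(parsed):
    """Group SSDT hooks by owning driver: module path -> (description or None, [functions])."""
    groups = defaultdict(lambda: [None, []])
    for h in parsed["ssdt"]:
        groups[h["module"]][0] = h["desc"]
        groups[h["module"]][1].append(h["func"])
    return {m: (desc, funcs) for m, (desc, funcs) in groups.items()}


def needs_review(parsed):
    """(reason, where, detail) triples for entries the log alone cannot clear."""
    findings = []
    for module, (desc, funcs) in ssdt_by_module(parsed).items():
        if desc is None:
            # No description/vendor string printed: check the file's signature and version
            # resource before trusting it, even when it sits in a vendor's directory.
            findings.append(("ssdt_no_vendor", module, ", ".join(funcs)))
    for path in parsed["missing_drivers"]:
        # A driver object is loaded but its backing file could not be opened.
        findings.append(("driver_file_missing", path, ""))
    for h in parsed["user_hooks"]:
        where = f"{h['proc']}[{h['pid']}] {h['func']}"
        if h["kind"] == "jmp_into_module":
            # The detour lands in a named module; identify that file (vendor, signature).
            findings.append(("user_hook_module", where, h["target_module"]))
        elif h["kind"] == "inline_patch":
            # Raw byte patch rather than a JMP: nothing to attribute it to from the log.
            findings.append(("user_inline_patch", where, h["patch"]))
    return findings


def unattributed_jmp_targets(parsed):
    """Count JMP targets GMER could not map to a module.  One target repeated across many
    processes usually means a single system-wide hook DLL, worth locating once, not per process."""
    counts = defaultdict(int)
    for h in parsed["user_hooks"]:
        if h["kind"] == "jmp_unattributed":
            counts[h["patch"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for module, (desc, funcs) in ssdt_by_module(parsed).items():
        print(f"{module}\n    vendor: {desc or '<none>'}\n    hooks:  {', '.join(funcs)}")
    for reason, where, detail in needs_review(parsed):
        print(f"REVIEW {reason}: {where} {detail}".rstrip())
    for target, n in unattributed_jmp_targets(parsed).items():
        print(f"unattributed {target} seen in {n} hook(s)")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. On the sample it reports the two bdrsdrv.sys hooks as lacking a vendor string, mchInjDrv.sys as a missing driver file, the wuauclt.exe LoadLibraryA detour into sockspy.dll and the alg.exe FreeLibrary byte patch; the JMP 5F0xxxxx entries that GMER leaves unattributed are only counted, since on a full log the same targets repeat in nearly every process and point at one global hook DLL rather than a per-process infection.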
cdavfrew - thank you! I hope to solve this problem soon too! My bro's problem is that he lets several people use his machine and I think none of them have any idea about what they can catch out there. Especially without a firewall. I installed Comodo for him after the fact.

1. Could not find out how to delete a thread. So I just trimmed them.
2. I thought I did rename HJT to CleanerHJT.exe.
3. Booted in Safe Mode and deleted the files you mentioned. However, I could not locate these files: ayaakn~1.ini, htmdmt~1.ini, persfst~1.ini. I also deleted the file ayaaknpo.ini2 - I thought I might as well. I did not have to use KillBox.
4. Went into regedit in Safe Mode and manually removed the Juan reg. key.
5. Went into IE and checked for suspicious add-ons. All there were are: Veoh Browser plug-in, Diagnose Connection Problems, Research, Windows Messenger. I thought that they are all OK; however, I disabled the Veoh plug-in just because it is not necessary.
6. Downloaded and ran a-squared in Safe Mode - here is the log:

a-squared Free - Version 3.5
Last update: N/A

Scan settings:
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 6/14/2008 12:36:37 PM

Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 1 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 10 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 2 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 4 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 5 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 6 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 7 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> 9 detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> AdsLastKnownState detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> AppPath detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> BlackjackSounds detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> BlackjackVoice detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> DisableCharacters detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> DisableMouseHelp detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> EnableCallOuts detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> EnableCardAnimations detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> EnableCongratulations detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> EnableSounds detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> FourColourDeck detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> HHEnableLog detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> HHLogDays detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> HHLogSize detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> id detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> InitialPort detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> InstallState detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> MuckLosingHand detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> SearchHiding detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> SL detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> TableType detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming\PartyPoker --> useCount detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming --> AutoLoginToOtherGames detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming --> CFDialogShown detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming --> FreshInstall detected: Trace.Registry.PartyPoker
Value: HKEY_CURRENT_USER\Software\PartyGaming --> OldCFformat detected: Trace.Registry.PartyPoker
c:\documents and settings\administrator\application data\antispyware detected: Trace.Directory.AntiSpywareApp
c:\documents and settings\administrator\application data\antispyware\settings detected: Trace.Directory.AntiSpywareApp
c:\documents and settings\administrator\application data\antispyware\rs.dat detected: Trace.File.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> AllDrives detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> DeepScanScheduledScans detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> DownloadUpdates detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> LastScanTime detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> LogActivities detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> NumberOfScans detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanActiveProcs detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanCookie detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanDeep detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanFiles detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanP2P detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> ScanWinReg detected: Trace.Registry.AntiSpywareApp
Value: HKEY_CURRENT_USER\Software\Antispyware\AntiSpyware\Settings --> Startup detected: Trace.Registry.AntiSpywareApp
C:\Documents and Settings\Administrator\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Program Files\COMODO\Firewall\s1.tmp detected: Riskware.AdTool.Win32.MyWebSearch.bn
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

Scanned
Files: 41736
Traces: 184681
Cookies: 2
Processes: 12

Found
Files: 3
Traces: 50
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 6/14/2008 1:09:28 PM
Scan time: 0:32:51

7. Downloaded and ran GMER - here is the log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-14 13:36:24
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB808DC8C]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwClose [0xB578A9AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xB808D3C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xB808D8A0]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwCreateKey [0xB578A95E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xB808D080]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB80BB8A2]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xB80BBE88]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xB808F084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB808DE72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xB808CC50]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwDeleteKey [0xB578AA12]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwDeleteValueKey [0xB578AA3C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xB808CB02]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwEnumerateKey [0xB578AE6A]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwEnumerateValueKey [0xB578AEE0]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwFlushKey [0xB578A9E8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xB808ED24]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwLoadKey [0xB578AF58]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys ZwOpenFile [0xB4B7CF1F]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwOpenKey [0xB578A91C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xB808C822]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xB808D744]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xB808C9AA]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwQueryKey [0xB578AEA6]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwQueryValueKey [0xB578AF1C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xB808E7F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB808D196]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xB808EAE6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xB808EEC4]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwSetValueKey [0xB578AAE9]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xB808D5D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xB808D638]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7F54F20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xB808CE18]
SSDT \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys ZwUnloadKey [0xB578AF86]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xB80BA420]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2BEC 805037EC 12 Bytes [ 80, D0, 08, B8, A2, B8, 0B, ... ]
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\System Control Manager\edd.exe[448] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\System Control Manager\edd.exe[448] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\System Control Manager\edd.exe[448] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[460] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\nvsvc32.exe[460] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[460] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\O2Micro Oz128 Driver\o2flash.exe[540] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\O2Micro Oz128 Driver\o2flash.exe[540] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\O2Micro Oz128 Driver\o2flash.exe[540] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\RTHDCPL.EXE[604] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\RTHDCPL.EXE[604] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\RTHDCPL.EXE[604] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[620] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[620] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ AF, 92, C3, 83 ]
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[620] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[620] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[660] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[660] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[660] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[664] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[664] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[664] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[732] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[732] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[732] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[732] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[796] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[796] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[812] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[812] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[812] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[844] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[844] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[888] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[888] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[888] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[900] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[900] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[900] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe[952] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe[952] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\swdsvc.exe[1244] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ CF, 9C, C5, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[1472] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[1472] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1504] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1504] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[1672] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[1672] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[1728] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[1728] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\a-squared Free\a2service.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\a-squared Free\a2service.exe[1848] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\a-squared Free\a2service.exe[1848] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[1920] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1920] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1968] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0B001E
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1968] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F05001E
.text C:\Program Files\Softwin\BitDefender10\vsserv.exe[2192] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Softwin\BitDefender10\vsserv.exe[2192] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Softwin\BitDefender10\vsserv.exe[2192] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2848] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[2848] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[2848] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2848] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
.text C:\WINDOWS\system32\wuauclt.exe[3380] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wuauclt.exe[3380] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA60D950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA60D990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA60D710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA60D770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

---- Devices -
GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs ikfileflt.sys (PCTools Research Pty Ltd.) AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO) ---- EOF - GMER 1.0.14 ----
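The GMER log above lists one user-mode hook per line for every process, and nearly all of them are the same 6-byte JMP at the same export in every process, which is what a resident security product's global hook looks like. What a reviewer wants is the list reduced to the entries that differ: the hook that names a DLL rather than a bare address, and a target that only one process carries while the others have a different one. The script below is an added example, not code from the thread or from GMER; SAMPLE is an eight-line excerpt copied from the log above, and the full log can be fed in the same way. Being flagged means "look at this first", not that the entry is malicious (the log itself does not identify any of these as such).

```python
"""Triage of GMER user-mode hook lines (added example, not part of the thread).

GMER prints one line per hooked export in each process, in one of two shapes:
  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>[ <dll>]
  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes [ <patch bytes> ]
Hooks are grouped by (function, target).  A target shared by every process is
usually a global hook from a resident security product; a hook that names a
DLL, or whose target only one process has while others differ, is reviewed first.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<dll>\S.*))?|\[(?P<bytes>[^\]]*)\])\s*$"
)

# Constructed excerpt: eight lines copied verbatim from the GMER log above.
SAMPLE = r"""
.text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[1920] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\WINDOWS\System32\alg.exe[2848] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[2848] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wuauclt.exe[3380] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, EF, F4 ]
"""


def parse_hooks(text):
    """Return one dict per recognised hook line; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        func = f"{d['module']}!{d['export']}" + (f" + {d['off']}" if d["off"] else "")
        hooks.append({
            "proc": d["proc"].strip(),
            "pid": int(d["pid"]),
            "func": func,
            "kind": "JMP" if d["target"] else "PATCH",
            "target": d["target"] or d["bytes"].strip(),
            "dll": d["dll"].strip() if d["dll"] else None,
        })
    return hooks


def find_outliers(hooks):
    """Hooks to review first: a JMP that names a DLL, or a target carried by a
    single process while other processes have a different hook on the same export."""
    pids_by_target = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        pids_by_target[h["func"]][h["target"]].add(h["pid"])
    flagged = []
    for h in hooks:
        variants = pids_by_target[h["func"]]
        unique = len(variants) > 1 and len(variants[h["target"]]) == 1
        if h["dll"] or unique:
            flagged.append(h)
    return flagged


def report(hooks):
    """Per hooked function, which targets exist and how many processes share each."""
    by_func = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        by_func[h["func"]][h["target"]].add(h["pid"])
    lines = []
    for func in sorted(by_func):
        for target, pids in sorted(by_func[func].items()):
            lines.append(f"{func:<32} -> {target:<16} in {len(pids)} process(es)")
    return lines


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE)
    print("\n".join(report(parsed)))
    for h in find_outliers(parsed):
        print(f"REVIEW pid {h['pid']} {h['proc']}: {h['func']} -> {h['target']} {h['dll'] or ''}")
```

On the excerpt this flags two entries: cmdagent.exe, whose LoadLibraryExW target differs from the one the other three processes share, and the LoadLibraryA hook in wuauclt.exe, the only line in the whole log that names a DLL. Both are then checked against the installed products rather than assumed bad.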
Hey vlady. Except for these entries in A-squared, you can remove the rest.

C:\Documents and Settings\Administrator\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Program Files\COMODO\Firewall\s1.tmp detected: Riskware.AdTool.Win32.MyWebSearch.bn
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

To entirely rule out this problem as a malware one, we have to do two more steps.

1. Follow Ltangel's instructions on downloading and running Combofix in this thread: http://forums.afterdawn.com/thread_view.cfm/639221 Post the log here.

2. Two alternatives:

a. Please download Antivir Rescue CD from here http://dl.antivir.de/down/vdf/rescuecd/rescuecd.exe
- download it to a clean system (other than your infected computer)
- launch the rescuecd.exe file and place a blank CD in your writer unit
- choose your burning device from the drop-down list and press the burn button. Please wait until the disc is created. At the end you should see a success message
- place the rescue disc in the infected computer and boot from it. Choose option 2 (Boot from Rescue CD)
- choose English language and watch the progress; at the end of the boot you should see a menu
- choose the second option: "Scan your system with AntiVir"

b. Download Antivir Free, install it, and update it. In my opinion, Antivir has the best antivirus engine, and superior malware detection. You can read about it on Av-Comparatives.org. After that, right click on the Antivir icon in your task bar, click on Configure Antivir, and make sure Expert Mode is checked. Go to General, Extended Threat Categories, and make sure everything but APPL is checked. Then go to Scanner, Scan, Action for concerning files, and set the primary action to quarantine. Do a scan with Antivir, and post the log here.

If you still have the Internet Explorer problem, it probably is a setting set in the registry. We'll figure that out later.

Best Regards

PS: You've been doing great!
cdavfrew - many thanks!

1. Removed all entries except the three mentioned.

2. Downloaded and installed ComboFix as per instructions. I ran it and then realized that I still had Bit Defender running in the background. So I disabled all the AV and firewalls and ran it again. Here is the log:

ComboFix 08-06-15.1 - Administrator 2008-06-15 17:12:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1682 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\BM4b85e646.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.
2008-06-14 13:19 . 2008-06-15 16:06 250 --a------ C:\WINDOWS\gmer.ini
2008-06-14 12:30 . 2008-06-14 13:09 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-14 12:26 . 2008-06-14 12:26 <DIR> d-------- C:\!KillBox
2008-06-12 17:22 . 2008-06-12 17:29 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 15:53 . 2008-06-12 15:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-12 15:49 . 2008-06-12 16:03 <DIR> d-------- C:\SDFix
2008-06-12 15:40 . 2008-06-12 15:40 <DIR> d-------- C:\VundoFix Backups
2008-06-12 11:16 . 2008-06-12 11:20 <DIR> d-------- C:\MGtools
2008-06-12 11:11 . 2005-01-13 19:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-06-12 11:09 . 2008-06-12 11:20 34,779 --a------ C:\MGlogs.zip
2008-06-12 10:17 . 2008-06-12 10:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 22:42 . 2008-06-11 22:43 <DIR> d-------- C:\ComboFix
2008-06-11 13:40 . 2008-06-11 13:40 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-06-11 13:40 . 2008-06-11 13:40 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-06-11 13:40 . 2008-06-11 13:40 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-06-11 12:14 . 2008-06-11 12:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 12:14 . 2008-06-11 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 12:14 . 2008-06-11 12:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-11 12:14 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 12:14 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 07:49 . 2008-06-11 07:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-11 07:49 . 2008-06-11 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 07:49 . 2008-06-11 07:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-11 07:48 . 2008-06-11 07:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 07:11 . 2008-06-14 12:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-11 07:11 . 2008-06-11 07:11 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-11 07:11 . 2008-06-11 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-11 07:11 . 2008-06-11 07:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-06-11 07:11 . 2008-06-11 07:17 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-11 07:11 . 2008-06-11 07:16 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-11 07:11 . 2008-06-11 07:15 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-11 07:11 . 2008-06-11 07:15 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2008-06-11 07:11 . 2008-06-11 07:15 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-10 02:50 . 2006-02-28 05:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-06-10 02:49 . 2006-02-28 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-10 02:48 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-06-10 02:44 . 2008-06-10 02:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-10 02:44 . 2008-06-10 02:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-10 02:44 . 2008-06-10 02:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-06-10 02:44 . 2008-06-10 02:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-06-10 02:44 . 2008-06-10 02:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-06-10 02:44 . 2008-06-10 02:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-10 02:43 . 2006-02-28 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-06-10 01:57 . 2006-02-28 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-06-10 01:57 . 2006-02-28 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-06-10 01:57 . 2006-02-28 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-06-10 01:57 . 2006-02-28 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-06-10 01:36 . 2008-06-10 01:36 <DIR> d-------- C:\$WIN_NT$.~BT
2008-06-10 01:25 . 2006-02-28 05:00 471,971 -ra------ C:\txtsetup.sif
2008-06-10 01:25 . 2006-02-28 05:00 260,272 -ra------ C:\$LDR$
2008-06-10 01:14 . 2008-06-10 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-10 01:14 . 2008-06-12 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-10 01:14 . 2008-06-10 01:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-06-03 22:14 . 2008-06-11 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-06-03 22:14 . 2008-06-03 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
2008-06-03 22:13 . 2008-06-03 22:13 <DIR> d-------- C:\Program Files\COMODO
2008-05-28 04:20 . 2008-05-28 04:20 36,708 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-24 03:04 . 2008-05-24 03:06 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-05-24 02:04 . 2008-05-24 02:04 <DIR> d-------- C:\Program Files\Magellan
2008-05-24 01:27 . 2008-05-24 02:04 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-22 21:49 . 2008-05-22 21:49 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-21 15:16 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-21 15:16 . 2008-05-21 15:16 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-21 15:15 . 2008-05-21 15:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-21 15:14 . 2008-05-21 15:15 <DIR> d--h----- C:\WINDOWS\ShellNew
2008-05-21 15:14 . 2008-05-21 15:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> dr-h----- C:\MSOCache
2008-05-21 15:03 . 2008-06-10 00:50 <DIR> d-------- C:\Program Files\uTorrent
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 00:13 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-06-15 22:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 20:14 --------- d-----w C:\Program Files\Google
2008-06-11 12:25 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-28 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-27 10:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-27 10:06 --------- d-----w C:\Program Files\DivX
2008-05-24 07:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-23 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-21 22:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 09:24 --------- d-----w C:\Program Files\VideoLAN
2008-05-08 09:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-05-01 05:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
.

3. Downloaded and ran AntiVir Free. Followed all your directions. The only thing here is that during the run it prompted me to choose the action a couple of times and I chose to Quarantine. Here is the log:

Avira AntiVir Personal
Report file date: 2008-06-15 18:00

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-0D78F39FCD

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 2008-04-09 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 2008-03-18 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2008-02-07 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2008-02-28 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2008-02-21 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 19:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 2008-03-07 22:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 2008-03-21 04:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 2008-03-25 17:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2008-02-25 18:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 2008-04-08 00:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 2008-04-08 00:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 2008-04-08 00:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 2008-03-18 20:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 2008-04-08 00:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 2008-04-08 00:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 2008-04-08 00:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 2008-04-08 00:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 2008-04-08 00:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 2008-04-08 18:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 2008-01-24 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2008-02-18 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 2008-01-24 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2008-02-28 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-23 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 2008-01-24 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 2008-03-10 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 2008-03-06 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2008-06-15 18:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'vsserv.exe' - '1' Module(s) have been scanned
Scan process 'livesrv.exe' - '1' Module(s) have been scanned
Scan process 'bdss.exe' - '1' Module(s) have been scanned
Scan process 'xcommsvr.exe' - '1' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'o2flash.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'edd.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '23' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Combo-Fix\pv.cfexe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[NOTE] The file was moved to '48c2bbd2.qua'!
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP12\A0007156.exe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[NOTE] The file was moved to '4885bfe7.qua'!
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP8\A0002221.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP8\A0002222.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]

End of the scan: 2008-06-15 18:39
Used time: 39:08 min

The scan has been done completely.

3570 Scanning directories
166475 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
166470 Files not concerned
870 Archives were scanned
4 Warnings
2 Notes

Thanks for sticking around!
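The AntiVir report above ends with totals (5 found, 2 quarantined), but the detail a reviewer needs is spread over path lines and the bracketed lines that follow each one: which detections were quarantined, which the scanner reported it could not delete (ErrorID 26003), and where those files live. Three of the five are copies inside a System Restore snapshot under System Volume Information\_restore, and the other two are under the ComboFix directory or ComboFix's own executable, which is the information behind the next reply's conclusion that the scans had nothing active left to show. The script below is an added example, not code from the thread or from Avira; SAMPLE is an excerpt copied from the report above, and the parser checks its own counts against the totals the report prints.

```python
"""Reconcile an Avira AntiVir scan report (added example, not part of the thread).

The file-scan section of the report is a path line followed by bracketed lines:
  [DETECTION] <what was matched>
  [NOTE] The file was moved to '<id>.qua'!                            -> quarantined
  [WARNING] An error has occurred and the file was not deleted. ErrorID: <n>
One record is built per path, classified by where the file lives, and the
resulting counts are compared with the totals printed at the end of the report.
"""
import re
from collections import Counter

# Constructed excerpt: the file-scan section and two summary lines copied from the report above.
SAMPLE = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Combo-Fix\pv.cfexe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[NOTE] The file was moved to '48c2bbd2.qua'!
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP12\A0007156.exe
[DETECTION] Contains detection pattern of the SPR/Tool.PV program
[NOTE] The file was moved to '4885bfe7.qua'!
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP8\A0002221.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\System Volume Information\_restore{C2ABF6B2-AAE1-4CFF-A1C7-9163185EF5CE}\RP8\A0002222.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]

End of the scan: 2008-06-15 18:39
5 viruses and/or unwanted programs were found
2 files were moved to quarantine
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a scanned path starts with a drive letter
TAG_RE = re.compile(r"^\[(\w+)\]\s*(.*)$")      # [DETECTION] / [NOTE] / [WARNING] lines
ERR_RE = re.compile(r"ErrorID:\s*(\d+)")


def parse_report(text):
    """One record per path the report commented on, with detection and outcome."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "detection": None, "outcome": "no action recorded", "error": None}
            records.append(current)
            continue
        m = TAG_RE.match(line)
        if not m or current is None:
            continue
        tag, msg = m.group(1), m.group(2)
        if tag == "DETECTION":
            current["detection"] = msg
        elif tag == "NOTE" and "moved to" in msg:
            current["outcome"] = "quarantined"
        elif tag == "WARNING" and msg:            # a bare "[WARNING]" line carries no message
            err = ERR_RE.search(msg)
            if err:
                current["error"] = int(err.group(1))
                current["outcome"] = "not removed"
            elif "could not be opened" in msg:
                current["outcome"] = "unreadable"
    return records


def location(path):
    """Where the file lives; the two prefixes are the ones that occur in the report above."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "System Restore snapshot"
    if "\\combo-fix" in p:
        return "ComboFix directory or executable"
    return "live file system"


def summarize(records):
    dets = [r for r in records if r["detection"]]
    return {
        "found": len(dets),
        "quarantined": sum(1 for r in dets if r["outcome"] == "quarantined"),
        "not_removed": sum(1 for r in dets if r["outcome"] == "not removed"),
        "by_location": Counter(location(r["path"]) for r in dets),
        "errors": Counter(r["error"] for r in dets if r["error"] is not None),
    }


def report_totals(text):
    """The totals the report prints itself, used as a cross-check on the parser."""
    found = re.search(r"(\d+) viruses and/or unwanted programs were found", text)
    quar = re.search(r"(\d+) files were moved to quarantine", text)
    return {"found": int(found.group(1)) if found else None,
            "quarantined": int(quar.group(1)) if quar else None}


def reconcile(text):
    s = summarize(parse_report(text))
    t = report_totals(text)
    s["matches_report"] = (s["found"], s["quarantined"]) == (t["found"], t["quarantined"])
    return s


if __name__ == "__main__":
    for r in parse_report(SAMPLE):
        if r["detection"]:
            print(f"{r['outcome']:<12} {location(r['path']):<34} {r['detection']}")
    print(reconcile(SAMPLE))
```

Run on the excerpt, the parser agrees with the report's own totals (5 found, 2 quarantined) and shows that all three "not removed" entries carry ErrorID 26003 and sit in the System Restore snapshot; nothing detected was on the live file system outside ComboFix's own files.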
Hey vlady. You're welcome. From the way you are doing, you deserve the help.

We've now officially ruled out the problem as malware. Apparently, Vundo did something to your system, and we have to find out what that is. Please note that it might never be removed or reversed, and a format might even be necessary, but we'll try our best.

First of all, upgrade Internet Explorer 6 to 7. This will close many security holes in your browser, preventing more infection, and also, the reinstall of a browser may do it good.

Secondly, download Advanced Windowscare Personal, update it fully, and scan your computer with it. This program scans for problems in system settings, security, and such.

Third, I don't suppose you have a system restore from before this entire infection. If you do, that will be worth a try.

Best Regards
Hello cdavfrew! I enabled the internet connection on the infected machine. All the symptoms remained. I am able to connect to the home page and that's about it. Every time I try to go to a different website, another blank window pops up and prevents me from going anywhere else. I think from now on it is safe to say that the only solution to the problem is to format and reinstall the OS. I think that's the way I am going to go about it, especially after you mentioned that there is a possibility of a virus remaining in the system after all the clean-up. I will recommend that my brother buy an XP disk and start from scratch. Better yet, I will have him install Ubuntu Hardy along with XP, just like I do. Anyways! Thanks for all your help!
Hey vlady. Sorry to hear about the choice to format. However, there are some things your brother can do to prevent another infection!

I recommend Antivir as a free antivirus, which has superb detection, fast scan speeds, and low memory consumption. Check AV-Comparatives.

For spyware protection, Superantispyware Free is a good choice. Even though it doesn't have the real-time protection that is offered in the Professional version and other free antispywares, it has a better protection rate than the others and is great as an on-demand scanner.

Firewalls are important too. Comodo, Online Armor, and Zonealarm all make great free alternatives. However, if you are looking for something less memory consuming, I would say that Filseclab Firewall is the next best. Combined with Windows Firewall, they make a great team.

Internet Explorer probably is a secure enough browser, but you can make it even safer by immunizing it, which includes SpywareBlaster, Spybot SDHelper, and a good hosts file like the MVPS and hpHosts files, all of which you can use to block bad websites. The website immunization feature in Advanced Windowscare is pretty good as well.

Hope to have given you some useful information for the new system setup of your brother's laptop!

Best Regards
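The reply above recommends a blocking hosts file (MVPS, hpHosts) as part of immunizing the browser. What such a file does, and where it stops, is easy to show: each line maps one or more hostnames to an address, the blocklists point unwanted names at 0.0.0.0 or 127.0.0.1 so the connection never leaves the machine, and matching is on the exact name, so a subdomain that is not listed resolves normally. The script below is an added example, not code from the thread or from either list; the hostnames in SAMPLE_HOSTS are constructed, and the "first entry for a name wins" rule is an assumption made for the demonstration rather than a statement about the Windows resolver.

```python
"""What a blocking hosts file does and where it stops (added example, not part of the thread).

A hosts file is a list of lines
  <address> <hostname> [<hostname> ...]   # comment
Blocklists map unwanted names to a sinkhole address (0.0.0.0 or 127.0.0.1).
There are no wildcards: only names that appear literally are affected.
"""

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names whose loopback mapping is the normal one, not a block.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in the style of an MVPS-type list; none of these names is real.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.tracker.example          # constructed blocklist entry
0.0.0.0 www.badsite.example badsite.example
0.0.0.0 ADS.Tracker.Example          # same name in different case
192.0.2.10 intranet.example          # an ordinary override, not a block
"""


def parse_hosts(text):
    """Map each hostname (lower-cased, no trailing dot) to its address.
    Assumption for this example: the first entry for a name is the one kept."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower().rstrip("."), address)
    return table


def is_blocked(table, name):
    """True when the hosts file pins this exact name to a sinkhole address."""
    key = name.lower().rstrip(".")
    return key not in LOOPBACK_NAMES and table.get(key) in SINKHOLE_IPS


def uncovered_subdomains(table, observed):
    """Observed names that pass the list although a parent domain of theirs is blocked.
    Returns (name, blocked_parent) pairs: each needs its own line to be covered."""
    gaps = []
    for name in observed:
        key = name.lower().rstrip(".")
        if is_blocked(table, key):
            continue
        labels = key.split(".")
        for i in range(1, len(labels) - 1):      # try every parent below the TLD
            parent = ".".join(labels[i:])
            if is_blocked(table, parent):
                gaps.append((key, parent))
                break
    return gaps


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    # Constructed names as they might appear in a proxy or DNS log.
    seen = ["ADS.tracker.example", "cdn.ads.tracker.example", "localhost",
            "badsite.example", "x.y.badsite.example", "mail.intranet.example"]
    for n in seen:
        print(f"{n:<28} blocked={is_blocked(table, n)}")
    print("not covered:", uncovered_subdomains(table, seen))
```

The last line of output is the practitioner's point: `cdn.ads.tracker.example` and `x.y.badsite.example` get through even though their parents are listed, and an address that is not a sinkhole (the `192.0.2.10` override) is not a block at all. A hosts file blocks by name only; connections made directly to an IP address are never consulted against it.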