Topic: VIRUS! VIRUS! VIRUS! WHAT THE!? MORE VIRUSES!?! (Possible Virus Downloader)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Hi

Are you still having problems? If so please explain what is going on with your computer.

We can dig deeper if we have to. The logs so far haven't revealed much.

Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Thanks DavidR. No matter what I try the HTTP keeps getting added to that link. This isn't the only one of my canned that this forum FUBARs

I think it is down to using a URL with Name, when you use that it seems to tack on the http in front which messes up the link. That is why I leave the links to ftp or specifically http (no www) in the url unadulterated.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
@Confused Computer User


Any other problems? If not...

Open OTMoveIT3 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt3 wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

Thank you for the reply Oldman but why me? Also can you provide the link to OTMoveIT3 please?

Cheers
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Hi Confused Computer User,

Sorry about that, copied and pasted the wrong name. You can find the link in reply #13. Be careful it can and will take out important files if told to.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Hi

Are you still having problems? If so please explain what is going on with your computer.

We can dig deeper if we have to. The logs so far haven't revealed much.

Thanks

What's going on with my computer is that it takes longer to load my account but I'm okay with that! ;D I think the only problem I still somehow have is that I think there is a virus downloader on my computer and Avast!, Super Anti-Spyware, and Malwarebytes' Anti-Malware are not detecting it. Even when I try Spybot, it doesn't find it, but it finds keyloggers, etc... but after it deletes them and I do a rescan, it finds DIFFERENT viruses. I don't know the filename but I'll look in my system files for anything suspicious.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Ok, let's go deeper.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.   
4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Post back with the combofix log and a new HJT log.

Thanks

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
ComboFix 09-04-13.03 - Donovan 2009-04-12 15:17.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.599 [GMT -4:00]
Running from: c:\documents and settings\Donovan\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090411-0] *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\pack.epk
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\Cache
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-03-13 to 2009-04-13  )))))))))))))))))))))))))))))))
.

2099-12-15 08:27 . 2003-06-11 19:38   5776   -c--a-w   c:\windows\system32\drivers\fd_dwhnt.sys
2099-12-15 08:27 . 2003-06-11 19:38   5776   -c--a-w   c:\windows\system32\drivers\fd_dwh.sys
2099-12-15 08:27 . 2003-06-11 19:40   6144   -c--a-w   c:\windows\system32\drivers\fd_dcmnt.sys
2099-12-15 08:27 . 2003-06-11 19:40   6144   -c--a-w   c:\windows\system32\drivers\fd_dcm.sys
2099-12-15 08:27 . 2003-06-11 19:39   72912   ----a-w   c:\windows\system32\drivers\fd_dmdm.sys
2099-12-15 08:27 . 2003-06-11 19:39   6000   ----a-w   c:\windows\system32\drivers\fd_dmdfl.sys
2099-12-15 08:27 . 2003-06-11 19:38   44816   ----a-w   c:\windows\system32\drivers\fd_dbus.sys
2009-04-12 05:21 . 2009-04-12 05:21   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-04-11 00:55 . 2009-04-11 00:55   --------   d-----w   C:\_OTMoveIt
2009-04-09 21:29 . 2009-04-09 21:29   --------   d-----w   c:\documents and settings\Donovan\Application Data\Malwarebytes
2009-04-09 21:29 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-09 21:29 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 21:16 . 2009-04-09 21:16   --------   d-----w   c:\documents and settings\Donovan\Application Data\Uniblue
2009-04-09 21:15 . 2009-04-09 21:15   --------   dc-h--w   c:\documents and settings\All Users.WINDOWS\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-04-09 20:08 . 2009-04-09 20:10   16283032   ----a-w   C:\jre-6u13-windows-i586-p.exe
2009-04-09 20:07 . 2009-04-09 20:10   --------   d-----w   c:\documents and settings\Donovan\.SunDownloadManager
2009-04-08 20:51 . 2009-04-08 20:51   153104   ----a-w   c:\windows\system32\drivers\tmcomm.sys
2009-04-08 17:26 . 2009-02-13 15:31   55640   ----a-w   c:\windows\system32\drivers\avgntflt.sys
2009-04-08 03:07 . 2009-04-08 03:07   262144   ----a-w   c:\documents and settings\Carmen
2009-04-07 21:27 . 2009-04-07 21:57   --------   d-----w   c:\documents and settings\DCE REVOLG.DELL.000\DoctorWeb
2009-04-07 19:34 . 2009-04-11 16:13   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-04-07 15:48 . 2009-04-08 22:16   --------   d-----w   c:\documents and settings\Default User.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-06 21:00 . 2009-04-06 21:00   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-06 18:27 . 2009-04-06 18:27   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-30 01:59 . 2009-03-30 04:21   --------   d-----w   c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\SACore
2009-03-19 18:55 . 2009-03-19 19:25   --------   d-----w   C:\PSAA

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2099-12-15 08:27 . 2099-12-15 08:27   --------   d-----w   c:\program files\FutureDial
2099-12-15 08:27 . 2004-09-08 20:40   --------   d-----w   c:\program files\Common Files\InstallShield
2009-04-12 05:24 . 2006-10-21 12:12   --------   d-----w   c:\program files\Symantec
2009-04-12 05:22 . 2006-02-19 14:41   --------   d-----w   c:\program files\Common Files\Symantec Shared
2009-04-12 04:24 . 2008-01-12 03:09   --------   d-----w   c:\program files\Windows Live
2009-04-12 00:27 . 2009-04-06 20:59   --------   d-----w   c:\program files\SUPERAntiSpyware
2009-04-12 00:27 . 2009-04-09 02:35   --------   d-----w   c:\documents and settings\Donovan\Application Data\SUPERAntiSpyware.com
2009-04-12 00:27 . 2009-04-12 00:27   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2009-04-12 00:08 . 2009-03-30 01:57   --------   d-----w   c:\program files\McAfee
2009-04-12 00:06 . 2009-04-07 19:34   --------   d-----w   c:\program files\Spybot - Search & Destroy
2009-04-11 19:48 . 2009-04-11 19:48   --------   d-----w   c:\program files\WOT
2009-04-10 23:58 . 2009-04-08 02:23   --------   d-----w   c:\program files\CCleaner
2009-04-10 21:03 . 2006-02-06 17:03   --------   d-----w   c:\program files\MSN Messenger
2009-04-09 23:45 . 2008-07-14 22:20   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\eFax Messenger 4.3 Output
2009-04-09 21:29 . 2009-04-09 21:29   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:15 . 2009-04-09 21:15   --------   d-----w   c:\program files\Uniblue
2009-04-09 20:28 . 2009-04-09 20:28   --------   d-----w   c:\program files\Trend Micro
2009-04-09 20:04 . 2006-02-06 17:41   --------   d-----w   c:\program files\Java
2009-04-09 03:04 . 2009-04-09 02:45   --------   d-----w   c:\program files\CamStudio
2009-04-08 22:52 . 2004-09-08 20:40   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-08 22:39 . 2006-10-21 18:36   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-04-08 22:25 . 2005-03-17 20:45   --------   d-----w   c:\program files\The Learning Company
2009-04-08 22:24 . 2006-10-16 14:02   --------   d-----w   c:\program files\Common Files\Real
2009-04-06 19:55 . 2009-02-21 23:21   --------   d-----w   c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\SACore
2009-04-03 19:48 . 2009-04-03 19:48   --------   d-----w   c:\program files\MegaCool
2009-03-30 01:58 . 2009-02-21 23:18   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-03-30 01:58 . 2009-03-30 01:58   --------   d-----w   c:\program files\Common Files\McAfee
2009-03-28 17:19 . 2009-03-22 13:20   --------   d-----w   c:\program files\Alwil Software
2009-03-21 17:58 . 2009-03-06 20:03   2048   ----a-w   c:\windows\system32\Tr_sttool.dat
2009-03-02 22:07 . 2008-08-03 06:16   --------   dc--a-w   c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-03-01 20:32 . 2009-03-01 17:35   --------   d-----w   c:\program files\Microsoft Visual Studio 9.0
2009-03-01 17:50 . 2009-02-28 23:55   --------   d-----w   c:\program files\Microsoft SQL Server
2009-02-28 23:55 . 2009-02-28 23:55   --------   d-----w   c:\program files\Microsoft Synchronization Services
2009-02-28 23:55 . 2008-01-12 03:19   --------   d-----w   c:\program files\Microsoft SQL Server Compact Edition
2009-02-28 23:16 . 2009-02-28 23:16   --------   d-----w   c:\program files\Microsoft SDKs
2009-02-28 16:56 . 2008-05-03 14:26   --------   d-----w   c:\program files\Microsoft Silverlight
2009-02-21 23:21 . 2009-02-21 23:21   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor
2009-02-09 11:13 . 2006-02-28 12:00   1846784   ----a-w   c:\windows\system32\win32k.sys
2008-06-27 09:54 . 2008-06-07 15:01   2828   -csha-w   c:\documents and settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-06-27 09:54 . 2008-06-07 15:01   88   -csh--r   c:\documents and settings\All Users.WINDOWS\Application Data\44065AFB61.sys
2006-08-12 22:03 . 2006-08-12 21:54   25600   -c--a-w   c:\documents and settings\Daddy A. Glover.DELL.000\usbsermptxp.sys
2006-08-12 22:03 . 2006-08-12 21:54   22768   -c--a-w   c:\documents and settings\Daddy A. Glover.DELL.000\usbsermpt.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bubble"="c:\program files\Windows SteadyState\Bubble.exe" [2007-06-05 64000]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 8704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-16 77824]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"avast!"="c:\progra~1\MegaCool\SOMETH~1\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2004-12-06 405504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0VCFCHK.exe \??\C: \??\c:\cache.wdp\0sprestrt\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windows SteadyState]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
backup=c:\windows\pss\Smart Wizard Wireless Settings.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^U.S.Robotics WLAN Adapter Configuration Utility.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\U.S.Robotics WLAN Adapter Configuration Utility.lnk
backup=c:\windows\pss\U.S.Robotics WLAN Adapter Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-16 10:03 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winss"=2 (0x2)
"Sprint PCS v3 Utility Service"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware

R2 ImSaferService;IMSafer;

R2 VCFSVC;VCFSVC;c:\windows\system32\VCFService.exe [2007-06-05 82432]
R3 aswArKrn;aswArKrn;

R3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\DRIVERS\digirlpt.sys [2001-08-17 42432]
R3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\fd_dbus.sys [2003-06-11 44816]
R3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\DRIVERS\fd_dmdfl.sys [2003-06-11 6000]
R3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\DRIVERS\fd_dmdm.sys [2003-06-11 72912]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-02-07 194304]
R3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\DRIVERS\slnt7554.sys [2004-08-03 129535]
R3 WPRO_40_755;WinPcap Packet Driver (WPRO_40_755);

S0 VCF;VCF;c:\windows\system32\Drivers\VCFFltr.SYS [2007-06-05 254208]
S1 aswSP;avast! Self Protection;

S1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2007-09-27 101528]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 Windows SteadyState;Windows SteadyState Service;c:\program files\Windows SteadyState\SCTSvc.exe [2007-06-05 97280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 USRLN;U.S. Robotics 22Mbps Wireless Lan Adapter;c:\windows\system32\DRIVERS\usrwlan.sys [2003-02-25 155392]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_DELL_Donovan.job
- c:\windows\system32\mobsync.exe [2008-04-13 20:12]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{30351346-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{30351347-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{30351348-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{3035134B-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{3035134C-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{3035134D-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
ShellIconOverlayIdentifiers-{3035134E-7B7D-4FCC-81B4-1E394CA267EB} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-BarbieGirlsTray - c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
MSConfigStartUp-D-Link AirPlus G - c:\program files\D-Link\AirPlus G\AirGCFG.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\Donovan\Application Data\Mozilla\Firefox\Profiles\fkcmylez.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-04-13 15:26
ComboFix-quarantined-files.txt  2009-04-13 19:26

Pre-Run: 6,810,284,032 bytes free
Post-Run: 7,573,856,256 bytes free

238   --- E O F ---   2009-03-12 21:59

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Hi,

Looks ok, any problems? The only thing besides the bit that combofix removed is the interesting date 2099-12-15 08:27 for FutureDial USB Modem.

We should do one more scan to see if anything turns up.



Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Desktop is a good place.
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a new HijackThis log.
Let us know of any problems.

Thanks
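
As an added example (not code from this thread, from ComboFix, or from any of the posters), here is a small Python checker that does mechanically what oldman did by eye above: it parses the "Files Created" / "Find3M" lines of a ComboFix log and lists every entry whose timestamp lies after the scan's own "Completion time" line, such as the 2099-12-15 FutureDial driver entries. The line layout is assumed from the log posted above, and the sample log is an excerpt constructed from it.

```python
import re
from datetime import datetime

# ComboFix "Files Created" / "Find3M" line layout, assumed from the log above:
#   <modified> . <created>   <size or dashes>   <attrs>   <path>
ENTRY_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<path>\S.*?)\s*$"
)
COMPLETION_RE = re.compile(r"^Completion time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})")
TS_FMT = "%Y-%m-%d %H:%M"

# Constructed excerpt: a handful of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
ComboFix 09-04-13.03 - Donovan 2009-04-12 15:17.1 - NTFSx86
.
2099-12-15 08:27 . 2003-06-11 19:38   5776   -c--a-w   c:\windows\system32\drivers\fd_dwhnt.sys
2099-12-15 08:27 . 2003-06-11 19:38   44816   ----a-w   c:\windows\system32\drivers\fd_dbus.sys
2009-04-12 05:21 . 2009-04-12 05:21   --------   dc----w   c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-04-09 21:29 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2099-12-15 08:27 . 2099-12-15 08:27   --------   d-----w   c:\program files\FutureDial
2009-02-09 11:13 . 2006-02-28 12:00   1846784   ----a-w   c:\windows\system32\win32k.sys
.
Completion time: 2009-04-13 15:26
"""


def parse_entry(line):
    """Parse one file/directory line; return None for banners, dots and headers."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    # A run of dashes in the size column means a directory, which has no size.
    size = None if m["size"].startswith("-") else int(m["size"])
    return {
        "modified": datetime.strptime(m["mod"], TS_FMT),
        "created": datetime.strptime(m["cre"], TS_FMT),
        "size": size,
        "attrs": m["attrs"],
        "path": m["path"],
    }


def completion_time(log_text):
    """Read the scan's own clock from the 'Completion time:' footer."""
    for line in log_text.splitlines():
        m = COMPLETION_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), TS_FMT)
    raise ValueError("log has no 'Completion time:' line")


def find_future_entries(log_text):
    """Return entries whose modified or created stamp is later than the scan itself.

    A timestamp after the scan finished cannot be genuine: a wrong PC clock or a
    tool that set the stamp put it there. The result is a review list for the
    helper, not a verdict that the file is malicious.
    """
    finished = completion_time(log_text)
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["modified"] > finished or entry["created"] > finished:
            entry["reason"] = "modified" if entry["modified"] > finished else "created"
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_future_entries(SAMPLE_LOG):
        print(f"{hit['reason']} {hit[hit['reason']].strftime(TS_FMT)}  {hit['path']}")
```

A future-dated entry is an anomaly worth a second look, not proof of infection: the three hits here are the FutureDial USB modem driver files the log itself names.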

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Kaspersky Log File:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Tuesday, April 14, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Tuesday, April 14, 2009 02:40:01
 Records in database: 2042086
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - Folder:
   C:\Program Files\MSN Messenger

Scan statistics:
   Files scanned: 1
   Threat name: 1
   Infected objects: 1
   Suspicious objects: 0
   Duration of the scan: 00:00:01


File name / Threat name / Threats count
C:\Program Files\MSN Messenger\msimg32.dll   Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au   1

The selected area was scanned.

(I did a full scan and it found the virus but I clicked on something and I couldn't save the log file, that's why it says I only selected an area to scan)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Hi, sorry about the delay, I missed your reply.

The file Kaspersky found is not an MS file but one that another program adds to Messenger. One of them is MessengerPlus.

If you still have OTMOVEIT3 on your desktop use it to remove the file with this fix. If you don't have OTMOVEIT3, please download it again and run it the same way you did before (download link and instructions http://forum.avast.com/index.php?topic=44132.msg369570#msg369570 )


Do not copy the word CODE

Code:
:Processes
explorer.exe

:Services

:Reg

:Files
C:\Program Files\MSN Messenger\msimg32.dll
:Commands
[start explorer]



Please make an uninstall list
  • Start HijackThis
  • Click the Config button
  • Click the Misc Tools button
  • Click the Open Uninstall Manager button.
  • Click the Save list button and save it to your desktop.
When you press Save, a notepad will open with the contents. Copy/paste the contents of the notepad file in your next reply.


Please post back with
  • OTMOVEIT3 log
  • uninstall list
  • new HJT log