Question

secure tools virus infection also known as spywareprotect2009

Asked by: cyborama

Hello there, I have been battling a serious virus infestation and have sizzled it almost completely out, except for this one file called Nsrbgxod.bak that seems to be constantly resurfacing in normal mode, getting deleted when the computer shuts down, and not resurfacing in safe mode. Here is the issue:


A friend of mine ended up with Secure Tools on their computer, a rogue antispyware. Anyway, come to find out, this particular infection seemed to be the worst of its kind, infecting the system with at least 20 viruses, trojans, downloaders, etc., some of which were backdoor.bot, trojan.zlob.h, trojan.vundo.h, trojan.agent, malware.trace, disabled.security, etc.

Anyway, initially this virus locked me down from doing anything and everything and even gave me the blue screen of death when attempting to do a fix via safe mode. Finally, to make a long story short, I penetrated this virus by finding a shortcut to its true location that was generated on the desktop. I don't know how it happened, but it sure helped me to get onto first base.

After spending quite some time in safe mode putting the computer through various iterations of Malwarebytes, finally being able to progress to normal mode and load Spy Doctor, and finally being able to uninstall and reinstall my Norton Internet Security 2009 and get the latest updates successfully, I was able to do extreme injury to this virus.

In fact, after scanning it multiple times with Malwarebytes, Spy Doctor, Norton AntiVirus, and Lavasoft Ad-Aware in normal mode, I seemed to get it down to Malwarebytes telling me I had one infection, which happened to be the disabled.security strain.

As of the latest scan I did, however, I finally saw Malwarebytes not showing that infection but showing a low-risk one of Trojan.agent, at which time I decided to do another session of scans with these antispyware, antimalware, etc. programs.

The one thing that does seem persistent and concerning to me is this error I get upon Windows load in normal mode, which says the following:

----------------------------------------------------------------------------------------

The application or DLL c:\docume~1\networ~1\ntuser.dll is not a valid windows image

error loading c:\docume~1\networ~1\ntuser.dll %1 is not a valid win 32 application.

----------------------------------------------------------------------------------------

Now my guess, from what I have been researching in regards to these viruses I was infested with, is that this particular message could indicate that a virus crumb or trojan crumb that steals information is still somehow lodged in my system after all that.

The other interesting tidbit is that when I am about ready to shut down the computer I get like 3 different critical stops alerting me to memory references that could not be written to particular addresses, which I didn't write down here.

I generated a log using HijackThis just after I rebooted from a hopefully cleaned trojan.agent which was found by Malwarebytes. I had previously scanned (within the same Windows session, without reboot) with the latest Norton Internet Security 2009 as well as Spy Doctor with its latest definitions and found 0 threats, but when I scanned with Malwarebytes it found this one threat, after which I restarted the computer and generated this HijackThis log, which I will post below.

So I am presently doing one more scanning session with these 3 virus scanners I have installed just to double check them.

What I need to know is if you guys know any way of finding and patching security breaches that this virus may have opened, or I should say did open, since it was such a nasty virus.

For now, here is the HijackThis log:

------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:08 PM, on 10/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1252598573\ee\AOLSoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingdiscoveries.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1252598573\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll
O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O22 - SharedTaskScheduler: gahurihor - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Norton Internet Security\comHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: plasservice (ZeppelinService) - Unknown owner - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe (file missing)
--
End of file - 9991 bytes
-----------------------------------------------------------------------------------------

On a side note, I am getting rid of ParetoLogic as it did not settle well in my system in regards to executing or uninstalling, so I am getting rid of this manually via the registry and files on the computer. This was supposed to be a special tool to zap this trojan.vundo.h virus but apparently did not work well with my system.

Anyway, hopefully that gives you enough information to help me out, for the most part to know if my computer is now safe to re-enable the internet and go do normal routines of nonsensitive and sensitive computer tasks such as online banking, browsing, etc.

By the way, this is fully for my friend, though I see I changed into first person here a couple of times.

Anyway, whatever help you can offer would be great, more to know if I can let my friend know if it's safe to surf the internet, or to know for me if it's safe for me to go to the Microsoft site and get the latest service pack without the fear of being redirected by the virus to some malicious site, as I have read the one I got seems to have the capability of doing.

Thanks,

Bo

This question has been solved and asker verified.


Asked on: 2009-10-21 at 11:04:46 (ID 24831740)
Topics: Windows XP Operating System, HijackThis Software, Networking Security Vulnerabilities
Participating experts: 3 | Points: 500 | Comments: 16


Answers

 

by: David-Howard, posted on 2009-10-21 at 12:01:18 (ID: 25627150)

From your HiJackThis log.
Please remove the following.
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
The above entry is a Trojan entry that is responsible for the ntuser.dll portion of the error message that you listed.

O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll

O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)

O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O22 - SharedTaskScheduler: gahurihor - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)

I would also suggest that you do the following.
Download and run Combofix.
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs. Combofix should be saved to and run from your desktop.
You should rename Combofix as well as any other anti-malware suites to a different name prior to downloading as some threats can prevent them from running with their default names.
Note: ComboFix should not be run in Safe Mode, unless that is the only mode the affected system will boot to.
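The entries David-Howard singles out (a rundll32 Run value, an AppInit_DLLs entry, and SSODL / SharedTaskScheduler registrations whose files are missing) are exactly the kind of lines a defender can triage mechanically. The Python script below is an added example, not code from this thread, from HijackThis, or from any of the tools named here. It applies those triage rules to a constructed sample assembled from lines in the log posted above. The section formats it parses, the profile-path pattern, and the wording of each finding are my own assumptions, and the cross-hive check (the same Run value name under both HKLM and HKCU pointing at different targets) generalizes the [calc] pair seen in the log.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in the
# question, plus a few benign entries so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll
O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why a defender should look at this entry
    line: str      # the log line (or lines) the finding is about


# Assumed line shape: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Assumed pattern for paths inside a user profile or temp area (user-writable,
# not a program directory); an autostart DLL there deserves a look.
PROFILE_RE = re.compile(r"docume~1|documents and settings|\\users\\|\\temp\\|local settings", re.I)
RUNDLL_RE = re.compile(r'^"?rundll32(\.exe)?"?\s+(.*)$', re.I)


def _dll_from_rundll32(cmd: str) -> str:
    """Return the DLL path from 'rundll32.exe <dll>,<entry>', or '' if not rundll32."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return ""
    return m.group(2).split(",", 1)[0].strip('"')


def analyze(log_text: str) -> list:
    """Apply simple triage rules to HijackThis output and return the findings."""
    findings = []
    run_targets = {}   # run value name (lower-cased) -> {hive: command}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            run_targets.setdefault(name.lower(), {})[hive] = cmd
            dll = _dll_from_rundll32(cmd)
            if dll and PROFILE_RE.search(dll):
                findings.append(Finding("O4", f"rundll32 autostart loads a DLL from a user profile path: {dll}", line))
            elif dll:
                findings.append(Finding("O4", f"rundll32 autostart of {dll}; confirm it is a known vendor DLL", line))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(Finding("O10", "Winsock LSP not recognised; confirm it belongs to installed software", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding("O20", "AppInit_DLLs is loaded into every process that uses user32.dll; rarely legitimate on a home PC", line))
        elif line.startswith(("O21 - SSODL:", "O22 - SharedTaskScheduler:")):
            if line.endswith(("(file missing)", "(no file)")):
                findings.append(Finding(line[:3], "shell-load registration whose target file is gone: orphaned persistence key", line))
            else:
                findings.append(Finding(line[:3], "shell-load registration: verify the publisher of the DLL", line))
    # The same Run value name registered under both hives with different targets
    # (as [calc] is in the question's log) points at a dropper, not a vendor installer.
    for name, hives in run_targets.items():
        if len(hives) == 2 and hives["HKLM"].lower() != hives["HKCU"].lower():
            findings.append(Finding("O4", f"Run value [{name}] exists in both HKLM and HKCU with different targets",
                                    hives["HKLM"] + " | " + hives["HKCU"]))
    return findings


def report(findings: list) -> str:
    """Render findings as one block of text, one finding per two lines."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run against the sample, the script flags both [calc] entries, the AppInit_DLLs line, the two orphaned shell-load registrations and the unknown LSP, and leaves the Synaptics, ctfmon and Ad-Aware entries alone; on a real log it is a first pass that tells you which lines to research, not a verdict.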

 

by: optoma, posted on 2009-10-21 at 12:18:48 (ID: 25627302)

Scan with Dr Web live cd http://www.freedrweb.com/livecd
and
Superantispyware http://www.superantispyware.com/

 

by: cyborama, posted on 2009-10-21 at 13:03:01 (ID: 25627735)

Hello, just did what you said up to the ComboFix point. I have Spyware Doctor on my system as well as Internet Security 2009 to knock out this virus, and I have shut down Spyware Doctor as well as Internet Security 2009 (disabled), and yet upon executing ComboFix I get a warning that tells me "ComboFix has detected the following real time scanners to be active:

antivirus: Spyware Doctor with AntiVirus.  

Again, I had shut this down and was told it was totally disabled, and it also left the system tray, yet ComboFix thinks it's still active.

I looked in the processes and in the open applications and didn't see anything that looked like Spy Doctor, but maybe there was a lingering process somehow.

Could Spy Doctor have a service that wasn't stopped? I would let this run anyway, but am afraid that if the ComboFix message is for real and Spy Doctor conflicts with its functioning it could cause devastation.

Let me know as soon as you can

thanks,

Bo

 

by: David-Howard, posted on 2009-10-21 at 13:34:21 (ID: 25628081)

It won't cause devastation; it might hang the application though.
In order to disable the Spyware Doctor scan on startup, please do the following.
Open Spyware Doctor
Click on the 'Settings' button on the left hand panel
Then click on 'General'
Uncheck the box on the right that says 'Run Scan at Windows Startup'.
Reboot and test.

 

by: cyborama, posted on 2009-10-21 at 13:50:01 (ID: 25628249)

Hello David,

I just looked and it looks as if this option was already unchecked. hmm.

Well, I'll go ahead and disable or shut down Spyware Doctor, reboot, and run ComboFix since it won't cause any catastrophic results to the system.

Thanks,

Bo

 

by: cyborama, posted on 2009-10-21 at 15:14:30 (ID: 25629063)

Hello David,

I don't seem to have those errors any more, but I just wanted to post the ComboFix log anyway just in case there's something in it I need to be concerned about.

Also, if this did the trick against the trojan.vundo.h, backdoor.bot, trojan.zlob.h and so forth, can I feel free to get the latest Windows updates and know my system is no longer compromised?

I know you could dig out a virus and still have a compromised system, so I just want to verify this.

Here is the log below:

ComboFix 09-10-20.03 - DENA 10/21/2009 16:02.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.688 [GMT -5:00]
Running from: c:\documents and settings\Deena\Desktop\babblebox.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\ntuser.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Deena\ntuser.dll
c:\documents and settings\Deena\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Deena\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\windows\Install.txt
c:\windows\system32\buhedina.exe
c:\windows\system32\Cache
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\guwakeba.exe
c:\windows\system32\Install.txt
c:\windows\system32\yujukumi.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NWCWORKSTATION
-------\Service_Iprip
-------\Service_NWCWorkstation


(((((((((((((((((((((((((   Files Created from 2009-09-21 to 2009-10-21  )))))))))))))))))))))))))))))))
.

2009-10-21 06:08 . 2009-10-21 06:08      --------      d-----w-      c:\program files\CCleaner
2009-10-20 18:14 . 2009-10-20 18:14      --------      d-----w-      c:\program files\Symantec
2009-10-20 18:14 . 2009-10-20 18:14      60808      ----a-w-      c:\windows\system32\S32EVNT1.DLL
2009-10-20 18:14 . 2009-10-20 18:14      124464      ----a-w-      c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\windows\system32\drivers\NIS
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\program files\Norton Internet Security
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\program files\Windows Sidebar
2009-10-20 18:08 . 2009-09-03 09:17      15688      ----a-w-      c:\windows\system32\lsdelete.exe
2009-10-20 17:32 . 2009-09-23 12:55      64288      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2009-10-20 17:22 . 2009-10-20 17:22      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-20 17:22 . 2009-10-20 17:32      --------      d-----w-      c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-20 17:22 . 2009-10-20 17:22      --------      d-----w-      c:\program files\Lavasoft
2009-10-20 06:02 . 2009-10-20 06:02      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2009-10-20 05:58 . 2009-10-20 05:58      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-20 05:54 . 2009-10-20 12:20      7200      --sha-w-      c:\windows\system32\drivers\fidbox2.dat
2009-10-20 05:54 . 2009-10-20 12:20      10129440      --sha-w-      c:\windows\system32\drivers\fidbox.dat
2009-10-20 05:31 . 2009-10-08 18:14      59664      --s---w-      c:\windows\system32\drivers\TfSysMon.sys
2009-10-20 05:31 . 2009-10-08 18:14      33552      --s---w-      c:\windows\system32\drivers\TfNetMon.sys
2009-10-20 05:31 . 2009-10-08 18:14      51984      --s---w-      c:\windows\system32\drivers\TfFsMon.sys
2009-10-20 05:30 . 2009-10-20 05:30      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2009-10-20 05:25 . 2009-10-20 05:25      --------      d-----w-      c:\program files\ParetoLogic
2009-10-20 05:25 . 2009-10-20 05:25      --------      d-----w-      c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-10-20 04:10 . 2009-10-20 04:10      --------      d-----w-      c:\program files\Trend Micro
2009-10-20 03:55 . 2009-10-20 03:55      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-10-20 00:04 . 2009-10-20 00:04      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\Downloaded Installations
2009-10-19 23:53 . 2009-09-24 13:55      229304      ----a-w-      c:\windows\system32\drivers\pctgntdi.sys
2009-10-19 23:53 . 2009-10-06 21:31      87784      ----a-w-      c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-19 23:53 . 2009-09-23 21:10      207280      ----a-w-      c:\windows\system32\drivers\PCTCore.sys
2009-10-19 23:53 . 2009-09-03 14:45      70408      ----a-w-      c:\windows\system32\drivers\pctplsg.sys
2009-10-19 23:53 . 2009-10-21 20:52      --------      d-----w-      c:\program files\Spyware Doctor
2009-10-19 23:53 . 2009-10-20 05:31      --------      d-----w-      c:\documents and settings\All Users\Application Data\PC Tools
2009-10-19 23:53 . 2009-10-20 05:15      --------      d-----w-      c:\program files\Common Files\PC Tools
2009-10-19 23:53 . 2009-10-19 23:53      --------      d-----w-      c:\documents and settings\Deena\Application Data\PC Tools
2009-10-19 23:29 . 2009-10-21 20:53      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 17:58 . 2009-09-10 19:54      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 17:58 . 2009-10-19 18:00      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-10-19 17:58 . 2009-09-10 19:53      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-10-19 17:56 . 2009-09-10 19:53      1312080      ----a-w-      C:\mbam.exe
2009-10-19 15:36 . 2009-10-19 15:36      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 14:31 . 2009-10-19 14:31      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-19 03:59 . 2009-10-19 03:59      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\Symantec
2009-10-19 03:53 . 2009-10-19 03:53      --------      d-----w-      c:\documents and settings\Deena\Application Data\Malwarebytes
2009-10-19 03:53 . 2009-10-19 03:53      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 01:58 . 2009-10-19 01:58      120      ----a-w-      c:\windows\Amabejabive.dat
2009-10-19 01:58 . 2009-10-19 01:58      0      ----a-w-      c:\windows\Tsizifasocuke.bin
2009-10-19 01:58 . 2009-10-19 01:58      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\{9B9AEECE-EE79-4BD9-85BC-5EE8ED210D12}
2009-10-19 01:41 . 2009-10-19 01:41      --------      d-----w-      C:\NBRT
2009-10-18 23:11 . 2009-10-18 23:11      0      --sha-w-      C:\scandisk.dll
2009-10-18 16:23 . 2009-10-18 16:23      251904      ----a-w-      C:\tfdp.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 17:41 . 2007-01-28 00:52      --------      d-----w-      c:\program files\Google
2009-10-21 13:38 . 2007-03-01 21:08      1754      ----a-w-      c:\documents and settings\Deena\Application Data\SAS7_000.DAT
2009-10-20 18:36 . 2007-01-28 00:48      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2009-10-20 18:14 . 2009-10-20 18:14      806      ----a-w-      c:\windows\system32\drivers\SYMEVENT.INF
2009-10-20 18:14 . 2009-10-20 18:14      10635      ----a-w-      c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-20 18:13 . 2009-08-03 04:39      36272      ----a-r-      c:\windows\system32\drivers\SymIM.sys
2009-10-20 18:13 . 2009-08-03 04:38      --------      d-----w-      c:\documents and settings\All Users\Application Data\Norton
2009-10-20 18:12 . 2009-08-03 04:40      --------      d-----w-      c:\documents and settings\All Users\Application Data\Symantec
2009-10-20 12:20 . 2009-10-20 05:54      1748      --sha-w-      c:\windows\system32\drivers\fidbox2.idx
2009-10-20 12:20 . 2009-10-20 05:54      119780      --sha-w-      c:\windows\system32\drivers\fidbox.idx
2009-09-16 08:20 . 2009-10-19 23:53      7383      ----a-w-      c:\windows\system32\drivers\pctcore.cat
2009-09-15 11:20 . 2009-10-19 23:53      7383      ----a-w-      c:\windows\system32\drivers\pctplsg.cat
2009-09-15 07:12 . 2009-10-19 23:53      7412      ----a-w-      c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 06:01 . 2009-10-19 23:53      7387      ----a-w-      c:\windows\system32\drivers\pctgntdi.cat
2009-09-10 16:03 . 2007-01-28 00:46      --------      d-----w-      c:\program files\Common Files\AOL
2009-09-10 16:02 . 2007-01-28 00:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\AOL
2009-09-10 16:02 . 2009-09-10 16:02      --------      d-----w-      c:\documents and settings\All Users\Application Data\AOL Downloads
2009-09-10 06:48 . 2008-03-13 06:29      --------      d-----w-      c:\program files\America Online 9.0
2009-08-06 01:37 . 2009-08-06 01:37      411368      ----a-w-      c:\windows\system32\deploytk.dll
2009-08-05 09:11 . 2004-08-11 23:00      204800      ----a-w-      c:\windows\system32\mswebdvd.dll
2009-07-18 16:30 . 2009-07-18 16:30      1083426      --sha-w-      c:\windows\system32\barumoju.exe
2009-07-18 16:30 . 2009-07-18 16:30      24576      --sha-w-      c:\windows\system32\nolomipu.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-28 98304]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HostManager"="c:\program files\Common Files\AOL\1252598573\ee\AOLSoftware.exe" [2006-09-26 50736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2008-3-13 36954]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=xgusb.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Deena^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\Deena\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W3SVC"=2 (0x2)
"MSFtpsvc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/20/2009 12:32 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/19/2009 6:53 PM 207280]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1002000.007\SymEFA.sys [10/20/2009 1:13 PM 309296]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/20/2009 12:31 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/20/2009 12:31 AM 59664]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [10/20/2009 1:13 PM 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [10/20/2009 1:13 PM 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [10/20/2009 1:31 PM 329080]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/19/2009 6:53 PM 229304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [10/20/2009 1:13 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/20/2009 3:00 AM 102448]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [10/19/2009 6:53 PM 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/19/2009 6:53 PM 358600]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/20/2009 12:31 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc      REG_MULTI_SZ         p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:39]

2009-10-21 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

2009-10-20 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://amazingdiscoveries.org/
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 16:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-701474122-2480420773-3031644220-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1328)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\babblebox\CF31680.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\babblebox\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 16:13 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-21 21:13

Pre-Run: 45,790,502,912 bytes free
Post-Run: 51,645,620,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 99EB790807E3DED1E304FF7E17541062

 
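The log above is the kind of artefact a responder reads by eye, which is how entries like barumoju.exe, nolomipu.exe and kohumoki.dll (hidden+system, eight pseudo-random letters) and the disabled Security Center monitoring and firewall get noticed. The script below is an added example, not part of the thread and not ComboFix's own code: it parses constructed excerpts in the layout of the "Files Created" and "Reg Loading Points" sections (the paths are copied from the log above; the selection is ours) and flags the same things a reviewer would. The consonant/vowel alternation test for generated names and the small rule table are assumptions of this example, a heuristic to prioritise review, not a verdict.

```python
"""Triage of ComboFix-style log excerpts: flag files and loading points that deserve
a second look. Added example for this thread; the heuristics are ours, not ComboFix's."""
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of ComboFix's "Files Created" listing:
#   <created> . <modified>   <size>   <attrs>   <path>
# The paths are taken from the log posted above; the selection is ours.
SAMPLE_FILE_LINES = r"""
2009-10-19 01:58 . 2009-10-19 01:58      120      ----a-w-      c:\windows\Amabejabive.dat
2009-10-19 01:58 . 2009-10-19 01:58      0      ----a-w-      c:\windows\Tsizifasocuke.bin
2009-10-18 23:11 . 2009-10-18 23:11      0      --sha-w-      C:\scandisk.dll
2009-07-18 16:30 . 2009-07-18 16:30      1083426      --sha-w-      c:\windows\system32\barumoju.exe
2009-07-18 16:30 . 2009-07-18 16:30      24576      --sha-w-      c:\windows\system32\nolomipu.exe
2009-10-19 17:58 . 2009-09-10 19:54      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 05:54 . 2009-10-20 12:20      7200      --sha-w-      c:\windows\system32\drivers\fidbox2.dat
2009-10-20 18:14 . 2009-10-20 18:14      806      ----a-w-      c:\windows\system32\drivers\SYMEVENT.INF
"""

# Constructed excerpt in the layout of the "Reg Loading Points" and orphan sections.
SAMPLE_REG_LINES = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

SharedTaskScheduler-{d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll
"""

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>[-dsharw]{8})\s+(?P<path>\S.*?)\s*$"
)
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".cpl", ".ocx"}
VOWELS = set("aeiou")

# Rule table (our assumption): a regex over one log line and the reason it reports.
REG_RULES = [
    (re.compile(r'"DisableMonitoring"=dword:00000001', re.I), "Security Center monitoring disabled"),
    (re.compile(r'"EnableFirewall"=\s*0\b', re.I), "Windows Firewall disabled"),
    (re.compile(r"^SharedTaskScheduler-\{[0-9a-f-]+\} - (?P<path>.+)$", re.I), "SharedTaskScheduler DLL"),
]


@dataclass
class Finding:
    path: str
    reasons: list


def looks_generated(stem: str) -> bool:
    """Heuristic: Vundo-style names (barumoju, nolomipu, kohumoki) are long, purely
    alphabetic and alternate consonant/vowel almost perfectly; real names such as
    mbamswissarmy or scandisk break the alternation several times."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    breaks = sum(1 for a, b in zip(s, s[1:]) if (a in VOWELS) == (b in VOWELS))
    return breaks <= 1


def triage_file_line(line: str):
    m = FILE_LINE.match(line.strip())
    if not m or "d" in m["attrs"]:  # unparsable, or a directory entry
        return None
    path, attrs, size = m["path"], m["attrs"], m["size"]
    stem, ext = ntpath.splitext(ntpath.basename(path))
    ext = ext.lower()
    reasons = []
    if "h" in attrs and "s" in attrs and ext in EXECUTABLE_EXTS:
        reasons.append("hidden+system executable")
    if size.isdigit() and int(size) == 0 and ext in EXECUTABLE_EXTS:
        reasons.append("zero-byte executable")
    if looks_generated(stem):
        reasons.append("pseudo-random file name")
    return Finding(path, reasons) if reasons else None


def triage_files(text: str) -> list:
    return [f for f in map(triage_file_line, text.splitlines()) if f]


def triage_registry(text: str) -> list:
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # remember the key that the following values belong to
            key = line
            continue
        for rx, why in REG_RULES:
            m = rx.match(line)
            if not m:
                continue
            path = m.groupdict().get("path")
            reasons = [why]
            if path and looks_generated(ntpath.splitext(ntpath.basename(path))[0]):
                reasons.append("pseudo-random DLL name")
            findings.append(Finding(path or key, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_files(SAMPLE_FILE_LINES) + triage_registry(SAMPLE_REG_LINES):
        print(f"{f.path}: {', '.join(f.reasons)}")
```

Run against the excerpt it reports the five pseudo-random or hidden executables and the three weakened defences, and stays quiet on mbamswissarmy.sys, SYMEVENT.INF and the hidden fidbox2.dat, which are data rather than executables. The name heuristic is deliberately loose; it ranks, it does not convict.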

by: David-Howard, posted on 2009-10-21 at 15:43:35, ID: 25629270

Okay, big Combo log! I see where some entries normally associated with malware were removed (such as kohumoki.dll and YUJUKUMI.EXE).
You are correct in that it's difficult to be sure that any system is "clean". However, if Malwarebytes, your anti-virus program and Combofix were run and you are no longer receiving errors, you have at a minimum removed the biggest known threats. That said, there is always the chance of rootkits, but that is an entirely different animal to detect and remove. Just for future reference, if I know for certain that any system I touch has a rootkit, the data gets removed and the system formatted. The question that I always ask with relation to rootkits is this: do you feel comfortable sitting at that system and conducting online banking?
That question usually answers itself.
Just to have a greater degree of peace of mind you might download AVG or COMODO and give your system a scan with either of them. If those scans come up clean, you should be able to download your MS updates without issue.
Just make sure you select the FREE version.
http://free.avg.com/us-en/homepage
http://personalfirewall.comodo.com/

 

by: cyborama, posted on 2009-10-21 at 16:03:16, ID: 25629380

Actually I have Norton Internet Security 2009 with the latest updates, but interestingly enough at the beginning of this cleaning it only found 6, whereas Malwarebytes found 53 infections.

Anyway, just out of curiosity and for future reference, what are some indications that I might have a rootkit virus so I would know to leave it alone? Here is a list of the viruses detected by Malwarebytes originally:

Trojan.vundo.h
Trojan.zlob.h
backdoor.bot
trojan.agent
rogue.window
backdoor.bot
rogue.advance
trojan.fakealert
trojan.download
malware.trace
disabled.security
hijack.displayP

Also Spy Doctor found one like something .sysguard and a couple of others such as something about packaged.gen.

Anyway, that said, in the future when scanning for viruses should I research each one to see if it tells me it is a rootkit, or is there an easier tool to use to determine this before spending a long time attempting a cleanup?

Thanks,

Bo

 

by: David-Howard, posted on 2009-10-21 at 16:12:42, ID: 25629421

Most antimalware and antivirus suites do not scan for rootkits. There are various reasons for this. Some rootkits are detectable while within the OS; others run at boot and are loaded into memory.
There is some very good background and tools available here for rootkits.
http://www.belowgotham.com/index.htm
As for indications that you have a rootkit, it all depends on the type. Meaning, if you have a keylogger installed you most likely won't "notice" anything, as they are designed for stealth. No pop-ups etc.
The vundo, zlob, etc. that you posted are known files and more times than not Malwarebytes will detect and remove them.

 

by: cyborama, posted on 2009-10-21 at 16:15:52, ID: 25629442

Thanks for all your help and for doing so very quickly.

 

by: cyborama, posted on 2009-10-21 at 16:17:38, ID: 31644103

Very helpful, very good. He deserves more points than I can give for this question because the answers were absolutely accurate and prompt, and he is a pleasing person to deal with.

Thanks again David for your help in this area.

 

by: David-Howard, posted on 2009-10-22 at 07:23:10, ID: 25634542

You're very welcome. Be careful out there.
David

 

by: chhsit, posted on 2009-10-24 at 08:08:15, ID: 25652539

As an addendum, before you jump head-first into cleaning up a system you may want to perform a cost-benefit analysis of the time and resources that you're going to invest. In some cases, it may be more efficient simply to adopt a scorched earth policy: reboot, flash the BIOS/firmware, reinstall, patch, and pull out your data backups. Here's what an expert (Jamie Butler) has to say:

"Once a rootkit is found, there is no good solution to get rid of it. Usually, a complete format and re-install of the computer is suggested because it is unknown how deeply the rootkit has compromised the machine."

Keep in mind that this is an arms race we're talking about. The security software people are usually a couple of steps behind the Black Hats. You simply can't depend on A.V. products to catch everything (companies that claim they can detect everything are selling you snake oil).

Hope this helps.

-Bill Blunden
Principal Investigator
Below Gotham Labs

 

by: cyborama, posted on 2009-10-25 at 15:56:11, ID: 25658885

Thanks chhsit for that addendum.

Also I have heard that there are some trojans that, once they get in, you can't give a 100% guarantee against malicious activity without a reformat, such as is the case with trojan.backdoor.bot. I certainly will take this to heart the next time I run into a serious viral infection. Once again, thank you.

Bo

 

by: cyborama, posted on 2009-10-25 at 16:00:51, ID: 25658921

Actually chhsit,

Just out of curiosity, why would one need to flash the BIOS in some cases? I understand the reboot, format, install Windows, patch and pull out backups, but is it possible for a virus to attack, say, the CMOS of your system?

I have heard of bootkit viruses but not necessarily CMOS ones.

Thanks,

Bo

 

by: chhsit, posted on 2009-10-30 at 16:40:41, ID: 25707488

Firmware-embedded rootkits are an evolving threat (as are rogue hypervisors and SMM-based malware). Check out the most recent Black Hat media downloads from the 2009 USA conference. The Invisible Things Lab from Poland has done some impressive work in this area.  

I wouldn't at all be surprised if some of the heavy hitters in this playing field (the ones who prefer to stay out of the spotlight) already have a working prototype of a firmware rootkit.
