
Fake spyware scanner Malware Bytes cant take out.

I'm dealing with a PC that a user's husband managed to infect in his search for "Gundam fan stuff".

This looks like the standard "your PC is infected, click here to fix it" popup. I've seen these before and usually never took more than 3h to remove. This one is really persistent and I'm almost leaning towards just reinstalling Windows.

These popups are even happening in Safemode.

So far I've tried the following:

Disabled system restore and purged all restore data.

I removed the AV that was installed and installed the new AVG and manually updated it. Scanned and found objects, removed them. Rescanning finds nothing.

Installed MalwareBytes and updated to latest version. Scanning in safemode always locates stuff, I remove it and reboot but it always comes back after a few minutes.

Installed Windows Defender (getting desperate), scanned and located objects, removed them and restarted. Still comes back.

Any suggestions?
 
Try booting off a live CD and running some A/V; that way infected system files can be properly cleaned. I know UBCD4win can build boot disks with A/V built in. Just make sure you build the disk on a clean system.
 
Try booting off a live CD and running some A/V; that way infected system files can be properly cleaned. I know UBCD4win can build boot disks with A/V built in. Just make sure you build the disk on a clean system.

I'll try that after I try what morrison wrote.

I would use:

1. Combofix http://www.bleepingcomputer.com/combofix/how-to-use-combofix
2. Super antispyware http://www.superantispyware.com/

and if it's at all possible, I would remove the HDD from the computer and install it as a slave in a different PC and scan it that way.

I'll try those.

I would have already scanned the HDD in another system if I had the adapter.... I asked for one but they said it "wasn't necessary".

Anyway, I have a HijackThis log in case anyone sees anything glaringly obvious.

Logfile of HijackThis v1.99.1 said:
Scan saved at 11:18:03 AM, on 07/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - http://10.10.1.14/Reports/Reserved....105&UICulture=9&ReportStack=1&OpType=PrintCab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1206474735226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Medicom.lan
O17 - HKLM\Software\..\Telephony: DomainName = Medicom.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Medicom.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Medicom.lan
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 
I'm gonna go through your HijackThis log right now...
 
Would it be useful to see my combofix log?
 
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

You can remove those. Other than that your log is clean from HijackThis, but your Explorer.EXE looks suspicious, because normally it's not written .EXE and not with a big E in Explorer.

If you got other scanning logs, please post them.
 
Combofix log

ComboFix 09-04-04.01 - Administrator 2009-04-07 11:53:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1579 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 09:52 . 2009-04-07 09:52 <DIR> d-------- c:\program files\Windows Defender
2009-04-07 09:50 . 2009-04-07 09:50 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-04-07 09:50 . 2009-04-07 09:50 <DIR> d--hs---- c:\documents and settings\Administrator\IECompatCache
2009-04-07 09:49 . 2009-04-07 09:49 <DIR> d--hs---- c:\documents and settings\Default User\IETldCache
2009-04-07 09:49 . 2009-04-07 09:49 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-04-07 09:41 . 2009-04-07 09:44 <DIR> d--h-c--- c:\windows\ie8
2009-04-06 09:45 . 2009-04-06 09:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Logitech
2009-04-06 09:31 . 2009-04-06 09:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-06 09:04 . 2009-04-07 08:33 <DIR> d--h----- C:\$AVG8.VAULT$
2009-04-06 08:46 . 2009-04-06 08:48 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-06 08:46 . 2009-04-06 08:46 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-06 08:46 . 2009-04-06 09:14 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-06 08:46 . 2009-04-06 08:46 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-06 08:45 . 2009-04-06 08:45 <DIR> d-------- c:\program files\AVG
2009-04-06 08:45 . 2009-04-06 09:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-06 08:16 . 2009-04-06 08:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 08:16 . 2009-04-06 08:16 <DIR> d-------- c:\documents and settings\pxenos\Application Data\Malwarebytes
2009-04-06 08:16 . 2009-04-06 08:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 08:16 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 08:16 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-05 00:53 . 2009-04-05 00:53 <DIR> d-------- C:\QUARANTINE
2009-04-05 00:53 . 2009-04-05 00:53 38,912 --a------ c:\windows\promo.exe
2009-04-01 14:08 . 2009-04-01 14:08 25,952 --a------ c:\windows\system32\drivers\wnsdrvr.sys
2009-04-01 14:07 . 2009-04-01 14:07 <DIR> d-------- c:\program files\LG Drivers
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 04:53 38,912 ----a-w c:\windows\system32\userinit.exe
2009-04-02 13:16 --------- d-----w c:\program files\Common Files\Dynamics NAV
2009-04-01 18:10 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 08:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:31 34,816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-02-16 15:22 --------- d-----w c:\documents and settings\pxenos\Application Data\Logitech
2009-02-16 15:17 --------- d-----w c:\program files\SetPoint
2009-02-16 15:17 --------- d-----w c:\program files\Common Files\Logitech
2009-01-07 22:21 26,144 ----a-w c:\windows\system32\spupdsvc.exe
2009-01-07 22:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-07 22:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-07 22:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-07 22:20 23,552 ----a-w c:\windows\system32\normaliz.dll
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-04-05 00:53 38912 c2a4804e69cf44118ec5d556b2201bb0 c:\windows\system32\userinit.exe
2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-07_11.47.25.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-07 15:37:47 78,248 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-07 15:55:04 78,248 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-07 15:37:47 447,740 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-07 15:55:04 447,740 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-06 1932568]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-01-27 25214]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2009-02-16 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-06 08:46 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:medicom inc

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-06 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-06 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-06 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 WnsDrvr;WnsDrvr;c:\windows\system32\drivers\wnsdrvr.sys [2009-04-01 25952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://10.10.1.14/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=zhywvd55dbtomsaxyzktuwj3&ControlID=f3087c611884479ab80b769bf6c1b07a&Culture=4105&UICulture=9&ReportStack=1&OpType=PrintCab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 11:55:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1788223648-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a1,3d,e9,d5,c9,de,47,9d,2b,dd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a1,3d,e9,d5,c9,de,47,9d,2b,dd,\

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2009-04-07 11:56:24
ComboFix-quarantined-files.txt 2009-04-07 15:56:22
ComboFix2.txt 2009-04-07 15:48:16

Pre-Run: 67,327,848,448 bytes free
Post-Run: 67,313,635,328 bytes free

158 --- E O F --- 2008-09-10 14:19:20
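One thing in this log worth checking by hand: the Sigcheck section lists three copies of userinit.exe with three different MD5s, and the live c:\windows\system32\userinit.exe was changed on 2009-04-05 00:53, the same minute and the same size (38,912 bytes) as c:\windows\promo.exe in the Files Created list. The script below is an added example, not part of ComboFix or of any post in this thread; it parses the Sigcheck and Files Created lines of a ComboFix log (the sample lines are copied from the log above) and flags protected binaries whose live copy no longer matches the dllcache copy, then pairs them with new files of the same size and day.

```python
import re
from collections import defaultdict

# Constructed sample: the Sigcheck lines plus one "Files Created" line,
# copied verbatim from the ComboFix log quoted above.
SAMPLE_LOG = r"""
2009-04-05 00:53 . 2009-04-05 00:53 38,912 --a------ c:\windows\promo.exe
------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-04-05 00:53 38912 c2a4804e69cf44118ec5d556b2201bb0 c:\windows\system32\userinit.exe
2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
"""

# Sigcheck line:      date time size md5 path
SIGCHECK_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")
# Files Created line: created . modified size attrs path  (<DIR> lines do not match)
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d) \. \S+ \S+ ([\d,]+) \S+ (.+)$")


def parse_sigcheck(log):
    """One dict per Sigcheck line: date, size (bytes), md5, lower-cased path."""
    out = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append({"date": m.group(1), "size": int(m.group(3)),
                        "md5": m.group(4), "path": m.group(5).lower()})
    return out


def parse_created(log):
    """(created date, size, lower-cased path) for each new file that has a size."""
    out = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(3).replace(",", "")),
                        m.group(4).lower()))
    return out


def find_replaced_system_files(entries):
    """Pair each live system32 binary with its dllcache copy and report the
    names whose MD5s differ. Windows File Protection and genuine updates
    normally refresh both copies, so a mismatch means something else wrote
    the live file and the binary deserves a closer look."""
    by_name = defaultdict(dict)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if "\\dllcache\\" in e["path"]:
            by_name[name]["cache"] = e
        elif "\\system32\\" in e["path"]:
            by_name[name]["live"] = e
    return [{"file": n, "live": c["live"], "cache": c["cache"]}
            for n, c in by_name.items()
            if "live" in c and "cache" in c and c["live"]["md5"] != c["cache"]["md5"]]


def size_twins(findings, created):
    """New files with the same size and creation day as a replaced binary:
    a hint that the replacement was dropped under another name first."""
    return [(f["file"], path)
            for f in findings
            for day, size, path in created
            if size == f["live"]["size"] and day == f["live"]["date"]]


if __name__ == "__main__":
    hits = find_replaced_system_files(parse_sigcheck(SAMPLE_LOG))
    for h in hits:
        print(f"{h['file']}: live md5 {h['live']['md5']} != dllcache {h['cache']['md5']}")
    for name, path in size_twins(hits, parse_created(SAMPLE_LOG)):
        print(f"  same size and day as {name}: {path}")
```

Run it against a full ComboFix log instead of SAMPLE_LOG and it will report every Sigcheck'd binary that differs from its dllcache copy, not just userinit.exe.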
 
I don't see anything suspicious
 
You can remove those. Other than that your log is clean from HijackThis, but your Explorer.EXE looks suspicious, because normally it's not written .EXE and not with a big E in Explorer.

If you got other scanning logs, please post them.

I've removed the entries you mentioned. I noticed the .EXE extension on Explorer also but I'm not sure what to do about it.
 
That thing is a sum-bitch, man. We had that rip into our networks at my job. Nothing at first could get rid of it. However, we did find something. Download the Microsoft OneCare demo. It was the only thing that fixed it. Fast too.
 
Try downloading Spybot - Search & Destroy, update it, immunize and scan.
After that, reboot, scan with it again, and when that's done, scan with AVG - post a log if it makes one.
 
Try downloading Spybot - Search & Destroy, update it, immunize and scan.
After that, reboot, scan with it again, and when that's done, scan with AVG - post a log if it makes one.

That won't work with this one.
 
Try running Autoruns and see what is attached to Explorer; Process Explorer is nice to have too.
 
Try running Autoruns and see what is attached to Explorer; Process Explorer is nice to have too.

Autoruns?

@Mailman.. I'll try MS OneCare now.
 
Autoruns?

@Mailman.. I'll try MS OneCare now.

Yes, you can read about it here: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Great little tool put out by Sysinternals. It will tell you every DLL and extension that is attached to the critical processes of Windows, and a whole lot more. You can then disable them, without deleting them, to see what is causing your problem. When you narrow it down, you can then just delete it.

I just PMed you a link. That thing is NASTY what you got. Nice job :laugh:

Definitely, I've seen it way too much on customer machines. A real pain in the ass to get rid of, especially if you get one of the variants that blocks most cleaning tools from even running...
 
FYI, if you're running Vista you will have to download the demo. The web-based scanner kinda sucks for OneCare.
 
It's an XP machine.

Definitely, I've seen it way too much on customer machines. A real pain in the ass to get rid of, especially if you get one of the variants that blocks most cleaning tools from even running...

This one hasn't blocked anything from running.. usually they do. This one lets everything run and if it gets caught it just doesn't get removed.. nothing has removed it and almost all scanners find something in the system.
 
It's an XP machine.

It's up to you then. Personally I like the demo more than the browser scan. You can always uninstall it, ya know :toast:

This one hasn't blocked anything from running.. usually they do. This one lets everything run and if it gets caught it just doesn't get removed.. nothing has removed it and almost all scanners find something in the system.

Yeah this thing is a work of art. No doubt.
 
I'm about 99% sure the issue was resolved with running SuperAntiSpyware and Microsoft OneCare. I didn't try Spybot so I don't know if it would have worked.

This virus was impervious to AVG, MalwareBytes, ComboFix, Vundo fix, and a host of other things I tried.


I hate Malware.. but it keeps me busy.

:toast:
 
yea, AVG doesn't really help a lot, other than slowing down your computer i

If I were you I'd use NOD32; it's the best AV around, has been for years, and it has no noticeable impact on your system performance either.

Use SuperAntiSpyware free edition with NOD32, you won't regret it
 
If MalwareBytes can't remove it, good luck.. lol
 
yea, AVG doesn't really help a lot, other than slowing down your computer i

If I were you I'd use NOD32; it's the best AV around, has been for years, and it has no noticeable impact on your system performance either.

Use SuperAntiSpyware free edition with NOD32, you won't regret it

I've had only good experiences with AVG. If AVG had been the main AV installed before the virus came along I'm confident it would have prevented the infection.

It's not the best as a pure removal tool, but it works for prevention.
 
I've had only good experiences with AVG. If AVG had been the main AV installed before the virus came along I'm confident it would have prevented the infection.

It's not the best as a pure removal tool, but it works for prevention.

I wouldn't trust it. After working in the IT industry as a technician I can tell you with full confidence that it's crap; the amount of people that come in with fully infested computers that have AVG is a lot more than any other AV.
Also, when AVG 8 came out, the amount of calls we got saying "my computer's broken" or "my computer's going very slow"... the first thing I'd do was check to make sure they weren't using AVG 8. If they were I'd uninstall it and at least 90% of the time it would be running good again.

All in all, AVG is bad: it lets way too many viruses through and cripples some computers, its overheads are too high.
If you want a good AV, download the demo of NOD32 and give it a go. Trust me, I'm not just writing this for fun, I'm trying to help you. At least read the reviews on NOD32.

Remember, you pay peanuts, you'll get monkeys.
 