Trojan.vb.aft

Discussion in 'Malware Help (A Specialist Will Reply)' started by cafemuse, Apr 5, 2008.

  1. cafemuse

    cafemuse Private E-2

    Hi,
    I did the Windows XP Cleaning Procedure and have the results below from ComboFix and Malwarebytes' Anti-Malware.

    Just prior, I removed some elements from the reg instructions from an earlier post.

    Still believe it's present....

    Thanks !




    Malwarebytes' Anti-Malware 1.10
    Database version: 592

    Scan type: Quick Scan
    Objects scanned: 32384
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\silc_dll.dll (Spyware.Marketscore) -> No action taken.
    C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> No action taken.
    C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> No action taken.
    C:\WINDOWS\tcb.pmw (Malware.Trace) -> No action taken.


    ComboFix 07-06-11.3
    "JIM" - 2008-04-05 8:57:28 - Service Pack 2
    Command switches used :: /killall


    ((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))


    2008-04-04 22:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-04 22:48 <DIR> d-------- C:\DOCUME~1\JIM\APPLIC~1\Malwarebytes
    2008-04-04 22:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
    2008-04-04 16:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2008-04-04 16:38 <DIR> d-------- C:\Program Files\Plugins
    2008-04-04 16:38 <DIR> d-------- C:\DOCUME~1\JIM\APPLIC~1\SUPERAntiSpyware.com
    2008-03-24 13:44 <DIR> d-------- C:\DOCUME~1\JIM\APPLIC~1\FLV Extract
    2008-03-18 16:41 <DIR> d-------- C:\DOCUME~1\JIM\APPLIC~1\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-04-02 13:14:14 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
    2008-03-12 00:05:50 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
    2008-02-29 20:03:48 8,944 ----a-w C:\Program Files\sasdifsv.sys
    2008-02-29 20:03:46 51,440 ----a-w C:\Program Files\SASKUTIL.SYS
    2008-02-29 20:03:46 1,481,968 ----a-w C:\Program Files\SUPERAntiSpyware.exe
    2008-02-29 20:03:44 146,672 ----a-w C:\Program Files\SSUpdate.exe
    2008-02-21 01:05:52 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-02-21 01:05:44 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-02-21 01:05:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2008-02-21 01:05:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2008-02-21 01:05:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2008-02-21 01:05:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-02-21 01:05:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-02-21 01:04:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-02-21 01:04:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-02-21 01:04:08 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-02-21 01:04:08 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-02-21 01:04:06 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-02-21 01:04:06 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-02-21 01:04:06 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-02-21 01:04:06 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-02-21 01:04:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-02-21 01:04:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-02-21 01:04:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-02-21 01:04:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-02-21 01:03:42 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-02-21 01:03:24 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-09-10 19:36]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "bbSysTray"="C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe" [2002-03-20 11:10]
    "AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 12:09]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "QuickTime Task"="D:\qttask.exe" [2007-12-11 11:56]
    "iTunesHelper"="D:\iTunesHelper.exe" [2007-09-05 19:03]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware.exe" [2008-02-29 16:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SASSEH.DLL" [2006-12-20 12:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    Contents of the 'Scheduled Tasks' folder
    2005-10-03 23:47:40 C:\WINDOWS\tasks\Registration reminder 2.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-05 08:59:37
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SharedAccess]
    "ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
    [HKEY_LOCAL_MACHINE\system\Services\SharedAccess]

    Completion time: 2008-04-05 9:01:55
    C:\ComboFix3.txt ... 2007-10-27 17:50
    C:\ComboFix2.txt ... 2007-11-13 09:48
    C:\ComboFix-quarantined-files.txt ... 2008-04-05 09:00

    --- E O F ---
     
  2. abri

    abri MajorGeek

    Hi cafemuse,
    Welcome to the Malware Forum!


    Which reg instructions from an earlier post are you referring to?

    Why was No Action Taken in the MalwareBytes scan? Did you not have it fix whatever it found?

    We request that your logs be attached rather than posted as inline logs and you are missing the logs produced when you install and run the MGTools. Please complete all of the instructions in the READ & RUN ME FIRST correctly and attach the requested logs with your next post.


    Thanks.
    abri
     
  3. cafemuse

    cafemuse Private E-2

    Attached Files:

  4. abri

    abri MajorGeek

    Hi cafemuse,

    You didn't answer my questions or follow all the instructions in the READ & RUN ME. My first question was:
    My second question was:
    I'm missing the MGlogs which will be produced when you install and run the MGTools. In the first part of the READ & RUN ME FIRST there are instructions for running CCleaner and putting your computer into normal startup mode. I don't know if you did these or went right on to the second page of instructions which are those you mentioned in your last post.


    abri
     
  5. cafemuse

    cafemuse Private E-2

    Hi abri,
    The post I think I was referring to was the "trojan horse" one, which is the latest thread/post in this section.

    I have attached the MGTools info.

    The Malwarebytes said nothing was detected, so no action was taken.

    I did the CCleaner and changed the other setting to normal mode before the scans.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi cafemuse,

    Be attentive here. Otherwise it's difficult to help you.

    1) The SAS log may not have shown anything, but the MalwareBytes shows that a lot was found and No Action Taken. The reason we ask you to run these scans is to have them remove some of the malware. Open up the MalwareBytes log you posted to me in your post 3 by double-clicking on it and look at it. Then run it again and have it fix whatever it finds.

    After that, please do the following:

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - Startup: Slacker Tray App.lnk = D:\Software Player\slacker.tray.exe
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

    After you click fix, just close hijackthis.

    3) The MGlogs you posted are from old versions of the tools. Please go back to the XP Cleaning Instructions and download the MGTools. When it asks if it should install over the ones that are already there, say yes! Then run them as per the instructions and post a new set of MGlogs.zip with your next post along with the new MalwareBytes log.

    Thanks.
    abri
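    The point abri makes above (the Malwarebytes log in post 1 lists detections, but every one is marked "No action taken") can be checked mechanically. The parser below is an added example for the log layout shown in this thread, not a tool from the thread or from Malwarebytes; the embedded log excerpt is constructed in that layout, and the "Quarantined and deleted successfully" wording is assumed to be what the scanner writes after a fix.

```python
import re

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware log
# posted in the thread (sample values, not the poster's full log).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.10
Database version: 592

Registry Keys Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\\Software\\Microsoft\\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\FCOVM (Trojan.Vundo) -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>." as written on each detection line
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")
# "<section> Infected: <count>" from the summary block at the top
SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

def parse_mbam_log(text):
    """Return (summary_counts, detections); each detection records its
    section, the registry key or file path, the family label and the action."""
    counts, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith("Infected:"):       # start of a per-section listing
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def unresolved(detections):
    """Detections the scanner reported but did not remove (the thread's problem)."""
    return [d for d in detections if d["action"].lower().startswith("no action")]

def check_counts(counts, detections):
    """Confirm the summary counts agree with the items actually listed."""
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    return all(seen.get(s, 0) == n for s, n in counts.items())
```

Running `unresolved` over the full log in post 1 returns all nine entries, which is exactly the condition abri asks to be corrected by re-running the scan and letting it fix what it finds.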
     
  7. cafemuse

    cafemuse Private E-2

    Hi Abri,
    I thought I was using the Malwarebytes properly. I saw the log and didn't see a fix button, but it did say no malicious files (see log attached).

    I found and deleted the reg files you said to delete from those found by HijackThis.

    I updated my MGTools and have attached the logs, and removed what you said so far.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi cafemuse,


    How did you do this? Did you follow the instructions I gave you to remove these items with HijackThis (analyse.exe)? The reason I ask is because when I look at your HijackThis log in the new set of MGlogs, all the entries I asked you to fix are still present. This means that either they weren't fixed with HijackThis or you ran the MGTools before fixing them, in which case your logs aren't accurate. We have you do the steps in a certain order so that we can check the logs to see if the items are those which can be removed easily or if they are of the type of malware that needs more work to be gotten rid of.

    In the new logs, I find one additional item which needs to be removed. Please do the following:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Let me know if this patch gives a success message.

    3) Then please rerun C:\MGTools\GetLogs.bat by double-clicking on the file and allow it to run to completion. Then come back here and attach the new set of logs which can be found at C:\MGlogs.zip with your next post.

    Thanks.
    abri
     
  9. cafemuse

    cafemuse Private E-2

    Hi Abri,

    Erunt installed.

    The patch worked when merged with the registry.

    See attached new MGlogs.


    Thanks!
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi cafemuse,
    Your logs look good. How is your computer working?
    May I recommend that you move some of the files you have on the desktop into folders in a safer place (like My Documents / My Movies / My Music etc.) and link these to your desktop. Also, I encourage you to use CCleaner every time you get out of the internet. You still have a lot of temp files that are hard to identify.

    If you are not having further problems, please do the final cleanup instructions in the box:
    abri
     
  11. cafemuse

    cafemuse Private E-2

    Hi Abri,
    It appears that my CPU is still spiking at 100% in spurts which makes me think there's still a good possibility that I still have a problem. Otherwise, it seems ok.

    J
     
  12. abri

    abri MajorGeek

    Hi cafemuse,
    Uninstall SuperAntiSpyware. I'm not sure if you have more than one instance of the program, because in your original Combofix log, it appears to have been installed correctly, but in your MGTools logs it's installed wrong.
    abri
     
  13. cafemuse

    cafemuse Private E-2

    thanks!

    I removed that and still need to do this below. It seemed a little scary at first glance.

    # After you've completed the above, please follow the instructions at this link for setting a clean restore point. Disable and Enable System Restore!
     
  14. cafemuse

    cafemuse Private E-2

    CPU seems to be ok, no 100% spikes anymore.

    THANKS!
     
  15. abri

    abri MajorGeek

    Hi cafemuse!
    I'm glad to hear that! Do read the How to Protect Yourself from Malware, because there are a couple of good things (immunize with Spybot and Spyware Blaster) that are very worth picking up.
    abri
     
