unruy.d trojan --- I am tired of this stuff!!!

Originally Posted By: dkryan
tbird,

Combofix, as recommended to me by another BITOGer, was my next step if starting in safe mode and running Malwarebytes from a USB drive did not solve the problem.

I, too, had the same questions as you regarding Combofix, but I wasn't about to wait on a "helper."


So should I try it? After it does its work, does the normal desktop appear (if it goes away while ComboFix runs), or does it prompt you to restart?
Will you be available via PM if I need some advice while I do it tonight?
 
FWIW,

If you're "tired" of getting hit with malware, etc., start isolating your browser from the rest of your system!

If you've been infected before, I'd personally reformat.
 
Originally Posted By: 97tbird
Originally Posted By: dkryan
tbird,

Combofix, as recommended to me by another BITOGer, was my next step if starting in safe mode and running Malwarebytes from a USB drive did not solve the problem.

I, too, had the same questions as you regarding Combofix, but I wasn't about to wait on a "helper."


So should I try it? After it does its work, does the normal desktop appear (if it goes away while ComboFix runs), or does it prompt you to restart?
Will you be available via PM if I need some advice while I do it tonight?


I'll help all that I can. Here is the message I received two weeks ago from Deltona Dave regarding my problem:

"Try ComboFix. Combo Fix site. download it to a thumb drive. Boot up the affected PC in Safe Mode and run it.

Just ran it on my daughter's laptop, she had a similar bug. ComboFix kills the Hijack/Redirect processes, so MBAM or other programs can run."

I wouldn't get too caught up in the ComboFix warnings at this point, as it can't make things any worse than you have it now.

I booted into safe mode in Windows XP with a USB drive attached, then ran Malwarebytes from the USB drive. If you can't accomplish that much, ComboFix is the next logical step.

Frustrating, isn't it?

Be patient, as my limited understanding is ComboFix could take hours to run on your PC. Malwarebytes took just over 2 hours to deep scan my files and find the 17 infected files.
 
Once a Windows PC has had a serious infection, it is very difficult, near impossible at times, to get it COMPLETELY cleaned up. There will always be traces: modifications made to the registry that slip by even the most anal scanner.

I had a NAV 2010 system that was infected last week with malware that MWB picked up on. Not a serious infection; it was fake AV software. Norton didn't see it. Using HJT after the fact to clean up other entries, then a manual perusal of the registry, had me confident that the vast majority of this program and its traces were removed.

Malware is a huge PITA. And the VERY broad definition of the term allows for all kinds of exciting misconstruing as to what constitutes what; what falls beneath the umbrella and what escapes.
 
So I can't just download CF onto the laptop and run it from there?
How does CF "know" to scan the laptop and not the USB thumb drive if I run it from the thumb drive?
 
Well, I ran it from the laptop... not in safe mode, because it needs to download and install the Recovery Console from MS during the startup process...

It did 50 passes (stages) and IT LOOKS LIKE THE UNRUY.D TROJAN IS GONE!! Yay.
MS SE didn't alert me, and it's been running fine since the ComboFix scan...

I might run MWB and MS SE and perhaps even ComboFix again in safe mode... (hopefully it only needs to download that Recovery Console once...)

THANKS SO MUCH to all who commented... and ComboFix was a great tip!!!

...wonder how much the Geek Squad would (have) charged for a service like that.
 
Here's the log created by ComboFix... any of you guys who are experts can perhaps tell me what went on...
Are there any nasty programs that I should get rid of...?


23:18:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.809 [GMT -4:00]
Running from: c:\documents and settings\Nishan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\Microsoft
c:\system volume information\Microsoft\services.exe
c:\system volume information\Microsoft\services.exe8157D84D
c:\system volume information\Microsoft\smss.exe
c:\system volume information\Microsoft\smss.exe6D15860A
c:\system volume information\Microsoft\smss.exe9CC3BC35
c:\system volume information\Microsoft\smss.exeC9B99724
c:\windows\TEMP\logishrd\LVPrcInj02.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-17 02:31 . 2010-07-17 02:31 -------- d-----w- c:\documents and settings\Nishan\Local Settings\Application Data\WMTools Downloaded Files
2010-07-17 00:18 . 2010-07-17 00:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-07-16 01:45 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-16 00:33 . 2010-07-16 00:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 21:23 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 04:08 . 2010-07-08 04:08 452104 ----a-w- c:\documents and settings\Nishan\Application Data\Real\Update\setup3.12\setup.exe
2010-07-06 00:09 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-06 00:00 . 2010-07-06 00:00 -------- d-----w- c:\documents and settings\Nishan\Local Settings\Application Data\PCHealth
2010-07-06 00:00 . 2010-07-06 00:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-07-05 23:59 . 2010-07-05 23:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-04 00:43 . 2010-07-04 00:43 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-04 00:40 . 2010-07-04 00:40 79488 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-29 00:30 . 2010-07-04 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-25 22:22 . 2010-06-25 22:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-25 20:45 . 2010-06-25 20:45 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb27C.tmp.exe
2010-06-25 04:16 . 2010-06-25 04:16 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb25D.tmp.exe
2010-06-24 14:13 . 2010-06-24 14:13 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb20A.tmp.exe
2010-06-23 18:22 . 2010-06-23 18:22 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtbCC.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 03:28 . 2009-03-29 15:14 117760 ----a-w- c:\documents and settings\Nishan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-17 03:25 . 2010-05-20 22:55 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-17 03:25 . 2010-05-20 22:54 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-14 23:15 . 2006-08-20 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-04 00:43 . 2006-08-22 13:51 -------- d-----w- c:\program files\Java
2010-06-28 05:54 . 2006-08-18 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-28 05:52 . 2006-08-17 22:33 -------- d-----w- c:\program files\CCleaner
2010-06-28 04:34 . 2008-03-12 05:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 04:34 . 2006-08-22 23:03 -------- d-----w- c:\program files\SpywareBlaster
2010-06-26 17:23 . 2010-04-25 02:46 -------- d-----w- c:\documents and settings\Nishan\Application Data\Skype
2010-06-26 17:02 . 2010-04-25 02:54 -------- d-----w- c:\documents and settings\Nishan\Application Data\skypePM
2010-06-25 23:04 . 2008-09-27 15:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-23 18:21 . 2006-11-05 00:25 -------- d-----w- c:\program files\RocketDock
2010-06-14 21:28 . 2007-02-13 13:53 -------- d-----w- c:\documents and settings\Nishan\Application Data\Audacity
2010-06-14 14:31 . 2004-08-09 17:52 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 22:59 . 2010-06-09 22:59 -------- d-----w- c:\documents and settings\Nishan\Application Data\American Pharmacists Association
2010-06-08 21:04 . 2006-08-16 06:27 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-06 20:42 . 2006-08-16 20:15 83424 ----a-w- c:\documents and settings\Nishan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-06 20:41 . 2010-06-06 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-06-06 20:27 . 2010-06-06 20:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-06 20:24 . 2006-08-16 06:26 -------- d-----w- c:\program files\Microsoft Works
2010-06-03 16:13 . 2010-06-03 16:13 -------- d-----w- c:\documents and settings\Nishan\Application Data\Yahoo!
2010-06-03 16:09 . 2010-06-03 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-03 16:09 . 2006-08-17 22:33 -------- d-----w- c:\program files\Yahoo!
2010-05-25 09:23 . 2010-05-25 09:23 503808 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6786486a-n\msvcp71.dll
2010-05-25 09:23 . 2010-05-25 09:23 499712 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6786486a-n\jmc.dll
2010-05-25 09:23 . 2010-05-25 09:23 348160 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6786486a-n\msvcr71.dll
2010-05-25 09:23 . 2010-05-25 09:23 61440 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-45322ea6-n\decora-sse.dll
2010-05-25 09:23 . 2010-05-25 09:23 12800 ----a-w- c:\documents and settings\Nishan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-45322ea6-n\decora-d3d.dll
2010-05-24 14:56 . 2010-05-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-05-21 21:49 . 2010-05-21 21:49 0 --sh--w- c:\windows\S7A408CF9.tmp
2010-05-21 21:47 . 2010-05-21 21:47 -------- d-----w- c:\program files\Elaborate Bytes
2010-05-20 22:55 . 2010-05-20 22:52 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-05-20 22:52 . 2008-04-16 06:35 -------- d-----w- c:\program files\Logitech
2010-05-06 10:41 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 1980-01-01 07:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 00:15 . 2009-07-13 16:12 256 ----a-w- c:\windows\system32\pool.bin
2010-04-29 19:39 . 2008-09-27 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-09-27 15:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 02:54 . 2010-04-25 02:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-24 14:01 . 2009-07-04 23:32 71404 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 20:45 . 2010-06-03 16:09 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-04-20 05:30 . 1980-01-01 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-01-28 462848]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"Google Update"="c:\documents and settings\Nishan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-17 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-23 106496]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-03-23 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-10-06 110592]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-02-17 13:54 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-23 09:03 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-02-10 18:54 210224 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 14:07 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 14:07 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/15/2009 20:58 719392]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 16:11 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 19:45 3968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 14:07 7408]
S0 daapto;daapto;c:\windows\system32\drivers\cwofcut.sys --> c:\windows\system32\drivers\cwofcut.sys [?]
S0 uufdja;uufdja;c:\windows\system32\drivers\lmenqyn.sys --> c:\windows\system32\drivers\lmenqyn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 0:01 135664]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [9/21/2009 1:20 352256]
S3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [9/21/2009 1:20 33792]
.
Contents of the 'Scheduled Tasks' folder

2010-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:01]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:01]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3290715914-1992652385-3690394129-1005Core.job
- c:\documents and settings\Nishan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 23:11]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3290715914-1992652385-3690394129-1005UA.job
- c:\documents and settings\Nishan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 23:11]

2010-07-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-07-17 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-07-15 08:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Nishan\Application Data\Mozilla\Firefox\Profiles\g9gyik27.default\
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\documents and settings\Nishan\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Nishan\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Nishan\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera\program\plugins\npican.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-ACNotify - ACNotify.dll
Notify-NavLogon - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 23:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\windows\system32\MSVCP71.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'explorer.exe'(7664)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\PROCHLP.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\system volume information\Microsoft\services.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\system volume information\Microsoft\smss.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TpShocks.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-07-16 23:34:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 03:34

Pre-Run: 12,214,657,024 bytes free
Post-Run: 12,219,084,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 8DF34B7FBB5D1EE0CE75870EAFEDF9AB
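The post above asks what in this log is worth getting rid of. Two patterns in it stand out to a defender without any tool: core Windows process names (services.exe, smss.exe) listed under "Other Running Processes" from c:\system volume information\Microsoft, a directory those binaries never legitimately run from, and two S0 (boot-start) driver services (daapto, uufdja) whose image file ComboFix marks "[?]", meaning the file it points at was not found on disk. The following script is an added example, not part of the thread and not ComboFix's own code; it runs a small triage pass over lines in the same shape as the log. The table of expected system-binary locations and the list of directories flagged "worth a look" are assumptions I chose for Windows XP, and the six sample lines are constructed from the log sections above.

```python
import re
from typing import Dict, List

# Core Windows binaries and the one directory each is expected to run from on XP.
# (Assumption for this example; extend it for other Windows versions.)
EXPECTED_SYSTEM_DIRS: Dict[str, str] = {
    "services.exe": "c:\\windows\\system32",
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Directories nothing legitimate should be executing from; a hit is "worth a look", not proof.
REVIEW_DIRS = ("\\system volume information\\", "\\recycler\\", "\\temp\\")

# Service/driver lines look like "S0 name;display;path --> path [?]" (file missing)
# or "R1 name;display;path [m/d/yyyy hh:mm size]" (file present).
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# Bare executable paths, as in the "Other Running Processes" and "DLLs Loaded" sections.
PATH_RE = re.compile(r"^[a-z]:\\.+\.(?:exe|dll|sys)$")


def triage_line(line: str) -> List[str]:
    """Return the reasons one log line deserves attention; an empty list means nothing notable."""
    text = line.strip()
    low = text.lower()
    findings: List[str] = []
    if not text:
        return findings

    svc = SERVICE_RE.match(text)
    if svc:
        start_type, name, _display, rest = svc.groups()
        # ComboFix prints "[?]" when the image file a service points at does not exist on disk.
        if rest.rstrip().endswith("[?]"):
            image = rest.split(" --> ")[0].strip()
            findings.append(f"{start_type} service '{name}' points at a missing driver file: {image}")
        return findings

    if PATH_RE.match(low):
        directory, base = low.rsplit("\\", 1)
        expected = EXPECTED_SYSTEM_DIRS.get(base)
        if expected and directory != expected:
            findings.append(f"'{base}' is expected only under {expected}, found at: {text}")
        for marker in REVIEW_DIRS:
            if marker in low:
                findings.append(f"executable under '{marker}' is worth a look: {text}")
                break
    return findings


def triage_log(log_text: str) -> Dict[str, List[str]]:
    """Map each notable log line to its findings; lines with nothing to report are omitted."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        findings = triage_line(line)
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample: six lines in the shape of the log sections above.
SAMPLE_LOG = r"""
c:\system volume information\Microsoft\services.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\system volume information\Microsoft\smss.exe
c:\windows\system32\wscntfy.exe
S0 daapto;daapto;c:\windows\system32\drivers\cwofcut.sys --> c:\windows\system32\drivers\cwofcut.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 14:07 8944]
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   -", reason)
```

Run against the whole log, the same two checks also pick out the firewall exception for `%windir%\system32\drivers\svchost.exe` (svchost.exe lives in system32, not in the drivers folder), which is the kind of leftover a second Malwarebytes pass in safe mode is meant to catch. The script only points at lines to review; whether an entry is removed is still a decision for whoever is cleaning the machine.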
 
Originally Posted By: 97tbird
Well, I ran it from the laptop... not in safe mode, because it needs to download and install the Recovery Console from MS during the startup process...

It did 50 passes (stages) and IT LOOKS LIKE THE UNRUY.D TROJAN IS GONE!! Yay.
MS SE didn't alert me, and it's been running fine since the ComboFix scan...

I might run MWB and MS SE and perhaps even ComboFix again in safe mode... (hopefully it only needs to download that Recovery Console once...)

THANKS SO MUCH to all who commented... and ComboFix was a great tip!!!

...wonder how much the Geek Squad would (have) charged for a service like that.


I'm glad the problem seems to have been resolved.

I would run Malwarebytes in safe mode and see what it finds (deep scan - it will take some time, but it's worth it), then run it once per week minimum as a "quick scan" to provide back-up to your primary "protection suite" or whatever it is you're using.

As for the charge, I'm not qualified to be on the GeekSquad, so I'll settle for one case of Troegs Nugget Nectar and one case of Ultra 5w-20.
 
Thanks man!
I did run MWB in "full" scan mode... is that not the same as "deep scan"? It and MS SE did find stuff again, and I also ran ComboFix (it took longer in safe mode; I ran all 3 in safe mode) and rebooted, and all is well again... Both MS SE and MWB requested a reboot also, so I guess they got rid of whatever they found. I didn't see any more entries for the Unruy.d trojan, but some other names in the MS SE and MWB reports ("trojan.cycler" was the name, I believe).
 
Originally Posted By: Cutehumor
tbird, I would seriously start considering surfing using sandboxie.


I somehow got a virus this afternoon on my machine - confirmed via scans at jotti and virus total. The good thing is, it was trapped in sandboxie! Deleted the sandbox, no more virus. Easy as that!
 
These problems are one reason that I have switched to Linux in a dual-boot mode. I spend much of my computer time using Linux now but still have the option of using Windows. I have a few programs that I use on occasion that require Windows.

I have not tried to use them with Wine in Linux and just reboot into Windows when I need them which is only a few times a year.

I have the firewall setup that comes with Linux and have been using some form of Linux now for several years.

No, not perfect. Nothing is. I have considered trying a Mac but the price of their stuff is kind of high in my opinion for what it is worth.
 
Quote:

but the price of their stuff is kind of high in my opinion for what it is worth.


Not if you think your time is worth 0 fixing the above nonsense.

The thread had "I am tired of this stuff!!! " in the title.
 
Originally Posted By: Drew99GT
Originally Posted By: Cutehumor
tbird, I would seriously start considering surfing using sandboxie.


I somehow got a virus this afternoon on my machine - confirmed via scans at jotti and virus total. The good thing is, it was trapped in sandboxie! Deleted the sandbox, no more virus. Easy as that!


Sandboxie has saved me at least twice. I watch a lot of TV shows online. I find them through Google searches, and some of these viruses are attached to the shows. One time, I avoided a virus on wisevid.com with Sandboxie. I'm glad it's free.
In fact, I'm watching the TV show "Early Edition" online right now using Firefox sandboxed.
 
Sandboxie... wouldn't be without it.


With that said, anything that isolates your browser is a winner, as I've used other software similar to Sandboxie with the same results.
 