
Thread: Multiple Baddies detected by Microworld Antivirus and Spyware Toolkit...


  1. #1
    Join Date
    Feb 2008
    Posts
    18

    Multiple Baddies detected by Microworld Antivirus and Spyware Toolkit...

    Alright, I just "recovered" (or so I thought...) from the vundo virus (just a few threads down, at the moment of this first post in this thread)...

    I thought I was clean, and many of the scanners I used reported as such.
    But then, as I have been taking extra extra extra precautions - just to make absolutely positively sure - I used Microworld Antivirus and Spyware Toolkit (suggested by you guys).... And it found 17 pretty bad-looking things.
    Actually, it found 100+ problems, but other than those 17, they were just references to invalid objects...for example:
    Entry "HKCR\DirectAnimation.Sequence" refers to invalid object "{4F241DB1-EE9F-11D0-9824-006097C99E51}". Action Taken: No Action Taken.

    The baddies that this program found are enclosed in the attached log (altered, only to show the 17 bad files, as the full log exceeds the allowed length to attach).

    What can I do now???
    I will include any and all logs you request, as well as execute any and all procedures you instruct me to do.


    Thanks for the help!
    Attached Files

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You gave us incomplete information concerning items found in the scan....what was the location of these items? The scan log DOES show the location and we need to see those.

    Delete the previous copy of combofix from your computer.
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

  3. #3
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    Please post up a new HJT log also.
    "Best to keep your mouth shut and be thought a fool than to open your mouth and remove all doubt."

    "Honesty is the First Chapter in the Book of Wisdom" - Thomas Jefferson

    Desktop:
    AMD Phenom II x6 1100T @ 3.3Ghz
    MSi 890FXA-GD70
    16GB G.Skill DDR3-1600
    Asus HD6950 2GB GDDR5 PCI-Ex16
    4x 1.5TB WD SATA w/64MB cache in RAID10
    2x Asus 22x DVD/CD +/-RW DL SATA
    Rosewill Xtreme Series 950W PSU
    2x 23" 5ms Asus Widescreen LCD
    Laptop:
    15" Aluminum MacBook Pro
    Intel Core 2 Duo 2.53Ghz
    4GB DDR3 @ 1067MHz
    320GB SATA 7200RPM HDD

    **View My Forum**

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    In addition to the above, please try the following:

    Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

    • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
    • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt


    Post back with the MBA-M Scanlog and we'll see what it has to tell us.

    -- I am a bit overextended at this time and may not be able to respond in a timely manner.

    PP

  5. #5
    Join Date
    Feb 2008
    Posts
    18
    Ok, a few things.

    1 - HJT log is attached.
    2 - Combo Fix log is attached.

    3 - Micro World's log is 847kb...far too large to attach, as this forum limits the size of attachments to 97.7kb. What I posted was the most pertinent information I could find. FYI, I have the FREE version... so maybe that's why it doesn't show the filepath. Otherwise, please tell me where in that huuuuge textfile I should look specifically for those destinations...

    4. I'm currently running malware bytes... I'll give an update when done.
    Attached Files

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by rleau21:
    Ok, a few things.

    3 - Micro World's log is 847kb...far too large to attach, as this forum limits the size of attachments to 97.7kb. What I posted was the most pertinent information I could find. FYI, I have the FREE version... so maybe that's why it doesn't show the filepath. Otherwise, please tell me where in that huuuuge textfile I should look specifically for those destinations...

    4. I'm currently running malware bytes... I'll give an update when done.
    You should be able to get filepath. I run Free version and it DOES show the file path. Just highlight the pertinent files, copy/paste.

  7. #7
    Join Date
    Feb 2008
    Posts
    18
    Here's the log for Malware Bytes (which seems like a pretty powerful tool for such a non-flashy-looking free device).

    Since it seems like malwarebytes removed some stuff, I'm now going to restart, then re-run 'mwav', try and zip it, and get it onboard here, nice and updated.

    In fact all 4...
    HJT
    Mwav
    malwarebytes
    combofix

    I appreciate all your assistance and patience.
    Attached Files

  8. #8
    Join Date
    Feb 2008
    Posts
    18
    Ok, it took a while, but here are the 4 new logs, after they all ran once, and then I restarted.

    Hope you can make something of it...

    ***

    THANKS!!! You guys rock, as usual!
    Attached Files

  9. #9
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by rleau21:
    Here's the log for Malware Bytes (which seems like a pretty powerful tool for such a non-flashy-looking free device).
    It is a very nice tool in the fight against the baddies.

    Nothing particularly evil in it - Just the rogue app and some registry remnants.

    The ComboFix (not the latest one you just posted - haven't looked at that yet) log shows some malware as well as a few items I do not recognize. They are new additions:

    2008-03-04 19:31 . 2008-03-04 19:31 0 --a------ C:\23990098.$$$
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\zts2.exe
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\rundll16.exe
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\rundl132.dll
    2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\WINDOWS\logo1_.exe
    2008-03-04 14:23 . 2004-08-04 07:00 146,432 --a------ C:\WINDOWS\R.COM
    2008-03-04 14:23 . 2008-03-04 19:47 50 --a------ C:\WINDOWS\Lic.xxx
    2008-03-03 00:48 . 2004-08-04 07:00 388,608 --a------ C:\CF28307.exe

    You may need to submit them at Jotti or VirusTotal for analysis - I'd bet they are all malware and need to be deleted.....

    PP
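The ComboFix entries quoted in the post above are the kind of listing a responder triages by hand before deciding what to hash and submit. As an added example (not code from the thread, from ComboFix or from any of the tools named here), the Python below parses lines of that shape and applies a few heuristics: a directory named like an executable, an executable or odd extension dropped directly in C:\ or C:\WINDOWS, a burst of creations in the same minute, a modification time older than the creation time, and a file name that imitates a system binary with digit-for-letter substitution (rundl132 for rundll32). The line format, the sample input (the ten entries above plus one constructed benign control line), the list of imitated binaries, the extension sets and the burst threshold are all assumptions of the example; a flag means "hash it and look it up", not a verdict on the file.

```python
"""Triage a ComboFix-style "new files" listing.

Added example (not ComboFix's code). Assumed line shape, modelled on the
entries quoted in the thread:
    <created> . <modified> <size or <DIR>> <attributes> <path>
Flags mean "hash this and look it up", not "this is malware".
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the entries quoted in the thread plus one benign-looking control line.
SAMPLE_LOG = """\
2008-03-04 19:31 . 2008-03-04 19:31 0 --a------ C:\\23990098.$$$
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\zts2.exe
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\system32\\vcmgcd32.dll
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\system32\\iifgfgf.dll
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\rundll16.exe
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\rundl132.dll
2008-03-04 19:26 . 2008-03-04 19:26 <DIR> d-a------ C:\\WINDOWS\\logo1_.exe
2008-03-04 14:23 . 2004-08-04 07:00 146,432 --a------ C:\\WINDOWS\\R.COM
2008-03-04 14:23 . 2008-03-04 19:47 50 --a------ C:\\WINDOWS\\Lic.xxx
2008-03-03 00:48 . 2004-08-04 07:00 388,608 --a------ C:\\CF28307.exe
2008-03-02 09:15 . 2008-03-02 09:15 4,096 --a------ C:\\Documents and Settings\\user\\My Documents\\notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)

EXEC_EXT = {".exe", ".dll", ".com", ".sys", ".scr", ".pif"}
EXPECTED_EXT = EXEC_EXT | {".ini", ".log", ".txt", ".dat", ".bmp"}
ROOT_DIRS = {"c:", "c:\\windows"}
# Legitimate binaries that droppers like to imitate (assumed list for this example).
KNOWN_BINARIES = {"rundll32", "svchost", "lsass", "csrss", "winlogon", "explorer", "services"}
BURST_THRESHOLD = 3  # this many creations in one minute count as a drop burst


@dataclass
class Entry:
    created: str
    modified: str
    size: str
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        stem, dot, ext = self.name.rpartition(".")
        return "." + ext if dot else ""


def parse(log_text: str) -> List[Entry]:
    """Keep only lines that match the assumed listing shape; ignore the rest."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [Entry(**m.groupdict()) for m in matches if m]


def lookalike_of(name: str) -> str:
    """Return the system binary this file name imitates, or '' if none.
    Digits that read as letters (1 -> l, 0 -> o) are folded before comparing,
    so 'rundl132' is caught as an imitation of 'rundll32'."""
    stem = name.rsplit(".", 1)[0]
    folded = stem.replace("1", "l").replace("0", "o")
    return folded if folded in KNOWN_BINARIES and stem != folded else ""


def triage(log_text: str) -> List[Entry]:
    """Attach heuristic flags to every parsed entry (possibly none)."""
    entries = parse(log_text)
    per_minute = Counter(e.created for e in entries)
    for e in entries:
        if e.size == "<DIR>" and e.ext in EXEC_EXT:
            e.flags.append("dir_named_like_executable")
        if e.ext in EXEC_EXT and e.parent in ROOT_DIRS:
            e.flags.append("executable_in_root_dir")
        if e.ext not in EXPECTED_EXT and e.parent in ROOT_DIRS:
            e.flags.append("odd_extension")
        if e.modified < e.created:  # ISO timestamps compare correctly as strings
            e.flags.append("mtime_older_than_ctime")
        if per_minute[e.created] >= BURST_THRESHOLD:
            e.flags.append("created_in_burst")
        known = lookalike_of(e.name)
        if known:
            e.flags.append("lookalike_of_" + known)
    return entries


def report(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its flags; unflagged entries are left out."""
    return {e.path: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for path, flags in report(SAMPLE_LOG).items():
        print(f"{path:55s} {', '.join(flags)}")
```

Run it against the full ComboFix.txt rather than the excerpt and the burst and lookalike checks do most of the work: the six entries stamped 19:26 come out as one drop, and rundl132.dll is the only name that folds to a known binary. The control line under Documents and Settings gets no flag, which is the point of carrying one along.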

  10. #10
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    For the log, can you zip that to a .rar or .zip file? You can use 7zip to do both, or use Winzip to put it in a zip file. If you use the best compression you should be able to upload it. If you can't, please let us know.
