Recently infected, want to make sure I'm clean

[DoofyScrub]

I recently had an infection, and I just want to make sure that my system is clean. If anyone can help me out I'd appreciate it.

So, I first noticed a problem when SnoopFree Privacy Shield suddenly started getting a ton of keyboard hook alerts from random stuff I've never seen, to a bunch of programs I've never had a problem with (Firefox is one example). Some of the stuff I hadn't seen before was:

fawuruvo.dll
fagometo.dll
fevudufe.dll
verclsid.exe

When I went to run Malwarebytes it couldn't find the .exe; apparently this malware screws it up somehow (or so I've read).

So, I ran SuperAntiSpyware which found and fixed Adware.Vundo (log from that scan is attached), but when I restarted Windows wouldn't load past the login screen. I ended up doing a system restore to the previous day to get it to work properly. After this I could run Malwarebytes, which found a few things (Vundo among them), and cleaned them up. I believe I turned off MWB's log creation quite some time ago, so I don't have a file of that one to share. All new scans are currently showing no infection.

I've also run combofix and attached the log for that as well as attached my Hijackthis log. If someone could take a look and let me know how if there's anything else I need to clean up, I'd greatly appreciate it. Thanks!

 

[JieMan]

You do run an active anti virus right?
If not you can use AVG free or microsoft security essentials free,
as well as spybot search and destroy free ..

 

[DoofyScrub]

I have Spybot, and run Avast! for my antivirus. Had AVG for a long time prior to avast, but it was too much of a resource hog.

 

[kritius]

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
  
  • c:\windows\system32\termsrv.dll
• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

 

[DoofyScrub]

Just posted a reply, but it doesn't seem to have gone through...in the case of a double post, my apologies. Anyway, thanks for the reply, kritius. Here are the results of the scan:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 16:39:39 (MST)
Scanner results: 32% Scanner(s) (12/37) found malware!
File Name : termsrv.dll
File Size : 295424 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 40ffc19a8d4875e9e19cecdc76ef9201
SHA1 : 519f60808f878f9d0f3d29a0349622ef28b68484
Online report : http://virscan.org/report/15d8e7cf1f7cb0faea1e28f9290a0d60.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091107070122 2009-11-07 3.95 Riskware.Win32.Ursnif!IK
AhnLab V3 2009.11.07.00 2009.11.07 2009-11-07 0.96 -
AntiVir 8.2.1.61 7.1.6.203 2009-11-06 0.32 W32/Ursnif
Antiy 2.0.18 20091105.3216324 2009-11-05 0.12 -
Arcavir 2009 200911061352 2009-11-06 0.06 -
Authentium 5.1.1 200911061734 2009-11-06 2.83 -
AVAST! 4.7.4 091106-2 2009-11-06 0.02 -
AVG 8.5.288 270.14.52/2485 2009-11-07 0.33 -
BitDefender 7.81008.4482047 7.28781 2009-11-07 3.88 Application.TSHack.A
CA (VET) 35.1.0 7107 2009-11-05 8.79 -
ClamAV 0.95.2 9996 2009-11-06 0.06 -
Comodo 3.12 2866 2009-11-06 0.71 UnclassifiedMalware
CP Secure 1.3.0.5 2009.11.07 2009-11-07 0.08 W32.Email.W.Scano.gen
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.53 -
F-Prot 4.4.4.56 20091106 2009-11-06 2.66 -
F-Secure 7.02.73807 2009.11.06.11 2009-11-06 0.11 -
Fortinet 2.81-3.120 11.31 2009-11-06 0.17 W32/Patched.E!tr
GData 19.8746/19.542 20091106 2009-11-06 5.39 -
ViRobot 20091106 2009.11.06 2009-11-06 0.41 -
Ikarus T3.1.01.74 2009.11.06.74468 2009-11-06 3.98 VirTool.Win32.Ursnif
JiangMin 11.0.800 2009.11.06 2009-11-06 4.01 -
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.06 -
KingSoft 2009.2.5.15 2009.11.6.22 2009-11-06 0.51 -
McAfee 5.3.00 5794 2009-11-06 3.37 -
Microsoft 1.5202 2009.11.06 2009-11-06 6.10 VirTool:Win32/Ursnif.B
Norman 6.01.09 6.01.00 2009-11-06 4.01 -
Panda 9.05.01 2009.11.06 2009-11-06 1.87 -
Trend Micro 8.700-1004 6.608.05 2009-11-06 0.03 -
Quick Heal 10.00 2009.11.06 2009-11-06 1.27 -
Rising 20.0 21.54.44.00 2009-11-06 0.82 -
Sophos 3.00.1 4.46 2009-11-07 2.93 Troj/TShack-A
Sunbelt 5491 5491 2009-11-05 1.59 -
Symantec 1.3.0.24 20091106.003 2009-11-06 0.05 Trojan Horse
nProtect 20091106.02 6111738 2009-11-06 7.46 Application.TSHack.A
The Hacker 6.5.0.2 v00063 2009-11-06 0.71 -
VBA32 3.12.10.11 20091106.1612 2009-11-06 2.09 Win32.Spy.Ursnif.A
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 2.55 -

 

[kritius]

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  *termsrv.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[DoofyScrub]

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:47 on 07/11/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*termsrv.dll"
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 197632 bytes [06:20 03/02/2006] [19:28 25/06/2002] 344784BB9B02891E813260C192F271DE
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [15:36 02/02/2006] [19:15 10/10/2008] 40FFC19A8D4875E9E19CECDC76EF9201

-=End Of File=-

 

[kritius]

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | C:\WINDOWS\system32\termsrv.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

[DoofyScrub]

Attached the combofix log.

 

[kritius]

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

 

[DoofyScrub]

Malwarebytes continues to find nothing:


Malwarebytes' Anti-Malware 1.41
Database version: 3132
Windows 5.1.2600 Service Pack 2

11/9/2009 5:48:36 AM
mbam-log-2009-11-09 (05-48-36).txt

Scan type: Quick Scan
Objects scanned: 116488
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[kritius]

DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

• Double click on dds to run it.
• When done, DDS.txt will open.
• You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
• When done, Attach.txt will open.
• Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.

 

[DoofyScrub]

Attached the zipped files.

 

[kritius]

Looks ok.

How are things running?

 

[DoofyScrub]

Thanks, kritius. Everything seems to be running fine. Anything else or is that it?

 

[kritius]

Remove Combofix now that we're done with it.

• Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
• Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  
  
• Please follow the prompts to uninstall Combofix.
• You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

• Download OTC to your desktop and run it
• Click Yes to beginning the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

 

[DoofyScrub]

Well, I did this. Restarted, and all loooked well. Then I updated malwarebytes and decided to do a quick scan with it...which apparently was stupid, because now my machine won't start. It found 2 problems, needed to reboot to remove them, and now I can't even get to the login screen.

Safe Mode won't work. Neither will Last Known Good Configuration. I see a quick flash of blue with some text before my computer restarts anytime I try any of the above. Disabling automatic restart shows the evil blue screen message of:

A problem has been detected, blah blah blah. Check for viruses, remove newly installed hard drives, run chkdsk /f to check for hard drive corruption, then restart.

Technical information:
Stop: 0x0000007B (0xBA4C7524,0xC0000034),0x00000000,0X00000000)

 

[kritius]

run chkdsk /f