
Vundo is here (I think)


  • This topic is locked
12 replies to this topic

#1 alamb200

alamb200

    Authentic Member

  • 29 posts

Posted 17 October 2007 - 02:32 AM

Hi,
I have been given my boss's home computer to look at and have found it to be, shall we say, not too healthy; so far I have found evidence of Vundo and Trojan.bho on it.
I am unable to get rid of these permanently, so please can you help?
My HijackThis log is below.

Thanks
alamb200

Logfile of HijackThis v1.99.1
Scan saved at 09:27:35, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: 192.9.200.14 dcmail1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {b63b9b4e-1838-4c96-9498-04936da5be0a} - C:\WINDOWS\system32\cmdhci.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://dcras1.reflex...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://dcras1.reflex...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://dcras1.reflex...stall/setup.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://dcras1.reflex.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192437781593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1192438137828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = reflexdata.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = reflexdata.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = reflexdata.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cmdhci - cmdhci.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
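A small triage script for HijackThis logs like the one above, added here as an example and not part of this thread or of HijackThis itself. It parses the O-lines of a saved log (never the live system), flags the patterns this log happens to show (an entry whose file is missing, a BHO with no name, a Winlogon Notify hook, a service with an unknown owner, a hosts-file override) and reports when one module name turns up in more than one flagged section, which is exactly how cmdhci.dll appears above. The sample lines are copied from the log above; the heuristics and the Finding, classify, triage, summarize and shared_modules names are my own, and a flag means "look closer", not "malicious" (the O1 hosts entry, for instance, is most likely a corporate mail host).

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of this thread and not HijackThis code. It reads a
saved log (never the live system), flags a few conservative patterns, and
cross-references module names across flagged sections. A flag means
"look closer", not "malicious".
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 192.9.200.14 dcmail1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {b63b9b4e-1838-4c96-9498-04936da5be0a} - C:\WINDOWS\system32\cmdhci.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: cmdhci - cmdhci.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O2 - BHO: ...", "R0 - HKCU\...", etc.: section code, dash, body.
LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# Last executable/library name mentioned on the line. Backslashes are not in
# the character class, so only the final path component can match.
MODULE_RE = re.compile(r"[\w~\-.]+\.(?:dll|exe|ocx|sys)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2" or "O20"
    line: str      # the original log line
    reasons: list  # why it was flagged


def classify(line):
    """Return (section, reasons) for one log line; section is None for non-log text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, []
    section, body = m.group(1), m.group(2)
    reasons = []
    if section == "O1":
        reasons.append("hosts-file override")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if section == "O20":
        # Winlogon Notify DLLs load into winlogon.exe at logon; rarely
        # legitimate outside well-known vendor packages.
        reasons.append("Winlogon Notify hook")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner")
    if "(file missing)" in body:
        # Orphaned entry: leftover from a removal, or a file the scanner
        # cannot see. Either way it should not stay registered.
        reasons.append("referenced file missing")
    return section, reasons


def triage(log_text):
    """Flag every log line that has at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        section, reasons = classify(raw)
        if section and reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired."""
    counts = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


def module_name(line):
    hits = MODULE_RE.findall(line)
    return hits[-1].lower() if hits else None


def shared_modules(findings):
    """Module names present in more than one flagged section (the same DLL
    registered as both a BHO and a Winlogon Notify handler, for example)."""
    seen = {}
    for f in findings:
        name = module_name(f.line)
        if name:
            seen.setdefault(name, set()).add(f.section)
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {', '.join(f.reasons)}\n     {f.line}")
    print("summary:", summarize(found))
    print("shared modules:", shared_modules(found))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the cross-reference in `shared_modules` is the part worth keeping, since a single DLL name recurring across a BHO entry and a Winlogon Notify entry is a much stronger signal than either line alone.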



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 October 2007 - 05:46 PM

Hello and welcome to the forums

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser:
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click while it's running. That may cause it to stall.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days



#3 alamb200

alamb200

    Authentic Member

  • 29 posts

Posted 19 October 2007 - 04:19 AM

Hi,

Thanks for your response. I have run the applications and the logs are below.

Thanks again for your help

alamb200

ComboFix

ComboFix 07-10-19.1 - Family.Robinson 2007-10-19 10:15:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.115 [GMT 1:00]
Running from: C:\Documents and Settings\family.robinson\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\UPJA4LB7\iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\UPJA4LB7\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Administrator\err.log
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\family.robinson\Application Data\DriveCleaner Free
C:\Documents and Settings\family.robinson\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\family.robinson\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\family.robinson\Application Data\macromedia\Flash Player\#SharedObjects\EU3UB66B\www.broadcaster.com
C:\Documents and Settings\family.robinson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\family.robinson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\family.robinson\err.log
C:\Documents and Settings\family.robinson\ResErrors.log
C:\Documents and Settings\Tim\Application Data\DriveCleaner Free
C:\Documents and Settings\Tim\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Tim\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\#SharedObjects\R2J6YKW5\iforex.com
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\#SharedObjects\R2J6YKW5\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\#SharedObjects\R2J6YKW5\www.broadcaster.com
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Tim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Tim\Desktop\DriveCleaner Free.lnk
C:\Documents and Settings\Tim\err.log
C:\Documents and Settings\Tim\ResErrors.log
C:\WINDOWS\bdfeeg.ini
C:\WINDOWS\cookies.ini
C:\WINDOWS\feefii.ini
C:\WINDOWS\fehknn.ini
C:\WINDOWS\geefdb.dll
C:\WINDOWS\iifeef.dll
C:\WINDOWS\iijmnn.ini
C:\WINDOWS\jllmlm.ini
C:\WINDOWS\mlmllj.dll
C:\WINDOWS\mmmoqr.ini
C:\WINDOWS\nnkhef.dll
C:\WINDOWS\nnmjii.dll
C:\WINDOWS\ooonoq.ini
C:\WINDOWS\oorrru.ini
C:\WINDOWS\qonooo.dll
C:\WINDOWS\qprtvw.ini
C:\WINDOWS\qrutut.ini
C:\WINDOWS\rqommm.dll
C:\WINDOWS\system32\clcl16.exe
C:\WINDOWS\system32\tmp62E.tmp.dll
C:\WINDOWS\system32\tmp639.tmp.dll
C:\WINDOWS\system32\tmp639.tmp.dll
C:\WINDOWS\system32\tmp645.tmp.dll
C:\WINDOWS\system32\tmp645.tmp.dll
C:\WINDOWS\tuturq.dll
C:\WINDOWS\urrroo.dll
C:\WINDOWS\wvtrpq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-19 10:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 16:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-16 14:33 <DIR> d-------- C:\VundoFix Backups
2007-10-16 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-16 09:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-16 08:57 <DIR> d-------- C:\Documents and Settings\family.robinson\Application Data\AVG7
2007-10-15 16:22 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-15 14:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-15 14:24 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-15 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-15 11:57 85,064 --a------ C:\WINDOWS\ljgdbb.dll
2007-10-15 11:31 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-15 11:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-15 11:31 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-15 11:31 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-15 11:31 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-15 11:31 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-15 11:31 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-15 11:31 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-15 11:29 <DIR> d-------- C:\WINDOWS\pss
2007-10-15 11:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:45 <DIR> d-------- C:\Program Files\MSBuild
2007-10-15 10:40 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-15 10:39 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-15 10:38 <DIR> d-------- C:\aad98f9f2d7361d980bb6c
2007-10-15 10:38 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-15 10:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-15 10:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-15 10:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-15 10:30 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-15 10:30 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-15 10:30 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-15 10:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-15 10:14 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-15 10:06 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-10-15 10:06 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-10-15 10:06 36,352 --------- C:\WINDOWS\system32\tsgqec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 16:37 --------- d-----w C:\Program Files\SMART Board Software
2007-10-16 16:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-16 16:29 --------- d-----w C:\Program Files\iTunes
2007-10-15 13:46 --------- d-----w C:\Program Files\iPod
2007-10-15 13:38 --------- d-----w C:\Program Files\QuickTime
2007-10-15 13:13 --------- d-----w C:\Program Files\Apple Software Update
2007-10-15 09:35 --------- d-----w C:\Program Files\Windows Media Connect
2007-10-15 08:45 --------- d-----w C:\Program Files\Google
2007-09-04 08:37 --------- d-----w C:\Documents and Settings\Tim\Application Data\Apple Computer
2007-05-30 11:24 21,680 ----a-w C:\Documents and Settings\family.robinson\Application Data\GDIPFONTCACHEV1.DAT
2007-03-09 16:41 21,680 ----a-w C:\Documents and Settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2005-12-02 17:49 20,328 ----a-w C:\Documents and Settings\Oliver\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 143,360 2003-05-05 07:57:30 C:\Program Files\Analog Devices\SoundMAX\bak\SMTray.exe

----a-w 180,269 2006-08-01 13:47:33 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 256,576 2006-10-30 09:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-26 13:42:04 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 75,520 2006-12-15 03:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

----a-w 282,624 2006-10-25 18:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-29 05:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 106,496 2002-07-12 10:15:12 C:\WINDOWS\bak\SiSUSBrg.exe

----a-w 241,664 2004-02-27 02:06:48 C:\WINDOWS\system32\bak\keyhook.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b63b9b4e-1838-4c96-9498-04936da5be0a}]
C:\WINDOWS\system32\cmdhci.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 08:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-15 11:57]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-08-13 14:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SMART Board Tools.lnk - C:\Program Files\SMART Board Software\SMARTBoardTools.exe [2005-05-26 16:41:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-11 13:40:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmdhci]
cmdhci.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-1661\Scripts\Logon\0\0]
"Script"=Network drives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-1661\Scripts\Logon\0\1]
"Script"=Policy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-500\Scripts\Logon\0\0]
"Script"=Network drives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-500\Scripts\Logon\0\1]
"Script"=Policy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl16]
C:\WINDOWS\system32\clcl16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d4452e07]
rundll32.exe "C:\WINDOWS\ljgdbb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]
"C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnse]
"C:\Program Files\Common Files\DriveCleaner Free\dnse.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Free]
"C:\Program Files\DriveCleaner Free\UDC.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
C:\WINDOWS\System32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore]
"C:\DOCUME~1\FAMILY~1.ROB\LOCALS~1\Temp\tmp26E.tmp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6cw]
"C:\Program Files\DriveCleaner Free\UDC6cw.exe" -c

R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 10:24:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 10:29:43 - machine was rebooted
.
--- E O F ---

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:46, on 2007-10-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {b63b9b4e-1838-4c96-9498-04936da5be0a} - C:\WINDOWS\system32\cmdhci.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://dcras1.reflex...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://dcras1.reflex...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://dcras1.reflex...stall/setup.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://dcras1.reflex.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192437781593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1192438137828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = reflexdata.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = reflexdata.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = reflexdata.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cmdhci - cmdhci.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 October 2007 - 02:35 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\cmdhci.dll
C:\WINDOWS\ljgdbb.dll
C:\WINDOWS\system32\bak\keyhook.exe

Folder::
C:\VundoFix Backups
C:\aad98f9f2d7361d980bb6c

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b63b9b4e-1838-4c96-9498-04936da5be0a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmdhci]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl16]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d4452e07]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnse]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6cw]


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 October 2007 - 07:22 PM

You still need help?



#6 alamb200

alamb200

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 22 October 2007 - 04:44 AM

Hi,
Yes, I still need help please. The computer is at my office and I am not, unfortunately. I have run the test and the results are below:
Thanks again
alamb200

ComboFix 07-10-19.1 - family.robinson 2007-10-22 9:32:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.168 [GMT 1:00]
Running from: C:\Documents and Settings\family.robinson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\family.robinson\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\ljgdbb.dll
C:\WINDOWS\system32\bak\keyhook.exe
C:\WINDOWS\system32\cmdhci.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aad98f9f2d7361d980bb6c
C:\aad98f9f2d7361d980bb6c\C:\DOCUME~1\FAMILY~1.ROB\LOCALS~1\Tempdd_msxml_retMSI.txt
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\tmp638.tmp.dll.bad
C:\WINDOWS\ljgdbb.dll
C:\WINDOWS\system32\bak\keyhook.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-16 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-16 08:57 <DIR> d-------- C:\Documents and Settings\family.robinson\Application Data\AVG7
2007-10-15 14:24 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-15 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-15 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-15 11:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:45 <DIR> d-------- C:\Program Files\MSBuild
2007-10-15 10:39 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-15 10:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 16:37 --------- d-----w C:\Program Files\SMART Board Software
2007-10-16 16:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-16 16:29 --------- d-----w C:\Program Files\iTunes
2007-10-15 13:46 --------- d-----w C:\Program Files\iPod
2007-10-15 13:38 --------- d-----w C:\Program Files\QuickTime
2007-10-15 13:13 --------- d-----w C:\Program Files\Apple Software Update
2007-10-15 09:35 --------- d-----w C:\Program Files\Windows Media Connect
2007-10-15 08:45 --------- d-----w C:\Program Files\Google
2007-09-04 08:37 --------- d-----w C:\Documents and Settings\Tim\Application Data\Apple Computer
2007-05-30 11:24 21,680 ----a-w C:\Documents and Settings\family.robinson\Application Data\GDIPFONTCACHEV1.DAT
2007-03-09 16:41 21,680 ----a-w C:\Documents and Settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2005-12-02 17:49 20,328 ----a-w C:\Documents and Settings\Oliver\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 143,360 2003-05-05 07:57:30 C:\Program Files\Analog Devices\SoundMAX\bak\SMTray.exe

----a-w 180,269 2006-08-01 13:47:33 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 256,576 2006-10-30 09:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-26 13:42:04 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 75,520 2006-12-15 03:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

----a-w 282,624 2006-10-25 18:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-29 05:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 241,664 2004-02-27 02:06:48 C:\qoobox\Quarantine\C\WINDOWS\system32\bak\keyhook.exe.vir

----a-w 106,496 2002-07-12 10:15:12 C:\WINDOWS\bak\SiSUSBrg.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 08:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-15 11:57]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-08-13 14:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SMART Board Tools.lnk - C:\Program Files\SMART Board Software\SMARTBoardTools.exe [2005-05-26 16:41:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-11 13:40:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-1661\Scripts\Logon\0\0]
"Script"=Network drives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-1661\Scripts\Logon\0\1]
"Script"=Policy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-500\Scripts\Logon\0\0]
"Script"=Network drives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-839522115-1960408961-1417001333-500\Scripts\Logon\0\1]
"Script"=Policy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Free]
"C:\Program Files\DriveCleaner Free\UDC.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 10:56:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 11:02:09 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 10:29
.
--- E O F ---

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 October 2007 - 10:57 AM

Please download FindAWF:
http://noahdfear.gee...com/FindAWF.exe

Save the file to the Desktop
Double-click: FindAWF.exe

If a Security Alert shows, allow the program to run.

When done, a text file awf.txt is produced.

Please post it in your reply.



#8 alamb200

alamb200

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 26 October 2007 - 07:48 AM

Hi, sorry about the delayed response. I have had a stupid week and have been out of the office most of it; also I did not get the email to tell me you had replied. I have run the application and the result is below.
Thanks
alamb200

Find AWF report by noahdfear 2006
Version 1.40
The current date is: 2007-10-26
The current time is: 14:37:16.05

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK
2002-07-12 11:15 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\ITUNES\BAK
2006-10-30 10:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
2006-10-25 19:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK
2003-05-05 08:57 143,360 SMTray.exe
1 File(s) 143,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
2006-08-01 14:47 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK
2006-12-15 04:23 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\SYSTEM32\BAK
2004-02-27 03:06 241,664 keyhook.exe.vir
1 File(s) 241,664 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

106496 12 Jul 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
267064 26 Sep 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 30 Oct 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 15 Oct 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 15 Oct 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
286720 29 Jun 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 25 Oct 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
143360 5 May 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\SMTray.exe"
180269 1 Aug 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 13 Feb 2006 "C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe"
36975 13 Apr 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
75520 15 Dec 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
241664 27 Feb 2004 "C:\qoobox\Quarantine\C\WINDOWS\system32\bak\keyhook.exe.vir"

end of report

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 October 2007 - 03:11 PM

Run FindAWF, choose option 4 and use this to copy/paste in the fix:

"C:\WINDOWS\bak\SiSUSBrg.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\SMTray.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"



Then run FindAWF again and select option 1 to check if we got it.


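The two checks behind the Find AWF report in post #8 (first list every "bak" folder and its contents, then list same-named files elsewhere on the disk) and the reason post #9 hands those bak paths to the fix, as an added example that is not noahdfear's FindAWF and not code posted in this thread. It walks a constructed directory tree in Python; the function names, the sample tree and the file sizes are assumptions for illustration, not the thread's real binaries.

```python
import os
import tempfile

def find_bak_dirs(root):
    """Yield every directory named 'bak' (case-insensitive, as on NTFS) under root."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                yield os.path.join(dirpath, d)

def index_files_by_name(root):
    """Map lower-cased file name -> [(path, size), ...] over the whole tree."""
    index = {}
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = os.path.join(dirpath, f)
            index.setdefault(f.lower(), []).append((p, os.path.getsize(p)))
    return index

def scan_awf(root):
    """Return {bak file: (size, [(path, size) of same-named files outside that bak dir])}.
    The keys are the report's 'bak folders found' section; the lists are its
    'Duplicate files of bak directory contents' section. (Assumed logic, not FindAWF's.)"""
    index = index_files_by_name(root)
    findings = {}
    for bak in find_bak_dirs(root):
        for f in sorted(os.listdir(bak)):
            p = os.path.join(bak, f)
            if os.path.isfile(p):
                dups = [(q, s) for q, s in index[f.lower()] if os.path.dirname(q) != bak]
                findings[p] = (os.path.getsize(p), dups)
    return findings

def parent_mismatch(bak_file, size, dups):
    """True/False if a same-named file sits beside the bak folder and differs/matches
    in size; None if there is none. A different-sized file under the original's name
    is the AWF pattern: the original was moved into bak and something else now runs
    in its place, which is why the bak copies are what the fix is pointed at."""
    parent = os.path.dirname(os.path.dirname(bak_file))
    for path, dup_size in dups:
        if os.path.dirname(path) == parent:
            return dup_size != size
    return None

def summarize(root):
    """{bak file relative to root, '/'-separated: (parent_mismatch, duplicate count)}"""
    out = {}
    for p, (size, dups) in scan_awf(root).items():
        rel = os.path.relpath(p, root).replace(os.sep, "/")
        out[rel] = (parent_mismatch(p, size, dups), len(dups))
    return out

def build_sample_tree():
    """Constructed tree mirroring the thread's layout; sizes are arbitrary, not real."""
    root = tempfile.mkdtemp(prefix="awf_")
    sample = {
        "Program Files/QuickTime/QTTask.exe": 300,  # file now in place
        "Program Files/QuickTime/bak/qttask.exe": 280,  # moved-aside original
        "WINDOWS/bak/SiSUSBrg.exe": 100,  # nothing left beside this bak
        "Program Files/Java/jre1.5.0_11/bin/bak/jusched.exe": 75,
        "Program Files/Java/jre1.5.0_03/bin/jusched.exe": 36,  # older JRE, benign dup
    }
    for rel, size in sample.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"\0" * size)
    return root
```

Only the QuickTime entry in the sample tree shows the replaced-in-parent pattern; the jusched.exe duplicate in the older JRE directory is the kind of benign same-name hit the report also lists, so a duplicate alone is not a verdict.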

#10 alamb200

alamb200

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 29 October 2007 - 03:35 AM

Hi, it took me a while to work out what you meant with the copy and paste bit, but I got there in the end. The log file is below.
Thanks again
alamb200

Find AWF report by noahdfear 2006
Version 1.40
The current date is: 2007-10-29
The current time is: 9:28:46.57

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK
2002-07-12 10:15 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\ITUNES\BAK
2006-10-30 09:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
2006-10-25 18:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK
2003-05-05 07:57 143,360 SMTray.exe
1 File(s) 143,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
2006-08-01 13:47 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK
2006-12-15 03:23 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\SYSTEM32\BAK
2004-02-27 02:06 241,664 keyhook.exe.vir
1 File(s) 241,664 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

106496 12 Jul 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
267064 26 Sep 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 30 Oct 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 15 Oct 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 15 Oct 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
286720 29 Jun 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 25 Oct 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
143360 5 May 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\SMTray.exe"
180269 1 Aug 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 13 Feb 2006 "C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe"
36975 13 Apr 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
75520 15 Dec 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
241664 27 Feb 2004 "C:\qoobox\Quarantine\C\WINDOWS\system32\bak\keyhook.exe.vir"

end of report

#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 October 2007 - 10:31 AM

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click while it's running. That may cause it to stall.



#12 alamb200

alamb200

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 29 October 2007 - 10:38 AM

Hi LDTate, I am away for a week now, so my boss has grabbed his PC back for now. I am going to close the call for now, if that is okay, because he is happy with how it is working. So thank you very much for your help, and I am sorry it has been such a protracted one.
Thanks
alamb200

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 October 2007 - 02:45 PM

You're more than welcome. Glad we were able to help. Peace be with you :wavey:

