[Resolved] Vundo Problem


  • This topic is locked
19 replies to this topic

#1 MartyAus


Posted 06 April 2008 - 09:33 PM

Hi all, I was wondering whether someone could help me. I have a bad infection of spyware on my PC. I have followed the instructions and here is my log. Any help would be greatly appreciated.

Marty, Perth, Australia

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118344
Time elapsed: 22 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yayaASlj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byXOfCVP.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayaaslj (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd15e24c-7355-4857-8cde-a5ba9bd0d9b3} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bd15e24c-7355-4857-8cde-a5ba9bd0d9b3} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Banker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6314b10c (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxofcvp -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yayaASlj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byXOfCVP.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\PVCfOXyb.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\PVCfOXyb.ini2 (Trojan.Vundo) -> No action taken.
C:\vwhfxvxv.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\ddcbyyx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nnnnono.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qomjijk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\urqnnnm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wvUoMdax.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\cs.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\rc.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ps1.dat (Malware.Trace) -> No action taken.



#2 Scotty


Posted 07 April 2008 - 06:13 AM

Hi

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • If asked to install HijackThis, click on Yes.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

You too could train to help others- Join the Classroom


#3 MartyAus


Posted 07 April 2008 - 07:32 AM

:smack: Many thanks for your reply, Scotty :thumbup:
:pullhair: I have been pulling my hair out.
Like an idiot I didn't wait. I found a program, VundoFix?
Ran that twice. I have rebooted a couple of times and tried Firefox; the ads aren't coming at the moment.
However, I notice in the AVG virus vault I have all this:

T Virus name Path Date of detection Filename File size
Trojan horse BHO.DLW C:\WINDOWS\system32\ysdqcmua.dll 7/04/2008 10:25:22 AM ysdqcmua.dll 85 KB
Virus found Vundo C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WBKSD9UJ\c_uz[1] 4/04/2008 10:59:09 AM c_uz[1] 31.5 KB
Trojan horse Downloader.Generic7.CHN C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP336\A0050437.exe 7/04/2008 4:00:35 PM A0050437.exe 36.5 KB
Trojan horse BHO.DLW C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3F21IAN9\iddqd[1] 7/04/2008 10:52:36 AM iddqd[1] 85 KB
Trojan horse BHO.DLW C:\DOCUME~1\Owner\LOCALS~1\Temp\hjcqdqgv.dll 7/04/2008 10:52:42 AM hjcqdqgv.dll 85 KB
Trojan horse BHO.DKD C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D3CPDSID\c_uz[1] 7/04/2008 10:55:48 AM c_uz[1] 31.5 KB
Virus found Lop C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WBKSD9UJ\hctp[1] 7/04/2008 10:58:36 AM hctp[1] 83 KB
Virus found Lop C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3F21IAN9\hctp[1] 5/04/2008 9:36:31 AM hctp[1] 84.5 KB
Virus found Lop C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PXVUDMV5\ptch[1] 5/04/2008 9:36:32 AM ptch[1] 87 KB
Trojan horse Downloader.Generic7.BKO C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051500.exe 7/04/2008 11:19:47 AM A0051500.exe 5 KB
Trojan horse Downloader.Generic7.CHN C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP339\A0051800.exe 7/04/2008 11:19:50 AM A0051800.exe 36.5 KB
Trojan horse Downloader.Generic7.CHN C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP339\A0051801.exe 7/04/2008 11:19:54 AM A0051801.exe 36.5 KB
Trojan horse PSW.Banker4.XPC C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP339\A0051802.dll 7/04/2008 11:20:00 AM A0051802.dll 50.5 KB
Trojan horse PSW.Banker4.XPC C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP339\A0051803.dll 7/04/2008 11:20:03 AM A0051803.dll 50.5 KB
Trojan horse BHO.DLI C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP343\A0052041.dll 7/04/2008 11:20:06 AM A0052041.dll 86 KB
Trojan horse BHO.DLW C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP347\A0054338.dll 7/04/2008 11:20:09 AM A0054338.dll 85 KB
Virus found JS/Psyme C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3F21IAN9\CARZEM1V.htm 6/04/2008 5:32:53 PM CARZEM1V.htm 30.83 KB
Virus found JS/Psyme C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YC168454\index[1].htm 6/04/2008 5:33:05 PM index[1].htm 43 KB
Virus found JS/Psyme C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QK4Q4XCO\CAMCJUTV.htm 7/04/2008 12:02:23 PM CAMCJUTV.htm 2 KB
Virus found JS/Psyme C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQSWYQVW\index[2].htm 7/04/2008 12:02:33 PM index[2].htm 14.3 KB
Trojan horse BHO.DKD C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QK4Q4XCO\c_uz[1] 6/04/2008 8:30:40 AM c_uz[1] 31.5 KB
Virus found Lop C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WBKSD9UJ\hctp[1] 6/04/2008 8:30:40 AM hctp[1] 81.5 KB

My question on this: how do you permanently delete this? If I delete them they seem to re-occur and the ads come back.

Here are the two files you asked for; you can abuse me now for rushing ahead. :wacko:

I got a bit flustered with all this and panicked.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-07 21:11:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
100: 2008-04-07 13:11:53 UTC - RP350 - Deckard's System Scanner Restore Point
99: 2008-04-07 05:35:04 UTC - RP349 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
98: 2008-04-07 05:15:24 UTC - RP348 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
97: 2008-04-05 22:16:39 UTC - RP347 - System Checkpoint
96: 2008-04-04 22:02:57 UTC - RP346 - System Checkpoint


-- First Restore Point --
1: 2008-03-30 03:26:35 UTC - RP251 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:36 PM, on 7/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\yayaASlj.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {185552D6-25CA-42DD-BC78-BD6C03AD33CF} - C:\WINDOWS\system32\awtrPgDT.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {64E9656A-DAF2-4524-BCA6-A8258A4DC10C} - C:\WINDOWS\system32\qoMDtqpp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A900664E-9AA5-488F-AE9A-BA59834EB65C} - C:\WINDOWS\system32\yayvVNhG.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B496564D-A43B-43C1-9959-06950911B3C9} - C:\WINDOWS\system32\opnkiJcD.dll (file missing)
O2 - BHO: (no name) - {D61F88AE-E5C2-43F6-964B-6E43631F2CF0} - C:\WINDOWS\system32\byXOfCVP.dll
O2 - BHO: (no name) - {EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877} - C:\WINDOWS\system32\rqRKEvVL.dll (file missing)
O2 - BHO: (no name) - {F11EB52C-9683-4DBC-B393-8C468748C74D} - C:\WINDOWS\system32\qoMdETNd.dll (file missing)
O2 - BHO: Gamburg provider - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - comd32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM6314b10c] Rundll32.exe "C:\WINDOWS\system32\ysdqcmua.dll",s
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10844 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 EpsonBidirectionalService - c:\program files\common files\epson\ebapi\eebsvc.exe
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WPN311 RangeMax™ Wireless PCI Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_5E001385&REV_01\4&1FAF5EA3&0&10F0
Manufacturer: NETGEAR, Inc.
Name: WPN311 RangeMax™ Wireless PCI Adapter
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_5E001385&REV_01\4&1FAF5EA3&0&10F0
Service: AR5211


-- Scheduled Tasks -------------------------------------------------------------

2008-04-07 21:09:58 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-03-31 19:06:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 13:16:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-07 13:15:35 0 d-------- C:\Program Files\Common Files\iS3
2008-04-07 13:15:34 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-07 13:02:11 0 d-------- C:\VundoFix Backups
2008-04-07 12:38:35 0 d-------- C:\Program Files\Trend Micro
2008-04-07 11:02:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 11:02:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 11:02:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 10:53:29 87104 --a------ C:\WINDOWS\system32\ttixaueo.dll
2008-04-03 09:35:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-03 09:13:12 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 09:06:22 88128 --a------ C:\WINDOWS\system32\bcnoprki.dll
2008-04-02 09:53:16 0 d-------- C:\Program Files\Windows Defender
2008-04-02 09:27:46 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-31 09:52:08 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-03-31 09:52:08 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-31 09:51:48 0 d-------- C:\Program Files\Common Files\Skype
2008-03-31 09:00:29 88128 --a------ C:\WINDOWS\system32\iycuknqx.dll
2008-03-30 17:13:07 0 dr-h----- C:\$VAULT$.AVG
2008-03-30 16:42:52 226990 --ahs---- C:\WINDOWS\system32\PVCfOXyb.ini2
2008-03-30 16:42:47 267776 --a------ C:\WINDOWS\system32\byXOfCVP.dll
2008-03-30 16:39:49 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-30 16:39:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-30 16:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 16:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 15:29:46 6427 --ahs---- C:\WINDOWS\system32\dNTEdMoq.ini2
2008-03-30 14:17:22 6513 --ahs---- C:\WINDOWS\system32\LVvEKRqr.ini2
2008-03-30 13:45:56 6490 --ahs---- C:\WINDOWS\system32\GhNVvyay.ini2
2008-03-30 12:46:09 6946 --ahs---- C:\WINDOWS\system32\DcJiknpo.ini2
2008-03-30 11:42:41 1 --a------ C:\WINDOWS\system32\rc.dat
2008-03-30 11:42:41 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-03-30 11:42:41 1 --a------ C:\WINDOWS\system32\cs.dat
2008-03-30 11:34:53 6450 --ahs---- C:\WINDOWS\system32\ppqtDMoq.ini2
2008-03-30 11:26:28 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-30 11:26:24 320 --ahs---- C:\WINDOWS\system32\TDgPrtwa.ini2
2008-03-30 11:26:13 346112 --a------ C:\WINDOWS\system32\ddcbyyx.dll
2008-03-30 11:24:58 346112 --a------ C:\WINDOWS\system32\qomjijk.dll
2008-03-30 11:24:53 346112 --a------ C:\WINDOWS\system32\urqnnnm.dll
2008-03-30 11:23:03 39424 --a------ C:\WINDOWS\system32\wvUoMdax.dll
2008-03-30 11:22:51 346112 --a------ C:\WINDOWS\system32\nnnnono.dll
2008-03-30 11:22:45 6144 --a------ C:\vwhfxvxv.exe
2008-03-29 06:37:17 0 d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2008-03-29 06:34:26 18790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-03-29 06:34:10 0 d-------- C:\Program Files\Docudesk
2008-03-19 19:27:52 0 d-------- C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
2008-03-19 10:04:49 0 d-------- C:\fts2008
2008-03-07 08:06:26 0 d-------- C:\WINDOWS\Sun
2008-03-07 08:06:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun


-- Find3M Report ---------------------------------------------------------------

2008-04-07 21:08:31 0 d-------- C:\Program Files\Steam
2008-04-07 14:46:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-04-07 13:15:35 0 d-------- C:\Program Files\Common Files
2008-04-02 08:41:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-03-14 22:21:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-06 12:36:18 0 d-------- C:\Program Files\Java
2008-03-06 12:34:40 0 d-------- C:\Program Files\Common Files\Java
2008-03-06 12:26:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-06 12:26:30 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-06 12:16:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-06 12:16:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-04 20:32:40 0 d-------- C:\Program Files\Windows Live
2008-03-04 20:32:13 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 08:50:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-25 18:34:01 0 d-------- C:\Program Files\iTunes
2008-02-25 18:33:54 0 d-------- C:\Program Files\iPod
2008-02-25 18:32:54 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]
C:\WINDOWS\system32\yayaASlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A900664E-9AA5-488F-AE9A-BA59834EB65C}]
C:\WINDOWS\system32\yayvVNhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B496564D-A43B-43C1-9959-06950911B3C9}]
C:\WINDOWS\system32\opnkiJcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D61F88AE-E5C2-43F6-964B-6E43631F2CF0}]
30/03/2008 04:42 PM 267776 --a------ C:\WINDOWS\system32\byXOfCVP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877}]
C:\WINDOWS\system32\rqRKEvVL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F11EB52C-9683-4DBC-B393-8C468748C74D}]
C:\WINDOWS\system32\qoMdETNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-D71D-41e4-A699-F506DBD097F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/05/2006 06:07 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [10/04/2006 09:19 AM]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [02/06/2006 04:45 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 03:40 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 10:57 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [18/05/2006 11:29 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [23/01/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09 AM]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [25/09/2007 05:32 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [23/01/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 11:35 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [30/03/2008 04:39 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 05:25 PM]
"BM6314b10c"="C:\WINDOWS\system32\ysdqcmua.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 08:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [16/11/2007 10:07 AM]
"Steam"="C:\Program Files\Steam\Steam.exe" [29/03/2008 05:22 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [5/03/2006 4:43:54 AM]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [11/09/2007 6:03:47 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [10/05/2007 9:33:54 AM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [4/12/2006 11:57:38 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}"= C:\WINDOWS\system32\yayaASlj.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOfCVP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"




-- End of Deckard's System Scanner: finished at 2008-04-07 21:14:17 ------------


Scan ID: {9B847944-5A1F-489E-BF5C-14E903506800}

User: CHOPPER\Owner

Name: %CHOPPER271

ID: %CHOPPER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %CHOPPER276

Alert Type: %CHOPPER278

Detection Type: 1.1.1593.02

Event Record #/Type26471 / Warning
Event Submitted/Written: 04/07/2008 09:13:59 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%CHOPPER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %CHOPPER27 can't undo changes that you allow.

For more information please see the following:
%CHOPPER275

Scan ID: {69E2A002-F272-4E20-A454-6ACC0165D2F0}

User: CHOPPER\Owner

Name: %CHOPPER271

ID: %CHOPPER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %CHOPPER276

Alert Type: %CHOPPER278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-04-07 21:14:17 ------------

Do I need to run the Malware again because I changed the details of the report?

Cheers Marty

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 07 April 2008 - 08:01 AM

No we will run MBAM later.

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
5. Disable your anti-virus and any anti-spyware you have running prior to running Combofix.




In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom


#5 MartyAus

MartyAus

    New Member

  • New Member
  • 11 posts

Posted 07 April 2008 - 08:50 AM

Here ya go Scotty, many thanks for your help

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111376
Time elapsed: 22 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6314b10c (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\vwhfxvxv.exe (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcbyyx.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnono.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\qomjijk.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqnnnm.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUoMdax.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP348\A0054443.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054614.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054616.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054617.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054619.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054620.dll (Trojan.Vundo) -> No action taken.


ComboFix 08-04-06.1 - Owner 2008-04-07 22:10:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1431 [GMT 8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6314b10c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcnoprki.dll
C:\WINDOWS\system32\byXOfCVP.dll
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\DcJiknpo.ini
C:\WINDOWS\system32\DcJiknpo.ini2
C:\WINDOWS\system32\ddcbyyx.dll
C:\WINDOWS\system32\dNTEdMoq.ini
C:\WINDOWS\system32\dNTEdMoq.ini2
C:\WINDOWS\system32\duis.txt
C:\WINDOWS\system32\GhNVvyay.ini
C:\WINDOWS\system32\GhNVvyay.ini2
C:\WINDOWS\system32\iycuknqx.dll
C:\WINDOWS\system32\LVvEKRqr.ini
C:\WINDOWS\system32\LVvEKRqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnnono.dll
C:\WINDOWS\system32\ppqtDMoq.ini
C:\WINDOWS\system32\ppqtDMoq.ini2
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\PVCfOXyb.ini
C:\WINDOWS\system32\PVCfOXyb.ini2
C:\WINDOWS\system32\qomjijk.dll
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\TDgPrtwa.ini
C:\WINDOWS\system32\TDgPrtwa.ini2
C:\WINDOWS\system32\ttixaueo.dll
C:\WINDOWS\system32\urqnnnm.dll
C:\WINDOWS\system32\wvUoMdax.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SZKG5


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 21:11 . 2008-04-07 21:11 <DIR> d-------- C:\Deckard
2008-04-07 13:16 . 2008-04-07 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-07 13:15 . 2008-04-07 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-07 13:02 . 2008-04-07 16:09 <DIR> d-------- C:\VundoFix Backups
2008-04-07 12:38 . 2008-04-07 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 09:35 . 2008-04-03 09:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-03 09:35 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-03 09:29 . 2008-04-07 18:20 268 --ah----- C:\sqmdata19.sqm
2008-04-03 09:29 . 2008-04-07 18:20 244 --ah----- C:\sqmnoopt19.sqm
2008-04-03 09:13 . 2008-04-03 09:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 08:46 . 2008-04-07 16:59 268 --ah----- C:\sqmdata18.sqm
2008-04-03 08:46 . 2008-04-07 16:59 244 --ah----- C:\sqmnoopt18.sqm
2008-04-02 10:34 . 2008-04-07 16:32 268 --ah----- C:\sqmdata17.sqm
2008-04-02 10:34 . 2008-04-07 16:32 244 --ah----- C:\sqmnoopt17.sqm
2008-04-02 09:53 . 2008-04-02 09:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-02 09:34 . 2008-04-07 14:55 268 --ah----- C:\sqmdata16.sqm
2008-04-02 09:34 . 2008-04-07 14:55 244 --ah----- C:\sqmnoopt16.sqm
2008-04-02 09:27 . 2008-04-02 09:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-01 16:18 . 2008-04-07 13:17 268 --ah----- C:\sqmdata15.sqm
2008-04-01 16:18 . 2008-04-07 13:17 244 --ah----- C:\sqmnoopt15.sqm
2008-04-01 08:30 . 2008-04-07 10:26 268 --ah----- C:\sqmdata14.sqm
2008-04-01 08:30 . 2008-04-07 10:26 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 09:52 . 2008-03-31 09:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-03-31 09:52 . 2008-03-31 09:52 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-31 09:51 . 2008-03-31 09:51 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-30 17:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-30 17:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-30 17:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-30 16:39 . 2008-04-07 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-30 16:39 . 2008-03-30 16:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-30 16:39 . 2008-04-03 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 16:39 . 2008-03-30 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 11:26 . 2008-03-30 16:34 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-30 11:22 . 2008-03-30 11:22 6,144 --a------ C:\vwhfxvxv.exe
2008-03-29 06:37 . 2008-03-29 06:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2008-03-29 06:34 . 2008-03-29 06:35 <DIR> d-------- C:\Program Files\Docudesk
2008-03-29 06:34 . 2008-03-21 12:13 18,790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-03-19 19:27 . 2008-03-30 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
2008-03-19 10:04 . 2008-03-19 13:01 <DIR> d-------- C:\fts2008
2008-03-17 19:25 . 2008-04-06 23:22 208 --ah----- C:\sqmdata13.sqm
2008-03-17 19:25 . 2008-04-06 23:22 172 --ah----- C:\sqmnoopt13.sqm
2008-03-17 00:17 . 2008-04-06 16:05 244 --ah----- C:\sqmnoopt12.sqm
2008-03-17 00:17 . 2008-04-06 16:05 232 --ah----- C:\sqmdata12.sqm
2008-03-16 14:05 . 2008-04-06 15:43 268 --ah----- C:\sqmdata11.sqm
2008-03-16 14:05 . 2008-04-06 15:43 244 --ah----- C:\sqmnoopt11.sqm
2008-03-16 00:56 . 2008-04-06 09:21 268 --ah----- C:\sqmdata10.sqm
2008-03-16 00:56 . 2008-04-06 09:21 244 --ah----- C:\sqmnoopt10.sqm
2008-03-14 23:34 . 2008-04-05 23:39 268 --ah----- C:\sqmdata09.sqm
2008-03-14 23:34 . 2008-04-05 23:39 244 --ah----- C:\sqmnoopt09.sqm
2008-03-13 22:12 . 2008-04-05 07:23 268 --ah----- C:\sqmdata08.sqm
2008-03-13 22:12 . 2008-04-05 07:23 244 --ah----- C:\sqmnoopt08.sqm
2008-03-11 22:47 . 2008-04-04 21:30 268 --ah----- C:\sqmdata07.sqm
2008-03-11 22:47 . 2008-04-04 21:30 244 --ah----- C:\sqmnoopt07.sqm
2008-03-10 23:39 . 2008-04-04 08:17 268 --ah----- C:\sqmdata06.sqm
2008-03-10 23:39 . 2008-04-04 08:17 244 --ah----- C:\sqmnoopt06.sqm
2008-03-07 08:06 . 2008-03-07 08:06 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 13:08 --------- d-----w C:\Program Files\Steam
2008-04-07 06:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-02 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-03-30 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-14 14:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-06 04:36 --------- d-----w C:\Program Files\Java
2008-03-06 04:34 --------- d-----w C:\Program Files\Common Files\Java
2008-03-04 12:32 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 12:32 --------- d-----w C:\Program Files\Windows Live
2008-03-04 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-26 00:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 10:34 --------- d-----w C:\Program Files\iTunes
2008-02-25 10:33 --------- d-----w C:\Program Files\iPod
2008-02-25 10:32 --------- d-----w C:\Program Files\QuickTime
2008-02-15 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-02-15 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2007-08-27 16:44 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\inst.exe
2007-08-27 16:44 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-05-22 23:15 6,751,232 ----a-w C:\Program Files\NETGEAR WPN311 Wireless Adapter.msi
2007-05-22 23:15 4,107 ----a-w C:\Program Files\0x0409.ini
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A900664E-9AA5-488F-AE9A-BA59834EB65C}]
C:\WINDOWS\system32\yayvVNhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B496564D-A43B-43C1-9959-06950911B3C9}]
C:\WINDOWS\system32\opnkiJcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877}]
C:\WINDOWS\system32\rqRKEvVL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F11EB52C-9683-4DBC-B393-8C468748C74D}]
C:\WINDOWS\system32\qoMdETNd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-16 10:07 68856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-29 05:22 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 18:07 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 09:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 16:45 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-09-25 17:32 507904]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-30 16:39 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"BM6314b10c"="C:\WINDOWS\system32\ysdqcmua.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-30 16:39 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 04:43:54 11000]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-09-11 18:03:47 131584]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-05-10 09:33:54 688128]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 11:57:38 1503232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-12-19 16:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:06:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 14:17:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 22:15:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-04-07 22:18:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 14:18:29
Pre-Run: 285,305,901,056 bytes free
Post-Run: 285,530,292,224 bytes free
.
2008-03-30 09:25:29 --- E O F ---




Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111376
Time elapsed: 22 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6314b10c (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)


Files Infected:
C:\vwhfxvxv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcbyyx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnono.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qomjijk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqnnnm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUoMdax.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP348\A0054443.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054614.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054616.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Hope this is ok
marty
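The helper's read of a ComboFix log comes down to the "Reg Loading Points" section: in the log above, six Browser Helper Objects point at eight-letter mixed-case DLLs in system32, and the BM6314b10c Run value that MBAM flagged points at a system32 DLL for which ComboFix recorded no date or size. The script below is an added example, not part of this thread or of ComboFix, that parses that section and flags those patterns; the heuristics and the `Finding` type are mine, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the "Reg Loading Points" section
# of the ComboFix log posted in this thread (not the whole log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM6314b10c"="C:\WINDOWS\system32\ysdqcmua.dll" [ ]
"""

# "name"="path" [file date, size, sometimes a resolved path]; empty brackets
# mean ComboFix could not find the file to read its date and size.
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')
# A .dll directly under system32 whose stem is exactly eight letters.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll$", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Vundo-style stems flip case mid-name (awtrPgDT, qoMDtqpp); genuine system
    DLL names are all lower, all upper, or capitalised (setupapi, SETUPAPI, Browseui)."""
    return stem not in (stem.lower(), stem.upper(), stem.capitalize())


def parse_loading_points(text: str):
    """Yield (section, name, path, meta) for every loading point in the block.
    BHO sections carry only a bare DLL path on the line after the CLSID key."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            yield section, m.group(1), m.group(2), m.group(3).strip()
        elif "Browser Helper Objects" in section:
            yield section, "(BHO)", line, ""


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    reasons: tuple


def triage(text: str) -> list:
    """Apply three heuristics drawn from this thread's logs and return the hits."""
    findings = []
    for section, name, path, meta in parse_loading_points(text):
        reasons = []
        in_system32 = "\\system32\\" in path.lower()
        m = SYSTEM32_DLL_RE.search(path)
        if m and looks_random(m.group(1)):
            reasons.append("eight-letter mixed-case DLL name in system32 (Vundo naming pattern)")
        if "Browser Helper Objects" in section and in_system32:
            reasons.append("BHO loaded from system32; legitimate BHOs normally live under Program Files")
        if section.endswith("\\Run") and meta == "" and in_system32:
            reasons.append("Run value with no file date/size: target missing or hidden from ComboFix")
        if reasons:
            findings.append(Finding(section, name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:16} {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The orphaned Adobe `updateMgr` entry has empty brackets too but lives outside system32, so it is deliberately not flagged; on real logs treat the output as a shortlist for a human to check, not a verdict.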

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 07 April 2008 - 09:14 AM

Hello

Could you stop running Malwarebytes Anti-Malware unless instructed to do so?


We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional



Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#7 MartyAus

MartyAus

    New Member

  • New Member
  • 11 posts

Posted 07 April 2008 - 09:40 AM

This is all I got, Scotty

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

ComboFix 08-04-06.1 - Owner 2008-04-07 23:36:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1408 [GMT 8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 21:11 . 2008-04-07 21:11 <DIR> d-------- C:\Deckard
2008-04-07 13:16 . 2008-04-07 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-07 13:15 . 2008-04-07 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-07 13:02 . 2008-04-07 16:09 <DIR> d-------- C:\VundoFix Backups
2008-04-07 12:38 . 2008-04-07 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 09:35 . 2008-04-03 09:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-03 09:35 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-03 09:29 . 2008-04-07 18:20 268 --ah----- C:\sqmdata19.sqm
2008-04-03 09:29 . 2008-04-07 18:20 244 --ah----- C:\sqmnoopt19.sqm
2008-04-03 09:13 . 2008-04-03 09:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 08:46 . 2008-04-07 16:59 268 --ah----- C:\sqmdata18.sqm
2008-04-03 08:46 . 2008-04-07 16:59 244 --ah----- C:\sqmnoopt18.sqm
2008-04-02 10:34 . 2008-04-07 16:32 268 --ah----- C:\sqmdata17.sqm
2008-04-02 10:34 . 2008-04-07 16:32 244 --ah----- C:\sqmnoopt17.sqm
2008-04-02 09:53 . 2008-04-02 09:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-02 09:34 . 2008-04-07 14:55 268 --ah----- C:\sqmdata16.sqm
2008-04-02 09:34 . 2008-04-07 14:55 244 --ah----- C:\sqmnoopt16.sqm
2008-04-02 09:27 . 2008-04-02 09:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-01 16:18 . 2008-04-07 13:17 268 --ah----- C:\sqmdata15.sqm
2008-04-01 16:18 . 2008-04-07 13:17 244 --ah----- C:\sqmnoopt15.sqm
2008-04-01 08:30 . 2008-04-07 10:26 268 --ah----- C:\sqmdata14.sqm
2008-04-01 08:30 . 2008-04-07 10:26 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 09:52 . 2008-03-31 09:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-03-31 09:52 . 2008-03-31 09:52 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-31 09:51 . 2008-03-31 09:51 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-30 17:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-30 17:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-30 17:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-30 16:39 . 2008-04-07 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-30 16:39 . 2008-03-30 16:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-30 16:39 . 2008-04-03 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 16:39 . 2008-03-30 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 11:26 . 2008-03-30 16:34 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-29 06:37 . 2008-03-29 06:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2008-03-29 06:34 . 2008-03-29 06:35 <DIR> d-------- C:\Program Files\Docudesk
2008-03-29 06:34 . 2008-03-21 12:13 18,790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-03-19 19:27 . 2008-03-30 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
2008-03-19 10:04 . 2008-03-19 13:01 <DIR> d-------- C:\fts2008
2008-03-17 19:25 . 2008-04-06 23:22 208 --ah----- C:\sqmdata13.sqm
2008-03-17 19:25 . 2008-04-06 23:22 172 --ah----- C:\sqmnoopt13.sqm
2008-03-17 00:17 . 2008-04-06 16:05 244 --ah----- C:\sqmnoopt12.sqm
2008-03-17 00:17 . 2008-04-06 16:05 232 --ah----- C:\sqmdata12.sqm
2008-03-16 14:05 . 2008-04-06 15:43 268 --ah----- C:\sqmdata11.sqm
2008-03-16 14:05 . 2008-04-06 15:43 244 --ah----- C:\sqmnoopt11.sqm
2008-03-16 00:56 . 2008-04-06 09:21 268 --ah----- C:\sqmdata10.sqm
2008-03-16 00:56 . 2008-04-06 09:21 244 --ah----- C:\sqmnoopt10.sqm
2008-03-14 23:34 . 2008-04-05 23:39 268 --ah----- C:\sqmdata09.sqm
2008-03-14 23:34 . 2008-04-05 23:39 244 --ah----- C:\sqmnoopt09.sqm
2008-03-13 22:12 . 2008-04-05 07:23 268 --ah----- C:\sqmdata08.sqm
2008-03-13 22:12 . 2008-04-05 07:23 244 --ah----- C:\sqmnoopt08.sqm
2008-03-11 22:47 . 2008-04-04 21:30 268 --ah----- C:\sqmdata07.sqm
2008-03-11 22:47 . 2008-04-04 21:30 244 --ah----- C:\sqmnoopt07.sqm
2008-03-10 23:39 . 2008-04-04 08:17 268 --ah----- C:\sqmdata06.sqm
2008-03-10 23:39 . 2008-04-04 08:17 244 --ah----- C:\sqmnoopt06.sqm
2008-03-07 08:06 . 2008-03-07 08:06 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 14:54 --------- d-----w C:\Program Files\Steam
2008-04-07 06:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-02 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-03-30 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-14 14:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-06 04:36 --------- d-----w C:\Program Files\Java
2008-03-06 04:34 --------- d-----w C:\Program Files\Common Files\Java
2008-03-04 12:32 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 12:32 --------- d-----w C:\Program Files\Windows Live
2008-03-04 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-26 00:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 10:34 --------- d-----w C:\Program Files\iTunes
2008-02-25 10:33 --------- d-----w C:\Program Files\iPod
2008-02-25 10:32 --------- d-----w C:\Program Files\QuickTime
2008-02-15 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-02-15 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2007-08-27 16:44 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-05-22 23:15 6,751,232 ----a-w C:\Program Files\NETGEAR WPN311 Wireless Adapter.msi
2007-05-22 23:15 4,107 ----a-w C:\Program Files\0x0409.ini
2006-07-04 21:33 472,000 ----a-w C:\WINDOWS\inf\WPN311\WPN311.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2005-01-27 02:59 35,232 ----a-w C:\WINDOWS\inf\WPN311\ME_INST.EXE
2005-01-27 02:59 26,112 ----a-w C:\WINDOWS\inf\WPN311\install.exe
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A900664E-9AA5-488F-AE9A-BA59834EB65C}]
C:\WINDOWS\system32\yayvVNhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B496564D-A43B-43C1-9959-06950911B3C9}]
C:\WINDOWS\system32\opnkiJcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877}]
C:\WINDOWS\system32\rqRKEvVL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F11EB52C-9683-4DBC-B393-8C468748C74D}]
C:\WINDOWS\system32\qoMdETNd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-16 10:07 68856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-29 05:22 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 18:07 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 09:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 16:45 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-09-25 17:32 507904]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-30 16:39 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-30 16:39 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 04:43:54 11000]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-09-11 18:03:47 131584]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-05-10 09:33:54 688128]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 11:57:38 1503232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-12-19 16:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:06:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 14:56:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 23:37:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 23:37:55
ComboFix-quarantined-files.txt 2008-04-07 15:37:53
ComboFix2.txt 2008-04-07 14:18:32
Pre-Run: 285,515,186,176 bytes free
Post-Run: 285,503,115,264 bytes free
.
2008-03-30 09:25:29 --- E O F ---

Hope this is OK; it seemed to stall the first time.
Marty

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 April 2008 - 10:14 AM

Hi


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text in the code box below by highlighting all of it with your mouse and pressing Ctrl+C.

KillAll::
 
File::
C:\sqmdata19.sqm
C:\sqmnoopt19.sqm
C:\sqmdata18.sqm
C:\sqmnoopt18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
C:\sqmdata16.sqm
C:\sqmnoopt16.sqm
C:\sqmdata15.sqm
C:\sqmnoopt15.sqm
C:\sqmdata14.sqm
C:\sqmnoopt14.sqm
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm

Folder::
C:\VundoFix Backups

DirLook::
C:\fts2008

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A900664E-9AA5-488F-AE9A-BA59834EB65C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B496564D-A43B-43C1-9959-06950911B3C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F11EB52C-9683-4DBC-B393-8C468748C74D}]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript onto ComboFix.exe.


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended (if available, otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.


In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run


Note: When you installed DSS, if you followed my instructions right, there will be a HijackThis icon on your Desktop. Double-click that and select "Scan and save a logfile" to get a HijackThis log.

Edited by Scotty, 07 April 2008 - 12:52 PM.

You too could train to help others- Join the Classroom

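The script above deletes the six BHO keys that ComboFix listed under "Reg Loading Points" and that HijackThis shows as "(no name)" with "(file missing)". The following is an added example (not part of ComboFix, HijackThis or DSS, and not Scotty's) that automates that cross-check in Python: it parses O2 lines, keeps only the orphaned entries, confirms them against the ComboFix dump, and drafts the Registry:: block in the form used in the thread. The "(no name)" plus "(file missing)" rule is a heuristic taken from this thread's logs, and the sample log lines are copied from the logs posted above.

```python
"""Cross-check HijackThis O2 (BHO) entries against a ComboFix registry dump
and draft the Registry:: section of a CFScript for the orphaned ones.

Added example for this thread; not a tool shipped with ComboFix, HijackThis
or DSS. Sample log lines are copied from the logs posted in the thread."""
import re

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# ComboFix "Reg Loading Points" BHO key header; the DLL path is on the next line.
CF_BHO_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$"
)
MISSING_TAG = " (file missing)"

# Constructed sample: a subset of the O2/O3 lines from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {185552D6-25CA-42DD-BC78-BD6C03AD33CF} - C:\WINDOWS\system32\awtrPgDT.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {64E9656A-DAF2-4524-BCA6-A8258A4DC10C} - C:\WINDOWS\system32\qoMDtqpp.dll (file missing)
O2 - BHO: (no name) - {F11EB52C-9683-4DBC-B393-8C468748C74D} - C:\WINDOWS\system32\qoMdETNd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

# Constructed sample: part of the ComboFix "Reg Loading Points" section above.
# The third orphan ({F11EB52C-...}) is deliberately left out to show the cross-check.
SAMPLE_CF = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"""


def parse_o2(line):
    """Parse one HijackThis O2 line into a dict; return None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith(MISSING_TAG)
    if missing:
        path = path[: -len(MISSING_TAG)]
    return {"name": m.group("name"), "clsid": m.group("clsid").upper(),
            "path": path, "missing": missing}


def orphaned_bhos(hjt_log):
    """BHO registrations whose DLL is gone.

    Heuristic taken from this thread's log: each Vundo leftover is both
    "(no name)" and "(file missing)", while the legitimate BHOs (Adobe, Skype,
    Java, Google) carry a product name and point at an existing file."""
    entries = (parse_o2(line) for line in hjt_log.splitlines())
    return [e for e in entries if e and e["missing"] and e["name"] == "(no name)"]


def combofix_bhos(cf_log):
    """Map CLSID -> DLL path from the ComboFix 'Reg Loading Points' section."""
    result, lines = {}, cf_log.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = CF_BHO_RE.match(line.strip())
        if m:
            result[m.group("clsid").upper()] = lines[i + 1].strip()
    return result


def confirmed_orphans(hjt_log, cf_log):
    """Orphans that HijackThis reports AND ComboFix lists as BHO load points.
    Requiring both views to agree avoids scripting a key one tool mis-parsed."""
    cf = combofix_bhos(cf_log)
    return [e for e in orphaned_bhos(hjt_log) if e["clsid"] in cf]


def cfscript_registry_section(entries):
    """Render the Registry:: block as in the thread: a leading '-' inside the
    brackets tells ComboFix to delete the whole key."""
    keys = sorted({e["clsid"] for e in entries})
    lines = ["Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{c}]" for c in keys]
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript_registry_section(confirmed_orphans(SAMPLE_HJT, SAMPLE_CF)))
```

On the real logs the orphan list should be compared against the ComboFix dump in full; an entry HijackThis flags but ComboFix does not list is worth a second look before it goes into a script.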

#9 MartyAus

MartyAus

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 07 April 2008 - 10:24 AM

Scotty, the link you gave me for the scanner doesn't work. No scanner there. I put the text file onto the ComboFix.exe icon; do I run it before proceeding? Cheers, Marty

Edited by MartyAus, 07 April 2008 - 10:34 AM.


#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 April 2008 - 12:54 PM

Hi. Do the Combo script first. When you put the text file onto the ComboFix icon the program will run itself. I've edited the Kaspersky link. It works now. :thumbup:
You too could train to help others- Join the Classroom



#11 MartyAus

MartyAus

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 07 April 2008 - 07:12 PM

Hope this is right, Scotty.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-08 09:04:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:42 AM, on 8/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {185552D6-25CA-42DD-BC78-BD6C03AD33CF} - C:\WINDOWS\system32\awtrPgDT.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {64E9656A-DAF2-4524-BCA6-A8258A4DC10C} - C:\WINDOWS\system32\qoMDtqpp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A900664E-9AA5-488F-AE9A-BA59834EB65C} - C:\WINDOWS\system32\yayvVNhG.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B496564D-A43B-43C1-9959-06950911B3C9} - C:\WINDOWS\system32\opnkiJcD.dll (file missing)
O2 - BHO: (no name) - {EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877} - C:\WINDOWS\system32\rqRKEvVL.dll (file missing)
O2 - BHO: (no name) - {F11EB52C-9683-4DBC-B393-8C468748C74D} - C:\WINDOWS\system32\qoMdETNd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10603 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 07:08:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 07:08:07 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 07:08:06 0 d-------- C:\WINDOWS\LastGood
2008-04-08 00:21:50 3898 --a------ C:\Start_.cmd
2008-04-08 00:21:50 0 d-------- C:\327882R2FWJFW
2008-04-07 23:37:56 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-07 23:34:45 0 d-------- C:\cmdcons
2008-04-07 22:09:27 68096 --a------ C:\WINDOWS\zip.exe
2008-04-07 22:09:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-07 22:09:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-07 22:09:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-07 22:09:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-07 22:09:27 98816 --a------ C:\WINDOWS\sed.exe
2008-04-07 22:09:27 80412 --a------ C:\WINDOWS\grep.exe
2008-04-07 22:09:27 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-07 13:16:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-07 13:15:35 0 d-------- C:\Program Files\Common Files\iS3
2008-04-07 13:15:34 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-07 13:02:11 0 d-------- C:\VundoFix Backups
2008-04-07 12:38:35 0 d-------- C:\Program Files\Trend Micro
2008-04-07 11:02:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 11:02:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 11:02:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 09:35:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-03 09:13:12 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-02 09:53:16 0 d-------- C:\Program Files\Windows Defender
2008-04-02 09:27:46 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-31 09:52:08 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-03-31 09:52:08 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-31 09:51:48 0 d-------- C:\Program Files\Common Files\Skype
2008-03-30 17:13:07 0 dr-h----- C:\$VAULT$.AVG
2008-03-30 16:39:49 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-30 16:39:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-30 16:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 16:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 11:26:28 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-29 06:37:17 0 d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2008-03-29 06:34:26 18790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-03-29 06:34:10 0 d-------- C:\Program Files\Docudesk
2008-03-19 19:27:52 0 d-------- C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
2008-03-19 10:04:49 0 d-------- C:\fts2008


-- Find3M Report ---------------------------------------------------------------

2008-04-07 22:54:01 0 d-------- C:\Program Files\Steam
2008-04-07 14:46:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-04-07 13:15:35 0 d-------- C:\Program Files\Common Files
2008-04-02 08:41:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-03-14 22:21:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-07 08:06:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-03-06 12:36:18 0 d-------- C:\Program Files\Java
2008-03-06 12:34:40 0 d-------- C:\Program Files\Common Files\Java
2008-03-06 12:26:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-06 12:26:30 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-06 12:16:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-06 12:16:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-04 20:32:40 0 d-------- C:\Program Files\Windows Live
2008-03-04 20:32:13 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 08:50:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-25 18:34:01 0 d-------- C:\Program Files\iTunes
2008-02-25 18:33:54 0 d-------- C:\Program Files\iPod
2008-02-25 18:32:54 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185552D6-25CA-42DD-BC78-BD6C03AD33CF}]
C:\WINDOWS\system32\awtrPgDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E9656A-DAF2-4524-BCA6-A8258A4DC10C}]
C:\WINDOWS\system32\qoMDtqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A900664E-9AA5-488F-AE9A-BA59834EB65C}]
C:\WINDOWS\system32\yayvVNhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B496564D-A43B-43C1-9959-06950911B3C9}]
C:\WINDOWS\system32\opnkiJcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB6D0BC7-ADD9-416D-B0F7-5C7AA09BE877}]
C:\WINDOWS\system32\rqRKEvVL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F11EB52C-9683-4DBC-B393-8C468748C74D}]
C:\WINDOWS\system32\qoMdETNd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/05/2006 06:07 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [10/04/2006 09:19 AM]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [02/06/2006 04:45 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 03:40 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 10:57 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [18/05/2006 11:29 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [23/01/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09 AM]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [25/09/2007 05:32 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [23/01/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 11:35 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [30/03/2008 04:39 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 05:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 08:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [16/11/2007 10:07 AM]
"Steam"="C:\Program Files\Steam\Steam.exe" [29/03/2008 05:22 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [5/03/2006 4:43:54 AM]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [11/09/2007 6:03:47 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [10/05/2007 9:33:54 AM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [4/12/2006 11:57:38 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"




-- End of Deckard's System Scanner: finished at 2008-04-08 09:05:10 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 08, 2008 9:00:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/04/2008
Kaspersky Anti-Virus database records: 689092
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 83276
Number of viruses found: 5
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 00:39:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04022008-095329.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F732B763-E0DD-4A47-A016-ACD10ABC00B8} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\0fy01ele.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008040820080409\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF79B8.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF79CD.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bcnoprki.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iycuknqx.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ttixaueo.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-07_221459.14.zip/Documents and Settings/Owner/Desktop/catchme.zip/byXOfCVP.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\QooBox\Quarantine\catchme2008-04-07_221459.14.zip/Documents and Settings/Owner/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\QooBox\Quarantine\catchme2008-04-07_221459.14.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0050445.exe Infected: Trojan-Spy.Win32.Banker.klv skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051472.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051498.exe/data.rar/crack.exe Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051498.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iwh skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051498.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.tnt skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051498.exe/data.rar Infected: Trojan-Downloader.Win32.Small.tnt skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051498.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051512.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP337\A0051534.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP338\A0051787.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP347\A0054432.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054613.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054615.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP351\A0054618.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP353\change.log Object is locked skipped
C:\VundoFix Backups\kskruxox.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{16BF058A-2732-42ED-9DD5-09E9C28FC981}\RP353\change.log Object is locked skipped

Scan process completed.

Hope this is it. I am still logged in to Kaspersky; do I let the program delete the infected files?

Cheers Marty
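The Kaspersky Online Scanner log above lists every hit as "path Infected: name action", with locked files and archive totals on their own line shapes. The following is an added example (not code from this thread or from Kaspersky) that parses those line shapes and separates hits on live files from copies stored under QooBox, VundoFix Backups or System Restore points; the sample lines, paths and the {GUID} restore-point name are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Kaspersky Online Scanner 5.x log
# above (Infected Object Name / Virus Name / Last Action); paths and {GUID} are
# placeholders made up for this example, not copied from the posted log.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\example.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000002.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iwh skipped
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000002.exe RarSFX: infected - 1 skipped
C:\\WINDOWS\\system32\\active.dll Infected: Packed.Win32.Monder.gen skipped
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")

# Hits under these folders are stored copies, not code that runs at boot:
# ComboFix's QooBox quarantine, VundoFix backups and System Restore points.
INACTIVE_MARKERS = ("\\QooBox\\", "\\VundoFix Backups\\", "\\System Volume Information\\")

def triage(log_text):
    """Split a Kaspersky log into (active, inactive, locked, containers) lists;
    active/inactive hold (path, detection, action) tuples, containers hold
    (path, archive type, hit count) summary lines."""
    active, inactive, locked, containers = [], [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := LOCKED_RE.match(line):
            locked.append(m["path"])
        elif m := CONTAINER_RE.match(line):
            containers.append((m["path"], m["kind"], int(m["count"])))
        elif m := INFECTED_RE.match(line):
            entry = (m["path"], m["name"], m["action"])
            is_copy = any(marker in m["path"] for marker in INACTIVE_MARKERS)
            (inactive if is_copy else active).append(entry)
    return active, inactive, locked, containers

def detections_by_name(entries):
    """Count how often each detection name occurs in a list of hit tuples."""
    return Counter(name for _, name, _ in entries)

if __name__ == "__main__":
    active, inactive, locked, containers = triage(SAMPLE_LOG)
    print("active (needs cleanup):", [p for p, _, _ in active])
    print("stored copies only:", detections_by_name(inactive))
    print("locked files skipped:", len(locked), "archives:", containers)
```

Only the entries in the active list point at files that still load on the machine; the rest are quarantine or restore-point copies that go away when those stores are purged.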

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 April 2008 - 04:11 AM

Hi, Kaspersky doesn't delete anything. Did you run the CFScript? You have not posted the new log, and the DSS log you posted shows it hasn't been run.
You too could train to help others- Join the Classroom


#13 MartyAus

MartyAus

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 April 2008 - 04:14 AM

I did put the script file into the ComboFix. I see green bars loading, that's it? Marty

#14 MartyAus

MartyAus

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 April 2008 - 04:21 AM

It didn't create a log. I tried it again; I had cfscript.txt in lower case, I changed it to CFSript.text, same thing. Combo has bars showing it loaded, didn't create a log. Marty

#15 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 April 2008 - 04:23 AM

Delete the Combofix icon from your Desktop, then follow these instructions again. Post the resultant log.

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt


By the way, do you have an icon like this on your Desktop?

Posted Image
