SpyHunter not found in Add/Remove programs list. I *did* find it at C:\Program Files\Enigma Software Group\SpyHunter.
The only thing the folder contained was a .log file (which I have kept in case you want to see it). I had to boot into safe mode to remove the file folder. I removed it, warm booted, and it remained gone.
All other programs in the Add/Remove Programs list appear legit.
Here is the result for the last run of ComboFix.
ComboFix 07-10-02.2 - Administrator 2007-10-02 11:34:39.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.839 [GMT -5:00]
Running from: C:\Documents and Settings\smsmith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
FILE::
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\geedd.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\smsmith\Application Data\Hotbar
C:\Documents and Settings\smsmith\Application Data\SpamBlocker
C:\TEMP\xOe
C:\VundoFix Backups
C:\VundoFix Backups\ghkmp.bak2.bad
C:\VundoFix Backups\ghkmp.ini.bad
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\system32\VundoFixSVC.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_EGXHXEFWZF
-------\EGXHXEFWZF
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-10-01 21:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 17:01 <DIR> d-------- C:\Documents and Settings\engineeradmin\Application Data\HotSync
2007-10-01 17:00 <DIR> d-------- C:\Documents and Settings\engineeradmin\Application Data\Real
2007-10-01 15:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HotSync
2007-09-26 09:26 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-25 18:03 <DIR> d-------- C:\WINDOWS\pss
2007-09-25 17:21 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\HotSync
2007-09-25 17:14 <DIR> dr-h----- C:\Documents and Settings\smsmith\Application Data\Andersson Digital Design
2007-09-25 17:14 <DIR> d--hs---- C:\Documents and Settings\smsmith\UserData
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\SecurityScans
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Contacts
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\XnView
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Sonic
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Share-to-Web Upload Folder
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Real
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Raptisoft
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Media Player Classic
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Leadertech
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Lavasoft
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\InterVideo
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\InterTrust
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Help
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Google
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Ethereal
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Apple Computer
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\APC
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\AdobeUM
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\AdobeAUM
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\ActiveState
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\.gaim
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\.lincity
2007-09-25 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 11:39 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-09-28 18:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Retrospect
.
((((((((((((((((((((((((((((( snapshot@2007-10-01_21.25.12.25 )))))))))))))))))))))))))))))))))))))))))
.
----atw 16,384 2007-10-02 16:39:02 C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 19:49]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 17:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-06-02 09:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-09 08:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 20:38]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2006-12-20 13:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 15:16:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]
C:\Documents and Settings\smsmith\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-04-09 18:30:45]
Shortcut to ISCAlert.exe.lnk - \\Engineersparexp\c$\Program Files\ISC Alert\ISCAlert.exe [2006-08-14 14:26:27]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 15:16:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
R1 EAWDMFD;EAWDMFD;C:\WINDOWS\system32\drivers\EAWDMFD.sys
R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\System32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\System32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\System32\drivers\cqcpu.sys
R2 DfwWebAgent;Remote Diagnostics Enabling Agent;C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K);C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-10-02 11:39:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-02 11:42:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 11:41
C:\ComboFix2.txt ... 2007-10-01 21:25
.
--- E O F ---