Hello,
Fresh ComboFix and HijackThis logs are pasted below.
Thanks again,
Eric
ComboFix 08-11-07.01 - Edlaze500 2008-11-08 1:44:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.221 [GMT -5:00]
Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
c:\documents and settings\Edlaze500\Application Data\Facegame
c:\documents and settings\Edlaze500\Cookies\mafycu.dl
c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\ywoxuvihed.exe
C:\e.exe
C:\m.exe
C:\ntldr.exe
C:\p.exe
C:\q.exe
C:\win.txt
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\Readme.txt
c:\windows\system.exe
c:\windows\system\system.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\egabuwoy.ini
c:\windows\system32\gPAbHRqr.ini
c:\windows\system32\gPAbHRqr.ini2
c:\windows\system32\gQsYHkkj.ini
c:\windows\system32\gQsYHkkj.ini2
c:\windows\system32\jkkhysqg.dll
c:\windows\system32\mcc.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\msxml71.dll
c:\windows\system32\U3cSBf33.exe.a_a
c:\windows\system32\vloxhjfs.ini
c:\windows\system32\wpv106.cpx
c:\windows\wiaserviv.log
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ZESOFT
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.
2008-11-06 00:24 . 2008-11-08 01:51 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-06 00:24 . 2008-11-08 01:58 458,784 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 00:24 . 2008-11-08 01:51 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-06 00:24 . 2008-11-08 01:58 2,676 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-05 23:51 . 2008-11-08 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-05 16:42 . 2008-11-05 16:42 68,356 --a------ c:\windows\system32\suwcamwo.dll
2008-11-05 16:38 . 2008-11-05 16:39 74,656 --a------ c:\windows\system32\gopejlke.dll
2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit
2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini
2008-11-01 23:03 . 2008-11-01 23:03 19,694 --a------ c:\windows\system32\loxydo.pif
2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db
2008-11-01 23:03 . 2008-11-01 23:03 13,901 --a------ c:\program files\Common Files\elelahyp.reg
2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin
2008-11-01 22:52 . 2008-11-07 09:19 <DIR> d-------- c:\program files\AntivirusPro2009
2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine
2008-11-01 03:41 . 2008-11-01 03:41 178,176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll
2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 14:41 . 2008-10-31 16:34 102,172 --a------ c:\windows\system32\cont_offersfortoday-remove.exe
2008-10-23 14:41 . 2008-11-01 09:31 77,947 --a------ c:\windows\system32\mcvowdhmpaic.exe
2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 06:57 --------- d-----w c:\program files\QuickTime
2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real
2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro
2008-11-02 05:31 --------- d-----w c:\program files\LimeWire
2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks
2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe
2005-01-27 02:07 0 --sh--r c:\windows\cvchost.exe
2005-01-27 02:07 0 --sh--r c:\windows\dl.exe
2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe
2005-01-27 02:07 0 --sh--r c:\windows\msstasks.exe
2005-01-27 02:07 0 --sh--r c:\windows\mssys.com
2005-01-27 02:07 0 --sh--r c:\windows\mstasks1.exe
2005-01-27 02:07 0 --sh--r c:\windows\mstaskss.exe
2005-01-27 02:07 0 --sh--r c:\windows\msxmidi.exe
2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe
2005-01-27 02:07 0 --sh--r c:\windows\reg33.exe
2005-01-27 02:07 0 --sh--r c:\windows\rocky.exe
2005-01-27 02:07 0 --sh--r c:\windows\system\wmscrop.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\d2kpax.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\ied.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\miniport_mp.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\winproc32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}]
2008-11-01 03:41 178176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"keocrolkmdtikea"="c:\windows\system32\tljcdpkpffbgtpt.dll" [2008-11-01 178176]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744]
S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-11-06 c:\windows\Tasks\At1.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At10.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At11.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At12.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At13.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At14.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At15.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At16.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At17.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At18.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At19.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-06 c:\windows\Tasks\At2.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-03 c:\windows\Tasks\At20.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-03 c:\windows\Tasks\At21.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-03 c:\windows\Tasks\At22.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-06 c:\windows\Tasks\At23.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-06 c:\windows\Tasks\At24.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-08 c:\windows\Tasks\At3.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-08 c:\windows\Tasks\At4.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At5.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At6.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At7.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At8.job
- c:\windows\system32\U3cSBf33.exe []
2008-11-07 c:\windows\Tasks\At9.job
- c:\windows\system32\U3cSBf33.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{51BCD548-771E-49C8-AC0C-7B7E6B9D35AF} - c:\windows\system32\jkkHYsQg.dll
BHO-{F3AF22D2-7855-43FE-8DA3-ECD8E9C11558} - (no file)
HKCU-Run-Facegame - c:\documents and settings\Edlaze500\Application Data\Facegame\Facegame.exe
HKLM-Run-AutoTBar - c:\hp\bin\autotbar.exe
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
Notify-jkkHBUMF - jkkHBUMF.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Edlaze500\Application Data\Mozilla\Firefox\Profiles\ycjajdb2.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-08 01:53:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\regsvr32.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-11-08 3:13:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-08 08:12:47
Pre-Run: 9,514,356,736 bytes free
Post-Run: 9,938,006,016 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn
285 --- E O F --- 2008-10-24 22:01:58
Logfile of HijackThis v1.99.1
Scan saved at 10:25:40 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: offersfortoday browser enhancer - {BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127} - C:\WINDOWS\system32\tljcdpkpffbgtpt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [keocrolkmdtikea] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tljcdpkpffbgtpt.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: bdsripcab -
https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -
http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsof...?1174409189328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -
https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) -
http://reports.kochb2b.com/viewer/ac...ivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) -
http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe