06-27-2008, 12:31 PM   #21
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

The best way I can describe the issues with Firefox: I'll type in a website and Firefox will hang for 5-10 seconds before going to the website. This happens with links too.
beaverboy56 is offline  
06-27-2008, 12:36 PM   #22
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

OK, Windows Defender is pulling up this:

Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{25E7F497-C968-465A-95F8-1699C93DBAA1}

clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{18890D49-3318-4E91-83CA-76FF1309D484}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{25E7F497-C968-465A-95F8-1699C93DBAA1}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{18890D49-3318-4E91-83CA-76FF1309D484}

file:
C:\Users\Michael\AppData\Local\Temp\ssqNGayY.dll

It did let me remove it, however; but every time the computer seems clear, Defender pulls up another Vundo.
beaverboy56 is offline  
06-27-2008, 09:26 PM   #23
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047
OS: WinXP and Vista


Re: Proud Owner of a Vundo? Windows stops running.

Press the Windows Logo key and the letter R on your keyboard to launch the Run command.

Now copy/paste the following into the Run box and click OK:

Combofix /u


Quote:
Also these are the files that I was having error messages with, Panda and everything didn't seem to delete them....
Those are safely tucked away in backups created by dss.exe. Running the above command will clear those for you.

-------------------------------------------------------

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Please run a new scan with dss.exe and post the main.txt as well.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
06-28-2008, 01:21 AM   #24
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

Everything showed up fine in Malwarebytes', nothing to report; I guess everything is fine... everything just feels a little sluggish and tends to hang before doing anything, especially web browsing.
beaverboy56 is offline  
06-28-2008, 06:56 AM   #25
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047
OS: WinXP and Vista


Re: Proud Owner of a Vundo? Windows stops running.

beaverboy56, download ComboFix.exe again, from here. It must be saved directly to your desktop.


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:


http://www.techsupportforum.com/security-center/hijackthis-log-help/262451-proud-owner-vundo-windows-stops-running-post1560828.html#post1560828

Collect::
C:\Windows\system32\wvUoNHAP.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.


Kindly post the C:\ComboFix.txt and let me know if the system performance has improved.
Ried is offline
06-28-2008, 05:20 PM   #26
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

It crashed my computer the first time; after a restart I ran it again and it ran fine. Here is that log.

ComboFix 08-06-27.5 - Michael 2008-06-28 14:13:07.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1892 [GMT -10:00]
Running from: C:\Users\Michael\Desktop\ComboFix.exe
Command switches used :: C:\Users\Michael\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-28 14:01 . 2008-06-28 14:02 368,219,504 --a------ C:\Windows\MEMORY.DMP
2008-06-27 22:17 . 2008-06-27 22:17 <DIR> d-------- C:\Deckard
2008-06-27 20:59 . 2008-06-27 20:59 <DIR> d-------- C:\Users\Michael\AppData\Roaming\Malwarebytes
2008-06-27 20:59 . 2008-06-27 20:59 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-27 20:59 . 2008-06-27 20:59 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-27 20:59 . 2008-06-27 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-27 20:59 . 2008-06-19 17:48 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-27 20:59 . 2008-06-19 17:47 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-27 16:26 . 2008-06-27 16:26 <DIR> d-------- C:\VundoFix Backups
2008-06-24 21:57 . 2008-06-24 21:57 <DIR> d-------- C:\Users\Michael\AppData\Roaming\vmcNetFlix_Data
2008-06-24 21:53 . 2008-06-24 21:53 <DIR> d-------- C:\Users\Mcx2\AppData\Roaming\vmcNetFlix_Data
2008-06-24 21:53 . 2008-06-27 22:40 <DIR> d-------- C:\Users\All Users\vmcNetFlix_Data
2008-06-24 21:53 . 2008-06-27 22:40 <DIR> d-------- C:\ProgramData\vmcNetFlix_Data
2008-06-24 21:36 . 2008-06-24 21:36 <DIR> d-------- C:\Program Files\Netflix
2008-06-24 21:36 . 2003-06-12 23:25 7,062 --a------ C:\Windows\System32\audiopid.vxd
2008-06-24 21:25 . 2008-06-24 21:25 <DIR> d-------- C:\Program Files\Luttmann
2008-06-23 17:59 . 2008-06-27 09:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-23 17:53 . 2008-06-23 17:53 <DIR> d-------- C:\Program Files\Panda Security
2008-06-23 17:30 . 2008-06-23 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 15:58 . 2008-06-23 16:04 <DIR> d-------- C:\Program Files\RegCure
2008-06-23 15:49 . 2004-08-04 07:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-06-23 01:43 . 2008-06-23 01:43 <DIR> d-------- C:\Users\Michael\AppData\Roaming\Grisoft
2008-06-23 01:43 . 2008-06-23 01:43 <DIR> d-------- C:\Users\All Users\Grisoft
2008-06-23 01:43 . 2008-06-23 01:43 <DIR> d-------- C:\ProgramData\Grisoft
2008-06-23 01:43 . 2007-05-30 02:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-06-23 01:29 . 2008-06-23 01:29 <DIR> d-------- C:\Users\Michael\AppData\Roaming\Research In Motion
2008-06-23 01:29 . 2008-06-23 01:32 256 --a------ C:\Windows\System32\pool.bin
2008-06-23 01:26 . 2007-01-18 10:24 26,496 --a------ C:\Windows\System32\drivers\RimSerial.sys
2008-06-23 01:25 . 2008-06-23 01:25 <DIR> d-------- C:\Program Files\Research In Motion
2008-06-23 01:25 . 2008-06-23 01:25 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-06-23 01:11 . 2008-06-23 01:11 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-22 20:44 . 2008-06-22 21:29 <DIR> d-------- C:\Program Files\clrmamepro
2008-06-20 15:18 . 2008-06-20 15:18 <DIR> d-------- C:\PerfLogs
2008-06-20 15:05 . 2008-01-08 13:10 98,304 --a------ C:\Windows\RTKAUDIOSERVICE.EXE
2008-06-20 00:54 . 2008-06-20 00:54 <DIR> d-------- C:\Users\All Users\IsolatedStorage
2008-06-20 00:54 . 2008-06-20 00:54 <DIR> d-------- C:\ProgramData\IsolatedStorage
2008-06-20 00:53 . 2008-06-23 15:22 <DIR> d-------- C:\Program Files\BinTube
2008-06-19 22:26 . 2008-06-19 22:26 <DIR> d-------- C:\Program Files\RAR Password Cracker
2008-06-14 03:59 . 2008-04-22 18:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 03:59 . 2008-04-22 18:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 03:59 . 2008-04-22 18:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 03:59 . 2008-01-18 21:33 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-14 03:59 . 2008-01-18 21:33 69,632 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-14 03:59 . 2008-04-22 18:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 14:14 . 2008-06-13 14:14 24,112 --a------ C:\Windows\System32\drivers\SymIMV.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\Windows\System32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\Windows\System32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\Windows\System32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\Windows\System32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\Windows\System32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\Windows\System32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\Windows\System32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\Windows\System32\drivers\symdns.sys
2008-06-13 09:38 . 2008-06-13 09:38 <DIR> d-------- C:\Program Files\Red Kawa
2008-06-10 23:23 . 2008-04-24 16:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-10 23:23 . 2008-04-25 22:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-10 23:23 . 2008-04-24 18:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-10 23:23 . 2008-05-09 15:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 23:51 --------- d-----w C:\Users\Michael\AppData\Roaming\Azureus
2008-06-28 21:18 --------- d-----w C:\ProgramData\Symantec
2008-06-27 19:38 --------- d---a-w C:\ProgramData\TEMP
2008-06-25 07:43 --------- d-----w C:\ProgramData\Creative
2008-06-25 07:36 409,600 ----a-w C:\Windows\System32\wrap_oal.dll
2008-06-25 07:36 114,688 ----a-w C:\Windows\System32\OpenAL32.dll
2008-06-25 07:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 03:49 --------- d-----w C:\ProgramData\Viewpoint
2008-06-24 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 11:22 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-23 11:22 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-23 11:22 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-23 11:22 --------- d-----w C:\Program Files\Symantec
2008-06-21 01:34 --------- d-----w C:\ProgramData\NVIDIA
2008-06-21 01:31 174 --sha-w C:\Program Files\desktop.ini
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Mail
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Journal
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Defender
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-21 01:22 --------- d-----w C:\Program Files\Windows Calendar
2008-06-21 00:22 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-21 00:22 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-18 05:28 --------- d-----w C:\Program Files\Azureus
2008-06-03 05:41 --------- d-----w C:\Users\Michael\AppData\Roaming\LimeWire
2008-05-20 13:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 13:01 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-04 20:48 --------- d-----w C:\ProgramData\Apple Computer
2008-05-01 04:42 --------- d-----w C:\Users\Michael\AppData\Roaming\mIRC
2008-04-30 13:22 --------- d-----w C:\Program Files\Exact Audio Copy
2008-04-30 00:40 --------- d-----w C:\Users\Michael\AppData\Roaming\Vso
2008-04-29 23:46 --------- d-----w C:\ProgramData\DVD Shrink
2008-04-29 23:45 --------- d-----w C:\Program Files\DVD Shrink
2008-04-28 10:16 --------- d-----w C:\Users\Michael\AppData\Roaming\DVDFab
2008-03-31 09:33 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-02-22 05:33 22,328 ----a-w C:\Users\Michael\AppData\Roaming\PnkBstrK.sys
2008-02-18 09:02 47,360 ----a-w C:\Users\Michael\AppData\Roaming\pcouffin.sys
2008-02-17 12:04 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-17 12:04 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-17 12:04 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-02-18 12:04 22 --sha-w C:\Windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_13.59.57.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 12:56:45 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-29 00:01:42 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-28 12:59:02 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-06-29 00:04:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-06-29 00:04:29 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-28 23:59:26 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-06-29 00:16:09 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-06-29 00:16:09 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-28 12:59:18 12,096 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1860259087-2502559841-2233965258-1000_UserData.bin
+ 2008-06-29 00:04:44 12,256 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1860259087-2502559841-2233965258-1000_UserData.bin
- 2008-06-28 12:59:18 90,952 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-29 00:04:44 91,270 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 03:51 316784 --a------ c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 12:27 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 21:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 21:33 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 17:42 53341]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-18 21:36 2153472 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 05:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 06:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 01:59 118784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 14:36 178712]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 13:22 184320]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 00:56 54936]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 14:24 54840]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-01-10 19:57 92704]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-01-10 19:57 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-01-10 19:57 88608]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]
"SPIRunE"="SPIRunE.dll" [2007-05-09 01:07 18432 C:\Windows\System32\SpiRunE.dll]
"WD Button Manager"="WDBtnMgr.exe" [2008-03-15 10:40 364544 C:\Windows\System32\WDBtnMgr.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{34E70BB4-CF18-4CAA-A5E0-0AE71DFB5985}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{A4E37B33-5749-4840-A4B4-F7CD43D3D906}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0E54B1B3-7C5A-4584-B559-A02DF1754926}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3996FC39-5477-43AD-B353-D7CBFFFF9F10}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A74551F6-29E5-4FAA-B680-B7D960F8D71C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8C0D2566-F62C-40D7-8D94-94808AEE796B}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2A4CF8E1-4C6F-4D55-8955-C70FB95EBA4D}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6CD8133B-7AB7-4655-962A-0B9C590DFC7E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{74DF1286-AC99-4220-93AA-F4480D8A7C18}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6EAA2122-FB04-4058-8C8B-2EE7B3CE9A52}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9A7A617B-4834-4B86-8F71-89B6349AB2DE}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0549CEE8-C8EB-4897-9FE8-4DB24D58EB15}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C9B56A98-4999-4FB3-AAAD-4B6DE5BE74F0}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{006565F0-A17A-4792-87DB-CEED359B5DC9}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{CDC41110-B4D1-4E96-A19D-64F3E9E353BB}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8D98BF12-084D-4B33-905F-03C5EB7C1F36}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{B2E89A8E-9A71-434E-AD90-91EE1CF5221B}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{E3D5209C-E6D8-434B-9D7A-72633DDE450B}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{E1A6576E-71DF-49BB-A47D-666D18159357}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{02E11070-FC24-4A4D-B32B-E24BA78440B9}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6A1D3C5C-B17A-452A-A394-B9F9751AFE22}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{A37A2D00-CF05-4A81-A23D-1CDE354B9AB5}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C237B5F9-0C46-4AD4-861A-6A2197D6F1C2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C1D8980A-1EE4-4C33-BD9C-4424D7AD821E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080623.001\IDSvix86.sys [2008-02-14 03:22]
R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2007-11-26 09:22]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
R3 t3;Sound Blaster X-Fi Xtreme Audio (Vista);C:\Windows\system32\drivers\t3.sys [2008-01-29 03:03]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\Windows\system32\DRIVERS\xcbda.sys [2007-09-07 04:36]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2007-07-23 13:33]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 []
S3 NetFlixDownloadManager;VMC NetFlix Download Manager;"C:\Program Files\Luttmann\vmcNetFlix\NetFlixDownloadManager.exe" [2008-06-17 07:16]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-18 19:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4707fda9-dc7d-11dc-aaf2-001e8c6d8cdb}]
\shell\AutoRun\command - wd_windows_tools\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 08:10:19 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Michael.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-06-29 00:02:33 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-26 13:08:37 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 14:16:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-28 14:17:12
ComboFix-quarantined-files.txt 2008-06-29 00:16:59
ComboFix2.txt 2008-06-27 00:16:54

Pre-Run: 23,615,549,440 bytes free
Post-Run: 23,641,735,168 bytes free

252 --- E O F --- 2008-06-26 04:42:20
Attached Files
File Type: txt ComboFix.txt (19.2 KB, 1 views)

Last edited by Ried : 06-28-2008 at 07:13 PM.
beaverboy56 is offline  
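A ComboFix log like the one posted above is long, and the two sections a helper reads first are the "Files Created" list (new drivers, DLLs and hidden files in the last month) and the "Reg Loading Points" block (autostarts, firewall profile state, Security Center switches). The script below is an added illustration, not part of this thread and not ComboFix's own code: it splits a log on the `((( ... )))` banners, parses those two sections into records, and reports posture settings a helper would normally ask about (a profile with `EnableFirewall` set to 0, Security Center alerts switched off, an AutoRun handler under MountPoints2). The sample input is a constructed excerpt assembled from lines in the posted log; the section titles and key names are ComboFix's, the function and class names are mine.

```python
"""Triage helper for ComboFix logs: an added example, not part of the thread
and not ComboFix's own code.  It reads the 'Files Created' and 'Reg Loading
Points' sections and reports posture settings a helper would ask about."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-28 14:01 . 2008-06-28 14:02 368,219,504 --a------ C:\Windows\MEMORY.DMP
2008-06-27 20:59 . 2008-06-19 17:48 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-23 01:11 . 2008-06-23 01:11 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-24 21:36 . 2008-06-24 21:36 <DIR> d-------- C:\Program Files\Netflix
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4707fda9-dc7d-11dc-aaf2-001e8c6d8cdb}]
\shell\AutoRun\command - wd_windows_tools\setup.exe
"""

# "created . modified size attributes path" as printed in the Files Created section
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
SECTION_BANNER = re.compile(r"^\(+ (?P<title>.+?) \)+$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under the '((( title )))' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in text.splitlines():
        banner = SECTION_BANNER.match(line.strip())
        if banner:
            current = banner.group("title")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_files(lines: List[str]) -> List[FileEntry]:
    """Turn Files Created lines into records; '.' and blank lines are skipped."""
    entries = []
    for line in lines:
        m = FILE_LINE.match(line.rstrip())
        if not m:
            continue
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        entries.append(FileEntry(m.group("created"), m.group("modified"), size,
                                 m.group("attrs"), m.group("path")))
    return entries


def _decode_value(raw: str):
    """dword:00000001 -> 1, '0 (0x0)' -> 0, anything else stays a string."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+) \(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else raw


def parse_registry(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Parse the REGEDIT4-style Reg Loading Points block into {key: {name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in lines:
        line = line.rstrip()
        km = REG_KEY.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        vm = REG_VALUE.match(line)
        if vm:
            keys[current][vm.group("name")] = _decode_value(vm.group("raw"))
        elif line.startswith("\\"):
            # MountPoints2 handlers are printed as "\shell\AutoRun\command - <target>"
            subkey, _, target = line.partition(" - ")
            keys[current][subkey] = target
    return keys


def posture_findings(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Settings worth a question: they are prompts, not verdicts (see note below)."""
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "firewallpolicy" in lowered and values.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall disabled for {leaf}")
        if lowered.endswith("security center"):
            for name, val in values.items():
                if name.endswith("DisableNotify") and val == 1:
                    findings.append(f"Security Center alert suppressed: {name}")
        if "mountpoints2" in lowered:
            for subkey, target in values.items():
                if "autorun" in subkey.lower():
                    findings.append(f"AutoRun handler on volume {leaf}: {target}")
    return findings


def triage(text: str) -> dict:
    """Parse a whole ComboFix log and return files, registry keys and findings."""
    sections = split_sections(text)
    file_lines = next((v for k, v in sections.items() if k.startswith("Files Created")), [])
    keys = parse_registry(sections.get("Reg Loading Points", []))
    return {"files": parse_files(file_lines), "registry": keys,
            "findings": posture_findings(keys)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["files"]:
        print(f"{entry.created}  {'<DIR>' if entry.is_dir else entry.size:>12}  {entry.path}")
    for finding in result["findings"]:
        print("finding:", finding)
```

The findings are prompts for the next question, not verdicts: a third-party suite such as the Norton install visible in this log legitimately takes over the Windows Firewall profiles and registers its own Security Center monitoring, and the MountPoints2 entry is an AutoRun handler tied to a removable volume, which is routine for drive utilities. What the parser buys a helper is a quick, repeatable read of the same few settings on every log instead of scrolling for them.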
06-28-2008, 07:18 PM   #27
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047
OS: WinXP and Vista


Re: Proud Owner of a Vundo? Windows stops running.

Quote:
It crashed my computer the first time, after restart ran again and it ran fine
I really wanted to see that file. Press the Windows logo key and the letter R to launch the Run command.

Copy/paste the following into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

That report should pop up for you. Kindly copy/paste the contents in your next reply.

How is the system behaving now? Any improvement?
Ried is offline
06-28-2008, 07:28 PM   #28
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

2008-06-28 14:16 108 --a------ C:\Qoobox\Quarantine\catchme.log



That's all that was there.
beaverboy56 is offline  
06-28-2008, 07:29 PM   #29
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

Everything seems fine (maybe a little sluggish), but I'm still having problems with browsing: the pages hang for about 5-10 seconds when I try to navigate.
beaverboy56 is offline  
06-28-2008, 07:42 PM   #30
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047
OS: WinXP and Vista


Re: Proud Owner of a Vundo? Windows stops running.

I'm seeing that a report was created

Quote:
ComboFix-quarantined-files.txt 2008-06-29 00:16:59
Would you mind looking for that manually?

Press Windows Logo key and the letter E to launch Windows Explorer.

Double-click the C: drive and you'll find the Qoobox folder.

Do you see a ComboFix-quarantined-files.txt in that folder?


------------------------------

No other tools we've run are revealing any malware. Is Windows Defender still finding Vundo?
Ried is offline
06-28-2008, 07:59 PM   #31
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

No, Defender is not finding anything. Here is the body of that document:

2008-06-28 14:16 108 --a------ C:\Qoobox\Quarantine\catchme.log


That's all. I have a quad-core PC with 3 GB RAM; it just shouldn't be running sluggish.
beaverboy56 is offline  
06-28-2008, 08:15 PM   #32
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047
OS: WinXP and Vista


Re: Proud Owner of a Vundo? Windows stops running.

We'll take a look with another tool.

Please download KZTechssuite. Click the Local Download 2 button.

1. Extract it to Desktop & double click SREngPS.exe to run it

2. Look toward the bottom and tick "Verify Digital Signatures".

3. Select 'Smart Scan' &

4. Click on the [Scan] button

5. When finished, click on the [Save Reports] button & save the log to Desktop

6. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
Ried is offline
06-28-2008, 08:29 PM   #33
Registered User
 
Join Date: Jun 2008
Posts: 32
OS: Vista Home Premium 32bit


Re: Proud Owner of a Vundo? Windows stops running.

OK... attached is the log.
Attached Files
File Type: txt SREngLOG.txt (107.1 KB, 1 views)
beaverboy56 is offline  
06-28-2008, 09:04 PM   #34
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,047