Old 07-14-2008, 02:53 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 5
OS: XP Service Pack 2


Suspected Vundo Virus

A few days ago I ran an exe I'd downloaded and think I've landed myself with vundo. I'd scanned the file with AVG but it came up clean. Ditched AVG for BitDefender when I noticed I had problems:

FF and IE both refuse to load Google results pages, also sites like facebook/myspace/yahoo/hotmail etc. never load. Have the odd pop-up too. PC runs at a snail's pace, seems to be due mainly to the lsass.exe process eating 50-99% of my CPU.

BitDefender found the infected files but couldn't move/delete/heal a couple of them.

DSS log is below, thanks in advance for any help.


Deckard's System Scanner v20071014.68
Run by Dave on 2008-07-14 16:30:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
28: 2008-07-14 15:34:43 UTC - RP948 - Deckard's System Scanner Restore Point
27: 2008-07-14 13:32:16 UTC - RP947 - Windows Update V4
26: 2008-07-13 15:26:49 UTC - RP946 - Avira AntiVir Personal - 13/07/2008 16:22
25: 2008-07-12 16:40:24 UTC - RP945 - Installed BitDefender Free Edition v10
24: 2008-07-12 16:02:55 UTC - RP944 - Last known good configuration


-- First Restore Point --
1: 2008-07-12 16:02:34 UTC - RP921 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).
System Drive C: has 1.43 GiB (less than 15%) free.


-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:44:44, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Apache2\bin\Apache.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dave.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {3785A31A-8624-470D-A5AF-2028A270FB5A} - C:\WINDOWS\system32\mlJApMcB.dll (file missing)
O2 - BHO: {79d91f6d-1252-6ba8-bf54-4c807dc45634} - {43654cd7-08c4-45fb-8ab6-2521d6f19d97} - C:\WINDOWS\system32\rqykhj.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {D5C4454E-D035-48EC-87B9-B113D3EF8CA0} - C:\WINDOWS\system32\rqRKBSLd.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a04c589b] rundll32.exe "C:\WINDOWS\system32\rurkvboq.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BMa37f6b07] Rundll32.exe "C:\WINDOWS\system32\oqdebjri.dll",s
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5030/CTPID.cab
O20 - Winlogon Notify: qoMcbAsQ - C:\WINDOWS\SYSTEM32\qoMcbAsQ.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache2\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySql (MySQL) - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 11813 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080713-182916-289 O2 - BHO: (no name) - {788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll
backup-20080713-182932-507 O20 - Winlogon Notify: qoMcbAsQ - C:\WINDOWS\SYSTEM32\qoMcbAsQ.dll
backup-20080713-183904-517 O2 - BHO: (no name) - {3785A31A-8624-470D-A5AF-2028A270FB5A} - C:\WINDOWS\system32\mlJApMcB.dll (file missing)
backup-20080713-183904-619 O20 - Winlogon Notify: qoMcbAsQ - C:\WINDOWS\SYSTEM32\qoMcbAsQ.dll
backup-20080713-183904-810 O2 - BHO: (no name) - {31CD5253-98CB-4B4F-A98A-3066911F55F2} - C:\WINDOWS\system32\urqPgdcd.dll (file missing)
backup-20080713-183904-924 O2 - BHO: (no name) - {788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PLFF (USB Flash Disk Driver) - c:\windows\system32\drivers\plff.sys <Not Verified; Prolific Technology Inc.; Prolific Flash Disk>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 ISODrive (ISO CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StyleXPHelper - c:\program files\tgtsoft\stylexp\stylexphelper.exe <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 vcdrom (Virtual CD-ROM Device Driver) - c:\windows\system32\drivers\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>

S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 C-Dilla - c:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 PEEK5 (PEEK5 Protocol Driver) - c:\docume~1\dave\desktop\aircra~1.9-w\bin\peek5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apache2 - "c:\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 C-DillaSrv - c:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
R2 MySQL - c:/mysql/bin/mysqld-nt.exe
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
R2 StyleXPService - "c:\program files\tgtsoft\stylexp\stylexpservice.exe" <Not Verified; ; StyleXPService Module>

S4 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_01A41028&REV_03\4&2FA23535&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_01A41028&REV_03\4&2FA23535&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-07-14 02:27:01 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-10 17:51:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 14:28:41 0 d-------- C:\WUTemp
2008-07-14 01:43:34 0 d-------- C:\Program Files\Panda Security
2008-07-14 00:42:10 78848 --a------ C:\WINDOWS\system32\rurkvboq.dll
2008-07-13 23:33:36 103424 --a------ C:\WINDOWS\system32\rqykhj.dll
2008-07-13 23:33:33 103424 --a------ C:\WINDOWS\system32\qlkcovhp.dll
2008-07-13 23:30:33 91648 --a------ C:\WINDOWS\system32\oqdebjri.dll
2008-07-13 23:27:32 639810 --ahs---- C:\WINDOWS\system32\dLSBKRqr.ini2
2008-07-13 23:27:14 320000 --a------ C:\WINDOWS\system32\rqRKBSLd.dll
2008-07-13 17:58:33 0 d-------- C:\Program Files\Trend Micro
2008-07-13 16:29:04 0 d-------- C:\Program Files\Avira
2008-07-13 16:29:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-13 12:03:14 0 d-------- C:\Program Files\Enigma Software Group
2008-07-12 17:02:24 594179 --ahs---- C:\WINDOWS\system32\BcMpAJlm.ini2
2008-07-12 15:38:20 0 d-------- C:\Program Files\GiPo@Utilities
2008-07-12 15:38:20 0 d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-07-12 11:53:39 0 d-------- C:\Documents and Settings\Dave\Application Data\Bitdefender
2008-07-12 01:17:27 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-12 01:11:48 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-12 00:44:47 0 d-------- C:\Program Files\Belkin
2008-07-11 22:58:25 0 d-------- C:\Documents and Settings\Dave\Application Data\MailFrontier
2008-07-11 22:34:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-11 22:28:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-07-11 22:28:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-11 22:28:42 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-11 22:09:22 1379872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 21:57:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-11 21:54:28 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-11 21:53:34 0 d-------- C:\WINDOWS\Internet Logs
2008-07-11 21:10:27 0 d-------- C:\Program Files\shcc4cj0ep5g
2008-07-11 21:07:27 0 d-------- C:\Documents and Settings\Dave\.housecall6.6
2008-07-11 20:58:51 584302 --ahs---- C:\WINDOWS\system32\HQBLlnpo.ini2
2008-07-11 20:36:31 0 d-------- C:\Program Files\Belkin(2)
2008-07-11 19:58:00 0 d-------- C:\Documents and Settings\Dave\Application Data\Uniblue
2008-07-11 19:57:33 0 d-------- C:\Program Files\Uniblue
2008-07-11 17:48:40 0 d-------- C:\Program Files\Windows Defender
2008-07-11 12:15:12 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia
2008-07-10 14:51:43 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-10 14:51:23 601117 --ahs---- C:\WINDOWS\system32\dcdgPqru.ini2
2008-07-10 14:45:53 26112 --a------ C:\WINDOWS\system32\qoMcbAsQ.dll
2008-06-21 1400 0 d-------- C:\Documents and Settings\Dave\Application Data\Gencontrol
2008-06-20 13:07:36 0 d-------- C:\Program Files\America's Army Server Manager
2008-06-17 11:07:38 0 d-------- C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
2008-06-16 11:46:40 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP


-- Find3M Report ---------------------------------------------------------------

2008-07-14 14:07:06 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-12 16:11:43 0 d-------- C:\Documents and Settings\Dave\Application Data\Mozilla
2008-07-12 15:38:20 0 d-------- C:\Program Files\Common Files
2008-07-12 02:05:29 0 d-------- C:\Program Files\CureROM
2008-07-12 00:44:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-11 20:55:49 0 d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2008-06-20 12:26:20 0 d-------- C:\Program Files\Sierra
2008-06-17 11:15:21 0 d-------- C:\Program Files\Terragen
2008-06-12 17:36:50 0 d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-12 17:36:31 0 d-------- C:\Documents and Settings\Dave\Application Data\STOIK
2008-06-12 17:35:28 0 d-------- C:\Program Files\STOIK Imaging
2008-05-30 09:31:15 0 d-------- C:\Program Files\Rockstar Games
2008-05-24 15:26:36 0 d-------- C:\Documents and Settings\Dave\Application Data\Real
2008-05-24 14:58:40 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-24 14:58:30 0 d-------- C:\Program Files\Common Files\Real
2008-05-24 14:56:59 0 d-------- C:\Program Files\Real
2008-05-06 13:28:58 45176 --a----c- C:\Documents and Settings\Dave\Application Data\GDIPFONTCACHEV1.DAT
2008-04-25 19:52:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3785A31A-8624-470D-A5AF-2028A270FB5A}]
C:\WINDOWS\system32\mlJApMcB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43654cd7-08c4-45fb-8ab6-2521d6f19d97}]
13/07/2008 23:33 103424 --a------ C:\WINDOWS\system32\rqykhj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{788629AF-89BB-40CC-825C-44170578E2CC}]
10/07/2008 14:45 26112 --a------ C:\WINDOWS\system32\qoMcbAsQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5C4454E-D035-48EC-87B9-B113D3EF8CA0}]
13/07/2008 23:27 320000 --a------ C:\WINDOWS\system32\rqRKBSLd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [13/05/2004 16:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [14/05/2004 06:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [09/12/2004 19:58]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 09:09]
"Prolific_PLUtil"="C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe" [18/02/2004 18:26]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [05/08/2003 10:43]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [28/06/2006 18:01]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/07/2008 09:05]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [02/04/2007 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [26/03/2007 15:49]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [19/06/2008 16:48]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04/08/2004 11:00]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/02/2008 10:06]
"a04c589b"="C:\WINDOWS\system32\rurkvboq.dll" [14/07/2008 00:42]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/10/2005 14:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [14/10/2005 14:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [14/10/2005 14:50]
"BMa37f6b07"="C:\WINDOWS\system32\oqdebjri.dll" [13/07/2008 23:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [30/11/2005 20:31]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 11:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [28/06/2005 21:41:21]
Monitor Apache Servers.lnk - C:\Apache2\bin\ApacheMonitor.exe [10/02/2005 06:12:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{788629AF-89BB-40CC-825C-44170578E2CC}"= C:\WINDOWS\system32\qoMcbAsQ.dll [10/07/2008 14:45 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMcbAsQ]
qoMcbAsQ.dll 10/07/2008 14:45 26112 C:\WINDOWS\system32\qoMcbAsQ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKBSLd


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a04c589b]
rundll32.exe "C:\WINDOWS\system32\duqtnphw.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlarmWiz]
C:\Program Files\AlarmWiz\alarmwiz.exe startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMa37f6b07]
Rundll32.exe "C:\WINDOWS\system32\hhxkraex.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
"C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
"C:\Program Files\Creative\Shared Files\CTSched.exe" /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
C:\Program Files\TGTSoft\StyleXP\Skins\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\program files\n-case\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
C:\Program Files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tunebite]
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"bgsvcgen"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Setup.exe

*Newly Created Service* - PAVBOOT



-- End of Deckard's System Scanner: finished at 2008-07-14 16:51:24 ------------
Attached Files
File Type: txt DSS_extra.txt (40.0 KB, 0 views)
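Added example, not part of the thread or of any tool mentioned in it: a Python triage script run over a constructed subset of the DSS/HijackThis lines posted above. It records which persistence points (no-name BHO, rundll32 Run entries, Winlogon Notify, ShellExecuteHooks, LSA Authentication Packages) each DLL occupies and pairs the hidden .ini2 files with the DLLs whose names they spell backwards; the point labels, the section handling and the ranking are my own assumptions, not HijackThis output.

```python
import re
from collections import defaultdict

# Constructed subset of the log posted in the thread. Registry-dump headers are kept
# because they scope the entries that follow them, as in the real DSS output.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3785A31A-8624-470D-A5AF-2028A270FB5A} - C:\WINDOWS\system32\mlJApMcB.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll
O2 - BHO: (no name) - {D5C4454E-D035-48EC-87B9-B113D3EF8CA0} - C:\WINDOWS\system32\rqRKBSLd.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [a04c589b] rundll32.exe "C:\WINDOWS\system32\rurkvboq.dll",b
O4 - HKLM\..\Run: [BMa37f6b07] Rundll32.exe "C:\WINDOWS\system32\oqdebjri.dll",s
O20 - Winlogon Notify: qoMcbAsQ - C:\WINDOWS\SYSTEM32\qoMcbAsQ.dll
backup-20080713-183904-810 O2 - BHO: (no name) - {31CD5253-98CB-4B4F-A98A-3066911F55F2} - C:\WINDOWS\system32\urqPgdcd.dll (file missing)
2008-07-13 23:27:32 639810 --ahs---- C:\WINDOWS\system32\dLSBKRqr.ini2
2008-07-13 23:27:14 320000 --a------ C:\WINDOWS\system32\rqRKBSLd.dll
2008-07-12 17:02:24 594179 --ahs---- C:\WINDOWS\system32\BcMpAJlm.ini2
2008-07-11 20:58:51 584302 --ahs---- C:\WINDOWS\system32\HQBLlnpo.ini2
2008-07-10 14:51:23 601117 --ahs---- C:\WINDOWS\system32\dcdgPqru.ini2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{788629AF-89BB-40CC-825C-44170578E2CC}"= C:\WINDOWS\system32\qoMcbAsQ.dll [10/07/2008 14:45 26112]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKBSLd
"""

# Captures the file stem of any Windows path ending in .dll (paths may contain spaces).
DLL_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*?\\([^\\"\[\]\s]+)\.dll\b', re.I)
INI2_RE = re.compile(r'\\([^\\\s]+)\.ini2\b')
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')


def parse_log(text):
    """Single pass over the log. Returns (persistence, dll_stems, ini2_stems):
    persistence maps a lower-cased DLL stem to the set of persistence points it occupies;
    dll_stems / ini2_stems are every .dll and .ini2 stem mentioned anywhere (case kept)."""
    persistence = defaultdict(set)
    dll_stems, ini2_stems = set(), set()
    section = ""  # current [HKEY_...] header in the registry-dump part of the log
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY_"):
            section = line.lower()
            continue
        dll_stems.update(DLL_RE.findall(line))
        ini2_stems.update(INI2_RE.findall(line))
        lsa = LSA_RE.match(line)
        if lsa:
            # Anything beyond the default msv1_0 package is loaded into lsass.exe at boot.
            for token in lsa.group(1).split():
                if token.lower() != "msv1_0":
                    persistence[token.rsplit("\\", 1)[-1].lower()].add("LSA Authentication Packages")
            continue
        point = None
        if line.startswith("O2 - BHO: (no name)"):
            point = "BHO (no name)"
        elif line.startswith("O4 - ") and "rundll32" in line.lower():
            point = "Run key via rundll32"
        elif line.startswith("O20 - Winlogon Notify:"):
            point = "Winlogon Notify"
        elif section.endswith("shellexecutehooks]"):
            point = "ShellExecuteHooks"
        if point:
            for stem in DLL_RE.findall(line):
                persistence[stem.lower()].add(point)
    return persistence, dll_stems, ini2_stems


def triage(persistence):
    """Rank DLLs by how many flagged persistence points they occupy (most first)."""
    ranked = sorted(persistence.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(stem, sorted(points)) for stem, points in ranked]


def reversed_ini2_pairs(dll_stems, ini2_stems):
    """Pairing visible in the posted log: the hidden .ini2 file is the DLL name spelled
    backwards (dLSBKRqr.ini2 <-> rqRKBSLd.dll). Returns (matched pairs, unmatched .ini2)."""
    pairs, unmatched = [], []
    for ini in sorted(ini2_stems):
        rev = ini[::-1]
        if rev in dll_stems:
            pairs.append((ini + ".ini2", rev + ".dll"))
        else:
            unmatched.append(ini + ".ini2")
    return pairs, unmatched


if __name__ == "__main__":
    persistence, dlls, inis = parse_log(SAMPLE_LOG)
    for stem, points in triage(persistence):
        print(f"{stem:10s} {len(points)} point(s): {', '.join(points)}")
    pairs, unmatched = reversed_ini2_pairs(dlls, inis)
    print("reversed-name pairs:", pairs)
    print("ini2 without a matching DLL:", unmatched)
```

A DLL registered under LSA Authentication Packages is loaded by lsass.exe, which fits the lsass.exe CPU symptom reported in the post. The ranking is a triage aid for the analyst reading the log, not an automatic verdict.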
Old 07-16-2008, 02:24 PM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 21,378
OS: Win XP Pro SP3

Re: Suspected Vundo Virus

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.



Combofix
We'll begin with ComboFix. Please visit this webpage for download links and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that ComboFix is saved directly to your desktop**

Please ensure you read this guide carefully and install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. A quick guide is detailed below.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.

Once you've downloaded the appropriate RC setup package for your system to the desktop, follow these instructions:
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the log C:\ComboFix.txt along with a fresh HijackThis log for further review.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs
Old 07-17-2008, 03:10 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 5
OS: XP Service Pack 2


Re: Suspected Vundo Virus

Hi Iain, thanks for the reply and the welcome. ComboFix and HijackThis logs are below. I had a couple of .dll errors while running ComboFix and when it rebooted my machine; other than that it seemed to run OK.

________________________
ComboFix
________________________

ComboFix 08-07-14.2 - Dave 2008-07-17 9:22:13.1 - NTFSx86
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\shcc4cj0ep5g
C:\WINDOWS\BMa37f6b07.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BcMpAJlm.ini
C:\WINDOWS\system32\BcMpAJlm.ini2
C:\WINDOWS\system32\dcdgPqru.ini
C:\WINDOWS\system32\dcdgPqru.ini2
C:\WINDOWS\system32\dLSBKRqr.ini
C:\WINDOWS\system32\dLSBKRqr.ini2
C:\WINDOWS\system32\HQBLlnpo.ini2
C:\WINDOWS\system32\jnltfo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkvefivd.dll
C:\WINDOWS\system32\qlkcovhp.dll
C:\WINDOWS\system32\qobvkrur.ini
C:\WINDOWS\system32\rqykhj.dll
C:\WINDOWS\system32\vbzlib1.dll
C:\WINDOWS\system32\whpntqud.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-15 01:39 . 2008-07-15 01:40 <DIR> d-------- C:\Program Files\Kontiki
2008-07-15 01:39 . 2008-07-15 01:39 <DIR> d-------- C:\logs3
2008-07-15 01:39 . 2008-07-16 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-14 22:05 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-14 20:51 . 2008-07-14 20:51 <DIR> d-------- C:\VundoFix Backups
2008-07-14 16:30 . 2008-07-14 16:30 <DIR> d-------- C:\Deckard
2008-07-14 15:33 . 2005-10-14 14:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-14 14:28 . 2008-07-14 14:43 <DIR> d-------- C:\WUTemp
2008-07-14 01:44 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-14 01:43 . 2008-07-14 01:43 <DIR> d-------- C:\Program Files\Panda Security
2008-07-14 00:42 . 2008-07-14 00:42 78,848 --a------ C:\WINDOWS\system32\rurkvboq.VIR000
2008-07-13 23:30 . 2008-07-13 23:30 91,648 --a------ C:\WINDOWS\system32\oqdebjri.VIR000
2008-07-13 23:27 . 2008-07-13 23:27 320,000 --a------ C:\WINDOWS\system32\rqRKBSLd.VIR
2008-07-13 17:58 . 2008-07-13 17:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 16:29 . 2008-07-13 16:29 <DIR> d-------- C:\Program Files\Avira
2008-07-13 16:29 . 2008-07-13 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-13 12:03 . 2008-07-13 12:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-12 17:36 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-12 17:28 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-07-12 15:38 . 2008-07-12 15:38 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-07-12 15:38 . 2008-07-12 15:38 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-07-12 15:36 . 2006-01-26 20:19 73,728 --a------ C:\WINDOWS\system32\TBD19.tmp
2008-07-12 15:34 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\TBD17.tmp
2008-07-12 15:33 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\TBD15.tmp
2008-07-12 15:33 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\TBD16.tmp
2008-07-12 15:33 . 2006-08-22 16:08 77,824 --a------ C:\WINDOWS\system32\TBD14.tmp
2008-07-12 11:53 . 2008-07-12 11:53 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Bitdefender
2008-07-12 01:17 . 2008-07-17 10:35 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-12 01:11 . 2008-07-12 01:11 <DIR> d-------- C:\Program Files\Softwin
2008-07-12 01:11 . 2008-07-12 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-12 01:09 . 2008-07-12 17:44 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-07-12 00:44 . 2008-07-12 00:44 <DIR> d-------- C:\Program Files\Belkin
2008-07-11 22:58 . 2008-07-12 00:43 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\MailFrontier
2008-07-11 22:28 . 2005-06-28 21:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-11 22:28 . 2008-07-12 00:44 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-11 22:09 . 2008-07-17 10:21 1,596,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 22:09 . 2008-07-17 10:21 9,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-11 21:57 . 2008-07-14 15:02 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-11 21:54 . 2008-07-12 17:36 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-11 21:54 . 2008-07-11 21:54 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-11 21:54 . 2008-07-17 10:25 352,807 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-07-11 21:53 . 2008-07-17 10:36 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-11 21:07 . 2008-07-12 00:44 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2008-07-11 20:36 . 2008-07-12 00:44 <DIR> d-------- C:\Program Files\Belkin(2)
2008-07-11 19:58 . 2008-07-11 19:58 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Uniblue
2008-07-11 19:57 . 2008-07-13 22:53 <DIR> d-------- C:\Program Files\Uniblue
2008-07-11 17:48 . 2008-07-12 00:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-10 14:53 . 2008-07-15 23:31 110,415 --a------ C:\WINDOWS\BMa37f6b07.xml
2008-07-10 14:45 . 2008-07-10 14:45 26,112 --a------ C:\WINDOWS\system32\qoMcbAsQ.VIR
2008-06-21 14:06 . 2008-06-21 14:06 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Gencontrol
2008-06-20 13:07 . 2008-06-20 13:07 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-06-17 11:07 . 2008-06-17 11:07 <DIR> d-------- C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 21:10 --------- d-----w C:\Program Files\Java
2008-07-12 18:41 1,786,880 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-07-12 18:13 98,304 ----a-w C:\WINDOWS\DUMPfee2.tmp
2008-07-12 18:11 1,786,368 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-07-12 18:03 98,304 ----a-w C:\WINDOWS\DUMPf7ec.tmp
2008-07-12 01:05 --------- d-----w C:\Program Files\CureROM
2008-07-11 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 22:27 98,304 ----a-w C:\WINDOWS\DUMP0809.tmp
2008-07-11 22:05 1,823,744 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-11 21:58 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-11 21:58 1,826,816 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-11 19:55 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2008-07-11 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-06-20 11:26 --------- d-----w C:\Program Files\Sierra
2008-06-17 10:15 --------- d-----w C:\Program Files\Terragen
2008-06-16 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-06-12 16:36 --------- d-----w C:\Program Files\Common Files\DeskShare Shared
2008-06-12 16:36 --------- d-----w C:\Documents and Settings\Dave\Application Data\STOIK
2008-06-12 16:35 --------- d-----w C:\Program Files\STOIK Imaging
2008-05-30 08:31 --------- d-----w C:\Program Files\Rockstar Games
2008-05-24 13:58 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-24 13:58 --------- d-----w C:\Program Files\Common Files\Real
2008-05-24 13:56 --------- d-----w C:\Program Files\Real
2008-05-06 12:28 45,176 -c--a-w C:\Documents and Settings\Dave\Application Data\GDIPFONTCACHEV1.DAT
2008-04-25 18:52 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-02 17:03 6,656 --sha-w C:\Program Files\Thumbs.db
2007-03-03 06:13 706 ----a-w C:\Program Files\INSTALL.LOG
2003-12-18 11:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-12-04 23:37 729,088 -c--a-r C:\Documents and Settings\Dave\ccrunch.exe
2003-12-04 23:37 192,566 -c--a-r C:\Documents and Settings\Dave\makevbm.exe
2003-12-04 23:37 1,712,197 -c--a-r C:\Documents and Settings\Dave\mvfreduce.exe
2003-09-03 07:46 10,960 ----a-w C:\Program Files\EULA.txt
2003-02-11 09:03 4,316 ----a-w C:\Program Files\Read me First!!!.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-30 20:31 1355776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 16:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 06:35 536576]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 19:58 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:09 579584]
"Prolific_PLUtil"="C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe" [2004-02-18 18:26 90112]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [2003-08-05 10:43 45056]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-06-28 18:01 32768]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:09 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 11:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-28 21:41:21 24576]
Monitor Apache Servers.lnk - C:\Apache2\bin\ApacheMonitor.exe [2005-02-10 06:12:16 41042]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
--------- 2006-06-09 01:11 24576 C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
--------- 2006-05-31 16:00 143360 C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
--------- 2006-01-09 03:43 53340 C:\Program Files\Creative\Shared Files\CTSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-09-14 21:09 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 17:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 07:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-01-27 07:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 22:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
--a------ 2004-04-02 01:56 56325 C:\Program Files\TGTSoft\StyleXP\Skins\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
--a------ 2007-04-15 07:31 1291264 C:\Program Files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-05-24 14:57 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 06:38 1271032 c:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
--a------ 2006-02-25 21:09 2637824 C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"bgsvcgen"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Games\\Red Faction\\RedFaction.exe"=
"C:\\Games\\Red Faction\\rf.exe"=
"C:\\Games\\Red Faction\\LazyBan2.exe"=
"C:\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\rfgrimreaper\\half-life\\hl.exe"=
"C:\\Program Files\\LeapFTP\\LeapFTP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\3dsmax4\\3dsmax.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Games\\Red Faction\\LazyBan130.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\rfgrimreaper\\counter-strike\\hl.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"J:\\CCP\\EVE\\bin\\ExeFile.exe"=
"J:\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"J:\\ST legacy\\Legacy.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\rfgrimreaper\\half-life 2\\hl2.exe"=
"J:\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"J:\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"J:\\Activision\\EF2\\EF2.exe"=
"J:\\America's Army\\System\\ArmyOps.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PLFF;USB Flash Disk Driver;C:\WINDOWS\system32\Drivers\PLFF.sys [2003-10-06 11:29]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 12:45]
S3 DIGIRPS;Digi PortServer Driver;C:\WINDOWS\system32\DRIVERS\digirlpt.sys [2001-08-17 12:17]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Dave\Desktop\AIRCRA~1.9-W\bin\PEEK5.SYS []
S3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys [2006-06-29 06:58]
S3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys [2006-06-08 09:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 16:51:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 01:27:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{3785A31A-8624-470D-A5AF-2028A270FB5A} - C:\WINDOWS\system32\mlJApMcB.dll
BHO-{788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll
BHO-{D5C4454E-D035-48EC-87B9-B113D3EF8CA0} - C:\WINDOWS\system32\rqRKBSLd.dll
HKLM-Run-a04c589b - C:\WINDOWS\system32\rurkvboq.dll
HKLM-Run-BMa37f6b07 - C:\WINDOWS\system32\oqdebjri.dll
ShellExecuteHooks-{788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\qoMcbAsQ.dll
Notify-qoMcbAsQ - qoMcbAsQ.dll
MSConfigStartUp-a04c589b - C:\WINDOWS\system32\duqtnphw.dll
MSConfigStartUp-AlarmWiz - C:\Program Files\AlarmWiz\alarmwiz.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-BMa37f6b07 - C:\WINDOWS\system32\hhxkraex.dll
MSConfigStartUp-msbb - c:\program files\n-case\msbb.exe
MSConfigStartUp-Tunebite - C:\Program Files\RapidSolution\Tunebite\Tunebite.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 10:28:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Apache2\bin\Apache.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-07-17 10:48:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 09:48:12

Pre-Run: 1,097,101,312 bytes free
Post-Run: 1,052,409,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

334 --- E O F --- 2008-01-09 11:58:40

________________________
HijackThis
________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:34, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Apache2\bin\Apache.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5030/CTPID.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache2\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySql (MySQL) - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10100 bytes
Grim_Dave is offline  
Old 07-17-2008, 02:19 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
Join Date: Sep 2005
Location: Glasgow
Posts: 21,378
OS: Win XP Pro SP3

Re: Suspected Vundo Virus

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
  • Click the "Browse" button and browse to this file in RED:

    C:\WINDOWS\system32\bdod.bin

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.




Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
File::
C:\WINDOWS\system32\rurkvboq.VIR000
C:\WINDOWS\system32\oqdebjri.VIR000
C:\WINDOWS\system32\rqRKBSLd.VIR
C:\WINDOWS\system32\TBD19.tmp
C:\WINDOWS\system32\TBD17.tmp
C:\WINDOWS\system32\TBD15.tmp
C:\WINDOWS\system32\TBD16.tmp
C:\WINDOWS\system32\TBD14.tmp
C:\WINDOWS\BMa37f6b07.xml
C:\WINDOWS\system32\qoMcbAsQ.VIR
C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
C:\WINDOWS\DUMPfee2.tmp
C:\WINDOWS\DUMPf7ec.tmp
C:\WINDOWS\DUMP0809.tmp

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!




Online Scan

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


This animation will guide you through the process:


**Note**

To optimise scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence has been accepted, reset to 100%.


Please post back with the Kaspersky Log, C:\combofix.txt and a fresh HijackThis Log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs
Glaswegian is offline  
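As an added example (not code from the thread, the forum or HijackThis), here is a small parser for the O4/O9/O23 lines of a log like the one posted above; it splits each line into its fields and returns the entries a log reviewer checks first ("(no file)" references and services with no recorded vendor). The sample lines are constructed from the posted log; the field names and flag reasons are this example's own.

```python
import re

# Added example for this thread (not the forum's or HijackThis's own code): a
# small parser for the O4/O9/O23 lines of a HijackThis log that pulls out the
# fields a reviewer reads first. SAMPLE_LOG is constructed from lines quoted
# in the log posted above.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache2\bin\Apache.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

# Every HJT entry starts with a section code (O4, O9, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O4: <hive>\..\Run[Once]: [name] command (User 'account')   (user part optional)
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$")
# O9: Extra button / 'Tools' menuitem: label - {CLSID} - path
O9_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<label>.+?) - "
                   r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O23: Service: display name (short name) - vendor - path
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_line(line):
    """Return a dict for one HJT line, or None if it is not an O-line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"section": m.group("section"), "raw": line.strip()}
    sub = {"O4": O4_RE, "O9": O9_RE, "O23": O23_RE}.get(rec["section"])
    fields = sub.match(m.group("body")) if sub else None
    if fields:
        rec.update(fields.groupdict())
    return rec

def review_flags(log_text):
    """(raw line, reason) pairs that a log reviewer would look at first."""
    flags = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec.get("path") == "(no file)":
            flags.append((rec["raw"], "entry points at a file that no longer exists"))
        if rec.get("owner") == "Unknown owner":
            flags.append((rec["raw"], "no vendor name recorded for the service binary"))
    return flags
```

Entries flagged this way are only a starting point for review: the StyleXP and BitDefender services above are legitimate software that simply ships without a vendor string, which is why the thread asks for a VirusTotal result rather than deleting on sight.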
Old 07-22-2008, 02:30 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 5
OS: XP Service Pack 2