Firefox crahses and Vundo trojan? hijack this long

granto86 · 07-17-2007, 09:45 PM

For a while now, my firefox has crashed about every 10 minutes or so, and now my Trend Micro PC-cillin constantly gives me a popup that says I have a possible Vundo-1 in my C:\WINDOWS\System32\ddccc.dll file, My computer has also been running extremely sluggishly. Please help me, here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:25 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu572.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Grant Williams\Desktop\HiJackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.miami.edu
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8898 bytes

granto86 · 07-18-2007, 12:46 AM

After reading another post that had a similar problem to mine, ran a DDS report as well, so here is the main.txt with the extra.txt attached:

Deckard's System Scanner v20070711.54
Run by Grant Williams on 2007-07-18 at 01:31:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
25: 2007-07-18 06:32:00 UTC - RP25 - Deckard's System Scanner Restore Point
24: 2007-07-13 09:52:18 UTC - RP24 - System Checkpoint
23: 2007-07-12 08:42:48 UTC - RP23 - Software Distribution Service 3.0
22: 2007-07-10 04:05:49 UTC - RP22 - System Checkpoint
21: 2007-07-09 02:35:40 UTC - RP21 - System Checkpoint

-- First Restore Point --
1: 2007-06-08 01:36:00 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Grant Williams.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:25 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu572.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Grant Williams\Desktop\HiJackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.miami.edu
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8898 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 Tosrfcom - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
S2 DellBIOS - c:\windows\dellbios.sys (file missing)
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft(R) Windows NT(R) Operating System>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 RMSvc (Media Center Extender Resource Monitor) - c:\windows\ehome\rmsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

-- Scheduled Tasks -------------------------------------------------------------

2007-06-17 07:50:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-06-18 and 2007-07-18 -----------------------------

2007-07-17 16:49:58 6405 ---hs---- C:\WINDOWS\system32\cccdd.bak1
2007-07-17 16:49:05 31254 --a------ C:\WINDOWS\system32\awtrqpm.dll
2007-07-17 16:48:46 266336 --a------ C:\WINDOWS\system32\ddccc.dll
2007-07-17 16:48:42 0 d-------- C:\Program Files\WinPop
2007-07-17 16:48:40 0 d-------- C:\Program Files\InetGet2
2007-07-17 16:43:44 39424 --a------ C:\WINDOWS\retadpu572.exe
2007-07-17 16:43:42 376832 --a------ C:\WINDOWS\system32\WinNB58.dll <Not Verified; ; MBar IES AFF>
2007-07-17 16:43:31 31254 --a------ C:\WINDOWS\system32\xxyaywv.dll
2007-07-17 10:27:12 56320 --a------ C:\WINDOWS\b122.exe
2007-07-15 22:31:04 0 d-------- C:\Program Files\test
2007-07-14 15:23:39 0 d-------- C:\Program Files\AVI MPEG Video Converter
2007-07-04 01:30:10 0 d-------- C:\MrBigDicksHotChicks.Tiffany_Price
2007-07-04 01:27:49 0 d-------- C:\Documents and Settings\Grant Williams\Application Data\WinRAR

-- Find3M Report ---------------------------------------------------------------

2007-07-10 21:20:07 0 d-------- C:\Program Files\VideoLAN
2007-06-27 11:35:52 0 d-------- C:\Program Files\Messenger
2007-06-22 15:07:23 58520 --ah---c- C:\WINDOWS\system32\mlfcache.dat
2007-06-14 23:54:36 0 d-------- C:\Program Files\DivX
2007-06-13 13:53:49 0 d-------- C:\Program Files\iTunes
2007-06-13 13:53:39 0 d-------- C:\Program Files\iPod
2007-06-13 13:51:56 0 d-------- C:\Program Files\QuickTime
2007-06-07 20:36:22 8224 --a----c- C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-06-07 18:47:42 0 -rahs---- C:\MSDOS.SYS
2007-06-07 18:47:42 0 -rahs---- C:\IO.SYS
2007-06-07 18:40:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-06-07 18:37:33 34380 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 16:56:36 0 d-------- C:\Program Files\CONEXANT
2007-06-03 17:48:09 0 d-------- C:\Program Files\IrfanView
2007-05-30 22:26:55 0 d-------- C:\Program Files\DellConnect
2007-05-19 11:51:58 0 d-------- C:\Program Files\LimeWire

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53A06508-0234-42A8-A427-A2A975E7B90D} C:\WINDOWS\system32\ddccc.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
{CA6319C0-31B7-401E-A518-A07C3DB8F777} c:\Program Files\BAE\BAE.dll [x]
{DCD53738-C4F9-414A-A03C-C7405A4AC844} C:\WINDOWS\system32\xxyaywv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"ShowLOMControl"=dword:00000001
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"NapsterShell"="C:\\Program Files\\Napster\\napster.exe /systray"
"NWEReboot"=""
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"runner1"="C:\\WINDOWS\\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"WinPop"="C:\\Program Files\\WinPop\\winpop.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{DCD53738-C4F9-414A-A03C-C7405A4AC844}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyaywv

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
QWAVE REG_MULTI_SZ QWAVE\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe

-- End of Deckard's System Scanner: finished at 2007-07-18 at 01:41:02 ---------

granto86 · 07-18-2007, 01:19 AM

Here is the combofix log:

"Grant Williams" - 2007-07-18 1:56:30 - ComboFix 07-07-17.8 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\awtrqpm.dll
C:\WINDOWS\system32\awtrqpm.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\xxyaywv.dll
C:\WINDOWS\system32\xxyaywv.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\played_list.sol
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\inetget2
C:\Program Files\inetget2\popinstall.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))

2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-18 01:31 <DIR> d-------- C:\Deckard
2007-07-15 22:31 <DIR> d-------- C:\Program Files\test
2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter
2007-07-04 01:30 <DIR> d-------- C:\MrBigDicksHotChicks.Tiffany_Price
2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR
2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN
2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger
2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat
2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX
2007-06-13 18:53:49 -------- d-----w C:\Program Files\iTunes
2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod
2007-06-13 18:51:56 -------- d-----w C:\Program Files\QuickTime
2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS
2007-06-07 23:47:42 0 --sha-r C:\IO.SYS
2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT
2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView
2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect
2007-05-19 16:51:58 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys
2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"NWEReboot"="" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13]

C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE
Usnsvc usnsvc
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

Contents of the 'Scheduled Tasks' folder
2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 02:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 2:14:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13

--- E O F ---

Ried · 07-18-2007, 08:18 AM

Hello granto86 and welcome to TSF,

Good work so far.

Before we continue, as there isn't a new HijackThis log I'm going to have to play it safe here based on the initial log.

Run a scan with HijackThis and 'check' the following entries if they still exist:

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Click 'Fix Checked' and close HijackThis.

-----------------------------------------------------------------

Now please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
New HijackThis log

granto86 · 07-18-2007, 01:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:47:14 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.miami.edu
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

granto86 · 07-18-2007, 01:58 PM

Now my PC-Cillin keeps giving me warnings that I have a virus named TROJ DLOADER.OKL, anyway to fix this as well?

Ried · 07-18-2007, 08:14 PM

Hello granto86,

Run a scan with HijackThis and 'check' the following entry:

O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Clear Mozilla Firefox cookies:

Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear

--------------------------------------------------------------------

What is the location of the trojan? Other than that alert by your AV, how is the system behaving now?

granto86 · 07-18-2007, 08:50 PM

The computer is running quicker, but I still have a constant alert about the trojan, it says it is in C:\QooBox\Quarantine\C\WINDOWS\retadpus572.exe.vir,

Ried · 07-18-2007, 09:05 PM

Ah--no worries. That file is safely tucked away in the ComboFix quarantine. We'll take care of that now.

Using 'My Computer', navigate to and delete the following Folder

C:\ Qoobox

-----------------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders

===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Ensure Windows Auto Update is Enabled
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points and create a new restore point. Doing so will prevent reinfection from previous restore points.

**************************************************************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)

Now navigate to C:\ie-spyad. Double click to open it.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

granto86 · 07-20-2007, 01:53 PM

That all worked for a while, but now I have the PC-Cillin alert again saying I have the Troj DLOADER and Possible Vundo-1 in the file C:/System Volume INformation\restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP25\A0005041.dll

Can you help Me? Here is my hijack this log again

Logfile of HijackThis v1.99.1
Scan saved at 2:53:21 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.miami.edu
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

granto86 · 07-20-2007, 02:42 PM

Here is the combo fix log:

"Grant Williams" - 2007-07-20 15:00:18 - ComboFix 07-07-17.8 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\SiteAdvisor
2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-18 12:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-18 12:04 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-18 01:31 <DIR> d-------- C:\Deckard
2007-07-15 22:31 <DIR> d-------- C:\Program Files\test
2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter
2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR
2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 17:51:31 -------- d-----w C:\Program Files\QuickTime
2007-07-18 17:50:40 -------- d-----w C:\Program Files\MSN Messenger
2007-07-18 17:48:47 -------- d-----w C:\Program Files\iTunes
2007-07-18 17:48:03 -------- d-----w C:\Program Files\Digital Line Detect
2007-07-18 17:46:51 -------- d-----w C:\Program Files\America Online 9.0
2007-07-18 17:46:51 -------- d-----w C:\Program Files\AIM
2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN
2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger
2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat
2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX
2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod
2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS
2007-06-07 23:47:42 0 --sha-r C:\IO.SYS
2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT
2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView
2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys
2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"NWEReboot"="" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13]

C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE
Usnsvc usnsvc
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - EHBSHMVIDHVW
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK

Contents of the 'Scheduled Tasks' folder
2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 15

53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 15:08:42
C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13
C:\ComboFix2.txt ... 2007-07-18 02:14

--- E O F ---

Ried · 07-20-2007, 05:28 PM

Hi grant

Quote:

That all worked for a while, but now I have the PC-Cillin alert again saying I have the Troj DLOADER and Possible Vundo-1 in the file C:/System Volume INformation\restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP25\A0005041.dll

That is your System Restore--it's harmless there unless you intentionally use System Restore to go back in time.

Once you follow my final instructions which included 'flushing' out those old Restore points, you should no longer get any alerts:

Quote:

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points and create a new restore point. Doing so will prevent reinfection from previous restore points.

granto86 · 07-20-2007, 11:01 PM

I did that, but I also have an alert for possible Vundo-1 ain the file C:\WINDOWS\system32\pmnlk.dll

granto86 · 07-20-2007, 11:01 PM

I did that, but I also have an alert for possible Vundo-1 ain the file C:\WINDOWS\system32\pmnlk.dll

granto86 · 07-21-2007, 03:22 AM

Here is my pandascan log:

Ried · 07-21-2007, 08:22 AM

Clear all those nasty cookies:

Clear Mozilla Firefox cookies:

Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear

--------------------------------------------------------------------

Clear Internet Explorer Cookies:

Launch Internet Explorer>Tools>Internet Options>Delete Cookies

--------------------------------------------------------------------

Delete this folder:

C:\Documents and Settings\Grant Williams\Favorites\Cool Stuff

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you. Please post the C:\ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

granto86 · 07-22-2007, 12:24 AM

Here is my combo fix log:, I have a constant alert of a TROJ VUNDO.AYD in the file C:\WINDOWS\system32\pmnlk.dll
"Grant Williams" - 2007-07-18 1:56:30 - ComboFix 07-07-17.8 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\awtrqpm.dll
C:\WINDOWS\system32\awtrqpm.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\xxyaywv.dll
C:\WINDOWS\system32\xxyaywv.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\played_list.sol
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\inetget2
C:\Program Files\inetget2\popinstall.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))

2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-18 01:31 <DIR> d-------- C:\Deckard
2007-07-15 22:31 <DIR> d-------- C:\Program Files\test
2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter
2007-07-04 01:30 <DIR> d-------- C:\MrBigDicksHotChicks.Tiffany_Price
2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR
2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN
2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger
2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat
2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX
2007-06-13 18:53:49 -------- d-----w C:\Program Files\iTunes
2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod
2007-06-13 18:51:56 -------- d-----w C:\Program Files\QuickTime
2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS
2007-06-07 23:47:42 0 --sha-r C:\IO.SYS
2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT
2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView
2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect
2007-05-19 16:51:58 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys
2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"NWEReboot"="" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13]

C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE
Usnsvc usnsvc
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

Contents of the 'Scheduled Tasks' folder
2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 02:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 2:14:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13

--- E O F ---

Ried · 07-22-2007, 06:13 AM

Quote:

I have a constant alert of a TROJ VUNDO.AYD in the file C:\WINDOWS\system32\pmnlk.dll

Where is that file now? Did you allow your AV to quarantine that file?

Perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users**

If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

granto86 · 07-22-2007, 11:52 AM

My AV says the quarantine action was unsuccessful. Manually delete the file if you are sure that it is not needed. Can I do that? I have also seen some alerts of stuff in what I think is my temporary files, how do I delete those as well? the other program is scanning now and will be up soon

granto86 · 07-22-2007, 08:23 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 22, 2007 9:20:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/07/2007
Kaspersky Anti-Virus database records: 366624
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66504
Number of viruses found: 12
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 05:48:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Aim\iikcdvfu\Granto86\cert8.db Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Aim\iikcdvfu\Granto86\key3.db Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\cert8.db Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\history.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\key3.db Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\parent.lock Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Grant Williams\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\History\History.IE5\MSHist012007072220070723\index.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temp\asavuipq.exe Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temp\dbmvlctb.exe Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temp\iqfohrno.dll Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temp\jamduihj.dll Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temp\JETC2E.tmp Object is locked skipped
C:\Documents and Settings\Grant Williams\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Grant Williams\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Grant Williams\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Grant Williams\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\hijackthis\backups\backup-20070721-005946-822.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13F3.tmp Infected: Trojan-Downloader.Win32.Zlob.bcl skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13F4.tmp Infected: Trojan-Downloader.Win32.Zlob.bcl skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1CB.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1CC.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2644.tmp Infected: Exploit.Java.Gimsh.a skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\27EA.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2889.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\488.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7D6.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7F2.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\817.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\81B.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\821.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9DB.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\AD7.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\AD9.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B4A.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B4C.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\BB4.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C63.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C66.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE0.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CEA.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vxhkbnps.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayvtts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP27\A0005285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C6CB2825-7A1B-422C-A286-4B60CD67E231}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F810CCBD-39A3-47F7-B7F2-FA947B182B94}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pmnlk.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

07-17-2007, 09:45 PM	#1 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Firefox crahses and Vundo trojan? hijack this long For a while now, my firefox has crashed about every 10 minutes or so, and now my Trend Micro PC-cillin constantly gives me a popup that says I have a possible Vundo-1 in my C:\WINDOWS\System32\ddccc.dll file, My computer has also been running extremely sluggishly. Please help me, here is my hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:45:25 PM, on 7/17/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\ehome\RMSvc.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\dllhost.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\AIM\aim.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\retadpu572.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\WinPop\winpop.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\ehome\RMSysTry.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Grant Williams\Desktop\HiJackThis.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [ShowLOMControl] O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.miami.edu O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 8898 bytes

07-18-2007, 01:19 AM	#3 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long Here is the combofix log: "Grant Williams" - 2007-07-18 1:56:30 - ComboFix 07-07-17.8 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\awtrqpm.dll C:\WINDOWS\system32\awtrqpm.dll C:\WINDOWS\system32\cccdd.bak1 C:\WINDOWS\system32\cccdd.ini C:\WINDOWS\system32\ddccc.dll C:\WINDOWS\system32\xxyaywv.dll C:\WINDOWS\system32\xxyaywv.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\played_list.sol C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\video_queue.sol C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Program Files\inetget2 C:\Program Files\inetget2\popinstall.exe C:\Program Files\winpop C:\Program Files\winpop\UnInstall.exe C:\Program Files\winpop\winpop.exe C:\WINDOWS\b122.exe C:\WINDOWS\retadpu572.exe C:\WINDOWS\system32\winnb58.dll C:\WINDOWS\wr.txt ((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 ))))))))))))))))))))))))))))))) 2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-18 01:31 <DIR> d-------- C:\Deckard 2007-07-15 22:31 <DIR> d-------- C:\Program Files\test 2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter 2007-07-04 01:30 <DIR> d-------- C:\MrBigDicksHotChicks.Tiffany_Price 2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR 2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN 2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger 2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat 2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX 2007-06-13 18:53:49 -------- d-----w C:\Program Files\iTunes 2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod 2007-06-13 18:51:56 -------- d-----w C:\Program Files\QuickTime 2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys 2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS 2007-06-07 23:47:42 0 --sha-r C:\IO.SYS 2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate 2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat 2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT 2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView 2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect 2007-05-19 16:51:58 -------- d-----w C:\Program Files\LimeWire 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys 2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}] 2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}] c:\Program Files\BAE\BAE.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56] "ShowLOMControl"="1 (0x1)" [] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13] "Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58] "NapsterShell"="C:\Program Files\Napster\napster.exe" [] "NWEReboot"="" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39] "AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [] "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13] C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45] Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE QWAVE Usnsvc usnsvc bthsvcs BthServ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe Contents of the 'Scheduled Tasks' folder 2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-18 02:12:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-18 2:14:32 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13 --- E O F ---

07-18-2007, 08:18 AM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,914 OS: WinXP and Vista	Re: Firefox crahses and Vundo trojan? hijack this long Hello granto86 and welcome to TSF, Good work so far. Before we continue, as there isn't a new HijackThis log I'm going to have to play it safe here based on the initial log. Run a scan with HijackThis and 'check' the following entries if they still exist: O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) Click 'Fix Checked' and close HijackThis. ----------------------------------------------------------------- Now please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan -------------------------------------------------------------------- Run a new scan with HijackThis and save the log. -------------------------------------------------------------------- Please include the following in your next reply: Panda results New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-18-2007, 01:58 PM	#6 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long Now my PC-Cillin keeps giving me warnings that I have a virus named TROJ DLOADER.OKL, anyway to fix this as well?

07-18-2007, 08:14 PM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,914 OS: WinXP and Vista	Re: Firefox crahses and Vundo trojan? hijack this long Hello granto86, Run a scan with HijackThis and 'check' the following entry: O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file) Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Clear Mozilla Firefox cookies: Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear -------------------------------------------------------------------- What is the location of the trojan? Other than that alert by your AV, how is the system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-18-2007, 08:50 PM	#8 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long The computer is running quicker, but I still have a constant alert about the trojan, it says it is in C:\QooBox\Quarantine\C\WINDOWS\retadpus572.exe.vir, Last edited by granto86; 07-18-2007 at 08:52 PM.

07-18-2007, 09:05 PM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,914 OS: WinXP and Vista	Re: Firefox crahses and Vundo trojan? hijack this long Ah--no worries. That file is safely tucked away in the ComboFix quarantine. We'll take care of that now. Using 'My Computer', navigate to and delete the following Folder C:\ Qoobox ----------------------------------------------------------------- Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links: Reset hidden/system files and folders =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Ensure Windows Auto Update is Enabled Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will flush out previous restore points and create a new restore point. Doing so will prevent reinfection from previous restore points. ************************************************************************************ To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Spyware Guard to catch and block spyware before it can execute. IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) Now navigate to C:\ie-spyad. Double click to open it. From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-20-2007, 01:53 PM	#10 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long That all worked for a while, but now I have the PC-Cillin alert again saying I have the Troj DLOADER and Possible Vundo-1 in the file C:/System Volume INformation\restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP25\A0005041.dll Can you help Me? Here is my hijack this log again Logfile of HijackThis v1.99.1 Scan saved at 2:53:21 PM, on 7/20/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\ehome\RMSvc.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\dllhost.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\ehome\RMSysTry.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\iTunes\iTunes.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll (file missing) O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [ShowLOMControl] O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.miami.edu O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

07-20-2007, 02:42 PM	#11 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long Here is the combo fix log: "Grant Williams" - 2007-07-20 15:00:18 - ComboFix 07-07-17.8 - Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 ))))))))))))))))))))))))))))))) 2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\SiteAdvisor 2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor 2007-07-20 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee 2007-07-18 12:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-18 12:04 <DIR> d-------- C:\WINDOWS\LastGood 2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-18 01:31 <DIR> d-------- C:\Deckard 2007-07-15 22:31 <DIR> d-------- C:\Program Files\test 2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter 2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR 2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-18 17:51:31 -------- d-----w C:\Program Files\QuickTime 2007-07-18 17:50:40 -------- d-----w C:\Program Files\MSN Messenger 2007-07-18 17:48:47 -------- d-----w C:\Program Files\iTunes 2007-07-18 17:48:03 -------- d-----w C:\Program Files\Digital Line Detect 2007-07-18 17:46:51 -------- d-----w C:\Program Files\America Online 9.0 2007-07-18 17:46:51 -------- d-----w C:\Program Files\AIM 2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN 2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger 2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat 2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX 2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod 2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys 2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS 2007-06-07 23:47:42 0 --sha-r C:\IO.SYS 2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate 2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat 2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT 2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView 2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys 2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}] 2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}] c:\Program Files\BAE\BAE.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56] "ShowLOMControl"="1 (0x1)" [] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13] "Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58] "NapsterShell"="C:\Program Files\Napster\napster.exe" [] "NWEReboot"="" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39] "AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [] "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13] C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45] Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE QWAVE Usnsvc usnsvc bthsvcs BthServ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe Newly Created Service - CATCHME Newly Created Service - EHBSHMVIDHVW Newly Created Service - RKPAVPROC Newly Created Service - SDTHOOK Contents of the 'Scheduled Tasks' folder 2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-20 1553 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-20 15:08:42 C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13 C:\ComboFix2.txt ... 2007-07-18 02:14 --- E O F ---

07-20-2007, 11:01 PM	#13 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long I did that, but I also have an alert for possible Vundo-1 ain the file C:\WINDOWS\system32\pmnlk.dll

07-20-2007, 11:01 PM	#14 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long I did that, but I also have an alert for possible Vundo-1 ain the file C:\WINDOWS\system32\pmnlk.dll

07-21-2007, 08:22 AM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,914 OS: WinXP and Vista	Re: Firefox crahses and Vundo trojan? hijack this long Clear all those nasty cookies: Clear Mozilla Firefox cookies: Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear -------------------------------------------------------------------- Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies -------------------------------------------------------------------- Delete this folder: C:\Documents and Settings\Grant Williams\Favorites\Cool Stuff -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt in your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-22-2007, 12:24 AM	#17 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long Here is my combo fix log:, I have a constant alert of a TROJ VUNDO.AYD in the file C:\WINDOWS\system32\pmnlk.dll "Grant Williams" - 2007-07-18 1:56:30 - ComboFix 07-07-17.8 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\awtrqpm.dll C:\WINDOWS\system32\awtrqpm.dll C:\WINDOWS\system32\cccdd.bak1 C:\WINDOWS\system32\cccdd.ini C:\WINDOWS\system32\ddccc.dll C:\WINDOWS\system32\xxyaywv.dll C:\WINDOWS\system32\xxyaywv.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\played_list.sol C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\3L34N8DM\www.broadcaster.com\video_queue.sol C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\DOCUME~1\GRANTW~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Program Files\inetget2 C:\Program Files\inetget2\popinstall.exe C:\Program Files\winpop C:\Program Files\winpop\UnInstall.exe C:\Program Files\winpop\winpop.exe C:\WINDOWS\b122.exe C:\WINDOWS\retadpu572.exe C:\WINDOWS\system32\winnb58.dll C:\WINDOWS\wr.txt ((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 ))))))))))))))))))))))))))))))) 2007-07-18 01:55 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-18 01:31 <DIR> d-------- C:\Deckard 2007-07-15 22:31 <DIR> d-------- C:\Program Files\test 2007-07-14 15:23 <DIR> d-------- C:\Program Files\AVI MPEG Video Converter 2007-07-04 01:30 <DIR> d-------- C:\MrBigDicksHotChicks.Tiffany_Price 2007-07-04 01:27 <DIR> d-------- C:\DOCUME~1\GRANTW~1\APPLIC~1\WinRAR 2007-06-22 08:54 99,904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 16:08 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-11 02:20:07 -------- d-----w C:\Program Files\VideoLAN 2007-06-27 16:35:52 -------- d-----w C:\Program Files\Messenger 2007-06-22 20:07:23 58,520 -c-ha-w C:\WINDOWS\system32\mlfcache.dat 2007-06-15 04:54:36 -------- d-----w C:\Program Files\DivX 2007-06-13 18:53:49 -------- d-----w C:\Program Files\iTunes 2007-06-13 18:53:39 -------- d-----w C:\Program Files\iPod 2007-06-13 18:51:56 -------- d-----w C:\Program Files\QuickTime 2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys 2007-06-08 01:36:22 8,224 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2007-06-07 23:47:42 0 --sha-r C:\MSDOS.SYS 2007-06-07 23:47:42 0 --sha-r C:\IO.SYS 2007-06-07 23:40:03 -------- d--h--w C:\Program Files\WindowsUpdate 2007-06-07 23:37:33 34,380 -c--a-w C:\WINDOWS\system32\emptyregdb.dat 2007-06-07 21:56:36 -------- d-----w C:\Program Files\CONEXANT 2007-06-03 22:48:09 -------- d-----w C:\Program Files\IrfanView 2007-05-31 03:26:55 -------- d-----w C:\Program Files\DellConnect 2007-05-19 16:51:58 -------- d-----w C:\Program Files\LimeWire 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2006-11-16 14:52:36 104 --sha-r C:\WINDOWS\system32\4411F4E09A.sys 2006-11-16 14:52:39 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}] 2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-23 22:01 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}] c:\Program Files\BAE\BAE.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56] "ShowLOMControl"="1 (0x1)" [] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 18:56] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-11 05:31] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 05:13] "Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58] "NapsterShell"="C:\Program Files\Napster\napster.exe" [] "NWEReboot"="" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 06:00 C:\WINDOWS\system32\bthprops.cpl] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39] "AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:01] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [] "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13] C:\DOCUME~1\GRANTW~1\STARTM~1\Programs\Startup Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-04-13 19:29:34] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 05:25:45] Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE QWAVE Usnsvc usnsvc bthsvcs BthServ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe Contents of the 'Scheduled Tasks' folder 2007-06-17 12:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-18 02:12:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-18 2:14:32 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-18 02:13 --- E O F ---

07-22-2007, 11:52 AM	#19 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long My AV says the quarantine action was unsuccessful. Manually delete the file if you are sure that it is not needed. Can I do that? I have also seen some alerts of stuff in what I think is my temporary files, how do I delete those as well? the other program is scanning now and will be up soon

07-22-2007, 08:23 PM	#20 (permalink)
granto86 Registered User Join Date: Jul 2007 Posts: 20 OS: WinXP	Re: Firefox crahses and Vundo trojan? hijack this long ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, July 22, 2007 9:20:02 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 22/07/2007 Kaspersky Anti-Virus database records: 366624 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ Scan Statistics: Total number of scanned objects: 66504 Number of viruses found: 12 Number of infected objects: 51 Number of suspicious objects: 0 Duration of the scan process: 05:48:34 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Aim\iikcdvfu\Granto86\cert8.db Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Aim\iikcdvfu\Granto86\key3.db Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\cert8.db Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\history.dat Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\key3.db Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\parent.lock Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\search.sqlite Object is locked skipped C:\Documents and Settings\Grant Williams\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Grant Williams\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Mozilla\Firefox\Profiles\7v3f6gsq.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\History\History.IE5\MSHist012007072220070723\index.dat Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temp\asavuipq.exe Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temp\dbmvlctb.exe Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temp\iqfohrno.dll Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temp\jamduihj.dll Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temp\JETC2E.tmp Object is locked skipped C:\Documents and Settings\Grant Williams\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Grant Williams\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped C:\Documents and Settings\Grant Williams\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Grant Williams\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\hijackthis\backups\backup-20070721-005946-822.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13F3.tmp Infected: Trojan-Downloader.Win32.Zlob.bcl skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13F4.tmp Infected: Trojan-Downloader.Win32.Zlob.bcl skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1CB.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1CC.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2644.tmp Infected: Exploit.Java.Gimsh.a skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\27EA.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2889.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\488.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7D6.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7F2.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\817.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\81B.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\821.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\991.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\995.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99B.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99D.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\99F.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A1.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9DB.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\AD7.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\AD9.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B4A.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B4C.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\BB4.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C63.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C66.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE0.tmp Infected: Trojan-Downloader.Win32.VB.axa skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE3.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp NSIS: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE7.tmp CryptFF.b: infected - 1 skipped C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CEA.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped C:\QooBox\Quarantine\C\WINDOWS\system32\vxhkbnps.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\yayvtts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP27\A0005285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP28\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C6CB2825-7A1B-422C-A286-4B60CD67E231}.crmlog Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{F810CCBD-39A3-47F7-B7F2-FA947B182B94}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped C:\WINDOWS\system32\config\sam Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\security Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\pmnlk.dll Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.