Old 08-09-2007, 01:43 AM   #1 (permalink)
OS: XP


Vundo and Downloader-BDF

My computer has been running slow and I've been getting a lot of pop-ups, especially when using IE, so I downloaded McAfee VirusScan and it found Vundo Trojans and some kind of Downloader-BDF. I used VundoFix and it showed about 8 Vundo trojans, but that program seemed to remove all but one (geebxxu.dll). My computer is still running slow and I'm still getting a ton of pop-ups. Any help would be appreciated.

Main log:

Deckard's System Scanner v20070807.62
Run by Default on 2007-08-09 at 04:13:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-08-09 08:14:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:08 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\qwerty12.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {4A0E7C3B-BE02-4174-940F-7C5CC34220E0} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: (no name) - {d4ff64f9-0d75-4393-8558-f51c0ec6b37f} - C:\WINDOWS\system32\IMGDIT.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...90/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F66939-8984-49F3-B8FC-6A6C03FDE215}: Domain = domain.invalid
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\geebxxu.dll
O20 - Winlogon Notify: IMGDIT - C:\WINDOWS\SYSTEM32\IMGDIT.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5368 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DomainService - c:\windows\system32\qwerty12.exe /service


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-30 14:10:31 250 --a------ C:\WINDOWS\Tasks\WebReg psc C3100 series.job


-- Files created between 2007-07-09 and 2007-08-09 -----------------------------

2007-08-09 04:07:10 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-09 04:07:10 0 d-------- C:\Program Files\SpywareBlaster
2007-08-09 0455 131425 --a------ C:\WINDOWS\yabyaa.dll
2007-08-09 03:29:34 71 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-08-09 03:29:34 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-08-09 03:25:00 131425 -----n--- C:\WINDOWS\pmnomj.dll
2007-08-09 03:22:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-09 03:22:17 0 d-------- C:\WINDOWS\LastGood
2007-08-09 02:21:02 38232 --a------ C:\WINDOWS\system32\IMGDIT.dll
2007-08-09 01:04:33 0 d-------- C:\VundoFix Backups
2007-08-09 00:50:04 164 --a------ C:\install.dat
2007-08-08 19:43:26 131426 --a------ C:\WINDOWS\cbxusp.dll
2007-08-08 14:30:20 131426 --a------ C:\WINDOWS\ddaxvs.dll
2007-08-08 13:34:42 75328 --a------ C:\WINDOWS\system32\mqshcefp.exe <Not Verified; ; DDC>
2007-08-06 19:13:59 55235 --a------ C:\WINDOWS\system32\qwerty12.exe
2007-08-06 18:58:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-08-06 13:44:32 0 d-------- C:\WINDOWS\McAfee.com
2007-08-06 12:51:58 131421 --a------ C:\WINDOWS\opqpqo.dll
2007-08-06 00:00:42 31254 --a------ C:\WINDOWS\system32\opnnkhg.dll
2007-08-05 22:51:15 245760 --a------ C:\WINDOWS\system32\ImxEx.dll
2007-08-05 22:25:26 0 d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22:33 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-05 22:16:00 12494 -----n--- C:\WINDOWS\system32\geebxxu.dll
2007-08-05 22:12:54 31254 --a------ C:\WINDOWS\system32\mljhfcd.dll
2007-08-04 20:00:06 0 d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00:06 0 d-------- C:\Documents and Settings\Default\Application Data\NCH Swift Sound
2007-08-04 19:59:34 0 d-------- C:\Program Files\NCH Software
2007-08-04 19:56:00 135168 --a------ C:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-08-04 19:55:51 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-04 19:55:18 0 d-------- C:\Program Files\Replay Converter
2007-08-04 19:52:21 0 d-------- C:\Documents and Settings\Default\Application Data\GetRightToGo
2007-08-04 19:37:31 0 d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40:45 0 d-------- C:\Program Files\uTorrent
2007-08-02 20:56:23 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-02 20:35:11 98304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll <Not Verified; SoftAhead Inc.; SoftAheadCert Module>
2007-07-26 14:36:09 0 d-------- C:\Documents and Settings\Default\Application Data\Move Networks
2007-07-26 05:08:27 0 d-------- C:\Documents and Settings\Default\Application Data\NewzToolz
2007-07-26 05:08:10 0 d-------- C:\Program Files\NewzToolz
2007-07-26 04:01:18 0 d-------- C:\Documents and Settings\Default\Application Data\PEERNET
2007-07-26 04:00:59 0 --a------ C:\WINDOWS\system32\PNFCC3
2007-07-26 04:00:59 0 d-------- C:\Documents and Settings\All Users\Application Data\PEERNET
2007-07-26 04:00:11 0 d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 03:59:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54:28 0 d-------- C:\Documents and Settings\Default\Application Data\WinRAR
2007-07-23 03:25:03 1165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52:19 0 d-------- C:\Documents and Settings\Default\Application Data\Talkback
2007-07-22 14:36:46 0 d-------- C:\Documents and Settings\Default\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-08-09 04:08:55 79536 --a------ C:\Documents and Settings\Default\Application Data\tmp403.tmp.exe
2007-08-09 04:07:20 4608 --a------ C:\Documents and Settings\Default\Application Data\tmp402.tmp.exe
2007-08-09 0455 124499 --a------ C:\Documents and Settings\Default\Application Data\tmp401.tmp.exe
2007-08-09 03:46:53 0 d-------- C:\Program Files\DellSupport
2007-08-09 03:46:45 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp1F0.tmp.exe
2007-08-09 03:31:38 79536 --a------ C:\Documents and Settings\Default\Application Data\tmp1D9.tmp.exe
2007-08-09 03:25:00 124499 --a------ C:\Documents and Settings\Default\Application Data\tmp66.tmp.exe
2007-08-08 19:45:28 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp85.tmp.exe
2007-08-08 19:43:27 79761 --a------ C:\Documents and Settings\Default\Application Data\tmp83.tmp.exe
2007-08-08 19:43:24 124693 --a------ C:\Documents and Settings\Default\Application Data\tmp82.tmp.exe
2007-08-08 19:41:41 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp81.tmp.exe
2007-08-08 19:36:39 79761 --a------ C:\Documents and Settings\Default\Application Data\tmp80.tmp.exe
2007-08-08 19:36:29 124693 --a------ C:\Documents and Settings\Default\Application Data\tmp7F.tmp.exe
2007-08-08 19:36:14 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp7D.tmp.exe
2007-08-08 14:30:20 124693 --a------ C:\Documents and Settings\Default\Application Data\tmpF.tmp.exe
2007-08-08 14:30:08 55330 --a------ C:\Documents and Settings\Default\Application Data\tmpE.tmp.exe
2007-08-08 01:50:54 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp55.tmp.exe
2007-08-08 01:38:43 0 d-------- C:\Documents and Settings\Default\Application Data\uTorrent
2007-08-07 03:52:45 78517 --a------ C:\Documents and Settings\Default\Application Data\tmp54.tmp.exe
2007-08-07 03:52:45 78517 --a------ C:\Documents and Settings\Default\Application Data\tmp53.tmp.exe
2007-08-07 03:52:39 124743 --a------ C:\Documents and Settings\Default\Application Data\tmp52.tmp.exe
2007-08-07 03:52:18 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp51.tmp.exe
2007-08-06 19:21:01 78541 --a------ C:\Documents and Settings\Default\Application Data\tmp8D.tmp.exe
2007-08-06 19:20:48 124774 --a------ C:\Documents and Settings\Default\Application Data\tmp8C.tmp.exe
2007-08-06 19:19:32 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp8B.tmp.exe
2007-08-06 19:16:07 78541 --a------ C:\Documents and Settings\Default\Application Data\tmp89.tmp.exe
2007-08-06 19:16:05 124774 --a------ C:\Documents and Settings\Default\Application Data\tmp88.tmp.exe
2007-08-06 19:13:58 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp87.tmp.exe
2007-08-06 16:04:17 0 d-------- C:\Program Files\McAfee.com
2007-08-06 12:52:46 78541 --a------ C:\Documents and Settings\Default\Application Data\tmpD.tmp.exe
2007-08-06 12:51:58 124774 --a------ C:\Documents and Settings\Default\Application Data\tmpC.tmp.exe
2007-08-06 12:48:57 58798 --a------ C:\Documents and Settings\Default\Application Data\tmpB.tmp.exe
2007-08-04 15:18:04 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 09:22:23 0 d-------- C:\Program Files\Common Files
2007-07-02 11:43:29 0 d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46:33 0 d-------- C:\Documents and Settings\Default\Application Data\Image Zone Express
2007-05-30 14:09:51 117193 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0E7C3B-BE02-4174-940F-7C5CC34220E0}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
08/09/2007 04:08 AM 64540 --a------ C:\WINDOWS\system32\tmp403.tmp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4ff64f9-0d75-4393-8558-f51c0ec6b37f}]
08/09/2007 02:21 AM 38232 --a------ C:\WINDOWS\system32\IMGDIT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [06/30/2004 03:33 PM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 12:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/19/2004 01:13 PM]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [11/11/2005 05:00 PM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
"nvchost"="C:\WINDOWS\winlogon.exe" []
"SystemOptimizer"="C:\WINDOWS\yabyaa.dll" [08/09/2007 04:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IMGDIT]
IMGDIT.dll 08/09/2007 02:21 AM 38232 C:\WINDOWS\SYSTEM32\IMGDIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\geebxxu.dll




-- Hosts -----------------------------------------------------------------------

66.98.148.65 auto.search.msn.com
66.98.148.65 auto.search.msn.es


-- End of Deckard's System Scanner: finished at 2007-08-09 at 04:18:51 ---------
Attached Files
File Type: txt extra.txt (14.5 KB, 2 views)

Last edited by burnsbabyburns; 08-09-2007 at 01:50 AM.
Old 08-09-2007, 02:10 AM   #2 (permalink)
OS: XP


Re: Vundo and Downloader-BDF

I'm not sure if I was supposed to post my Panda Active scan, but here it is:

Incident Status Location

Virus:Trj/Downloader.PJT Disinfected Operating system
Adware:Adware/PopupSearches Not disinfected C:\WINDOWS\system32\qwerty12.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\IMGDIT.dll
Virus:Trj/ConHook.CV Disinfected Operating system
Potentially unwanted tool:application/altnet Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\3d Matrix Screensaver Endless Corridors 1.4.zip[3d Matrix Screensaver Endless Corridors 1.4.exe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\3D Titanic Screensaver + Keygen.zip[3D Titanic Screensaver + Keygen/3dT Keygen.exe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\3D Titanic Screensaver + Keygen.zip[3D Titanic Screensaver + Keygen/titanic.exe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\Christmas Time 3D Screensaver 2007 + PACH.zip[Christmas Time 3D Screensaver 2007 + PACH/christmas3d.exe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\Christmas Time 3D Screensaver 2007 + PACH.zip[Christmas Time 3D Screensaver 2007 + PACH/patch/christmas.time.3d.screensaver.1.1.patch-iNDUCT.exe]
Virus:W32/Gaobot.MJA.worm Disinfected C:\Documents and Settings\All Users\Documents\Shareaza\Downloads\_\xzxzxzxzxzxz.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.advertising.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.zedo.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.serving-sys.com/]
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp10.tmp.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp11.tmp.exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Application Data\tmp51.tmp.exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Application Data\tmp55.tmp.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp7E.tmp.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp84.tmp.exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Application Data\tmp87.tmp.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp8A.tmp.exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Application Data\tmp8B.tmp.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Application Data\tmp8E.tmp.exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Application Data\tmpB.tmp.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Default\Cookies\default@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Default\Cookies\default@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Default\Cookies\default@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Default\Cookies\default@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Default\Cookies\default@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Default\Cookies\default@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Default\Cookies\default@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Default\Cookies\default@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Default\Cookies\default@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Default\Cookies\default@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Default\Cookies\default@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Default\Cookies\default@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Default\Cookies\default@drivecleaner[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Default\Cookies\default@enhance[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Default\Cookies\default@errorsafe[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Default\Cookies\default@fastclick[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Default\Cookies\default@go[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Default\Cookies\default@klik.klikadvertising[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Default\Cookies\default@linksynergy[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Default\Cookies\default@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Default\Cookies\default@realmedia[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Default\Cookies\default@statcounter[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Default\Cookies\default@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Default\Cookies\default@stats1.reliablestats[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Default\Cookies\default@systemdoctor[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Default\Cookies\default@tradedoubler[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Default\Cookies\default@tradedoubler[3].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Default\Cookies\default@tradedoubler[4].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Default\Cookies\default@tradedoubler[5].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Cookies\default@trafficmp[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Cookies\default@trafficmp[3].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Default\Cookies\default@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Default\Cookies\default@www.burstbeacon[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Default\Cookies\default@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Default\Cookies\default@www.errorsafe[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Default\Cookies\default@www.systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Cookies\default@www.winantiviruspro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Default\Cookies\default@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\nsbA.tmp
Virus:Trj/Downloader.PNC Disinfected C:\Documents and Settings\Default\Local Settings\Temp\Setup(1).exe
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\Setup(2).exe
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\temp.fr2B1D
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP10.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP12.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP14.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP17.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP1B.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP2.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP20.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP2D.exe
Virus:Trj/Spabot.AK Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP30.exe
Virus:Trj/Spammer.AAT Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP6.exe
Virus:Trj/Spammer.AAT Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP8.exe
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DPD.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\30XTFGO8\ErrorSafeFreeInstallW[1].cab[UERS_9999_N91S1502NetInstaller.exe]
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\3KGWHVR7\kcehc_eicooc20070702[1]
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\90H1Z9L3\kcehc_eicooc20070702[1]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\EDYPKT8B\dedamisha[1]
Virus:Generic Malware Disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\EDYPKT8B\masiyxanidi[1]
Virus:Trj/Downloader.PCQ Disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\HF7RPXSE\adfcook[1]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Default\My Documents\My Programs\WinAntiVirusPro2007FreeInstall.exe
Virus:Trj/Downloader.PJT Disinfected C:\VundoFix Backups\cckqvedo.exe.bad
Virus:Trj/ConHook.CV Disinfected C:\VundoFix Backups\geebxxu.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkklj.exe.bad
Virus:Trj/Downloader.PJT Disinfected C:\VundoFix Backups\leivchyo.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ssqoopp.dll.bad
Virus:W32/Gaobot.MJA.worm Disinfected C:\WINDOWS\b.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\CHCUSD.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\SYSTEM32\eiwoowil.exe
Virus:Trj/ConHook.CV Disinfected C:\WINDOWS\SYSTEM32\geebxxu.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\SYSTEM32\mcfktmet.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\mljhfcd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\opnnkhg.dll
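The ActiveScan list above mixes tracking cookies, already-cleaned temp files and the items the scanner could not remove, and the ones that matter for the next step are the DLLs and executables still marked "Not disinfected". The following is an added example (not part of this thread and not a tool from Panda or the forum) that parses result lines of the form `<Category>:<Family> <Status> <Path>` and separates the leftovers from the noise; the sample lines are taken from the scan output posted above, and the cookie filter is this example's own assumption.

```python
"""Summarise a Panda ActiveScan result list so that the leftovers stand out.

Each result line has the form
    <Category>:<Family> <Status> <Path>
where Status is 'Disinfected' or 'Not disinfected'.  Family names may
contain spaces ('Cookie/Traffic Marketplace'), so the line is split on the
status word rather than on whitespace.
"""
import re
from collections import Counter
from typing import Dict, List

# Sample input: lines taken from the ActiveScan output posted in this thread.
SAMPLE_SCAN = r"""
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Cookies\default@trafficmp[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Default\Cookies\default@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\nsbA.tmp
Virus:Trj/Agent.ECP Disinfected C:\Documents and Settings\Default\Local Settings\Temp\~DP10.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Default\My Documents\My Programs\WinAntiVirusPro2007FreeInstall.exe
Virus:W32/Gaobot.MJA.worm Disinfected C:\WINDOWS\b.exe
Virus:Trj/ConHook.CV Disinfected C:\WINDOWS\SYSTEM32\geebxxu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\mljhfcd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\opnnkhg.dll
"""

# Category runs up to the first colon; family is non-greedy so that the
# status word (tried longest-first) terminates it even when it contains spaces.
RESULT_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<family>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<path>.+)$"
)


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Turn result lines into dicts; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results.append(m.groupdict())
    return results


def status_counts(results: List[Dict[str, str]]) -> Counter:
    """How many detections per (category, status) pair."""
    return Counter((r["category"], r["status"]) for r in results)


def leftovers(results: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections the scanner could not clean, minus tracking cookies.

    Cookies are text files under the profile's Cookies folder and carry no
    code (assumption: anything under a Cookies folder is a cookie); the items
    that matter are executables and DLLs still marked 'Not disinfected'.
    """
    return [
        r for r in results
        if r["status"] == "Not disinfected"
        and "\\cookies\\" not in r["path"].lower()
    ]


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN)
    for (category, status), n in sorted(status_counts(parsed).items()):
        print(f"{n:3d}  {category:<26} {status}")
    print("\nStill present after the scan:")
    for r in leftovers(parsed):
        print(f"  {r['family']:<22} {r['path']}")
```

Run against the full list posted above, the leftovers are the Virtumonde DLLs in SYSTEM32 and the rogue-antivirus installers, which is why the thread moves on to ComboFix rather than re-running the online scan.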
Old 08-09-2007, 10:36 PM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________

Old 08-10-2007, 02:15 AM   #4 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

I'm not sure if it matters, but I downloaded and ran Spybot since I created this thread.

Here are the logs:

COMBOFIX LOG:

ComboFix 07-08-10.7 - "Default" 2007-08-10 4:58:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.89 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Default\APPLIC~1\tmp1D9.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp1F0.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp401.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp402.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp403.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp41D.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp52.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp53.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp54.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp66.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp7D.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp7F.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp80.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp81.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp82.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp83.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp85.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp88.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp89.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp8C.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmp8D.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmpE.tmp.exe
C:\DOCUME~1\Default\APPLIC~1\tmpF.tmp.exe
C:\WINDOWS\cbxusp.dll
C:\WINDOWS\ddaxvs.dll
C:\WINDOWS\llnpqr.ini
C:\WINDOWS\opqpqo.dll
C:\WINDOWS\oqpqpo.ini
C:\WINDOWS\psuxbc.ini
C:\WINDOWS\rqpnll.dll
C:\WINDOWS\svxadd.ini
C:\WINDOWS\system32\IMGDIT.dll
C:\WINDOWS\system32\tmp1D9.tmp.dll
C:\WINDOWS\system32\tmp403.tmp.dll
C:\WINDOWS\system32\tmp53.tmp.dll
C:\WINDOWS\system32\tmp54.tmp.dll
C:\WINDOWS\system32\tmp80.tmp.dll
C:\WINDOWS\system32\tmp89.tmp.dll
C:\WINDOWS\system32\tmp8D.tmp.dll
C:\WINDOWS\system32\tmpD.tmp.dll
C:\WINDOWS\system32\tmpE.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 04:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 01:22 <DIR> d-------- C:\Program Files\Google
2007-08-10 01:22 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Google
2007-08-09 04:13 <DIR> d-------- C:\Deckard
2007-08-09 04:07 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-09 04:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-09 03:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-09 01:04 <DIR> d-------- C:\VundoFix Backups
2007-08-09 00:50 164 --a------ C:\install.dat
2007-08-08 13:34 75,328 --a------ C:\WINDOWS\SYSTEM32\mqshcefp.exe
2007-08-06 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-06 13:44 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 22:51 245,760 --a------ C:\WINDOWS\SYSTEM32\ImxEx.dll
2007-08-05 22:25 <DIR> d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2007-08-04 20:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\NCH Swift Sound
2007-08-04 19:59 <DIR> d-------- C:\Program Files\NCH Software
2007-08-04 19:56 135,168 --a------ C:\WINDOWS\SYSTEM32\DSKernel2.dll
2007-08-04 19:56 1,936,528 --a------ C:\WINDOWS\SYSTEM32\ltmm15.dll
2007-08-04 19:55 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-08-04 19:55 <DIR> d-------- C:\Program Files\Replay Converter
2007-08-04 19:52 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\GetRightToGo
2007-08-04 19:37 <DIR> d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40 <DIR> d-------- C:\Program Files\uTorrent
2007-08-02 20:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-02 20:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-08-02 20:35 98,304 --a------ C:\WINDOWS\SYSTEM32\SoftAheadCert.dll
2007-07-26 14:36 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Move Networks
2007-07-26 05:08 <DIR> d-------- C:\Program Files\NewzToolz
2007-07-26 05:08 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\NewzToolz
2007-07-26 04:01 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\PEERNET
2007-07-26 04:00 <DIR> d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 04:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PEERNET
2007-07-26 03:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\WinRAR
2007-07-23 03:25 1,165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 03:49 --------- d-------- C:\Program Files\Messenger
2007-08-09 03:46 --------- d-------- C:\Program Files\DellSupport
2007-08-08 01:38 --------- d-------- C:\DOCUME~1\Default\APPLIC~1\uTorrent
2007-08-06 16:04 --------- d-------- C:\Program Files\McAfee.com
2007-08-04 15:18 --------- d-------- C:\Program Files\Common Files\Real
2007-07-02 11:43 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46 --------- d-------- C:\DOCUME~1\Default\APPLIC~1\Image Zone Express
2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2005-10-01 19:58:44 332 -csha-r C:\WINDOWS\SYSTEM32\MS4xx0104q.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0E7C3B-BE02-4174-940F-7C5CC34220E0}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 15:33]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-19 13:13]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\geebxxu.dll

R0 RecAgent;RecAgent;C:\WINDOWS\system32\DRIVERS\RecAgent.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
R3 Slntamr;Smart Link 56K Modem Driver;C:\WINDOWS\system32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
S3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
S3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\Slnthal.sys


Contents of the 'Scheduled Tasks' folder
2007-05-30 18:10:31 C:\WINDOWS\Tasks\WebReg psc C3100 series.job - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 05:01:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 5:03:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 05:02

--- E O F ---





HIJACKTHIS LOG:

Deckard's System Scanner v20070807.62
Run by Default on 2007-08-10 at 05:05:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:56 AM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\dss.exe
C:\DOCUME~1\Default\MYDOCU~1\Default.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {4A0E7C3B-BE02-4174-940F-7C5CC34220E0} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...90/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F66939-8984-49F3-B8FC-6A6C03FDE215}: Domain = domain.invalid
O20 - AppInit_DLLs: c:\windows\system32\geebxxu.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4914 bytes

-- Files created between 2007-07-10 and 2007-08-10 -----------------------------

2007-08-10 01:22:23 0 d-------- C:\Program Files\Google
2007-08-10 01:22:23 0 d-------- C:\Documents and Settings\Default\Application Data\Google
2007-08-09 04:07:10 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-09 04:07:10 0 d-------- C:\Program Files\SpywareBlaster
2007-08-09 03:22:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-09 01:04:33 0 d-------- C:\VundoFix Backups
2007-08-09 00:50:04 164 --a------ C:\install.dat
2007-08-08 13:34:42 75328 --a------ C:\WINDOWS\system32\mqshcefp.exe <Not Verified; ; DDC>
2007-08-06 18:58:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-08-06 13:44:32 0 d-------- C:\WINDOWS\McAfee.com
2007-08-05 22:51:15 245760 --a------ C:\WINDOWS\system32\ImxEx.dll
2007-08-05 22:25:26 0 d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22:33 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-04 20:00:06 0 d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00:06 0 d-------- C:\Documents and Settings\Default\Application Data\NCH Swift Sound
2007-08-04 19:59:34 0 d-------- C:\Program Files\NCH Software
2007-08-04 19:56:00 135168 --a------ C:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-08-04 19:55:51 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-04 19:55:18 0 d-------- C:\Program Files\Replay Converter
2007-08-04 19:52:21 0 d-------- C:\Documents and Settings\Default\Application Data\GetRightToGo
2007-08-04 19:37:31 0 d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40:45 0 d-------- C:\Program Files\uTorrent
2007-08-02 20:56:23 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-02 20:35:11 98304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll <Not Verified; SoftAhead Inc.; SoftAheadCert Module>
2007-07-26 14:36:09 0 d-------- C:\Documents and Settings\Default\Application Data\Move Networks
2007-07-26 05:08:27 0 d-------- C:\Documents and Settings\Default\Application Data\NewzToolz
2007-07-26 05:08:10 0 d-------- C:\Program Files\NewzToolz
2007-07-26 04:01:18 0 d-------- C:\Documents and Settings\Default\Application Data\PEERNET
2007-07-26 04:00:59 0 --a------ C:\WINDOWS\system32\PNFCC3
2007-07-26 04:00:59 0 d-------- C:\Documents and Settings\All Users\Application Data\PEERNET
2007-07-26 04:00:11 0 d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 03:59:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54:28 0 d-------- C:\Documents and Settings\Default\Application Data\WinRAR
2007-07-23 03:25:03 1165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52:19 0 d-------- C:\Documents and Settings\Default\Application Data\Talkback
2007-07-22 14:36:46 0 d-------- C:\Documents and Settings\Default\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-08-09 03:49:11 0 d-------- C:\Program Files\Messenger
2007-08-09 03:46:53 0 d-------- C:\Program Files\DellSupport
2007-08-08 01:38:43 0 d-------- C:\Documents and Settings\Default\Application Data\uTorrent
2007-08-06 16:04:17 0 d-------- C:\Program Files\McAfee.com
2007-08-04 15:18:04 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 09:22:23 0 d-------- C:\Program Files\Common Files
2007-07-02 11:43:29 0 d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46:33 0 d-------- C:\Documents and Settings\Default\Application Data\Image Zone Express
2007-05-30 14:09:51 117193 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0E7C3B-BE02-4174-940F-7C5CC34220E0}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [06/30/2004 03:33 PM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/19/2004 01:13 PM]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [11/11/2005 05:00 PM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\geebxxu.dll

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2007-08-10 at 0517 ---------
Old 08-10-2007, 02:29 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4A0E7C3B-BE02-4174-940F-7C5CC34220E0} - C:\WINDOWS\system32\mllmj.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F66939-8984-49F3-B8FC-6A6C03FDE215}: Domain = domain.invalid
O20 - AppInit_DLLs: c:\windows\system32\geebxxu.dll



---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\install.dat
C:\WINDOWS\SYSTEM32\mqshcefp.exe
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0E7C3B-BE02-4174-940F-7C5CC34220E0}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Click here to perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

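The entries selected for "Fix checked" above follow recognisable patterns in a HijackThis log: a populated O20 AppInit_DLLs value (the Vundo DLL), an O2 BHO with no name and a missing file, an O9 button with no file behind it, an O17 TCP/IP domain override, and a start page left at about:blank. The following is an added example (not from the forum, the helper, or HijackThis) that parses the section codes out of a log and flags those patterns, plus the outdated JRE path that the next post asks the user to replace. The sample lines are taken from the log posted earlier in this thread; the JRE floor of 1.6.0 is this example's assumption, chosen to match the advice to move to 6u1.

```python
"""Pick out the HijackThis entries a helper would look at first.

HijackThis labels each line with a section code (R0/R1 browser settings,
O2 browser helper objects, O4 autoruns, O9 IE buttons, O17 TCP/IP domain,
O20 AppInit_DLLs, O23 services).  The checks below encode the reasons the
entries in this thread were selected for 'Fix checked'.
"""
import re
from typing import List, Tuple

# Sample input: lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4A0E7C3B-BE02-4174-940F-7C5CC34220E0} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F66939-8984-49F3-B8FC-6A6C03FDE215}: Domain = domain.invalid
O20 - AppInit_DLLs: c:\windows\system32\geebxxu.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O20 - AppInit_DLLs: ..." -> code "O20", body "AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Matches the version folder in a JRE path such as ...\Java\jre1.5.0_04\bin\...
JRE_RE = re.compile(r"[\\/]jre(\d+\.\d+\.\d+_\d+)[\\/]", re.IGNORECASE)

# Assumption: JRE 6 (1.6.0) is the floor, matching the thread's advice to move to 6u1.
MIN_JRE = (1, 6, 0, 0)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag entries that match the patterns the helper acted on in this thread."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body[len("AppInit_DLLs:"):].strip()
            # A populated AppInit_DLLs value is loaded into every process that
            # loads user32.dll, which is why Vundo/Virtumonde used it.
            if dll:
                findings.append((code, f"AppInit_DLLs injection: {dll}"))
        elif code == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append((code, f"unnamed or orphaned BHO: {body}"))
        elif code == "O9" and "(no file)" in body:
            findings.append((code, f"IE button pointing at a missing file: {body}"))
        elif code == "O17":
            findings.append((code, f"TCP/IP domain override: {body}"))
        elif code == "R0" and body.endswith("Start Page = about:blank"):
            findings.append((code, "IE start page set to about:blank; reset it"))
    return findings


def outdated_java(entries: List[Tuple[str, str]]) -> List[str]:
    """JRE versions referenced by autoruns/buttons that fall below MIN_JRE."""
    found = set()
    for _, body in entries:
        for ver in JRE_RE.findall(body):
            parts = tuple(int(x) for x in re.split(r"[._]", ver))
            if parts < MIN_JRE:
                found.add(ver)
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for code, note in triage(parsed):
        print(f"{code:<4} {note}")
    for ver in outdated_java(parsed):
        print(f"Java {ver} is below {'.'.join(map(str, MIN_JRE[:3]))}; update it")
```

The checks are deliberately narrow: an O2 entry with a proper name and an existing file (the SACert BHO above) and an ordinary O4 autorun are left alone, so the output is the short list a helper reviews by hand rather than the whole log.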
Old 08-10-2007, 02:30 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.
__________________

Old 08-10-2007, 03:27 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Here are the logs:

HIJACKTHIS LOG:

Deckard's System Scanner v20070807.62
Run by Default on 2007-08-10 at 06:23:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:22 AM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Default\Desktop\dss.exe
C:\DOCUME~1\Default\MYDOCU~1\Default.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...90/mcfscan.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4112 bytes

-- Files created between 2007-07-10 and 2007-08-10 -----------------------------

2007-08-10 01:22:23 0 d-------- C:\Program Files\Google
2007-08-10 01:22:23 0 d-------- C:\Documents and Settings\Default\Application Data\Google
2007-08-09 04:07:10 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-09 04:07:10 0 d-------- C:\Program Files\SpywareBlaster
2007-08-09 03:22:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-06 18:58:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-08-06 13:44:32 0 d-------- C:\WINDOWS\McAfee.com
2007-08-05 22:51:15 245760 --a------ C:\WINDOWS\system32\ImxEx.dll
2007-08-05 22:25:26 0 d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22:33 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-04 20:00:06 0 d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00:06 0 d-------- C:\Documents and Settings\Default\Application Data\NCH Swift Sound
2007-08-04 19:59:34 0 d-------- C:\Program Files\NCH Software
2007-08-04 19:56:00 135168 --a------ C:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-08-04 19:55:51 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-04 19:55:18 0 d-------- C:\Program Files\Replay Converter
2007-08-04 19:52:21 0 d-------- C:\Documents and Settings\Default\Application Data\GetRightToGo
2007-08-04 19:37:31 0 d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40:45 0 d-------- C:\Program Files\uTorrent
2007-08-02 20:56:23 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-02 20:35:11 98304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll <Not Verified; SoftAhead Inc.; SoftAheadCert Module>
2007-07-26 14:36:09 0 d-------- C:\Documents and Settings\Default\Application Data\Move Networks
2007-07-26 05:08:27 0 d-------- C:\Documents and Settings\Default\Application Data\NewzToolz
2007-07-26 05:08:10 0 d-------- C:\Program Files\NewzToolz
2007-07-26 04:01:18 0 d-------- C:\Documents and Settings\Default\Application Data\PEERNET
2007-07-26 04:00:59 0 --a------ C:\WINDOWS\system32\PNFCC3
2007-07-26 04:00:59 0 d-------- C:\Documents and Settings\All Users\Application Data\PEERNET
2007-07-26 04:00:11 0 d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 03:59:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54:28 0 d-------- C:\Documents and Settings\Default\Application Data\WinRAR
2007-07-23 03:25:03 1165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52:19 0 d-------- C:\Documents and Settings\Default\Application Data\Talkback
2007-07-22 14:36:46 0 d-------- C:\Documents and Settings\Default\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-08-10 0613 0 d-------- C:\Program Files\Messenger
2007-08-10 06:03:55 0 d-------- C:\Program Files\DellSupport
2007-08-08 01:38:43 0 d-------- C:\Documents and Settings\Default\Application Data\uTorrent
2007-08-06 16:04:17 0 d-------- C:\Program Files\McAfee.com
2007-08-04 15:18:04 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 09:22:23 0 d-------- C:\Program Files\Common Files
2007-07-02 11:43:29 0 d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46:33 0 d-------- C:\Documents and Settings\Default\Application Data\Image Zone Express
2007-05-30 14:09:51 117193 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [06/30/2004 03:33 PM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/19/2004 01:13 PM]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [11/11/2005 05:00 PM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]




-- End of Deckard's System Scanner: finished at 2007-08-10 at 06:23:43 ---------



ONLINE SCAN:

Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\classes\appid\adm.EXE
Potentially unwanted tool:Application/Processor Not disinfected C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\nsbA.tmp
Adware:Adware/IST.ISTBar Not disinfected C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\Setup(2).exe
Adware:Adware/PopupSearches Not disinfected C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\temp.fr2B1D
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.go.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.com.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.gostats.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\cf7mj29r.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Default\Cookies\default@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Default\Cookies\default@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Default\Cookies\default@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Default\Cookies\default@burstnet[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Default\Cookies\default@doubleclick[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Default\Cookies\default@enhance[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Default\Cookies\default@go[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Default\Cookies\default@www.burstbeacon[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Default\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/Downloader.PJT Disinfected C:\QooBox\Quarantine\C\DOCUME~1\Default\APPLIC~1\tmp402.tmp.exe.vir
Virus:Trj/Downloader.PJT Disinfected C:\QooBox\Quarantine\C\DOCUME~1\Default\APPLIC~1\tmpD.tmp.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\VundoFix Backups\ssqoopp.dll.bad.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-10_ 50140.93.zip[IMGDIT.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe



COMBOFIX LOG:


ComboFix 07-08-10.7 - "Default" 2007-08-10 5:40:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.65 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\install.dat
C:\WINDOWS\SYSTEM32\mqshcefp.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.dat
C:\VundoFix Backups
C:\VundoFix Backups\jmllm.bak1.bad
C:\VundoFix Backups\jmllm.bak2.bad
C:\VundoFix Backups\jmllm.ini.bad
C:\VundoFix Backups\mllmj.dll.bad
C:\VundoFix Backups\ssqoopp.dll.bad
C:\VundoFix Backups\tmp83.tmp.dll.bad
C:\WINDOWS\SYSTEM32\mqshcefp.exe


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 04:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 01:22 <DIR> d-------- C:\Program Files\Google
2007-08-10 01:22 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Google
2007-08-09 04:13 <DIR> d-------- C:\Deckard
2007-08-09 04:07 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-09 04:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-09 03:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-06 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-06 13:44 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 22:51 245,760 --a------ C:\WINDOWS\SYSTEM32\ImxEx.dll
2007-08-05 22:25 <DIR> d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2007-08-04 20:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\NCH Swift Sound
2007-08-04 19:59 <DIR> d-------- C:\Program Files\NCH Software
2007-08-04 19:56 135,168 --a------ C:\WINDOWS\SYSTEM32\DSKernel2.dll
2007-08-04 19:56 1,936,528 --a------ C:\WINDOWS\SYSTEM32\ltmm15.dll
2007-08-04 19:55 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-08-04 19:55 <DIR> d-------- C:\Program Files\Replay Converter
2007-08-04 19:52 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\GetRightToGo
2007-08-04 19:37 <DIR> d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40 <DIR> d-------- C:\Program Files\uTorrent
2007-08-02 20:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-02 20:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-08-02 20:35 98,304 --a------ C:\WINDOWS\SYSTEM32\SoftAheadCert.dll
2007-07-26 14:36 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Move Networks
2007-07-26 05:08 <DIR> d-------- C:\Program Files\NewzToolz
2007-07-26 05:08 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\NewzToolz
2007-07-26 04:01 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\PEERNET
2007-07-26 04:00 <DIR> d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 04:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PEERNET
2007-07-26 03:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\WinRAR
2007-07-23 03:25 1,165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52 <DIR> d-------- C:\DOCUME~1\Default\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 03:49 --------- d-------- C:\Program Files\Messenger
2007-08-09 03:46 --------- d-------- C:\Program Files\DellSupport
2007-08-08 01:38 --------- d-------- C:\DOCUME~1\Default\APPLIC~1\uTorrent
2007-08-06 16:04 --------- d-------- C:\Program Files\McAfee.com
2007-08-04 15:18 --------- d-------- C:\Program Files\Common Files\Real
2007-07-02 11:43 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46 --------- d-------- C:\DOCUME~1\Default\APPLIC~1\Image Zone Express
2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2005-10-01 19:58:44 332 -csha-r C:\WINDOWS\SYSTEM32\MS4xx0104q.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 15:33]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-19 13:13]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

R0 RecAgent;RecAgent;C:\WINDOWS\system32\DRIVERS\RecAgent.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
R3 Slntamr;Smart Link 56K Modem Driver;C:\WINDOWS\system32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
S3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
S3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\Slnthal.sys


Contents of the 'Scheduled Tasks' folder
2007-05-30 18:10:31 C:\WINDOWS\Tasks\WebReg psc C3100 series.job - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 05:43:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 5:45:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 05:45
C:\ComboFix2.txt ... 2007-08-10 05:03

--- E O F ---
08-10-2007, 03:34 AM   #8
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

Why are you giving me a Panda online scan report? I specifically asked for a Kaspersky scan. There's a difference.

08-10-2007, 04:48 AM   #9
burnsbabyburns (Registered User)
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Sorry about that. My computer is still running slow, but I'm not getting constant pop-ups anymore.

Online Scan Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 10, 2007 7:40:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/08/2007
Kaspersky Anti-Virus database records: 377930
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 36123
Number of viruses found: 8
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 00:42:45

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\Setup(0).exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\Setup(2).exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\temp.fr2B1D Infected: Trojan.Win32.Agent.aoy skipped
C:\Deckard\System Scanner\20070810050551\backup\DOCUME~1\Default\LOCALS~1\Temp\Temporary Directory 1 for @ winter screen saver 3d @ [SVCD].zip\Setup.exe Infected: Trojan-Dropper.Win32.Mudrop.du skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\Default\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Default\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Default\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Default\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Default\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Default\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqoopp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\cbxusp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\ddaxvs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\opqpqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\rqpnll.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IMGDIT.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\QooBox\Quarantine\catchme2007-08-10_ 50140.93.zip/IMGDIT.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\QooBox\Quarantine\catchme2007-08-10_ 50140.93.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000010.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000013.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000053.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000065.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000067.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000068.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000069.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000070.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000071.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000072.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000174.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000193.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000205.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000207.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000208.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
08-10-2007, 04:53 AM   #10
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

Quote:
My computer is still running slow
How much RAM do you have on this machine? Please take note that you require 512MB for XP to run reasonably well. Seems to me that you have less than that.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem -- delete the leftover file; anything that survives is written to the log --
for %%g in (
c:\windows\smdat32m.sys
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem -- remove the adware folder and the tool backup folders; the first path is quoted because it contains a space --
for %%g in (
"c:\program files\Need2Find"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

rem -- disable then re-enable System Restore, which purges the infected restore points --
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

rem -- remove the leftover registry entries and restore the default hidden-file settings --
(
echo.REGEDIT4&echo.
echo.[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Switch]
echo.[-HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]
echo.[-HKEY_LOCAL_MACHINE\Software\classes\appid\adm.EXE]
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run.

Post back to tell me what it says.
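The fix.bat above does two separate jobs: it tries to delete a fixed list of files and folders and logs anything that survives, and it writes a REGEDIT4 file that removes leftover keys and re-hides system files. As an added example (not code from the thread or from sUBs), here are both re-done in Python so they can be exercised offline; the sample paths are constructed inside a temporary folder, and the REGEDIT4 text is only built, not applied.

```python
import os
import shutil
import tempfile


def build_reg(delete_keys, set_values):
    """REGEDIT4 text as fix.bat writes it: [-Key] deletes a key, "name"=dword:xxxxxxxx sets a value."""
    lines = ["REGEDIT4", ""]
    for key in delete_keys:
        lines.append("[-%s]" % key)
    for key, values in set_values.items():
        lines.append("[%s]" % key)
        for name, value in values.items():
            lines.append('"%s"=dword:%08x' % (name, value))
    return "\n".join(lines) + "\n"


def cleanup(targets, log_path):
    """Delete each file or folder, re-check, and log survivors; [] means 'Deleted Successfully'."""
    leftovers = []
    for target in targets:
        try:
            if os.path.isdir(target):
                shutil.rmtree(target)      # rd /s/q
            elif os.path.lexists(target):
                os.remove(target)          # del /a/f
        except OSError:
            pass                           # >nul 2>&1: keep going, verify below
        if os.path.lexists(target):        # if exist %%g ... >> log.txt
            leftovers.append(target)
    if leftovers:
        with open(log_path, "w") as log:
            log.write("\n".join(leftovers) + "\n")
    return leftovers


def demo():
    """Constructed sample tree standing in for the thread's targets; returns (leftovers, all_gone)."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, "program files", "Need2Find")   # space in path, unlike the batch FOR list
    os.makedirs(folder)
    open(os.path.join(folder, "constructed.dll"), "w").close()
    driver = os.path.join(root, "smdat32m.sys")
    open(driver, "w").close()
    missing = os.path.join(root, "Qoobox")                      # never existed: not a leftover
    left = cleanup([driver, folder, missing], os.path.join(root, "log.txt"))
    gone = not any(os.path.lexists(p) for p in (driver, folder, missing))
    shutil.rmtree(root)
    return left, gone
```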
Old 08-10-2007, 05:01 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Quote:
Originally Posted by sUBs View Post
How much RAM do you have on this machine. Please take note that you require 512MB for XP to run reasonably well. Seems to me that you have less than that
Yeah, I think I have 256, but I've had this computer for over 2 years and it's never run this slow. I'm having a hard time even searching eBay without getting a "firefox not responding" message.


Here you go


@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
c:\windows\smdat32m.sys
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (
"c:\program files\Need2Find"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Switch]
echo.[-HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]
echo.[-HKEY_LOCAL_MACHINE\Software\classes\appid\adm.EXE]
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
Old 08-10-2007, 05:03 AM   #12 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Is that right?
Old 08-10-2007, 05:03 AM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

When you saved the fix.bat file, did it look like this -->
Old 08-10-2007, 05:04 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

It said Deleted Successfully.
Old 08-10-2007, 05:11 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Quote:
Originally Posted by sUBs View Post
When you saved the fix.bat file, did it look like this -->
Yes
Old 08-10-2007, 05:18 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

Quote:
I've had this computer for over 2 years and it's never ran this slow
Have you installed any new programs recently? McAfee perhaps?
Old 08-10-2007, 05:23 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Quote:
Originally Posted by sUBs View Post
Have you installed any new programs recently? McAfee perhaps?
I've always had McAfee on this computer, but I only recently (maybe 3-4 days ago) installed the virus scan when my computer started sucking.

Am I Virus/Malware free right now?
Old 08-10-2007, 05:29 AM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

You're clean.

Try uninstalling McAfee's VirusScan. It should restore your limited speed.
Last edited by sUBs; 08-10-2007 at 05:30 AM.
Old 08-10-2007, 05:35 AM   #19 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Vundo and Downloader-BDF

Can I remove these from my computer now?

dss
combofix

Also, should I buy an Anti-Virus program for my computer?
Old 08-10-2007, 05:38 AM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Vundo and Downloader-BDF

DSS & Combofix can be deleted.

You should always have an antivirus program. Get a freeware program like AntiVir: http://www.free-av.com/antivirus/allinonen.html. With the money saved, you can invest in new RAM stock.
Copyright 2001 - 2009, Tech Support Forum