Old 10-09-2007, 05:01 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 4
OS: XP sp2


Avira showing a Vundo.Gen

Hello,
I would be grateful for any help. I have tried a bit of DIY already with Spybot and deleted malware files from the registry. Before I did this, Avira was picking up the trojan Dldr.ConHook.Gen as well as Vundo.Gen
(whose file has renamed itself), at which stage I Googled and was lucky enough to discover you.
Have been through the five steps.
-Activescan:

Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Deckard\System Scanner\20071007175231\backup\DOCUME~1\f&sd\LOCALS~1\Temp\NeroDemo12061\Toolbar.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[server.iad.liveperson.net/hc/69564061]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@bs.serving-sys[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@overture[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@serving-sys[2].txt
Adware:Adware/SaveNow Not disinfected C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
Deckard's System Scanner v20070905.67
Run by f&sd on 2007-10-07 17:52:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as f&sd.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:34 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\Rscmpt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
E:\Widgets\YahooWidgetEngine.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
E:\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\windows\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\f&sd\Desktop\Unused Desktop Shortcuts\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\f&sd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BFB6AECC-11E7-4278-8352-DFB3DCF6F713} - C:\windows\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = E:\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175383482046
O17 - HKLM\System\CCS\Services\Tcpip\..\{FECA049E-F3A9-4438-968A-0AE2367E9895}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: urqrqpo - C:\windows\SYSTEM32\urqrqpo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Display Desktop 32 Service - Unknown owner - C:\WINDOWS\system32\vdesk32.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9173 bytes

-- Files created between 2007-09-07 and 2007-10-07 -----------------------------

2007-10-07 17:23:28 0 d-------- C:\Program Files\Trend Micro
2007-10-05 20:47:06 0 d-------- C:\Documents and Settings\f&sd\.housecall6.6
2007-10-05 19:35:10 6473 --ahs---- C:\windows\system32\ccbeg.bak1
2007-10-05 18:46:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-30 11:32:24 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-30 11:25:17 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-26 18:01:29 35328 --a------ C:\windows\system32\awtusqq.dll
2007-09-26 17:59:30 35328 --a------ C:\windows\system32\urqrqpo.dll
2007-09-22 19:38:16 0 d-------- C:\Documents and Settings\f&sd\Application Data\Nero
2007-09-21 16:37:54 0 d-------- C:\Documents and Settings\f&sd\Application Data\Apple Computer
2007-09-21 16:37:44 0 d-------- C:\Program Files\iPod
2007-09-21 16:37:41 0 d-------- C:\Program Files\iTunes
2007-09-21 16:37:10 0 d-------- C:\Program Files\QuickTime
2007-09-21 16:37:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 16:36:48 0 d-------- C:\Program Files\Apple Software Update
2007-09-21 16:36:31 0 d-------- C:\Program Files\Common Files\Apple
2007-09-21 16:36:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2007-10-07 17:03:18 0 d-------- C:\Program Files\Canon
2007-10-07 15:13:46 0 d-------- C:\Documents and Settings\f&sd\Application Data\temp
2007-10-07 10:25:28 327526 --a------ C:\logfile
2007-10-07 10:19:03 0 d-------- C:\Program Files\lg_fwupdate
2007-10-05 18:09:58 0 d-------- C:\Documents and Settings\f&sd\Application Data\uTorrent
2007-09-24 17:24:22 0 d-------- C:\Documents and Settings\f&sd\Application Data\Vso
2007-09-21 16:36:31 0 d-------- C:\Program Files\Common Files
2007-09-18 08:19:26 0 d-------- C:\Documents and Settings\f&sd\Application Data\Canon
2007-09-14 20:41:00 0 d-------- C:\Documents and Settings\f&sd\Application Data\Adobe
2007-09-01 22:42:06 0 d-------- C:\Program Files\Bonjour
2007-09-01 22:42:05 0 d-------- C:\Program Files\Common Files\Adobe
2007-09-01 22:35:30 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-25 09:05:31 0 d--h----- C:\Program Files\FX Uninstall Information
2007-08-23 19:51:33 0 d-------- C:\Documents and Settings\f&sd\Application Data\Ahead
2007-08-18 12:11:58 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-12 11:28:10 0 d-------- C:\Program Files\SystemRequirementsLab
2007-08-12 11:28:00 0 d-------- C:\Documents and Settings\f&sd\Application Data\SystemRequirementsLab
2007-08-12 11:27:45 4487 --a------ C:\windows\mozver.dat
2007-08-12 11:27:36 0 d-------- C:\Program Files\Java
2007-08-12 11:23:55 0 d-------- C:\Program Files\Common Files\Java
2007-08-11 08:59:51 0 d-------- C:\Documents and Settings\f&sd\Application Data\AdobeUM
2007-08-09 1804 0 dr-h----- C:\Documents and Settings\f&sd\Application Data\SecuROM
2007-08-09 17:55:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 17:54:30 0 d-------- C:\Documents and Settings\f&sd\Application Data\InstallShield
2007-08-07 22:04:56 0 d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2007-08-07 21:05:51 0 d-------- C:\Documents and Settings\f&sd\Application Data\DAEMON Tools Pro
2007-07-25 08:21:08 2850 --a------ C:\windows\system32\ealregsnapshot1.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFB6AECC-11E7-4278-8352-DFB3DCF6F713}]
C:\windows\system32\gebcc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rscmpt"="C:\WINDOWS\system32\Rscmpt.exe" [26/08/2006 05:29 PM]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [29/06/2007 12:43 AM]
"nwiz"="nwiz.exe" [29/06/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/07/2006 07:58 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 02:40 PM]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/09/2007 07:29 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [28/09/2006 12:16 PM]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [11/10/2006 11:45 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [27/03/2007 09:02 PM]
"RTHDCPL"="RTHDCPL.EXE" [27/05/2006 12:47 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 08:43 PM C:\WINDOWS\Alcmtr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [29/06/2007 12:43 AM]
"NWEReboot"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [15/01/2007 03:14 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 04:46 PM]

C:\Documents and Settings\f&sd\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - E:\Widgets\YahooWidgetEngine.exe [21/07/2007 3:57:16 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [11/03/2007 2:39:10 PM]
KODAK Software Updater.lnk.disabled [11/03/2007 2:40:44 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2DF26EA8-AAF5-45BD-A107-778EB1D5C0C9}"= C:\windows\system32\urqrqpo.dll [26/09/2007 05:59 PM 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqpo]
urqrqpo.dll 26/09/2007 05:59 PM 35328 C:\WINDOWS\system32\urqrqpo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\windows\\system32\\gebcc

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"SkyTel"=SkyTel.EXE
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"




-- End of Deckard's System Scanner: finished at 2007-10-07 17:52:53 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
CPU 1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2047.48 MiB / 1577.3 MiB
Pagefile Memory (total/avail): 3939.56 MiB / 3581.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 4.1 GiB free.
D: is Fixed (NTFS) - 19.53 GiB total, 15.75 GiB free.
E: is Fixed (NTFS) - 48.83 GiB total, 6.99 GiB free.
F: is Fixed (NTFS) - 48.83 GiB total, 48.76 GiB free.
G: is Fixed (NTFS) - 48.83 GiB total, 34.04 GiB free.
H: is Fixed (NTFS) - 112.53 GiB total, 106.68 GiB free.
I: is CDROM (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 6 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 278.55 GiB - D: - E: - F: - G: - H:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ActiveArmor Firewall v1.0 (NVIDIA Corporation)
AV: Avira AntiVir PersonalEdition v 7.0.0.56
(Avira GmbH)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"E:\\eMule\\emule.exe"="E:\\eMule\\emule.exe:*:Enabled:eMule"
"D:\\Kodak EasyShare software\\bin\\EasyShare.exe"="D:\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"E:\\eMule\\utorrent.exe"="E:\\eMule\\utorrent.exe:*:Enabled:µTorrent"
"E:\\New Folder\\Battlefield Vietnam\\bfvietnam.exe"="E:\\New Folder\\Battlefield Vietnam\\bfvietnam.exe:*:Enabled:bfvietnam"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"E:\\New Folder\\Battlefield 1942\\BF1942.exe"="E:\\New Folder\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"E:\\addlogo.exe"="E:\\addlogo.exe:*:Enabled:FW2"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\f&sd\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DICKIES
ComSpec=C:\windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\f&sd
LOGONSERVER=\\DICKIES
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\windows\system32;C:\windows;C:\windows\system32\WBEM;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\windows
TEMP=C:\DOCUME~1\f&sd\LOCALS~1\Temp
TMP=C:\DOCUME~1\f&sd\LOCALS~1\Temp
USERDOMAIN=DICKIES
USERNAME=f&sd
USERPROFILE=C:\Documents and Settings\f&sd
windir=C:\windows


-- User Profiles ---------------------------------------------------------------

f&sd (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type2336 / Error
Event Submitted/Written: 10/07/2007 0521 PM
Event ID/Source: 2 / Display Desktop 32 Service
Event Description:
SetServiceStatus() failed

Event Record #/Type2333 / Warning
Event Submitted/Written: 10/07/2007 04:56:02 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\gebcc.VIR

Event Record #/Type2332 / Warning
Event Submitted/Written: 10/07/2007 04:33:50 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\Documents and Settings\f&sd\Local Settings\Temporary Internet Files\Content.IE5\0DUFG5MZ\CA2Z0NHU

Event Record #/Type2331 / Warning
Event Submitted/Written: 10/07/2007 04:33:50 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\ssttq.dll

Event Record #/Type2330 / Warning
Event Submitted/Written: 10/07/2007 03:35:12 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\vtutu.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22723 / Error
Event Submitted/Written: 10/07/2007 05:19:52 PM
Event ID/Source: 10016 / DCOM
Event Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type22722 / Error
Event Submitted/Written: 10/07/2007 05:19:45 PM
Event ID/Source: 10016 / DCOM
Event Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type22721 / Error
Event Submitted/Written: 10/07/2007 0552 PM
Event ID/Source: 10016 / DCOM
Event Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type22720 / Error
Event Submitted/Written: 10/07/2007 0546 PM
Event ID/Source: 10016 / DCOM
Event Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type22719 / Error
Event Submitted/Written: 10/07/2007 0546 PM
Event ID/Source: 10016 / DCOM
Event Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.



-- End of Deckard's System Scanner: finished at 2007-10-07 17:24:15 ------------

Hope this info is OK

Thanks again for any advice you can give
Regards
Stuart
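The HijackThis log above contains the persistence points that Vundo-family infections commonly use: a BHO with no name whose DLL has already been removed (O2), a Winlogon Notify DLL with a random-looking name in system32 (O20), and a service with an unknown owner (O23). As an added example, not part of this thread or of HijackThis itself, the following Python script triages HJT-format lines for those patterns; the sample log is constructed from lines quoted in the post, and the allowlist of known Notify DLLs is an assumption and deliberately incomplete.

```python
"""Triage a HijackThis (HJT) log for Vundo-style persistence entries.

Added example for this thread; it is not part of the forum post or of
HijackThis. The heuristics are assumptions tuned to the log quoted above
and will produce false positives on other machines: treat hits as items
to research, not as proof of infection.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log in the thread,
# mixed with legitimate entries so the filter has something to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BFB6AECC-11E7-4278-8352-DFB3DCF6F713} - C:\windows\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: urqrqpo - C:\windows\SYSTEM32\urqrqpo.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Display Desktop 32 Service - Unknown owner - C:\WINDOWS\system32\vdesk32.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
"""

# Assumed (deliberately incomplete) allowlist of Winlogon Notify DLLs that
# ship with Windows XP. Anything else loaded from system32 gets flagged.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# "O20 - Winlogon Notify: ..." -> section code "O20", rest of the line as body
HJT_LINE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # why the line was flagged
    line: str      # the offending log line, verbatim


def basename(path: str) -> str:
    """Return the last component of a Windows path, lower-cased."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Heuristic for Vundo-style DLL names: 5-8 lowercase letters, no digits."""
    stem = filename.rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def triage(log_text: str) -> list[Finding]:
    """Scan HJT-format lines and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        in_system32 = "system32" in body.lower()

        if section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding(section, "BHO with no name or missing DLL", line))

        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll = basename(body)
            if in_system32 and dll not in KNOWN_NOTIFY_DLLS:
                why = "non-default Winlogon Notify DLL"
                if looks_random(dll):
                    why += " with random-looking name"
                findings.append(Finding(section, why, line))

        elif section == "O23" and "Unknown owner" in body and in_system32:
            findings.append(Finding(section, "service with unknown owner in system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample it flags exactly the three entries named in the lead-in; a real analysis would still verify each file by hand, since the allowlist and the name heuristic are only starting points.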

Old 10-14-2007, 07:19 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Re: Avira showing a Vundo.Gen

Hello tecoma and welcome,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-15-2007, 02:00 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 4
OS: XP sp2


Re: Avira showing a Vundo.Gen

Hello Ried,
Thanks for your time.
I was not sure how to shut down Spybot TeaTimer - I hope it did not ruin the report.
Regards Tecoma

ComboFix 07-10-14.5 - f&sd 2007-10-15 17:37:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527 [GMT 10:00]
Running from: C:\Documents and Settings\f&sd\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt

.
((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.

2007-10-15 17:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 12:07 <DIR> C:\Documents and Settings\f&sd\Application Data\Nokia Multimedia Player
2007-10-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-12 17:33 <DIR> C:\Documents and Settings\f&sd\Application Data\Nokia
2007-10-12 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-12 17:32 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-12 17:32 <DIR> d-------- C:\Program Files\DIFX
2007-10-12 17:32 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-12 17:32 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-12 17:32 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-12 17:32 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-12 17:32 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-12 17:32 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-12 17:32 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-11 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-10-11 21:44 <DIR> C:\Documents and Settings\f&sd\Nokia
2007-10-11 21:34 <DIR> C:\Documents and Settings\f&sd\Phone Browser
2007-10-11 21:34 <DIR> C:\Documents and Settings\f&sd\Application Data\PC Suite
2007-10-11 21:33 <DIR> d-------- C:\Program Files\Nokia
2007-10-08 09:37 <DIR> d-------- C:\Program Files\iTunes
2007-10-08 09:37 <DIR> d-------- C:\Program Files\iPod
2007-10-07 20:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 18:54 <DIR> d-------- C:\VundoFix Backups
2007-10-07 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 20:47 <DIR> C:\Documents and Settings\f&sd\.housecall6.6
2007-10-05 19:35 6,473 --ahs---- C:\WINDOWS\system32\ccbeg.bak1
2007-10-05 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-30 11:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 18:01 35,328 --a------ C:\WINDOWS\system32\awtusqq.dll
2007-09-26 17:59 35,328 --------- C:\WINDOWS\system32\urqrqpo.dll
2007-09-22 19:38 <DIR> C:\Documents and Settings\f&sd\Application Data\Nero
2007-09-21 16:37 <DIR> d-------- C:\Program Files\QuickTime
2007-09-21 16:37 <DIR> C:\Documents and Settings\f&sd\Application Data\Apple Computer
2007-09-21 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 16:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-21 16:36 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-21 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-21 16:36 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 08:18 --------- d-----w C:\Documents and Settings\f&sd\Application Data\uTorrent
2007-10-13 02:07 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nokia Multimedia Player
2007-10-12 08:01 --------- d-----w C:\Documents and Settings\f&sd\Application Data\PC Suite
2007-10-12 07:51 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nokia
2007-10-12 07:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 09:37 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Vso
2007-10-07 20:53 --------- d-----w C:\Program Files\Bonjour
2007-10-07 07:03 --------- d-----w C:\Program Files\Canon
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\f&sd\Application Data\temp
2007-10-07 00:19 --------- d-----w C:\Program Files\lg_fwupdate
2007-09-28 08:54 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Apple Computer
2007-09-22 09:38 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nero
2007-09-17 22:19 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Canon
2007-09-01 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-01 12:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-01 12:35 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-08-24 23:05 --------- d--h--w C:\Program Files\FX Uninstall Information
2007-08-23 09:51 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Ahead
2007-08-21 06:15 683,520 ----a-w C:\windows\system32\inetcomm.dll
2007-08-18 02:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-08-09 08:06 108,144 ----a-w C:\windows\system32\CmdLineExt.dll
2007-07-30 09:19 92,504 ----a-w C:\windows\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\windows\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-07-30 09:19 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\windows\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\windows\system32\wups.dll
2007-03-18 02:44 87,608 ----a-w C:\Documents and Settings\f&sd\Application Data\ezpinst.exe
2007-03-18 02:44 47,360 ----a-w C:\Documents and Settings\f&sd\Application Data\pcouffin.sys
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFB6AECC-11E7-4278-8352-DFB3DCF6F713}]
C:\windows\system32\gebcc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rscmpt"="C:\WINDOWS\system32\Rscmpt.exe" [2006-08-26 17:29]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-07-12 19:58]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 17:46]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-27 21:02]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 15:14]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\f&sd\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - E:\Widgets\YahooWidgetEngine.exe [2007-07-21 03:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [2007-03-11 14:39:10]
KODAK Software Updater.lnk.disabled [2007-03-11 14:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqpo]
urqrqpo.dll 2007-09-26 17:59 35328 C:\WINDOWS\system32\urqrqpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"SkyTel"=SkyTel.EXE
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NWEReboot"=
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

S2 Display Desktop 32 Service;Display Desktop 32 Service;C:\WINDOWS\system32\vdesk32.exe
S3 USBAAPL;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 22:48:01 C:\windows\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 17:38:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 17:39:23
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:00 PM, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\Rscmpt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\ctfmon.exe
C:\windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BFB6AECC-11E7-4278-8352-DFB3DCF6F713} - C:\windows\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = E:\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175383482046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FECA049E-F3A9-4438-968A-0AE2367E9895}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: urqrqpo - C:\windows\SYSTEM32\urqrqpo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Display Desktop 32 Service - Unknown owner - C:\WINDOWS\system32\vdesk32.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8385 bytes
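What the helper is doing when reading the two logs above by eye is correlating a handful of indicators: a BHO with no name whose file is already gone (gebcc.dll), a Winlogon Notify package with a random-looking name (urqrqpo.dll) that ComboFix also lists among newly created system32 files beside a same-sized sibling created two minutes earlier (awtusqq.dll), and a service with no publisher information. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses both log formats and applies those checks to a constructed sample built from lines of the logs posted above. The Winlogon Notify allowlist and the heuristics (hidden+system attributes, a cleared archive bit on a freshly created file, same-size files created within ten minutes) are this example's own assumptions.

```python
"""Triage of HijackThis entries and ComboFix "Files Created" lines, doing
mechanically what a helper does by eye.  Added example: the heuristics and
the Winlogon Notify allowlist are assumptions, not HijackThis/ComboFix logic."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Winlogon Notify packages that ship with Windows XP (assumed allowlist; a
# real deployment adds its own known vendor packages, e.g. graphics drivers).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

HJT_ENTRY = re.compile(r"^(?P<tag>O\d+|R\d) - (?P<body>.*)$")
# ComboFix line: "YYYY-MM-DD HH:MM  size-or-<DIR>  9-char-attributes  path"
CF_FILE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)"
                     r"\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str      # "HJT" or "ComboFix"
    reason: str
    evidence: str    # the log line(s) that triggered it


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_hijackthis(text: str) -> list:
    """One Finding per HijackThis entry that matches a triage rule."""
    findings = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue
        tag, body, reasons = m["tag"], m["body"], []
        if tag == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            reasons.append("load point references a file that no longer exists")
        if tag == "O20" and body.startswith("Winlogon Notify:"):
            dll = basename(body.rsplit(" - ", 1)[-1]).lower()
            if dll[:-4] not in KNOWN_NOTIFY:          # strip ".dll"
                reasons.append("Winlogon Notify package not shipped with Windows")
        if tag == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append(Finding("HJT", "; ".join(reasons), raw.strip()))
    return findings


def notify_dlls(findings) -> set:
    """DLL file names from flagged O20 entries, for cross-referencing."""
    return {basename(f.evidence.rsplit(" - ", 1)[-1]).lower()
            for f in findings if f.evidence.startswith("O20 -")}


def triage_combofix_created(text: str, watch_names=frozenset()) -> list:
    """Flag new system32 files that are hidden+system, had the archive bit
    cleared (Windows sets it on creation), match a watched name, or share
    size and a ten-minute creation window with another new file."""
    findings, by_size = [], defaultdict(list)
    for raw in text.splitlines():
        m = CF_FILE.match(raw.strip())
        if not m or m["size"] == "<DIR>":
            continue
        attrs, path = m["attrs"].lower(), m["path"]
        name, reasons = basename(path).lower(), []
        in_sys32 = "\\system32\\" in path.lower()
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        if in_sys32 and attrs == "---------":
            reasons.append("archive bit cleared on a freshly created file")
        if name in watch_names:
            reasons.append("matches a flagged Winlogon Notify DLL")
        if reasons:
            findings.append(Finding("ComboFix", "; ".join(reasons), raw.strip()))
        if in_sys32:
            stamp = datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M")
            by_size[m["size"]].append((stamp, raw.strip()))
    for size, items in by_size.items():
        items.sort()
        for (t1, a), (t2, b) in zip(items, items[1:]):
            if (t2 - t1).total_seconds() <= 600:
                findings.append(Finding("ComboFix",
                    f"two new system32 files of {size} bytes within ten minutes",
                    f"{a} | {b}"))
    return findings


# Constructed sample input, copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BFB6AECC-11E7-4278-8352-DFB3DCF6F713} - C:\windows\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: urqrqpo - C:\windows\SYSTEM32\urqrqpo.dll
O23 - Service: Display Desktop 32 Service - Unknown owner - C:\WINDOWS\system32\vdesk32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
"""
SAMPLE_CF = r"""
2007-10-15 17:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-05 19:35 6,473 --ahs---- C:\WINDOWS\system32\ccbeg.bak1
2007-09-26 18:01 35,328 --a------ C:\WINDOWS\system32\awtusqq.dll
2007-09-26 17:59 35,328 --------- C:\WINDOWS\system32\urqrqpo.dll
2007-09-21 16:36 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
"""

if __name__ == "__main__":
    hjt = triage_hijackthis(SAMPLE_HJT)
    for f in hjt + triage_combofix_created(SAMPLE_CF, notify_dlls(hjt)):
        print(f"[{f.source}] {f.reason}\n    {f.evidence}")
```

Run as a script it prints three HijackThis findings (the nameless BHO, the Winlogon Notify entry, the publisher-less service) and three ComboFix findings (the hidden+system ccbeg.bak1, urqrqpo.dll matched both by name and by its cleared archive bit, and the 35,328-byte pair). The cross-reference step is the part worth keeping: a Winlogon Notify DLL on its own is only a candidate, but the same name showing up as a freshly created system32 file with a twin of identical size is what makes the removal script in the next reply defensible.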
Old 10-15-2007, 07:56 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Re: Avira showing a Vundo.Gen

Hello tecoma,

You can disregard that error by ComboFix. If it happens again in this run, just click Cancel in that "no drive" message box--it should only appear 3 times, then go away.

Let's disable TeaTimer now so you don't have to worry about it. We'll re-enable it when we're through.

-----------------------------------------------------------------

Close any open browsers.

-----------------------------------------------------------------

Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
-----------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\awtusqq.dll
C:\WINDOWS\system32\urqrqpo.dll
C:\Program Files\Uninstall_CDS.exe
C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe 

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFB6AECC-11E7-4278-8352-DFB3DCF6F713}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqpo]
Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Please run another online scan at Panda, using Internet Explorer:

Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of Panda's 8 MB ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
New HijackThis log
Update on system behavior
Old 10-17-2007, 04:58 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 4
OS: XP sp2


Re: Avira showing a Vundo.Gen

Hello Ried,
Thanks again for your time; in order with TeaTimer disabled:

ComboFix 07-10-17.8 - f&sd 2007-10-17 17:45:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1615 [GMT 10:00]
Running from: C:\Documents and Settings\f&sd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\f&sd\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
C:\Program Files\Uninstall_CDS.exe
C:\WINDOWS\system32\awtusqq.dll
C:\WINDOWS\system32\urqrqpo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
C:\Program Files\Uninstall_CDS.exe
C:\WINDOWS\system32\awtusqq.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-15 17:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 12:07 <DIR> C:\Documents and Settings\f&sd\Application Data\Nokia Multimedia Player
2007-10-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-12 17:33 <DIR> C:\Documents and Settings\f&sd\Application Data\Nokia
2007-10-12 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-12 17:32 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-12 17:32 <DIR> d-------- C:\Program Files\DIFX
2007-10-12 17:32 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-12 17:32 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-12 17:32 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-12 17:32 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-12 17:32 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-12 17:32 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-12 17:32 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-11 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-10-11 21:44 <DIR> C:\Documents and Settings\f&sd\Nokia
2007-10-11 21:34 <DIR> C:\Documents and Settings\f&sd\Phone Browser
2007-10-11 21:34 <DIR> C:\Documents and Settings\f&sd\Application Data\PC Suite
2007-10-11 21:33 <DIR> d-------- C:\Program Files\Nokia
2007-10-08 09:37 <DIR> d-------- C:\Program Files\iTunes
2007-10-08 09:37 <DIR> d-------- C:\Program Files\iPod
2007-10-07 20:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 20:47 <DIR> C:\Documents and Settings\f&sd\.housecall6.6
2007-10-05 19:35 6,473 --ahs---- C:\WINDOWS\system32\ccbeg.bak1
2007-10-05 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-30 11:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-22 19:38 <DIR> C:\Documents and Settings\f&sd\Application Data\Nero
2007-09-21 16:37 <DIR> d-------- C:\Program Files\QuickTime
2007-09-21 16:37 <DIR> C:\Documents and Settings\f&sd\Application Data\Apple Computer
2007-09-21 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 16:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-21 16:36 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-21 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-21 16:36 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 07:46 --------- d-----w C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2007-10-13 08:18 --------- d-----w C:\Documents and Settings\f&sd\Application Data\uTorrent
2007-10-13 02:07 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nokia Multimedia Player
2007-10-12 08:01 --------- d-----w C:\Documents and Settings\f&sd\Application Data\PC Suite
2007-10-12 07:51 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nokia
2007-10-12 07:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 09:37 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Vso
2007-10-07 20:53 --------- d-----w C:\Program Files\Bonjour
2007-10-07 07:03 --------- d-----w C:\Program Files\Canon
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\f&sd\Application Data\temp
2007-10-07 00:19 --------- d-----w C:\Program Files\lg_fwupdate
2007-09-28 08:54 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Apple Computer
2007-09-22 09:38 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Nero
2007-09-17 22:19 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Canon
2007-09-01 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-01 12:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-01 12:35 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-08-24 23:05 --------- d--h--w C:\Program Files\FX Uninstall Information
2007-08-23 09:51 --------- d-----w C:\Documents and Settings\f&sd\Application Data\Ahead
2007-08-18 02:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-03-18 02:44 87,608 ----a-w C:\Documents and Settings\f&sd\Application Data\ezpinst.exe
2007-03-18 02:44 47,360 ----a-w C:\Documents and Settings\f&sd\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rscmpt"="C:\WINDOWS\system32\Rscmpt.exe" [2006-08-26 17:29]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-07-12 19:58]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 17:46]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-27 21:02]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 15:14]

C:\Documents and Settings\f&sd\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - E:\Widgets\YahooWidgetEngine.exe [2007-07-21 03:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [2007-03-11 14:39:10]
KODAK Software Updater.lnk.disabled [2007-03-11 14:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"SkyTel"=SkyTel.EXE
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NWEReboot"=
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

S2 Display Desktop 32 Service;Display Desktop 32 Service;C:\WINDOWS\system32\vdesk32.exe
S3 USBAAPL;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 22:48:01 C:\windows\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 17:48:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 17:49:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-15 17:48
C:\ComboFix3.txt ... 2007-10-15 17:39
.
--- E O F ---


Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Deckard\System Scanner\20071007175231\backup\DOCUME~1\f&sd\LOCALS~1\Temp\NeroDemo12061\Toolbar.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\f&sd\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\cookies.txt[server.iad.liveperson.net/hc/69564061]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@bs.serving-sys[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@overture[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\f&sd\Cookies\f&sd@serving-sys[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\f&sd\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\f&sd\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\f&sd\Local Settings\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\Cache\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\f&sd\Local Settings\Application Data\Mozilla\Firefox\Profiles\ajz98g5f.default\Cache\7ED6F4AAd01[nircmd.cfexe]
Adware:Adware/SaveNow Not disinfected C:\qoobox\Quarantine\C\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:14 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\Rscmpt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = E:\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175383482046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FECA049E-F3A9-4438-968A-0AE2367E9895}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Display Desktop 32 Service - Unknown owner - C:\WINDOWS\system32\vdesk32.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8601 bytes

System behaviour: Antivir still picking up TR/Vundo.Gen from C:\System Volume Information\_restore{994D7147-D62C-4086-A749-BC446C13AEAB}\A0005081.dll, if that means anything.

Regards Tecoma
Old 10-17-2007, 08:11 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Re: Avira showing a Vundo.Gen

Hello tecoma,

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. As your logs are now clean, we'll take care of that now.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

*Please respond one more time and let us know if we may consider this resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-19-2007, 10:47 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 4
OS: XP sp2


Re: Avira showing a Vundo.Gen

Hello Ried

All seems to be running well now - thank you indeed for this and the advisory

Much regard Tecoma
Old 10-19-2007, 10:54 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Re: Avira showing a Vundo.Gen

You're welcome, and best regards to you as well.
Copyright 2001 - 2009, Tech Support Forum