Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
#1 - 12-31-2007, 02:55 AM
Registered User
 
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro


Pc tools finds virtumonde but vundo fix doesn't

Hi,
I'm hoping someone can help me with this. For the past few months I've been plagued with something called Real Spy Monitor. Only System Mechanic can find it and delete it, but it keeps coming back. And no, my husband isn't spying on me. Heh.

Anyhow, I got PC Tools Spyware Doctor in a Google Pack download. I just wanted the search engine for IE, but somehow I got PC Tools too. I figured I'd use its SCAN feature, and it found something called Trojan Virtumonde. I selected "remove", but it wasn't removed, because I did another scan a few minutes later and it showed up again. Then I removed it again and scanned a third time, and the scan result was clean.

Anyhow, I got another trojan at 5:30am Saturday morning (crap) from clicking a link on a website. Avast caught that one and I moved it to the chest and then deleted it. But something of it was left behind, and afterwards Avast was prevented from updating. Also SpywareGuard couldn't update. (Is this too much detail?) Anyhow, ddayv.exe and ddayv.dll were in my system32 folder, created at 5:30am Saturday morning, so I knew it was connected. I downloaded VundoFix.exe and it found about 6 files but couldn't get rid of one of them and froze my PC. (I finally got out of the freeze and got rid of the file in Safe Mode.) Still couldn't update Avast though, so I finally reformatted the hard drive (destructive restore) to start fresh.

After the reformat and reinstall of a bunch of programs, Real Spy Monitor was back on my PC. Got rid of it with System Mechanic and downloaded Spyware Doctor again, and it reported 11 instances of infections due to Virtumonde but wouldn't remove them this time. I downloaded VundoFix.exe again and ran a scan and it didn't find any files this time. Is Spyware Doctor jerking me around to get me to buy the program, or am I infected again?

Thanks for your help.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:35:55 AM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Not Programs\hijackthis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Last edited by intanet; 12-31-2007 at 02:58 AM.
intanet is offline  
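The logs in this thread are the HijackThis v1.99.1 entry format (O2 BHOs, O4 Run keys, O23 services). The following is an added triage helper, not code from the forum thread or from HijackThis, that parses those lines and tags the entries an analyst checks first; the `parse_entry`/`triage` names, the tag names and the two lines marked "constructed" are this example's own. A tag is a prompt to verify, not a verdict: the thread's own logs show avast! services reported "(file missing)" by v1.99.1 while the same binaries appear in the running-process list and are reported present by the Deckard clone scan.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "O2 - BHO: ..." / "R1 - HKCU\..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path ending in an executable-type extension; stops at a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|cab)\b', re.IGNORECASE)
# Directories where legitimate XP-era autostart binaries normally live.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    section: str               # e.g. "O2", "O23"
    body: str                  # everything after "Oxx - "
    clsid: str | None
    path: str | None
    tags: list[str] = field(default_factory=list)


def parse_entry(line: str) -> Entry | None:
    """Parse one log line; returns None for process-list and header lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    entry = Entry(sec, body, clsid.group(0) if clsid else None,
                  path.group(0) if path else None)
    low = body.lower()
    low_path = entry.path.lower() if entry.path else ""

    # Registered but absent: usually a leftover of an uninstall or a
    # partial cleanup. Safe to fix, but worth noting in the report.
    if sec == "O2" and "(no file)" in low:
        entry.tags.append("orphan-bho")
    # An unnamed BHO backed by a DLL in system32 is the pattern the
    # Vundo/Virtumonde family uses; verify publisher, size and timestamp.
    if sec == "O2" and "(no name)" in low and "\\system32\\" in low_path:
        entry.tags.append("unnamed-bho-in-system32")
    # Service binary reported missing: confirm against the process list
    # before acting (v1.99.1 mis-parses quoted paths followed by arguments).
    if sec == "O23" and "(file missing)" in low:
        entry.tags.append("service-file-missing")
    # Autostart, Winlogon hook or service binary outside the usual roots.
    if sec in ("O4", "O20", "O23") and entry.path and \
            not low_path.startswith(EXPECTED_ROOTS):
        entry.tags.append("nonstandard-path")
    return entry


def triage(log_text: str) -> list[Entry]:
    """Return only the entries that carry at least one tag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.tags:
            flagged.append(entry)
    return flagged


# Sample input: six lines taken from the first log in this thread, plus two
# constructed lines (CLSID and paths invented) to exercise the other rules.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\constructed.dll
O4 - HKLM\..\Run: [constructed] C:\Documents and Settings\Owner\Local Settings\Temp\constructed.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.tags):<26} {e.body}")
```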

#2 - 12-31-2007, 08:47 AM
Registered User
 
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro


Re: Pc tools finds virtumonde but vundo fix doesn't

Anyone?
intanet is offline  
#3 - 12-31-2007, 10:14 AM
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Pc tools finds virtumonde but vundo fix doesn't

Hello intanet,

Have you taken the time to familiarize yourself with the following sticky before posting? Please go through the 5 steps outlined in the link below and post back the requested logs in this thread.

(Updated!) IMPORTANT - Read This Before Posting A Log

Note: We are extremely busy in this section of the forum, so please be patient while you wait for an analyst to review your thread.
__________________


Proud Member of ASAP
Proud Member of UNITE
forhockey is offline  
#4 - 12-31-2007, 11:08 AM
Registered User
 
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro


Re: Pc tools finds virtumonde but vundo fix doesn't

No. Sorry. I did not read the sticky thing. Thank you so much for the link to the 5 steps. I had one of those programs installed, called "Viewpoint Media". I uninstalled it and followed the other steps, except for the Panda Scan, which I'll have to do later. And yes, I will be patient. I am very appreciative that there is a site like this which has people who take the time to help others.

Last edited by intanet; 12-31-2007 at 11:15 AM.
intanet is offline  
#5 - 12-31-2007, 11:58 PM
Registered User
 
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro


Re: Pc tools finds virtumonde but vundo fix doesn't

Got a clean bill of health from Panda Scan. Problem though: I couldn't get the report. I had to turn Avast off for the reasons mentioned in the thread you gave me the link to. I also turned off my DSL modem (since I was not protected by an AV program during the Panda Scan). But after the scan, which said that "no viruses or other malicious software have been found!", there was no option to get the report. I connected to the internet again but couldn't find a link for the report. I then clicked "refresh" on the browser and lost the page altogether, and it starts from scratch again. Anyhow, they assured me there were no viruses etc. I scanned all my drives, including my external one. (I have the C partitioned into C and D and also an external one.)


Again, thank you for your help.

P.S. I'm not sure if I am supposed to post the Deckard's HijackThis log also, so I'll post it just in case you need that one too. After that, I will post the Deckard main.txt log and attach the extra.txt.

HIJACKTHIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 1:38:05 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Downloads\Deckard's System Scanner\dss.exe
C:\NOTPRO~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS



Here is the main.txt report from DECKARD:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-01 01:34:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-01-01 06:34:51 UTC - RP21 - Deckard's System Scanner Restore Point
8: 2007-12-31 18:13:15 UTC - RP20 - Installed Ad-Aware 2007
7: 2007-12-31 16:46:52 UTC - RP19 - Installed Windows Media Player 10
6: 2007-12-31 13:09:04 UTC - RP18 - Installed Windows Media Format 9 Series Runtime Setup
5: 2007-12-31 12:20:16 UTC - RP17 - Installed Java(TM) 6 Update 3


-- First Restore Point --
1: 2007-12-31 13:18:03 UTC - RP13 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-01 01:36:16
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Downloads\Deckard's System Scanner\dss.exe
C:\NOT PROGRAMS\hijackthis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


--
End of file - 5479 bytes

-- HijackThis Fixed Entries (C:\NOTPRO~1\HIJACK~1\backups\) --------------------

backup-20050822-040133-463 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
backup-20050822-040246-774 O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
backup-20070429-060323-710 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

-- File Associations -----------------------------------------------------------

.txt - txtfile - DefaultIcon - C:\Not Programs\Metapad 2\metapad 2.exe,0
.txt - txtfile - shell\open\command - "C:\Not Programs\Metapad 2\metapad 2.exe" %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CDRPDACC (Quinnware CDDA Driver (by InfinaDyne)) - c:\program files\quintessential player\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-30 08:56:14 390 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1199022921.job
2007-12-30 08:21:45 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job
2007-12-30 08:21:45 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job


-- Files created between 2007-12-01 and 2008-01-01 -----------------------------

2007-12-31 22:16:56 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-31 22:16:54 0 d-------- C:\WINDOWS\LastGood
2007-12-31 13:19:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-12-31 13:13:16 0 d-------- C:\Program Files\Lavasoft
2007-12-31 13:13:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 13:12:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 13:07:13 0 d--h----- C:\WINDOWS\PIF
2007-12-31 12:58:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 12:37:12 0 d-------- C:\ie-spyad_zo
2007-12-31 11:46:53 0 d-------- C:\WINDOWS\RegisteredPackages
2007-12-31 08:09:11 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2007-12-31 08:09:11 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2007-12-31 08:09:11 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2007-12-31 08:09:11 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2007-12-31 08:09:11 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2007-12-31 08:09:11 15360 --a------ C:\WINDOWS\system32\inetfr.DLL <Not Verified; Microsoft Corporation; DLL du contrôle Microsoft Internet Transfer>
2007-12-31 08:09:10 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2007-12-31 08:09:10 0 d-------- C:\Program Files\Free Audio Pack
2007-12-31 08:05:27 0 d-------- C:\Program Files\Common Files\xing shared
2007-12-31 08:04:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-31 07:43:27 0 d-------- C:\Drivers
2007-12-31 07:20:21 0 d-------- C:\Program Files\Java
2007-12-31 07:20:19 0 d-------- C:\Program Files\Common Files\Java
2007-12-31 07:12:54 164352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-31 07:12:51 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-12-31 07:12:51 564224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-12-31 07:12:51 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2007-12-31 07:12:51 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2007-12-31 07:12:51 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2007-12-31 07:12:51 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
2007-12-31 07:12:50 282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-31 07:12:50 1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-31 07:12:49 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-31 07:12:49 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-31 07:12:49 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-31 07:12:48 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-31 07:12:46 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-12-31 07:08:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2007-12-31 05:25:22 0 d-------- C:\VundoFix Backups
2007-12-31 05:08:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-12-31 05:01:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 04:57:21 0 d-------- C:\Program Files\Google
2007-12-31 02:29:25 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-31 02:29:09 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-31 00:07:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-12-31 00:07:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-31 00:07:46 1158 --a------ C:\WINDOWS\mozver.dat
2007-12-30 13:54:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2007-12-30 13:54:45 0 d-------- C:\Program Files\Opera
2007-12-30 12:48:48 113664 --a------ C:\WINDOWS\system32\ThesDb32.dll <Not Verified; Wintertree Software Inc.; ThesDB Thesaurus Engine>
2007-12-30 12:48:48 115712 --a------ C:\WINDOWS\system32\Ssce4132.dll <Not Verified; Wintertree Software Inc.; Sentry Spelling-Checker Engine>
2007-12-30 12:48:47 0 d-------- C:\Cetus
2007-12-30 12:48:08 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-12-30 12:42:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-30 12:41:38 0 d-------- C:\Program Files\SpywareGuard
2007-12-30 11:50:01 0 d-------- C:\Program Files\e-Sword
2007-12-30 11:46:27 0 d-------- C:\BIBLE
2007-12-30 11:42:52 702464 --a------ C:\WINDOWS\system32\Incinerator.dll <Not Verified; iolo technologies, LLC; incinerator>
2007-12-30 11:42:52 17857 --a------ C:\WINDOWS\system32\drivers\SGuard.sys <Not Verified; iolo technologies, LLC; Startup Guard™ Registry Driver>
2007-12-30 11:42:48 25264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-12-30 11:42:48 30942 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-12-30 11:42:47 0 d-------- C:\Program Files\iolo
2007-12-30 11:41:45 0 d-------- C:\SAVED DOWNLOADS
2007-12-30 11:12:10 0 d-------- C:\Program Files\IrfanView
2007-12-30 11:11:31 0 d-------- C:\Documents and Settings\Owner\Application Data\XnView
2007-12-30 11:10:05 0 d-------- C:\Program Files\Quintessential Player
2007-12-30 10:48:07 0 d-------- C:\Program Files\Audacity
2007-12-30 10:42:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-30 10:36:06 0 d---s---- C:\My Songs
2007-12-30 10:19:52 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-30 10:19:48 0 d-------- C:\Program Files\Windows Live
2007-12-30 10:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 10:14:49 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-12-30 10:05:45 0 d---s---- C:\Documents and Settings\Owner\UserData
2007-12-30 09:50:13 0 d-------- C:\Program Files\Alwil Software
2007-12-30 09:33:51 209920 --a------ C:\WINDOWS\amuninst.exe <Not Verified; American Systems; SETUP Application>
2007-12-30 09:33:51 0 d-------- C:\Program Files\American Systems
2007-12-30 09:31:25 0 d-------- C:\Program Files\WinAVI Video Converter
2007-12-30 09:22:22 0 d-------- C:\Program Files\Online Bible
2007-12-30 09:18:26 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-30 09:02:36 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-12-30 09:01:41 0 d-------- C:\WINDOWS\pss
2007-12-30 09:01:23 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-12-30 09:00:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-12-30 08:57:25 0 d-------- C:\NOT PROGRAMS
2007-12-30 08:56:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2007-12-30 08:53:52 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-30 08:53:04 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-30 08:52:17 16606 --------- C:\WINDOWS\hpomdl01.dat
2007-12-30 08:52:17 19558 --a------ C:\WINDOWS\hpoins01.dat
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\SampleView
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\McAfee
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2007-12-30 08:15:56 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2007-12-30 08:15:18 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-30 08:15:09 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-30 08:14:16 0 d-------- C:\Program Files\Digital Media Reader
2007-12-30 08:14:06 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-30 08:13:52 67072 --a------ C:\WINDOWS\POWERCFG.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-30 08:13:51 20480 --a------ C:\WINDOWS\system32\Marker32.exe <Not Verified; Gateway; Marker32>
2007-12-30 08:12:38 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-12-30 08:12:19 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-30 08:12:17 0 d-------- C:\Program Files\CyberLink
2007-12-30 08:11:56 471300 --a------ C:\WINDOWS\wallpe.exe <Not Verified; ; wallpe>
2007-12-30 08:11:39 76288 -ra------ C:\WINDOWS\system32\PUBOLE32.DLL <Not Verified; Microsoft Corporation; Microsoft Publisher for Windows>
2007-12-30 08:11:39 212480 -ra------ C:\WINDOWS\system32\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-12-30 08:11:39 37888 -ra------ C:\WINDOWS\system32\ochlp30e.dll <Not Verified; Microsoft Corporation; Microsoft Multimedia Controls>
2007-12-30 08:11:39 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-30 08:11:39 1233920 --a------ C:\WINDOWS\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP 2>
2007-12-30 08:11:39 91136 -ra------ C:\WINDOWS\system32\msls2.dll <Not Verified; Microsoft Corporation; Microsoft® Line Services>
2007-12-30 08:11:39 31744 -ra------ C:\WINDOWS\system32\hlp95en.dll <Not Verified; Microsoft Corporation; Microsoft Office>
2007-12-30 08:11:23 0 d-------- C:\Program Files\Microsoft Works
2007-12-30 08:11:19 0 d-------- C:\Program Files\Common Files\New Boundary
2007-12-30 08:11:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Prism Deploy
2007-12-30 08:11:03 18000 --a------ C:\WINDOWS\BigFixClientOverride.dll <Not Verified; BigFix, Inc.; BigFix>
2007-12-30 08:10:53 53248 --a------ C:\WINDOWS\system32\NeroCo.dll <Not Verified; Ahead Software AG im Stoeckmaedle 18 76307 Karlsbad, Germany Fax: ++49-7248-911-888 e-mail: info@nero.com; Nero Burning Rom>
2007-12-30 08:10:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-30 08:10:29 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2007-12-30 08:10:29 102400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll <Not Verified; 4Developers LLC; SimpleRegistry Control>
2007-12-30 08:10:29 118784 --a------ C:\WINDOWS\system32\Msstdfmt.dll <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-12-30 08:10:29 10752 --a------ C:\WINDOWS\system32\aamd532.dll <Not Verified; Almeida & Andrade Ltda; MD5 Maker DLL>
2007-12-30 08:10:25 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-12-30 08:10:25 0 d-------- C:\WINDOWS\occache
2007-12-30 08:10:25 0 d-------- C:\Program Files\Learn2.com
2007-12-30 08:10:23 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2007-12-30 08:10:23 544768 --a------ C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2007-12-30 08:10:23 569344 --a------ C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2007-12-30 08:10:22 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-12-30 08:10:22 0 d-------- C:\Program Files\Common Files\Ahead
2007-12-30 08:10:18 0 d-------- C:\Program Files\Ahead
2007-12-30 08:10:15 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3>
2007-12-30 08:10:10 0 d-------- C:\WINDOWS\system32\QuickTime
2007-12-30 08:10:10 0 d-------- C:\Program Files\QuickTime
2007-12-30 08:10:10 0 d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-30 08:10:07 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-12-30 08:10:02 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
2007-12-30 08:10:02 0 d---s---- C:\My Music
2007-12-30 08:10:00 0 d-------- C:\Program Files\Real
2007-12-30 08:10:00 0 d-------- C:\Program Files\Common Files\Real
2007-12-30 08:09:42 1044480 --a------ C:\WINDOWS\system32\roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2007-12-30 08:09:42 54784 --a------ C:\WINDOWS\system32\Inetwh32.dll <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2007-12-30 08:09:27 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-30 08:09:19 0 d-------- C:\Program Files\Common Files\AOL
2007-12-30 08:09:18 335 --a------ C:\WINDOWS\nsreg.dat
2007-12-30 08:08:35 0 d-------- C:\WINDOWS\system32\URTTemp
2007-12-30 08:08:13 0 d-------- C:\Program Files\Microsoft Money
2007-12-30 08:08:01 0 d-------- C:\Program Files\MSN Encarta Plus
2007-12-30 08:05:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-30 08:05:25 0 d-------- C:\Program Files\Intel
2007-12-30 08:04:53 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-12-30 08:04:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-30 08:04:50 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-30 08:03:22 0 d-------- C:\Program Files\CONEXANT
2007-12-30 08:01:41 0 d--hs---- C:\System Volume Information
2007-12-30 08:00:08 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-12-30 08:00:07 0 d-------- C:\WINDOWS\creator
2007-12-30 08:00:04 0 d-------- C:\WINDOWS\SMINST
2007-12-30 07:59:45 0 dr------- C:\Program Files
2007-12-30 07:59:38 0 dr------- C:\Documents and Settings\Owner\Start Menu
2007-12-30 07:59:38 0 dr-h----- C:\Documents and Settings\Owner\SendTo
2007-12-30 07:59:38 0 dr------- C:\Documents and Settings\Owner\My Documents
2007-12-30 07:59:37 0 dr------- C:\Documents and Settings\Owner\Favorites
2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Owner\Application Data
2007-12-30 07:59:37 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-12-30 07:59:37 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-12-30 07:59:36 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-12-30 07:59:36 0 dr------- C:\Documents and Settings\All Users\Documents
2007-12-30 07:59:36 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-12-30 07:59:22 0 dr------- C:\WINDOWS\Offline Web Pages
2007-12-30 07:57:26 0 dr-hs--c- C:\WINDOWS\system32\dllcache


-- Find3M Report ---------------------------------------------------------------

2007-12-31 13:12:35 0 d-------- C:\Program Files\Common Files
2007-11-29 16:50:20 4096 --a------ C:\WINDOWS\system32\sysres.dll
2007-11-29 16:50:20 38567 --a------ C:\WINDOWS\system32\pcpbios.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 03:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 10:42 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [10/18/2004 05:05 PM]
"@"="" []
"EZ Scheduler"="C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe" [04/03/2001 03:34 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/31/2007 08:05 AM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - UMWDF



-- End of Deckard's System Scanner: finished at 2008-01-01 01:38:52 ------------
Attached Files: extra.txt (11.1 KB, 1 views)
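The listing above is the kind of evidence this thread turns on, and both DSS and ComboFix print it in a fixed column layout that can be parsed rather than eyeballed. The Python below is an added example, not part of DSS, ComboFix or this thread: it parses both layouts (including DSS's habit of printing a multi-line vendor string verbatim, as with NeroCo.dll above) and then applies a few explicitly heuristic triage rules. Most sample lines are copied from the logs above (with non-ASCII marks removed); the qwrtyu.dll line, its hidden/system attributes and the incident timestamp used by run_sample() are constructed for illustration.

```python
"""Parse the file-listing lines printed by Deckard's System Scanner (DSS) and
ComboFix, in the formats posted in this thread, and apply a few explicitly
heuristic triage rules.  Example code added to the page, not part of either
tool.  Most sample lines are copied from the logs above; the qwrtyu.dll line
and the incident time passed in run_sample() are constructed."""
import re
from datetime import datetime, timedelta

# DSS:      YYYY-MM-DD HH:MM:SS  size  attrs  path [<verified; vendor; description>]
DSS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+"
    r"([A-Za-z]:\\.*?)(?:\s+<(.*)>)?\s*$")
# ComboFix: created . modified  size|<DIR>  attrs  path
CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(<DIR>|[\d,]+)\s+(\S{9})\s+([A-Za-z]:\\.*?)\s*$")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
SYSTEM_DIR = "c:\\windows\\"

# Constructed sample: DSS lines, one ComboFix-style block, one made-up drop (qwrtyu.dll).
SAMPLE_LOG = r"""
2007-12-30 09:33:51 209920 --a------ C:\WINDOWS\amuninst.exe <Not Verified; American Systems; SETUP Application>
2007-12-30 08:13:52 67072 --a------ C:\WINDOWS\POWERCFG.EXE <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2007-12-30 08:11:56 471300 --a------ C:\WINDOWS\wallpe.exe <Not Verified; ; wallpe>
2007-12-30 08:10:53 53248 --a------ C:\WINDOWS\system32\NeroCo.dll <Not Verified; Ahead Software AG
im Stoeckmaedle 18
76307 Karlsbad, Germany
Fax: ++49-7248-911-888
e-mail: info@nero.com; Nero Burning Rom>
2007-12-30 08:10:02 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2007-12-30 12:00:00 28672 ---hs---- C:\WINDOWS\system32\qwrtyu.dll
2008-01-02 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 11:30 . 2008-01-01 11:30 <DIR> d-------- C:\Program Files\WordWeb
2008-01-01 08:00 . 2007-03-12 23:24 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
"""


def join_wrapped(lines):
    """DSS prints a file's version block verbatim, so a vendor string that
    contains newlines (NeroCo.dll above) spills over several lines.  Glue any
    line that does not start with a date back onto the previous record."""
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if re.match(r"\d{4}-\d{2}-\d{2} ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(lines):
    """Return one dict per recognised line; unrecognised lines are ignored."""
    entries = []
    for rec in join_wrapped(lines):
        m = DSS_RE.match(rec)
        if m:
            ts, size, attrs, path, ver = m.groups()
            fields = [f.strip() for f in ver.split(";")] if ver is not None else []
            entries.append({
                "fmt": "dss", "created": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                "size": int(size), "attrs": attrs, "path": path,
                "has_ver": ver is not None,
                "vendor": fields[1] if len(fields) > 1 else None,
                "desc": fields[2] if len(fields) > 2 else None})
            continue
        m = CF_RE.match(rec)
        if m:
            ts, size, attrs, path = m.groups()
            entries.append({
                "fmt": "combofix", "created": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                "size": 0 if size == "<DIR>" else int(size.replace(",", "")),
                "attrs": attrs, "path": path, "has_ver": False, "vendor": None, "desc": None})
    return entries


def triage(entries, incident=None, window_hours=2):
    """Heuristics only: a hit means 'look at this first', not 'malware'.
    Deliberately NOT a rule: DSS's '<Not Verified; ...>' only says the
    signature was not checked; Microsoft's own POWERCFG.EXE carries it."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        if not p.endswith(EXEC_EXT):
            continue
        reasons = []
        if e["fmt"] == "dss" and p.startswith(SYSTEM_DIR):
            if not e["has_ver"]:
                reasons.append("executable under C:\\WINDOWS with no version block")
            elif not e["vendor"]:
                reasons.append("version block present but vendor field blank")
        if incident and abs(e["created"] - incident) <= timedelta(hours=window_hours):
            reasons.append(f"created within {window_hours}h of the incident time")
        if e["attrs"][3:5] == "hs":  # column 4/5 of the attribute string: hidden, system
            reasons.append("hidden+system attributes on an executable")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def run_sample():
    # Incident time is constructed for the sample; use the time of the first symptom.
    return triage(parse(SAMPLE_LOG.splitlines()), incident=datetime(2007, 12, 30, 12, 0))


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(path, "->", "; ".join(reasons))
```

On the sample this flags wallpe.exe once (blank vendor field, which on its own is only a prompt to look) and the constructed qwrtyu.dll three times; amuninst.exe, POWERCFG.EXE and the Nero DLL pass, because a missing signature check is not evidence by itself. Feed it the whole "New Files" section and the ComboFix "Files Created" section together; the two regexes keep the formats apart.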
Old 01-01-2008, 09:38 PM   #6 (permalink)
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Pc tools finds virtumonde but vundo fix doesn't

Hi intanet,

Panda won't give you a log if your system is clean. I'm only seeing a few things in your logs, which need to be taken care of. Also, is System Mechanic still finding "Real Spy Monitor", and where does it say it is located on your system?

--------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O9 - Extra button: (no name) - CmdMapping - (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

--------------------------------------------------------------

Download Combofix from Here or Alternate link

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

--------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

--------------------------------------------------------------

Please reply back with the following logs:

Answer to question
C:\ComboFix.txt
Kaspersky Online Scan Results
__________________


Proud Member of ASAP
Proud Member of UNITE

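The Kaspersky report this post asks for lists every object the scanner could not open ("Object is locked skipped") in the same table as real detections, and on a live system the locked entries outnumber the detections many times over. The Python below is an added example, not part of the scanner or of the forum's tooling: it separates the two, tallies detections per virus name, collapses archive members onto the file on disk, and cross-checks the header counts against the body so that a truncated paste is noticed before anyone acts on it. In SAMPLE_REPORT the summary figures and the locked lines follow the report posted later in this thread; the "Infected:" lines, the virus name Trojan.Win32.Sample.a and the "archive/member" notation for archive contents are constructed assumptions about the scanner's output.

```python
"""Separate real detections from 'Object is locked' noise in a Kaspersky
Online Scanner report of the kind this post asks for.  Example code added
to the page, not part of the scanner or the forum's tooling.  The summary
figures and locked lines below follow the report in this thread; the
'Infected:' lines, the virus name and the 'archive/member' notation are
constructed assumptions."""
import re
from collections import Counter

# Constructed excerpt in the scanner's report layout.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 183994
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 03:19:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\qwrtyu.dll Infected: Trojan.Win32.Sample.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe Infected: Trojan.Win32.Sample.a skipped
C:\SAVED DOWNLOADS\tool.zip/tool.exe Infected: Trojan.Win32.Sample.a skipped
C:\SAVED DOWNLOADS\tool.zip Infected: Trojan.Win32.Sample.a skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
"""

SUMMARY_RE = re.compile(
    r"^Number of (viruses found|infected objects|suspicious objects):\s*(\d+)\s*$", re.M)
# path, then a status keyword, then an optional detail (virus name) and last action
OBJECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<status>Infected:|Suspicious:|Object is locked|Password-protected|Object is corrupted)"
    r"\s*(?P<detail>.*?)\s*(?P<action>skipped|deleted|disinfected|quarantined)?\s*$")


def parse_report(text):
    """Return (summary counts from the header, one dict per object line)."""
    summary = {k: int(v) for k, v in SUMMARY_RE.findall(text)}
    objects = []
    for line in text.splitlines():
        m = OBJECT_RE.match(line.strip())
        if m:
            objects.append(m.groupdict())
    return summary, objects


def on_disk_paths(objects):
    """Archive members are listed as 'archive.zip/member' alongside the
    archive itself (assumed notation); collapse both to the file on disk."""
    return sorted({o["path"].split("/", 1)[0] for o in objects})


def summarize(text):
    summary, objects = parse_report(text)
    infected = [o for o in objects if o["status"] == "Infected:"]
    suspicious = [o for o in objects if o["status"] == "Suspicious:"]
    locked = [o for o in objects if o["status"] == "Object is locked"]
    by_name = Counter(o["detail"] for o in infected)
    # Header vs. body: a mismatch means lines were lost in the paste, so ask
    # for the report again instead of cleaning from an incomplete list.
    consistent = (summary.get("infected objects") == len(infected)
                  and summary.get("viruses found") == len(by_name)
                  and summary.get("suspicious objects") == len(suspicious))
    return {"reported": summary, "infected": len(infected), "suspicious": len(suspicious),
            "locked": len(locked), "by_name": dict(by_name),
            "on_disk": on_disk_paths(infected), "consistent": consistent}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['infected']} infected objects in {len(s['on_disk'])} files; "
          f"{s['locked']} locked objects are not detections; header consistent: {s['consistent']}")
    for path in s["on_disk"]:
        print("  ", path)
```

Locked hives, index.dat files and browser caches are skipped because they are open, not because anything was found in them; the list the helper needs is the on-disk set, which here is three files rather than the four objects the header counts. If the pasted body and the header disagree, the report was cut off in transit and should be re-posted before any file is removed.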
Old 01-02-2008, 03:11 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro


Re: Pc tools finds virtumonde but vundo fix doesn't

Thank you for your very clear instructions as well as the time you took to post all that information. Ok, here's the lowdown...

To answer your question:
System Mechanic finds Real Spy Monitor from time to time and lists it as "Miscellaneous", although once I think it listed it in the "Keylogger" category. I ran a check on the internet and it is, in fact, a keylogger. System Mechanic doesn't tell you where it is. It just offers to remove it. Sometimes it's there and sometimes it's not. It hasn't been back in the last 4 scans, which I did yesterday and today. I have to scan at least 4 times a week to check for it but, because of my recent problems, I have been checking for it more often. System Mechanic tells you to close all open programs and then remove it, otherwise it can get integrated or something like that. I do my best closing programs but apparently it gets back on from somewhere. I even close my antivirus and internet connection when having them remove it. Another thing, it's odd to me that Spybot never finds it.


Hijackthis:

I found only one of the keys you asked me to check for in HijackThis. It was the key named:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

I selected "fix it".

R0 - HKCU ... about:blank wasn't there in the HijackThis scan and neither was the CmdMapping Extra button one. Another thing: SpywareGuard alerted me about a BHO attempting to change my search engine choice in IE while ComboFix was just beginning its scan. I didn't know what to do so I made no selection and just closed the SpywareGuard window. Anyhow...

Following is the Combofix log and after that the Kaspersky results.


Thanks again.


ComboFix 08-01-02.1 - Owner 2008-01-02 0:46:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.688 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\Tech support Forum\Combofix.exe\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-02 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 11:30 . 2008-01-01 11:30 <DIR> d-------- C:\Program Files\WordWeb
2008-01-01 11:30 . 2007-03-02 20:25 1,042,304 --a------ C:\WINDOWS\wweb32.dll
2008-01-01 11:29 . 2008-01-01 11:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jarte
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Program Files\Jarte
2008-01-01 11:24 . 2008-01-01 11:24 <DIR> d-------- C:\Program Files\CrossWire
2008-01-01 11:22 . 2008-01-01 11:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Arcsoft
2008-01-01 11:16 . 2008-01-01 11:18 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-01 10:49 . 2008-01-01 10:56 522 --a------ C:\hpfr3420.xml
2008-01-01 08:00 . 2008-01-01 08:14 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-01 08:00 . 2007-03-12 23:24 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-01-01 02:30 . 2007-12-31 07:49 57,151 --a------ C:\WINDOWS\system32\igfx.hlp
2008-01-01 01:34 . 2008-01-01 01:34 <DIR> d-------- C:\Deckard
2007-12-31 22:17 . 2007-12-31 22:23 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-31 22:17 . 2007-12-31 22:23 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-31 22:16 . 2008-01-01 00:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-31 22:16 . 2007-12-31 22:23 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-31 13:13 . 2007-12-31 13:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 13:13 . 2007-12-31 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 13:12 . 2007-12-31 13:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 13:07 . 2007-12-31 13:07 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-31 12:58 . 2008-01-01 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 12:37 . 2007-12-31 12:37 <DIR> d-------- C:\ie-spyad_zo
2007-12-31 12:19 . 2007-12-31 07:49 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-31 08:09 . 2007-12-31 08:09 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-12-31 08:05 . 2007-12-31 08:05 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-31 07:43 . 2007-12-31 07:43 <DIR> d-------- C:\Drivers
2007-12-31 07:20 . 2007-12-31 07:20 <DIR> d-------- C:\Program Files\Java
2007-12-31 07:20 . 2007-12-31 07:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 07:20 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-31 07:12 . 2007-12-31 07:12 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-31 07:08 . 2007-12-31 07:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2007-12-31 05:25 . 2007-12-31 05:25 <DIR> d-------- C:\VundoFix Backups
2007-12-31 05:01 . 2007-12-31 05:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 04:57 . 2007-12-31 05:12 <DIR> d-------- C:\Program Files\Google
2007-12-31 04:44 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-31 02:29 . 2007-12-31 02:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-31 02:29 . 2007-12-31 02:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-31 00:07 . 2007-12-31 00:07 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-30 13:54 . 2007-12-30 13:54 <DIR> d-------- C:\Program Files\Opera
2007-12-30 12:59 . 2007-12-31 11:48 49 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-30 12:56 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-30 12:56 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-30 12:42 . 2008-01-01 07:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-30 12:41 . 2008-01-01 07:13 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-30 11:50 . 2007-12-30 11:55 <DIR> d-------- C:\Program Files\e-Sword
2007-12-30 11:42 . 2007-12-30 11:42 <DIR> d-------- C:\Program Files\iolo
2007-12-30 11:42 . 2005-02-17 14:10 702,464 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-12-30 11:42 . 2004-10-04 15:45 30,942 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-12-30 11:42 . 2004-08-28 14:18 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-12-30 11:42 . 2005-01-21 08:17 17,857 --a------ C:\WINDOWS\system32\drivers\SGuard.sys
2007-12-30 11:41 . 2007-12-30 11:44 <DIR> d-------- C:\SAVED DOWNLOADS
2007-12-30 11:12 . 2007-12-30 11:12 <DIR> d-------- C:\Program Files\IrfanView
2007-12-30 11:11 . 2007-12-30 11:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\XnView
2007-12-30 11:10 . 2007-12-30 11:10 <DIR> d-------- C:\Program Files\Quintessential Player
2007-12-30 10:48 . 2007-12-30 10:48 <DIR> d-------- C:\Program Files\Audacity
2007-12-30 10:36 . 2007-12-30 10:55 <DIR> d---s---- C:\My Songs
2007-12-30 10:19 . 2007-12-30 10:24 <DIR> d-------- C:\Program Files\Windows Live
2007-12-30 10:19 . 2007-12-30 11:07 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-30 10:19 . 2007-12-30 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 10:18 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-12-30 10:18 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-12-30 10:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-30 10:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-30 10:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-30 10:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-30 10:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-30 10:05 . 2007-12-30 10:05 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-12-30 09:54 . 2007-12-30 09:54 2 --a------ C:\WINDOWS\msoffice.ini
2007-12-30 09:50 . 2007-12-30 09:50 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-30 09:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-30 09:50 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-30 09:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-30 09:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 09:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 09:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 09:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 09:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-30 09:33 . 2007-12-30 09:33 <DIR> d-------- C:\Program Files\American Systems
2007-12-30 09:33 . 1998-04-06 08:32 209,920 --a------ C:\WINDOWS\amuninst.exe
2007-12-30 09:33 . 2007-12-30 09:33 317 --a------ C:\WINDOWS\unezsched.ini
2007-12-30 09:33 . 2008-01-01 22:44 39 --a------ C:\WINDOWS\ezscheduler.INI
2007-12-30 09:31 . 2007-12-30 09:31 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-12-30 09:22 . 2008-01-01 05:32 <DIR> d-------- C:\Program Files\Online Bible
2007-12-30 09:18 . 2007-12-30 09:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-30 09:02 . 2008-01-01 11:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-12-30 08:57 . 2007-12-30 12:46 <DIR> d-------- C:\NOT PROGRAMS
2007-12-30 08:56 . 2007-12-30 08:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2007-12-30 08:54 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-30 08:54 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-30 08:54 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-30 08:54 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-30 08:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-30 08:54 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-30 08:53 . 2007-12-30 08:53 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-30 08:53 . 2007-12-30 08:53 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-30 08:52 . 2007-12-30 08:52 <DIR> d-------- C:\TEMP\HP All-in-One Series Web Release
2007-12-30 08:52 . 2007-12-30 08:55 19,558 --a------ C:\WINDOWS\hpoins01.dat
2007-12-30 08:52 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-12-30 08:22 . 2004-08-04 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 12:49 86,016 ----a-w C:\WINDOWS\system32\igfxdo.dll
2007-12-31 12:49 766,576 ----a-w C:\WINDOWS\system32\ialmdd5.dll
2007-12-31 12:49 737,874 ----a-w C:\WINDOWS\system32\drivers\ialmnt5.sys
2007-12-31 12:49 61,440 ----a-w C:\WINDOWS\system32\iAlmCoIn_v3889.dll
2007-12-31 12:49 495,616 ----a-w C:\WINDOWS\system32\igfxcfg.exe
2007-12-31 12:49 495,616 ----a-w C:\WINDOWS\system32\ialmgdev.dll
2007-12-31 12:49 49,152 ----a-w C:\WINDOWS\system32\ialmrem.dll
2007-12-31 12:49 45,056 ----a-w C:\WINDOWS\system32\igfxdgps.dll
2007-12-31 12:49 37,951 ----a-w C:\WINDOWS\system32\ialmrnt5.dll
2007-12-31 12:49 36,864 ----a-w C:\WINDOWS\system32\igfxexps.dll
2007-12-31 12:49 344,064 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
2007-12-31 12:49 225,280 ----a-w C:\WINDOWS\system32\igfxpph.dll
2007-12-31 12:49 225,280 ----a-w C:\WINDOWS\system32\igfxeud.dll
2007-12-31 12:49 2,289,664 ----a-w C:\WINDOWS\system32\ialmgicd.dll
2007-12-31 12:49 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-31 12:49 153,008 ----a-w C:\WINDOWS\system32\ialmdev5.dll
2007-12-31 12:49 151,552 ----a-w C:\WINDOWS\system32\igfxdiag.exe
2007-12-31 12:49 139,264 ----a-w C:\WINDOWS\system32\igfxdev.dll
2007-12-31 12:49 126,976 ----a-w C:\WINDOWS\system32\igfxhk.dll
2007-12-31 12:49 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-31 12:49 118,784 ----a-w C:\WINDOWS\system32\hccutils.dll
2007-12-31 12:49 114,688 ----a-w C:\WINDOWS\system32\igfxzoom.exe
2007-12-31 12:49 110,592 ----a-w C:\WINDOWS\system32\igfxext.exe
2007-12-31 12:49 100,924 ----a-w C:\WINDOWS\system32\ialmdnt5.dll
2007-12-31 12:49 1,245,184 ----a-w C:\WINDOWS\system32\igfxress.dll
2007-12-30 13:10 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-07 23:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 04:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 21:50 4,096 ----a-w C:\WINDOWS\system32\sysres.dll
2007-11-29 21:50 38,567 ----a-w C:\WINDOWS\system32\pcpbios.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 17:05 135168]
"EZ Scheduler"="C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe" [2001-04-03 15:34 331776]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-01-01 11:30:41]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-31 07:49 118784 --a------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-31 07:49 155648 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-12 23:24]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 13:56:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1199022921.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-12-30 13:21:45 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-12-30 13:21:45 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 00:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-02 0:48:31
ComboFix-quarantined-files.txt 2008-01-02 05:48:16


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 02, 2008 4:56:48 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/01/2008
Kaspersky Anti-Virus database records: 501328
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
M:\

Scan Statistics:
Total number of scanned objects: 183994
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 03:19:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\7tig9mb7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\7tig9mb7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\7tig9mb7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\7tig9mb7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\7tig9mb7.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008010220080103\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFB5BF.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFDC68.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\SAVED DOWNLOADS\Done\Online Bible installed 3 07\install.exe/rapi.dll Infected: not-a-virus:PSWTool.Win32.OpenPass.b skipped
C:\SAVED DOWNLOADS\Done\Online Bible installed 3 07\install.exe ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP24\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_598.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP24\change.log Object is locked skipped
M:\Saved Downloads\Done\Online Bible installed 3 07\install.exe/rapi.dll Infected: not-a-virus:PSWTool.Win32.OpenPass.b skipped
M:\Saved Downloads\Done\Online Bible installed 3 07\install.exe ZIP: infected - 1 skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Old 01-02-2008, 01:35 PM   #8
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Pc tools finds virtumonde but vundo fix doesn't

Hi intanet,

I've never really used System Mechanic. Too bad it doesn't give you the exact location of the files. As far as your logs go, you are clean, but I'd like to bring in a different scanner just to make sure. Also, I should've told you to allow any changes that SpywareGuard prompts you about when carrying out these instructions.

You can delete the following files if you wish:

M:\Saved Downloads\Done\Online Bible installed 3 07\install.exe
C:\SAVED DOWNLOADS\Done\Online Bible installed 3 07\install.exe


--------------------------------------------------------

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop and double-click gmer.exe

Run the program and select the Rootkit tab, and make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button, open Notepad and paste the log into a new text file (using Ctrl+V), save it somewhere you can find it, and post the log in this thread.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
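Added example, not part of the thread and not forhockey's or intanet's own work: a small triage script for the Kaspersky Online Scanner report format posted above. It separates the many "Object is locked skipped" lines (files held open by the OS, such as registry hives, event logs and browser caches, which the scanner simply could not read and which are not detections) from real "Infected:" hits, pulls the archive member out of paths written as container/member, and marks Kaspersky's "not-a-virus:" class, which is riskware (a legitimate tool, here a password-recovery tool, that could be misused) rather than malware. The sample lines are a constructed subset modelled on the log above; the generic family name used in the usage check is a constructed line, not something from this thread.

```python
import re

# Constructed sample: a handful of lines in the format of the Kaspersky
# Online Scanner report above (not the full log).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\SAVED DOWNLOADS\Done\Online Bible installed 3 07\install.exe/rapi.dll Infected: not-a-virus:PSWTool.Win32.OpenPass.b skipped
C:\SAVED DOWNLOADS\Done\Online Bible installed 3 07\install.exe ZIP: infected - 1 skipped
M:\Saved Downloads\Done\Online Bible installed 3 07\install.exe/rapi.dll Infected: not-a-virus:PSWTool.Win32.OpenPass.b skipped
M:\Saved Downloads\Done\Online Bible installed 3 07\install.exe ZIP: infected - 1 skipped
Scan process completed.
"""

# Three line shapes that matter.  The path may contain spaces, so it is
# matched greedily and the fixed suffix anchors the end of the line.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+) (?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+) skipped$")


def triage(report):
    """Sort report lines into locked files (not detections), detections and
    per-archive roll-ups.  Lines that match nothing are kept for review."""
    locked, detections, archives, unparsed = [], [], [], []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            # Kaspersky writes members of archives/installers as
            # "<container>/<member>"; Windows paths never contain "/".
            container, _, member = m.group("path").partition("/")
            name = m.group("name")
            detections.append({
                "container": container,
                "member": member or None,
                "name": name,
                # "not-a-virus:" is Kaspersky's riskware class: a legitimate
                # tool that could be misused, not malicious code as such.
                "riskware": name.startswith("not-a-virus:"),
            })
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            archives.append((m.group("path"), m.group("fmt"), int(m.group("count"))))
            continue
        unparsed.append(line)
    return {"locked": locked, "detections": detections,
            "archives": archives, "unparsed": unparsed}


def verdict(result):
    """'clean' when nothing was detected, 'riskware only' when every hit is
    in the not-a-virus class, otherwise 'malware'."""
    hits = result["detections"]
    if not hits:
        return "clean"
    if all(h["riskware"] for h in hits):
        return "riskware only"
    return "malware"


def unique_files(result):
    """Collapse copies of the same container on different drives (the log
    above shows the same installer on C: and M:)."""
    return sorted({(d["container"].split("\\")[-1], d["member"], d["name"])
                   for d in result["detections"]})


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"locked (in use, not detections): {len(r['locked'])}")
    print(f"detections: {len(r['detections'])}, verdict: {verdict(r)}")
    for f in unique_files(r):
        print("  ", f)
```

On the log above this reduces four "infected objects" to one riskware-class DLL inside one installer that happens to be stored on two drives, which is the same conclusion forhockey reached by eye.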
Old 01-02-2008, 08:28 PM   #9
intanet
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro

Re: Pc tools finds virtumonde but vundo fix doesn't

Hi forhockey (my husband just told me hockey is really big up in your neighborhood).

That's great news you gave me. Thank you SOOOO much! I deleted those two folders that came up in the last scan.

Here's the gmer.log

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-02 21:58:59
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EDF74F76] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [EDF73812] aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F77FA2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77FA2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77FA2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77FA2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F77FA8E6] aswTdi.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [EDF74F76] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [EDF73812] aswMon2.SYS

---- EOF - GMER 1.0.13 ----
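Added example, not part of the thread and not the posters' own code: what a reviewer actually checks in the GMER "Devices" section above. Every AttachedDevice line there resolves to aswMon2.SYS or aswTdi.SYS, avast's on-access file-system filter and its TDI network filter (avast is installed on this machine, as the Avast4 paths in the Kaspersky log show). A security product attaching to every IRP major function on the NTFS/FAT and TCP/UDP/IP/RawIp device stacks is exactly what an on-access scanner and a network shield look like, so the volume of lines is not the signal; the signal is which module owns each attachment and whether the address resolves to a recognisable driver at all. The script groups the lines by module and flags anything outside an allow-list. The sample is a constructed subset of the log above plus one constructed line for a module called hypothetical.sys that stands in for an unrecognised driver; the assumption that GMER leaves the module blank when it cannot resolve an address is mine, not the page's.

```python
import re

# Constructed sample: a few AttachedDevice lines in the format of the GMER
# "Devices" section above, plus one constructed line for a hypothetical
# module that stands in for a driver the reviewer does not recognise.
SAMPLE_GMER = r"""
---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EDF73812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EDF74F76] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [EDF73812] aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F77FA8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77FA2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F8A01234] hypothetical.sys

---- EOF - GMER 1.0.13 ----
"""

# Drivers that legitimately attach to the file-system and TCP/IP stacks on
# this machine: avast's on-access scanner (aswMon2) and network shield
# (aswTdi).  Extend this for whatever security software is installed.
KNOWN_FILTERS = {"aswmon2.sys", "aswtdi.sys"}

LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s*(?P<module>\S*)$"
)


def parse_attached_devices(log):
    """Group AttachedDevice lines by the module that owns the attachment,
    recording which device stacks it sits on and how many IRPs it hooks."""
    modules = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # Assumption: GMER leaves the module blank when the address does not
        # resolve to a loaded driver; keep those in their own bucket so they
        # are flagged rather than silently dropped.
        name = m.group("module") or "<unresolved>"
        entry = modules.setdefault(name, {"devices": set(), "irps": 0, "addresses": set()})
        entry["devices"].add(m.group("device"))
        entry["addresses"].add(m.group("addr").upper())
        entry["irps"] += 1
    return modules


def suspicious_modules(modules):
    """Modules attached to the stacks that are not an allow-listed filter."""
    return sorted(n for n in modules if n.lower() not in KNOWN_FILTERS)


if __name__ == "__main__":
    mods = parse_attached_devices(SAMPLE_GMER)
    for name, e in sorted(mods.items()):
        flag = "" if name.lower() in KNOWN_FILTERS else "  <-- investigate"
        print(f"{name}: {e['irps']} IRP hooks on {sorted(e['devices'])}{flag}")
    print("suspicious:", suspicious_modules(mods))
```

Run against the full log above, the only two modules that come out are the two avast drivers, which is why the log is read as clean.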
Old 01-03-2008, 01:33 AM   #10
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Pc tools finds virtumonde but vundo fix doesn't

Hi intanet,

Well, it was actually huge in your state a few days ago. The "NHL Winter Classic" was hosted at the Ralph Wilson Stadium in ORCHARD PARK, NY. 71,217 fans showed up to watch the game. I wonder how much the tickets went for? Looked like everyone who was on TV had a blast.

Anyways... Back on topic

Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type, the following text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that restricts known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'll want to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
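Added example, not part of the thread and not the posters' own code: a check on the HOSTS file that the MVPS step above replaces. The MVPS file works by mapping ad and malware hostnames to a black-hole address (0.0.0.0, or 127.0.0.1 in the older convention) so the connection never leaves the machine. Malware edits the same file for the opposite purpose, pointing security-vendor and update hostnames at loopback or at an attacker's server; this thread did not establish that as the cause of anything here, but it is cheap to rule out. The script parses the file, ignores the normal localhost lines, and flags three things: a mapping to anything other than a black-hole address (a silent redirect), a black-holed name under a vendor domain that should never be blocked, and malformed lines. The hosts text is constructed (example.com/example.net are reserved documentation names and 192.0.2.0/24 is the TEST-NET-1 documentation range) and the list of protected vendor domains is an illustrative assumption to extend for your own security stack.

```python
import ipaddress

# Constructed sample hosts file for this example.
SAMPLE_HOSTS = """\
# Hosts file, constructed for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com          # MVPS-style black-hole entry
127.0.0.1       tracker.example.net      # older black-hole convention
127.0.0.1       update.avast.com         # black-holes an AV vendor's update host
192.0.2.10      www.example.com          # silently redirects a real site
not-an-ip       broken.example.com
"""

# Names that normally map to loopback and are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Vendor/update domains that should never be black-holed on a clean machine.
# Illustrative list (an assumption); extend it for your own security stack.
PROTECTED_DOMAINS = ("avast.com", "kaspersky.com", "microsoft.com",
                     "windowsupdate.com", "mcafee.com", "symantec.com")


def parse_hosts(text):
    """Yield (line_no, address_or_None, hostname) for every mapping, with
    comments stripped and the address validated by the ipaddress module."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token, *names = line.split()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            addr = None
        for name in names or [""]:
            yield line_no, addr, name.lower()


def _is_protected(name):
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return findings as (line_no, hostname, ip, reason) tuples."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr is None:
            findings.append((line_no, name, None, "malformed"))
        elif name in LOCAL_NAMES:
            continue
        # A blocklist entry sends traffic nowhere: loopback or 0.0.0.0/::.
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, name, str(addr), "redirect"))
        elif _is_protected(name):
            findings.append((line_no, name, str(addr), "blocks update site"))
    return findings


def summarize(text):
    """Count findings by reason, for a quick clean/not-clean read."""
    counts = {}
    for *_, reason in audit_hosts(text):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {name} -> {ip}")
    print(summarize(SAMPLE_HOSTS))
```

To run it on a real XP machine, read C:\WINDOWS\system32\drivers\etc\hosts into the text argument; a freshly installed MVPS file should produce no "redirect" or "blocks update site" findings at all.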
Old 01-03-2008, 05:39 AM   #11
intanet
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro

Re: Pc tools finds virtumonde but vundo fix doesn't

Thank you so much for all you've done. I feel like I was in such great hands. This site is lucky to have you here.

I just installed the Mcafee Site Advisor on both IE and Firefox and carried out all the other instructions except for checking for any recent Windows updates. I'll go do that now.

If you get a chance, check out my website at myspace. I have some of my songs and a few videos posted there.

http://www.myspace.com/AnnettesMusic

All the best to you and yours,
Annette
Old 01-03-2008, 07:01 PM   #12
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Pc tools finds virtumonde but vundo fix doesn't

You're welcome, and thanks for the kind words.

I wish I could sing that well. I'll leave my singing for the showers.

All the best in the New Year and Safe surfing!
Old 01-04-2008, 02:40 AM   #13
intanet
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 25
OS: Windows XP Pro

Re: Pc tools finds virtumonde but vundo fix doesn't

Nice of you to say. Thanks. And likewise. All the best in the New Year for us all!
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum