Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 01-06-2008, 07:57 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

I have a constant hourglass and ping.exe is accounting for 60-70% of my CPU usage. Vundo seems to be the main issue the utilities are pointing to.
MarkB

Deckard's System Scanner v20071014.68
Run by MarkB on 2008-01-06 20:31:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2008-01-07 02:31:52 UTC - RP420 - Deckard's System Scanner Restore Point
102: 2008-01-06 07:07:04 UTC - RP419 - Last known good configuration
101: 2008-01-06 0745 UTC - RP418 - System Checkpoint
100: 2008-01-06 0745 UTC - RP417 - Last known good configuration
99: 2008-01-06 0744 UTC - RP416 - Last known good configuration


-- First Restore Point --
1: 2008-01-06 07:05:58 UTC - RP318 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as MarkB.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:49 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Router\Router.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\Router\Router .exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MarkB\Desktop\dss.exe
C:\DOCUME~1\MarkB\Desktop\MarkB.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtuts.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\cb7294.dll
O2 - BHO: (no name) - {DC93C19C-7CAC-4B1B-89D9-AE17BBBE9412} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: {11619806-34c7-1d8b-ca24-efc4d9e85eff} - {ffe58e9d-4cfe-42ac-b8d1-7c4360891611} - C:\WINDOWS\system32\eqcyjdbv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7294 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 NTACCESS - e:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - e:\ntglm7x.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_10DE&DEV_0068&SUBSYS_57001462&REV_A3\3&13C0B0C5&0&12
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_10DE&DEV_0068&SUBSYS_57001462&REV_A3\3&13C0B0C5&0&12
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_11DE&DEV_6057&SUBSYS_7EFE1031&REV_02\4&3B1D9AB8&0&3840
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_11DE&DEV_6057&SUBSYS_7EFE1031&REV_02\4&3B1D9AB8&0&3840
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_E159&DEV_0001&SUBSYS_00038086&REV_00\4&3B1D9AB8&0&4040
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_E159&DEV_0001&SUBSYS_00038086&REV_00\4&3B1D9AB8&0&4040
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-01-06 03:00:05 490 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
2008-01-02 13:50:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-06 and 2008-01-06 -----------------------------

2008-01-06 20:08:26 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-06 19:59:53 0 d-------- C:\Program Files\SpywareBlaster
2008-01-06 18:40:41 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-06 18:40:22 8576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-06 18:02:02 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02:01 0 d-------- C:\WINDOWS\LastGood
2008-01-02 20:57:59 28478 --ahs---- C:\WINDOWS\system32\stutv.ini2
2008-01-02 20:57:48 335872 -----n--- C:\WINDOWS\system32\vtuts.dll
2008-01-02 20:55:04 339456 --a------ C:\WINDOWS\system32\vtuts.exe
2008-01-02 20:18:51 0 d-------- C:\VundoFix Backups
2008-01-01 14:39:27 0 d-------- C:\Documents and Settings\MarkB\Application Data\SpywareBot
2008-01-01 14:39:18 0 d-------- C:\Program Files\SpywareBot
2007-12-31 12:54:35 0 d-------- C:\Program Files\Router
2007-12-31 12:49:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-12-31 12:49:44 0 d--hs---- C:\WINDOWS\TWFyayBCcmFiYW50
2007-12-31 12:43:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 1239 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54:53 0 d-------- C:\Program Files\Lavasoft
2007-12-31 11:54:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35:58 0 d-------- C:\Program Files\STOPzilla!
2007-12-31 11:35:58 0 d-------- C:\Program Files\Common Files\iS3
2007-12-31 11:35:57 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-31 11:14:22 0 d-------- C:\Program Files\Spyware Doctor
2007-12-31 05:25:18 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-12-30 21:49:27 2012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-30 21:47:11 0 d-------- C:\WINDOWS\mobgslti
2007-12-30 21:33:43 0 d-------- C:\Program Files\Temporary
2007-12-30 21:30:20 40448 -----n--- C:\WINDOWS\system32\cbxxxxx.dll
2007-12-30 21:30:16 2 --a------ C:\WINDOWS\system32\wapisvit32.exe
2007-12-30 21:30:14 0 d-------- C:\Documents and Settings\MarkB\Application Data\?ymbols
2007-12-30 21:30:08 40183 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2007-12-30 21:30:08 0 d-------- C:\Documents and Settings\MarkB\Application Data\??crosoft.NET
2007-12-28 19:46:01 0 d-------- C:\Program Files\Disney
2007-12-28 10:04:07 19088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-20 05:04:32 293888 --a------ C:\WINDOWS\b148.exe
2007-12-15 10:39:12 0 d-------- C:\WINDOWS\.jagex_cache_32


-- Find3M Report ---------------------------------------------------------------

2008-01-06 20:08:46 0 d--h----- C:\Program Files\WindowsUpdate
2008-01-06 18:50:18 0 d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 18:49:38 0 d-------- C:\Program Files\iTunes
2008-01-06 18:47:09 0 d-------- C:\Program Files\DAEMON Tools
2008-01-06 01:08:43 28923 --a------ C:\WINDOWS\hpoins03.dat
2008-01-06 01:05:49 0 d-------- C:\Program Files\QuickTime
2008-01-06 01:05:36 0 d-------- C:\Documents and Settings\MarkB\Application Data\??crosoft.NET
2008-01-06 01:05:35 0 d-------- C:\Program Files\Messenger
2008-01-05 21:48:50 0 d-------- C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 16:03:00 0 d-------- C:\Documents and Settings\MarkB\Application Data\?ymbols
2007-12-31 12:43:54 0 d-------- C:\Program Files\Common Files
2007-12-31 12:37:22 10 --a------ C:\Program Files\.autoreg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A7AA16-678C-3F59-895A-3CE672845892}]
C:\WINDOWS\system32\owvq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
12/30/2007 09:30 PM 40448 --------- C:\WINDOWS\system32\cbxxxxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC93C19C-7CAC-4B1B-89D9-AE17BBBE9412}]
01/02/2008 08:57 PM 335872 --------- C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffe58e9d-4cfe-42ac-b8d1-7c4360891611}]
C:\WINDOWS\system32\eqcyjdbv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 11:22 AM]
"nwiz"="nwiz.exe" [10/22/2006 11:22 AM C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [01/02/2008 08:54 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/02/2008 08:55 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [01/02/2008 08:55 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [01/02/2008 08:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [01/06/2008 01:05 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/02/2008 08:55 PM]
"f49fc3c0"="C:\WINDOWS\system32\ogurxwit.dll" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [01/06/2008 01:05 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [01/06/2008 01:05 AM]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [12/31/2007 12:33 PM]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" []
"Router"="C:\Program Files\Router\Router.exe" [01/06/2008 01:05 AM]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [01/06/2008 01:05 AM]

C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [5/23/2006 3:17:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [7/7/2003 1:20:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\cbxxxxx.dll [12/30/2007 09:30 PM 40448]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtuts

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - VMKYRCNNHIAU



-- End of Deckard's System Scanner: finished at 2008-01-06 20:33:32 ------------


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxxxxx.dll
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\MarkB\Application Data\Mozilla\Firefox\Profiles\dai0ln3y.default\cookies.txt[ad.yieldmanager.com/]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\MarkB\Application Data\??crosoft.NET\ping .exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MarkB\Cookies\markb@atdmt[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\MarkB\Cookies\markb@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\MarkB\Cookies\markb@go[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\MarkB\Cookies\markb@tribalfusion[1].txt
Virus:Generic Worm Disinfected C:\Documents and Settings\MarkB\Desktop\Supreme.Commander\crack and keygen\crack and keygen\Hatred.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MarkB\Desktop\VirtumundoBeGone.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MarkB\Local Settings\Temp\nsn6B.tmp
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cbxxxxx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\eqcyjdbv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\kuvrleyx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\nvixycow.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ogurxwit.dll.bad
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b128.exe
Virus:Trj/Downloader.PLQ Disinfected C:\WINDOWS\b138.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWFyayBCcmFiYW50\nqIVuV1FwAI2sqcX.vbs
Attached Files
File Type: txt extra.txt (12.5 KB, 5 views)
Gibgab is offline  
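The log above shows two masquerading tricks worth recognising in a HijackThis listing: a copy of a legitimate program with a space before the extension (`QTTask .exe` beside the real `QTTask.exe`) and directory or file names containing non-ANSI characters, which HijackThis prints as `?` (`?ymbols\w?nlogon.exe`, `??crosoft.NET\ping.exe`). The Python script below is an added triage example, not part of this thread and not code from HijackThis or Deckard's System Scanner; it runs a handful of such heuristics over entries copied from the posted log. The list of Windows binary names it compares against is an illustrative assumption, not an exhaustive one.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above,
# with the clean Java BHO and the iTunes Run entry kept for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtuts.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: (no name) - {DC93C19C-7CAC-4B1B-89D9-AE17BBBE9412} - C:\WINDOWS\system32\vtuts.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
"""

# Genuine Windows binaries whose names the entries above imitate.
# Illustrative assumption for this example, not an exhaustive list.
SYSTEM_NAMES = {"winlogon.exe", "ping.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "services.exe", "explorer.exe", "smss.exe"}

SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|com|scr)\b", re.I)   # "QTTask .exe"
HEX_VALUE_NAME = re.compile(r"\[[0-9a-f]{8}\]", re.I)                # "[f49fc3c0]"
PATH_IN_LINE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|com|scr))\b', re.I)


def file_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def imitates_system_binary(name: str) -> bool:
    """HijackThis prints non-ANSI characters as '?'; treat each '?' as a
    one-character wildcard so that w?nlogon.exe is matched against winlogon.exe."""
    pattern = re.escape(name.lower()).replace(r"\?", ".")
    return any(re.fullmatch(pattern, known) for known in SYSTEM_NAMES)


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (entry, reasons) for every HijackThis entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]            # F3, O2, O4, ...
        match = PATH_IN_LINE.search(line)
        path = match.group(1) if match else ""
        name = file_name(path).lower()
        lowered = path.lower()
        in_system_dir = "\\windows\\system32\\" in lowered
        in_profile = "\\application data\\" in lowered or "\\applic~1\\" in lowered

        reasons = []
        if kind == "F3" and "load=" in line and not line.endswith("load="):
            reasons.append("win.ini load= should be empty")
        if kind == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if "(file missing)" in line:
            reasons.append("registered file no longer on disk")
        if SPACE_BEFORE_EXT.search(path):
            reasons.append("space before extension: lookalike beside the real binary")
        if "?" in path:
            reasons.append("non-ANSI characters in path (shown as '?')")
        if name and not in_system_dir and imitates_system_binary(name):
            reasons.append("system binary name outside the system directory")
        if kind == "O4" and in_profile:
            reasons.append("autorun target lives under the user's Application Data")
        if kind == "O4" and "rundll32" in line.lower() and HEX_VALUE_NAME.search(line):
            reasons.append("rundll32 launched from a hex-named Run value")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run on the sample, the script leaves the Java BHO and the iTunes Run entry alone and flags the other seven entries, giving the `w?nlogon.exe` line three separate reasons. The heuristics are deliberately narrow: they point a reviewer at entries worth a second look, and a clean result from them says nothing about what else may be on the machine.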

Old 01-08-2008, 05:11 PM   #2 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

==============================

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that you are clean.

================================

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you at C:\ComboFix.txt. I'll need to see that in your next reply, along with a new HijackThis log.


===================
Logs Required
C:\Combofix.txt
Hijackthis log


Any reason why you have no antivirus installed?
__________________
Member of ASAP since 2007
Member of UNITE since 2008


Old 01-08-2008, 07:44 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Hi Bruce, thank you for responding.
Here are the logs.
I have antivirus installed on other PCs on this network.
But not this one. A bad move on my part.
MarkB


ComboFix 08-01-09.2 - MarkB 2008-01-08 20:11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.411 [GMT -6:00]
Running from: C:\Documents and Settings\MarkB\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\??crosoft.NET\
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\ping .exe
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\ping.exe
C:\Documents and Settings\MarkB\Application Data\YMBOLS~1
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\system32\cbxxxxx.dll
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RCX21.tmp
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX2A.tmp
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX3F.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.exe
C:\WINDOWS\system32\wapisvit32.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe ---> CLIStart.exe
C:\Program Files\DAEMON Tools\daemon .exe ---> daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe ---> HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> jusched.exe
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Router\Router .exe ---> Router.exe
C:\Program Files\SpywareBot\SpywareBot .exe ---> SpywareBot.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 20:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 04:02 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 03:28 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-08 03:28 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-08 03:28 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-08 03:09 . 2008-01-08 03:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 37,027 --a------ C:\WINDOWS\atmoUn.exe
2008-01-07 03:38 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-07 03:17 . 2007-06-26 00:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-01-06 20:46 . 2006-05-19 06:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-06 20:46 . 2006-05-19 06:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-06 20:45 . 2008-01-08 04:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-06 20:45 . 2007-08-21 00:15 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-06 20:45 . 2007-04-25 08:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Deckard
2008-01-06 20:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 20:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-06 20:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-06 18:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys
2008-01-06 18:02 . 2008-01-06 19:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02 . 2008-01-06 18:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 18:02 . 2008-01-06 18:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 18:02 . 2008-01-06 18:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 20:18 . 2008-01-03 05:28 <DIR> d-------- C:\VundoFix Backups
2008-01-01 14:39 . 2008-01-08 20:19 <DIR> d-------- C:\Program Files\SpywareBot
2008-01-01 14:39 . 2008-01-06 20:42 <DIR> d-------- C:\Documents and Settings\MarkB\Application Data\SpywareBot
2007-12-31 12:49 . 2007-12-31 13:14 <DIR> d--hs---- C:\WINDOWS\TWFyayBCcmFiYW50
2007-12-31 12:43 . 2007-12-31 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 12:06 . 2007-12-31 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35 . 2007-12-31 12:32 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-31 11:35 . 2007-12-31 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-31 11:14 . 2007-12-31 12:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 21:49 . 2007-12-31 11:08 2,012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-30 21:47 . 2007-12-30 21:47 <DIR> d-------- C:\WINDOWS\mobgslti
2007-12-30 21:30 . 2007-12-31 13:27 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-28 19:46 . 2007-12-28 19:46 <DIR> d-------- C:\Program Files\Disney
2007-12-28 10:04 . 2007-12-28 10:04 19,088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 21:24 . 2007-12-26 21:24 3,470,360 --a------ C:\fallout_boy_saturday.mp3
2007-12-15 10:39 . 2007-12-17 18:44 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 02:19 --------- d-----w C:\Program Files\iTunes
2008-01-09 02:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-09 02:18 --------- d-----w C:\Program Files\QuickTime
2008-01-08 01:36 --------- d-----w C:\Documents and Settings\MarkB\Application Data\AdobeUM
2008-01-07 00:50 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 03:48 --------- d-----w C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 18:37 10 ----a-w C:\Program Files\.autoreg
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2005-07-29 22:24 472 --sha-r C:\WINDOWS\TWFyayBCcmFiYW50\nqIVuV1FwAI2sqcX.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A7AA16-678C-3F59-895A-3CE672845892}]
C:\WINDOWS\system32\owvq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffe58e9d-4cfe-42ac-b8d1-7c4360891611}]
C:\WINDOWS\system32\eqcyjdbv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [ ]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-01-08 05:30 6362352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2008-01-08 05:29 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-08 05:29 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-08 05:29 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-08 05:29 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 05:29 271672]
"f49fc3c0"="C:\WINDOWS\system32\ogurxwit.dll" [ ]

C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2006-05-23 15:17:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 19:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-09 02:20:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:20:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 20:22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 02:22:08
.
2008-01-08 10:24:58 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:06 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MarkB\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: {11619806-34c7-1d8b-ca24-efc4d9e85eff} - {ffe58e9d-4cfe-42ac-b8d1-7c4360891611} - C:\WINDOWS\system32\eqcyjdbv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6347 bytes
Old 01-09-2008, 05:23 AM   #4 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Quote:
<pre>
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe ---> CLIStart.exe
C:\Program Files\DAEMON Tools\daemon .exe ---> daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe ---> HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> jusched.exe
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Router\Router .exe ---> Router.exe
C:\Program Files\SpywareBot\SpywareBot .exe ---> SpywareBot.exe
</pre>
Can you re-post this part of the log in its entirety, as there is some information missing.

It should be like this:

Code:
<pre>
----a-w            39,792 2008-01-02 03:49:15  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            28,738 2008-01-02 03:49:08  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w            68,856 2008-01-02 03:49:21  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

</pre>
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating
Old 01-09-2008, 09:38 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

It looks like Spybot interfered with the log.
Reran with Spybot out of the startup routine.
MarkB

ComboFix 08-01-09.2 - MarkB 2008-01-09 10:16:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.406 [GMT -6:00]
Running from: C:\Documents and Settings\MarkB\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-09 06:41 . 2008-01-09 06:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-08 20:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 04:02 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 03:28 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-08 03:28 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-08 03:28 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-08 03:09 . 2008-01-08 03:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 37,027 --a------ C:\WINDOWS\atmoUn.exe
2008-01-07 03:38 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-07 03:17 . 2007-06-26 00:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-01-06 20:46 . 2006-05-19 06:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-06 20:46 . 2006-05-19 06:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-06 20:45 . 2008-01-09 06:41 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-06 20:45 . 2007-08-21 00:15 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-06 20:45 . 2007-04-25 08:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Deckard
2008-01-06 20:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 20:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-06 20:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\SpywareBlaster
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-06 18:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys
2008-01-06 18:02 . 2008-01-06 19:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02 . 2008-01-06 18:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 18:02 . 2008-01-06 18:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 18:02 . 2008-01-06 18:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 20:18 . 2008-01-03 05:28 <DIR> d-------- C:\VundoFix Backups
2008-01-01 14:39 . 2008-01-02 21:09 <DIR> d-------- C:\SpywareBot
2008-01-01 14:39 . 2008-01-08 20:19 <DIR> d-------- C:\Program Files\SpywareBot
2008-01-01 14:39 . 2008-01-06 20:42 <DIR> d-------- C:\Documents and Settings\MarkB\Application Data\SpywareBot
2007-12-31 12:49 . 2007-12-31 13:14 <DIR> d--hs---- C:\WINDOWS\TWFyayBCcmFiYW50
2007-12-31 12:43 . 2007-12-31 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 12:06 . 2007-12-31 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35 . 2007-12-31 12:32 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-31 11:35 . 2007-12-31 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-31 11:14 . 2007-12-31 12:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 21:49 . 2007-12-31 11:08 2,012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-30 21:47 . 2007-12-30 21:47 <DIR> d-------- C:\WINDOWS\mobgslti
2007-12-30 21:30 . 2007-12-31 13:27 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-28 19:46 . 2007-12-28 19:46 <DIR> d-------- C:\Program Files\Disney
2007-12-28 10:04 . 2007-12-28 10:04 19,088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 21:24 . 2007-12-26 21:24 3,470,360 --a------ C:\fallout_boy_saturday.mp3
2007-12-15 10:39 . 2007-12-17 18:44 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 02:19 --------- d-----w C:\Program Files\iTunes
2008-01-09 02:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-09 02:18 --------- d-----w C:\Program Files\QuickTime
2008-01-08 01:36 --------- d-----w C:\Documents and Settings\MarkB\Application Data\AdobeUM
2008-01-07 00:50 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 03:48 --------- d-----w C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 18:37 10 ----a-w C:\Program Files\.autoreg
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-07-29 22:24 472 --sha-r C:\WINDOWS\TWFyayBCcmFiYW50\nqIVuV1FwAI2sqcX.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-01-08_20.21.56.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-08 09:17:53 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-09 09:02:25 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-01-08 09:18:01 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-01-09 09:02:28 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-01-09 09:02:44 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5508cc55\CustomMarshalers.dll
+ 2008-01-09 09:03:29 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_14f5e881\mscorlib.dll
+ 2008-01-09 09:03:22 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_88c8d35c\System.Design.dll
+ 2008-01-09 09:02:47 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_0c06d6dd\System.Drawing.Design.dll
+ 2008-01-09 09:03:25 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_19c63547\System.Drawing.dll
+ 2008-01-09 09:03:01 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_14ba1c46\System.Windows.Forms.dll
+ 2008-01-09 09:03:13 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_6e185381\System.Xml.dll
+ 2008-01-09 09:02:43 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_9828733d\System.dll
+ 2008-01-08 09:21:56 3,379,200 ------w C:\WINDOWS\assembly\temp\39FLRX39EK\mscorlib.dll
+ 2008-01-08 09:20:06 3,014,656 ------w C:\WINDOWS\assembly\temp\8FKQW28EKQ\System.Windows.Forms.dll
+ 2008-01-08 09:18:58 1,953,792 ------w C:\WINDOWS\assembly\temp\9FLRX39EKQ\System.dll
+ 2008-01-08 09:20:43 2,088,960 ------w C:\WINDOWS\assembly\temp\KQW27DJPV1\System.Xml.dll
+ 2008-01-08 09:21:38 835,584 ------w C:\WINDOWS\assembly\temp\U17CIOU06C\System.Drawing.dll
+ 2008-01-08 09:17:53 1,257,472 ------w C:\WINDOWS\assembly\temp\X49FLRX39E\System.Web.dll
+ 2008-01-08 09:18:01 1,224,704 ------w C:\WINDOWS\assembly\temp\Y5BHNSY4AG\System.dll
- 2008-01-08 22:59:18 28,923 ----a-w C:\WINDOWS\hpoins03.dat
+ 2008-01-09 02:21:32 28,923 ----a-w C:\WINDOWS\hpoins03.dat
- 2004-07-15 07:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 03:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 07:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 03:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 06:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 02:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 01:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 02:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 06:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 02:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 06:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 02:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 20:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 02:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 02:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 06:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 02:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 06:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 02:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-10 22:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 22:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 07:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_aspnet_isapi.dll
+ 2004-07-15 06:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_CORPerfMonExt.dll
+ 2004-07-15 06:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_fusion.dll
+ 2004-07-15 06:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_mscorjit.dll
+ 2004-07-15 20:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_mscorlib.dll
+ 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_mscorsn.dll
+ 2004-07-15 06:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_mscorsvr.dll
+ 2004-07-15 06:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_mscorwks.dll
+ 2003-02-21 10:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_msvcr71.dll
+ 2004-07-15 06:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4064\_PerfCounter.dll
- 2004-07-15 20:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 03:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-07-15 20:29:00 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 03:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2005-09-23 12:29:00 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
+ 2006-12-22 19:02:36 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A7AA16-678C-3F59-895A-3CE672845892}]
C:\WINDOWS\system32\owvq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffe58e9d-4cfe-42ac-b8d1-7c4360891611}]
C:\WINDOWS\system32\eqcyjdbv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [ ]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-01-08 05:30 6362352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2008-01-08 05:29 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-08 05:29 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-08 05:29 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-08 05:29 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 05:29 271672]
"f49fc3c0"="C:\WINDOWS\system32\ogurxwit.dll" [ ]

C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2006-05-23 15:17:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 19:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-09 09:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 10:17:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 10:18:19
ComboFix-quarantined-files.txt 2008-01-09 16:18:11
ComboFix2.txt 2008-01-09 02:22:18
.
2008-01-09 09:02:35 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:10 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\MarkB\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: {11619806-34c7-1d8b-ca24-efc4d9e85eff} - {ffe58e9d-4cfe-42ac-b8d1-7c4360891611} - C:\WINDOWS\system32\eqcyjdbv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6333 bytes
Old 01-09-2008, 11:22 AM   #6 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

SpywareBot 1.9.0 <-- This is considered a rogue programme as it exploits the "Spybot Search & Destroy" name; it is the same app as AdwareAlert.
http://spywarewarrior.com/rogue_anti...e.htm#products

==================================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\WINDOWS\mrofinu11.exe.tmp
C:\Documents and Settings\MarkB\Desktop\VirtumundoBeGone.exe
C:\Documents and Settings\MarkB\Local Settings\Temp\nsn6B.tmp


Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\VundoFix Backups
C:\Program Files\STOPzilla!
C:\Documents and Settings\All Users\Application Data\STOPzilla!
C:\Program Files\Spyware Doctor
C:\WINDOWS\TWFyayBCcmFiYW50

DirLook::
C:\WINDOWS\mobgslti

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A7AA16-678C-3F59-895A-3CE672845892}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffe58e9d-4cfe-42ac-b8d1-7c4360891611}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f49fc3c0"=-

Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

==================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

===============================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===============================
Logs Required
C:\Combofix.txt
Kaspersky scan log
Hijackthis log


Can you tell me why you have no Anti-virus programme installed?
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
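As an added example (not code from the thread, the analyst, or HijackThis), the O2/O4 triage the analyst did by eye above, written as a Python checker over sample lines copied from the posted log; the indicator list, the `SYSTEM_BINARIES` set and the names `triage`/`Finding` are my own assumptions.

```python
"""O2/O4 triage of the HijackThis log above, as the analyst did it by eye.

Added example, not from the forum post or HijackThis. The indicators are the ones
the analyst's fix acted on; the SYSTEM_BINARIES list and thresholds are my choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: {11619806-34c7-1d8b-ca24-efc4d9e85eff} - {ffe58e9d-4cfe-42ac-b8d1-7c4360891611} - C:\WINDOWS\system32\eqcyjdbv.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
HEX_VALUE_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")
CLSID_ONLY_NAME = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.I)
APPDATA_DIR = re.compile(r"\\(Application Data|APPLIC~1)\\", re.I)
# System binary names that an autorun has no business borrowing outside %SystemRoot%.
SYSTEM_BINARIES = {"winlogon.exe", "ping.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe"}

@dataclass
class Finding:
    kind: str           # "O2" (BHO) or "O4" (Run value)
    label: str          # BHO display name or Run value name
    image: str          # file the entry actually loads
    reasons: list[str]  # indicators that fired

def resolve_image(cmd: str) -> tuple[str, str | None]:
    """Return (image path, rundll32 export or None) for a Run value's command line."""
    # Split on whitespace but keep double-quoted paths whole, then drop the quotes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    if not tokens:
        return "", None
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        # rundll32 takes "<dll>,<export>"; the DLL is the code that really runs.
        dll, _, export = " ".join(tokens[1:]).partition(",")
        return dll.strip(), (export.strip() or None)
    return tokens[0], None

def judge_bho(name: str, path: str) -> Finding | None:
    reasons, image = [], path
    if path.endswith("(file missing)"):
        image = path[: -len("(file missing)")].strip()
        reasons.append("registered BHO whose DLL is no longer on disk")
    if name == "(no name)" or CLSID_ONLY_NAME.match(name):
        reasons.append("BHO carries no product name, only a CLSID")
    return Finding("O2", name, image, reasons) if reasons else None

def judge_run(key: str, cmd: str) -> Finding | None:
    reasons = []
    image, export = resolve_image(cmd)
    base = image.rsplit("\\", 1)[-1].lower()
    if HEX_VALUE_NAME.match(key):
        reasons.append("value name is eight hex digits rather than a product name")
    if export is not None and len(export) == 1:
        reasons.append("rundll32 enters the DLL through a one-letter export")
    if "?" in image:
        reasons.append("path holds characters HijackThis could not render ('?'): look-alike names")
    if base in SYSTEM_BINARIES and not WINDOWS_DIR.match(image):
        reasons.append(f"{base} is a system binary name running from outside the Windows directory")
    if APPDATA_DIR.search(image):
        reasons.append("launches from the user's Application Data, not Program Files or Windows")
    return Finding("O4", key, image, reasons) if reasons else None

def triage(log_text: str) -> list[Finding]:
    """One Finding per O2/O4 line on which at least one indicator fires."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            finding = judge_bho(m["name"], m["path"])
        elif m := O4_RE.match(line):
            finding = judge_run(m["key"], m["cmd"])
        else:
            continue
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.label}] {f.image}\n    " + "\n    ".join(f.reasons))
```

Run against the sample, the checker flags exactly the two orphaned BHOs and the three Run values the CFScript above removes, and passes the Yahoo, iTunes and NVIDIA entries.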
Old 01-10-2008, 08:34 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Hi there, I do not see an online scan on the Kaspersky URL. I only see a download option. I did that, but do not see the scanning options you outline via the Scan Settings button. There is no Scan Settings Button.
Please advise. Thanks,

MarkB
Old 01-10-2008, 09:43 AM   #8 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Try clearing your cookies; I have just tried the link and the online scanner button is there.

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on the Delete Temp Files & Cookies buttons.


Also keep off the internet as much as possible as you have no AV installed.
Old 01-10-2008, 10:02 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Bruce,
See attached....
MarkB
Attached Files
File Type: doc Kaspersky.doc (377.5 KB, 2 views)
Old 01-10-2008, 11:37 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: I cannot get rid of Ping.exe - Vundo?

Try this link (IE only) > http://www.kaspersky.com/kos/eng/par...avwebscan.html
__________________

Question - what have you done for the community today?
Old 01-10-2008, 02:30 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Wow, great, that worked. Thank you. Here are the logs.
HijackThis log and Kaspersky log attached because the line-of-text limit was exceeded.
MarkB

ComboFix 08-01-09.2 - MarkB 2008-01-10 8:50:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510 [GMT -6:00]
Running from: C:\Documents and Settings\MarkB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MarkB\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\Documents and Settings\MarkB\Desktop\VirtumundoBeGone.exe
C:\Documents and Settings\MarkB\Local Settings\Temp\nsn6B.tmp
C:\WINDOWS\mrofinu11.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\STOPzilla!
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sb.dat
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sc.dat
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sgdefs.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sztrgwc.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\Target.Log
C:\Documents and Settings\All Users\Application Data\STOPzilla!\targets.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\userdata.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\zilla5.log
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Documents and Settings\MarkB\Desktop\VirtumundoBeGone.exe
C:\Program Files\Spyware Doctor
C:\Program Files\Spyware Doctor\alert.wav
C:\Program Files\Spyware Doctor\bpo-sdhelp.chm
C:\Program Files\Spyware Doctor\ChineseSimp.lng
C:\Program Files\Spyware Doctor\ChineseTrad.lng
C:\Program Files\Spyware Doctor\csi-sdhelp.chm
C:\Program Files\Spyware Doctor\ctr-sdhelp.chm
C:\Program Files\Spyware Doctor\czech.chm
C:\Program Files\Spyware Doctor\Czech.lng
C:\Program Files\Spyware Doctor\danish.chm
C:\Program Files\Spyware Doctor\Danish.lng
C:\Program Files\Spyware Doctor\deu-sdhelp.chm
C:\Program Files\Spyware Doctor\Deutsch.lng
C:\Program Files\Spyware Doctor\Dutch.lng
C:\Program Files\Spyware Doctor\eng-sdhelp.chm
C:\Program Files\Spyware Doctor\English.lng
C:\Program Files\Spyware Doctor\EnglishBritish.lng
C:\Program Files\Spyware Doctor\esp-sdhelp.chm
C:\Program Files\Spyware Doctor\euk-sdhelp.chm
C:\Program Files\Spyware Doctor\FileStorage.sdp
C:\Program Files\Spyware Doctor\finnish.chm
C:\Program Files\Spyware Doctor\Finnish.lng
C:\Program Files\Spyware Doctor\fre-sdhelp.chm
C:\Program Files\Spyware Doctor\French.lng
C:\Program Files\Spyware Doctor\greek.chm
C:\Program Files\Spyware Doctor\Greek.lng
C:\Program Files\Spyware Doctor\history\syslog.dad
C:\Program Files\Spyware Doctor\history\syslog.das
C:\Program Files\Spyware Doctor\history\userlog.dad
C:\Program Files\Spyware Doctor\history\userlog.das
C:\Program Files\Spyware Doctor\homepage.url
C:\Program Files\Spyware Doctor\IDBLib.sdp
C:\Program Files\Spyware Doctor\Immunizer.sdp
C:\Program Files\Spyware Doctor\ita-sdhelp.chm
C:\Program Files\Spyware Doctor\Italian.lng
C:\Program Files\Spyware Doctor\jap-sdhelp.chm
C:\Program Files\Spyware Doctor\Japanese.lng
C:\Program Files\Spyware Doctor\klg.dat
C:\Program Files\Spyware Doctor\kor-sdhelp.chm
C:\Program Files\Spyware Doctor\Korean.lng
C:\Program Files\Spyware Doctor\Languages.xml
C:\Program Files\Spyware Doctor\Localizer.sdp
C:\Program Files\Spyware Doctor\LuLng\ChineseSimp.lng
C:\Program Files\Spyware Doctor\LuLng\ChineseTrad.lng
C:\Program Files\Spyware Doctor\LuLng\Czech.lng
C:\Program Files\Spyware Doctor\LuLng\Danish.lng
C:\Program Files\Spyware Doctor\LuLng\Deutsch.lng
C:\Program Files\Spyware Doctor\LuLng\Dutch.lng
C:\Program Files\Spyware Doctor\LuLng\English.lng
C:\Program Files\Spyware Doctor\LuLng\EnglishBritish.lng
C:\Program Files\Spyware Doctor\LuLng\Finnish.lng
C:\Program Files\Spyware Doctor\LuLng\French.lng
C:\Program Files\Spyware Doctor\LuLng\Greek.lng
C:\Program Files\Spyware Doctor\LuLng\Italian.lng
C:\Program Files\Spyware Doctor\LuLng\Japanese.lng
C:\Program Files\Spyware Doctor\LuLng\Korean.lng
C:\Program Files\Spyware Doctor\LuLng\Norwegian.lng
C:\Program Files\Spyware Doctor\LuLng\Polski.lng
C:\Program Files\Spyware Doctor\LuLng\Portuguese.lng
C:\Program Files\Spyware Doctor\LuLng\PortugueseBrazilian.lng
C:\Program Files\Spyware Doctor\LuLng\Russian.lng
C:\Program Files\Spyware Doctor\LuLng\Spanish.lng
C:\Program Files\Spyware Doctor\LuLng\Swedish.lng
C:\Program Files\Spyware Doctor\LuLng\Thai.lng
C:\Program Files\Spyware Doctor\LuLng\Turkish.lng
C:\Program Files\Spyware Doctor\ned-sdhelp.chm
C:\Program Files\Spyware Doctor\NfyMan.sdp
C:\Program Files\Spyware Doctor\norwegian.chm
C:\Program Files\Spyware Doctor\Norwegian.lng
C:\Program Files\Spyware Doctor\PCToolsComponents.bpl
C:\Program Files\Spyware Doctor\plugins\Browsers.SDP
C:\Program Files\Spyware Doctor\plugins\cookie.sdp
C:\Program Files\Spyware Doctor\plugins\grfiles.SDP
C:\Program Files\Spyware Doctor\plugins\grregistry.SDP
C:\Program Files\Spyware Doctor\plugins\KLGuard.SDP
C:\Program Files\Spyware Doctor\plugins\Network.SDP
C:\Program Files\Spyware Doctor\plugins\Process.SDP
C:\Program Files\Spyware Doctor\plugins\ScriptEngine.SDP
C:\Program Files\Spyware Doctor\plugins\SDNET.SDP
C:\Program Files\Spyware Doctor\plugins\StartUp.SDP
C:\Program Files\Spyware Doctor\pol-sdhelp.chm
C:\Program Files\Spyware Doctor\Polski.lng
C:\Program Files\Spyware Doctor\por-sdhelp.chm
C:\Program Files\Spyware Doctor\Portuguese.lng
C:\Program Files\Spyware Doctor\PortugueseBrazilian.lng
C:\Program Files\Spyware Doctor\quarantine.sdp
C:\Program Files\Spyware Doctor\RebootManager.sdp
C:\Program Files\Spyware Doctor\RefDB.bin2
C:\Program Files\Spyware Doctor\rtl100.bpl
C:\Program Files\Spyware Doctor\rus-sdhelp.chm
C:\Program Files\Spyware Doctor\Russian.lng
C:\Program Files\Spyware Doctor\scaneng.sdp
C:\Program Files\Spyware Doctor\sdextra.sdp
C:\Program Files\Spyware Doctor\SDInfo.sdp
C:\Program Files\Spyware Doctor\sdnet\MANIFEST.1
C:\Program Files\Spyware Doctor\sdSTasks.def
C:\Program Files\Spyware Doctor\Settings.sdp
C:\Program Files\Spyware Doctor\Spanish.lng
C:\Program Files\Spyware Doctor\stasks.sdp
C:\Program Files\Spyware Doctor\swedish.chm
C:\Program Files\Spyware Doctor\Swedish.lng
C:\Program Files\Spyware Doctor\SystemMonitor.sdp
C:\Program Files\Spyware Doctor\thai.chm
C:\Program Files\Spyware Doctor\Thai.lng
C:\Program Files\Spyware Doctor\turkish.chm
C:\Program Files\Spyware Doctor\Turkish.lng
C:\Program Files\Spyware Doctor\unins000.dat
C:\Program Files\Spyware Doctor\vcl100.bpl
C:\Program Files\Spyware Doctor\whitelist.sdp
C:\Program Files\STOPzilla!
C:\Program Files\STOPzilla!\roar.wav
C:\Program Files\STOPzilla!\snore.wav
C:\Program Files\STOPzilla!\STOPzillaHelp.chm
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Atmosphere.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\ExtremeShot.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VETsdk.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\cbxxxxx.dll.bad
C:\VundoFix Backups\eqcyjdbv.dll.bad
C:\VundoFix Backups\kuvrleyx.dll.bad
C:\VundoFix Backups\mrofinu11.exe.bad
C:\VundoFix Backups\nvixycow.dll.bad
C:\VundoFix Backups\ogurxwit.dll.bad
C:\VundoFix Backups\stutv.ini.bad
C:\VundoFix Backups\stutv.ini2.bad
C:\VundoFix Backups\tiwxrugo.ini.bad
C:\VundoFix Backups\vtuts.dll.bad
C:\VundoFix Backups\vtuts.exe.bad
C:\VundoFix Backups\xyelrvuk.ini.bad
C:\WINDOWS\mrofinu11.exe.tmp
C:\WINDOWS\TWFyayBCcmFiYW50
C:\WINDOWS\TWFyayBCcmFiYW50\nqIVuV1FwAI2sqcX.vbs

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 08:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 04:02 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 03:28 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-08 03:28 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-08 03:28 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-08 03:09 . 2008-01-08 03:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-07 19:36 . 2008-01-07 19:36 37,027 --a------ C:\WINDOWS\atmoUn.exe
2008-01-07 03:38 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-07 03:17 . 2007-06-26 00:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-01-06 20:46 . 2006-05-19 06:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-06 20:46 . 2006-05-19 06:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-06 20:45 . 2008-01-10 03:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-06 20:45 . 2007-08-21 00:15 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-06 20:45 . 2007-04-25 08:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Deckard
2008-01-06 20:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 20:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-06 20:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\SpywareBlaster
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-06 18:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys
2008-01-06 18:02 . 2008-01-06 19:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02 . 2008-01-06 18:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 18:02 . 2008-01-06 18:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 18:02 . 2008-01-06 18:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 14:39 . 2008-01-02 21:09 <DIR> d-------- C:\SpywareBot
2008-01-01 14:39 . 2008-01-10 03:00 <DIR> d-------- C:\Documents and Settings\MarkB\Application Data\SpywareBot
2007-12-31 12:43 . 2007-12-31 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 12:06 . 2007-12-31 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-30 21:49 . 2007-12-31 11:08 2,012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-30 21:47 . 2007-12-30 21:47 <DIR> d-------- C:\WINDOWS\mobgslti
2007-12-28 19:46 . 2007-12-28 19:46 <DIR> d-------- C:\Program Files\Disney
2007-12-28 10:04 . 2007-12-28 10:04 19,088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 21:24 . 2007-12-26 21:24 3,470,360 --a------ C:\fallout_boy_saturday.mp3
2007-12-15 10:39 . 2007-12-17 18:44 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 14:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 14:43 --------- d-----w C:\Program Files\StarWarsGalaxies
2008-01-09 02:19 --------- d-----w C:\Program Files\iTunes
2008-01-09 02:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-09 02:18 --------- d-----w C:\Program Files\QuickTime
2008-01-08 01:36 --------- d-----w C:\Documents and Settings\MarkB\Application Data\AdobeUM
2008-01-07 00:50 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 03:48 --------- d-----w C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 18:37 10 ----a-w C:\Program Files\.autoreg
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\mobgslti ----

2007-12-31 08:47 857 --a------ C:\WINDOWS\mobgslti\poloska3.png
2007-12-31 08:47 839 --a------ C:\WINDOWS\mobgslti\8.png
2007-12-31 08:47 835 --a------ C:\WINDOWS\mobgslti\9.png
2007-12-31 08:47 822 --a------ C:\WINDOWS\mobgslti\6.png
2007-12-31 08:47 810 --a------ C:\WINDOWS\mobgslti\5.png
2007-12-31 08:47 800 --a------ C:\WINDOWS\mobgslti\frame-h1bg.gif
2007-12-31 08:47 794 --a------ C:\WINDOWS\mobgslti\7.png
2007-12-31 08:47 721 --a------ C:\WINDOWS\mobgslti\frame-bg.gif
2007-12-31 08:47 670 --a------ C:\WINDOWS\mobgslti\3.png
2007-12-31 08:47 667 --a------ C:\WINDOWS\mobgslti\2.png
2007-12-31 08:47 663 --a------ C:\WINDOWS\mobgslti\4.png
2007-12-31 08:47 662 --a------ C:\WINDOWS\mobgslti\1.png
2007-12-31 08:47 5228 --a------ C:\WINDOWS\mobgslti\promo13.html
2007-12-31 08:47 4907 --a------ C:\WINDOWS\mobgslti\promo11.html
2007-12-31 08:47 4819 --a------ C:\WINDOWS\mobgslti\frame-bottom-left.gif
2007-12-31 08:47 4763 --a------ C:\WINDOWS\mobgslti\promo5.html
2007-12-31 08:47 4525 --a------ C:\WINDOWS\mobgslti\promo18.html
2007-12-31 08:47 4319 --a------ C:\WINDOWS\mobgslti\promo15.html
2007-12-31 08:47 4001 --a------ C:\WINDOWS\mobgslti\promo6.html
2007-12-31 08:47 3917 --a------ C:\WINDOWS\mobgslti\head.png
2007-12-31 08:47 3913 --a------ C:\WINDOWS\mobgslti\main.css
2007-12-31 08:47 3600 --a------ C:\WINDOWS\mobgslti\promo1.html
2007-12-31 08:47 3595 --a------ C:\WINDOWS\mobgslti\download.gif
2007-12-31 08:47 3493 --a------ C:\WINDOWS\mobgslti\promo3.html
2007-12-31 08:47 3405 --a------ C:\WINDOWS\mobgslti\promo8.html
2007-12-31 08:47 3282 --a------ C:\WINDOWS\mobgslti\promo14.html
2007-12-31 08:47 3175 --a------ C:\WINDOWS\mobgslti\promo2.html
2007-12-31 08:47 314 --a------ C:\WINDOWS\mobgslti\bottom-rc.gif
2007-12-31 08:47 2994 --a------ C:\WINDOWS\mobgslti\promo17.html
2007-12-31 08:47 2830 --a------ C:\WINDOWS\mobgslti\memory-prots.png
2007-12-31 08:47 2539 --a------ C:\WINDOWS\mobgslti\config.png
2007-12-31 08:47 2527 --a------ C:\WINDOWS\mobgslti\reg.png
2007-12-31 08:47 2400 --a------ C:\WINDOWS\mobgslti\net.png
2007-12-31 08:47 2332 --a------ C:\WINDOWS\mobgslti\promo4.html
2007-12-31 08:47 2281 --a------ C:\WINDOWS\mobgslti\pc.gif
2007-12-31 08:47 2252 --a------ C:\WINDOWS\mobgslti\promo9.html
2007-12-31 08:47 225 --a------ C:\WINDOWS\mobgslti\repair.png
2007-12-31 08:47 21564 --a------ C:\WINDOWS\mobgslti\scr-1.png
2007-12-31 08:47 2112 --a------ C:\WINDOWS\mobgslti\promo7.html
2007-12-31 08:47 2053 --a------ C:\WINDOWS\mobgslti\content.png
2007-12-31 08:47 2038 --a------ C:\WINDOWS\mobgslti\styles.css
2007-12-31 08:47 1956 --a------ C:\WINDOWS\mobgslti\promo10.html
2007-12-31 08:47 19371 --a------ C:\WINDOWS\mobgslti\scr-2.png
2007-12-31 08:47 1931 --a------ C:\WINDOWS\mobgslti\vline.gif
2007-12-31 08:47 1928 --a------ C:\WINDOWS\mobgslti\pc-mag.gif
2007-12-31 08:47 1855 --a------ C:\WINDOWS\mobgslti\promo16.html
2007-12-31 08:47 1814 --a------ C:\WINDOWS\mobgslti\promo12.html
2007-12-31 08:47 17396 --a------ C:\WINDOWS\mobgslti\index.html
2007-12-31 08:47 1638 --a------ C:\WINDOWS\mobgslti\icon.png
2007-12-31 08:47 1616 --a------ C:\WINDOWS\mobgslti\wp.png
2007-12-31 08:47 1582 --a------ C:\WINDOWS\mobgslti\poloska1.png
2007-12-31 08:47 1499 --a------ C:\WINDOWS\mobgslti\poloska2.png
2007-12-31 08:47 1470 --a------ C:\WINDOWS\mobgslti\start.png
2007-12-31 08:47 128 --a------ C:\WINDOWS\mobgslti\top-rc.gif


((((((((((((((((((((((((((((( snapshot_2008-01-09_10.17.59.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
- 2008-01-09 02:10:38 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-10 14:49:53 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-09 02:10:39 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-10 14:49:53 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-09 02:10:39 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-10 14:49:53 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-09 02:10:39 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-10 14:49:53 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-09 02:10:39 1,843,200 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-10 14:49:53 1,900,544 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-09 02:10:40 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-10 14:49:53 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-09 02:21:32 28,923 ----a-w C:\WINDOWS\hpoins03.dat
+ 2008-01-10 11:28:41 28,923 ----a-w C:\WINDOWS\hpoins03.dat
- 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2007-12-02 21:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [ ]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2008-01-08 05:29 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-08 05:29 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-08 05:29 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-08 05:29 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 05:29 271672]

C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2006-05-23 15:17:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 19:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-10 11:28:03 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 08:54:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 8:56:11 - machine was rebooted [MarkB]
ComboFix-quarantined-files.txt 2008-01-10 14:56:02
ComboFix2.txt 2008-01-09 16:18:20
ComboFix3.txt 2008-01-09 02:22:18
.
2008-01-10 09:04:58 --- E O F ---
Attached Files
File Type: txt hijackthis_1_10_08.txt (6.2 KB, 1 views)
File Type: txt Kaspersky.txt (158.2 KB, 2 views)
Gibgab is offline  
Old 01-10-2008, 06:02 PM   #12 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Thank you sUBs for your assistance.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

Folder::
C:\SpywareBot
C:\Program Files\SpywareBot
C:\Documents and Settings\MarkB\Application Data\SpywareBot
C:\WINDOWS\mobgslti

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trto"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Llsbjso"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Router"=-
Save this as CFscript





Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

=============================

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

================================

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 U3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=================================
Logs Required
C:\Combofix.txt
Scan log from your installed AV
Hijackthis log
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
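The three Run-key values the CFscript above removes were picked out of the ComboFix "Reg Loading Points" section by eye: a file ComboFix could not find on disk (the `[ ]` marker), a path with characters the log could not render (`?ymbols\w?nlogon.exe`), and ping.exe living under a user's Application Data instead of C:\WINDOWS. As an added example that is not part of this thread or of ComboFix, the Python below parses that section, applies those same tell-tale checks plus one for whitespace before the extension (the `QTTask .exe` entry later quarantined in the AVG log), and renders the hits in the `Registry::` layout the CFscript uses. The sample log lines are constructed from the entries shown earlier in the thread; the heuristics and the `SYSTEM_BINARIES` list are my assumptions, not ComboFix logic.

```python
"""Flag suspicious autostart values in the 'Reg Loading Points' section of a
ComboFix log and emit them as a CFscript 'Registry::' section.

Added example for this thread; not ComboFix code. The checks are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Run keys shown earlier in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [ ]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')

# Assumption: these Windows binary names have no business outside C:\WINDOWS.
SYSTEM_BINARIES = {"ping.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)
# Matches both the long and the 8.3 short form of a user's Application Data dir.
APPDATA_RE = re.compile(r"(documents and settings|docume~1)\\[^\\]+\\(application data|applic~1)\\")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_run_entries(text):
    """Yield (key, name, path, meta) for each value line under a [HKEY_...] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("path"), m.group("meta").strip()


def suspicious_reasons(path, meta):
    """Return the tell-tale signs found for one autostart value (empty if clean)."""
    reasons = []
    basename = path.rsplit("\\", 1)[-1]
    lower = path.lower()
    if not meta:                                   # ComboFix printed "[ ]"
        reasons.append("file not found on disk when the log was taken")
    if "?" in path or any(ord(c) > 126 for c in path):
        reasons.append("path contains characters the log could not render")
    if re.search(r"\s\.[a-z0-9]+$", basename, re.IGNORECASE):
        reasons.append("whitespace before the extension (lookalike file name)")
    if basename.lower() in SYSTEM_BINARIES and not lower.startswith(SYSTEM_DIRS):
        reasons.append(f"{basename} outside the Windows directory")
    if APPDATA_RE.search(lower):
        reasons.append("executable run from a user profile's Application Data")
    return reasons


def scan(text):
    """Return a Finding for every autostart value that trips at least one check."""
    findings = []
    for key, name, path, meta in parse_run_entries(text):
        reasons = suspicious_reasons(path, meta)
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


def to_cfscript_registry(findings):
    """Render findings in the CFscript Registry:: layout used in this thread."""
    lines = ["Registry::"]
    for f in findings:
        lines.append(f"[{f.key}]")
        lines.append(f'"{f.name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
    print()
    print(to_cfscript_registry(hits))
```

Treat the output as a review list rather than a script to drop onto ComboFix unread: the `[ ]` marker also appears when an earlier ComboFix run has already quarantined the file, as with Router.exe here, so whoever handles the log still confirms each flagged value against the rest of the report before it goes into a CFscript.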
Old 01-10-2008, 07:38 PM   #13 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Hey there, all tasks complete.
See attached logs.

MarkB

ComboFix 08-01-09.2 - MarkB 2008-01-10 19:56:28.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.406 [GMT -6:00]
Running from: C:\Documents and Settings\MarkB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MarkB\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MarkB\Application Data\SpywareBot
C:\Documents and Settings\MarkB\Application Data\SpywareBot\Log\2008 Jan 10 - 03_00_00 AM_609.log
C:\Documents and Settings\MarkB\Application Data\SpywareBot\Log\2008 Jan 10 - 03_00_00 AM_890.log
C:\Documents and Settings\MarkB\Application Data\SpywareBot\Log\2008 Jan 10 - 05_28_03 AM_203.log
C:\Documents and Settings\MarkB\Application Data\SpywareBot\rs.dat
C:\Documents and Settings\MarkB\Application Data\SpywareBot\Settings\ScanResults.pie
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\SpywareBot
C:\SpywareBot\SpywareBot on the Web.lnk
C:\SpywareBot\SpywareBot.lnk
C:\SpywareBot\Uninstall SpywareBot.lnk
C:\WINDOWS\mobgslti
C:\WINDOWS\mobgslti\1.png
C:\WINDOWS\mobgslti\2.png
C:\WINDOWS\mobgslti\3.png
C:\WINDOWS\mobgslti\4.png
C:\WINDOWS\mobgslti\5.png
C:\WINDOWS\mobgslti\6.png
C:\WINDOWS\mobgslti\7.png
C:\WINDOWS\mobgslti\8.png
C:\WINDOWS\mobgslti\9.png
C:\WINDOWS\mobgslti\bottom-rc.gif
C:\WINDOWS\mobgslti\config.png
C:\WINDOWS\mobgslti\content.png
C:\WINDOWS\mobgslti\download.gif
C:\WINDOWS\mobgslti\frame-bg.gif
C:\WINDOWS\mobgslti\frame-bottom-left.gif
C:\WINDOWS\mobgslti\frame-h1bg.gif
C:\WINDOWS\mobgslti\head.png
C:\WINDOWS\mobgslti\icon.png
C:\WINDOWS\mobgslti\index.html
C:\WINDOWS\mobgslti\main.css
C:\WINDOWS\mobgslti\memory-prots.png
C:\WINDOWS\mobgslti\net.png
C:\WINDOWS\mobgslti\pc-mag.gif
C:\WINDOWS\mobgslti\pc.gif
C:\WINDOWS\mobgslti\poloska1.png
C:\WINDOWS\mobgslti\poloska2.png
C:\WINDOWS\mobgslti\poloska3.png
C:\WINDOWS\mobgslti\promo1.html
C:\WINDOWS\mobgslti\promo10.html
C:\WINDOWS\mobgslti\promo11.html
C:\WINDOWS\mobgslti\promo12.html
C:\WINDOWS\mobgslti\promo13.html
C:\WINDOWS\mobgslti\promo14.html
C:\WINDOWS\mobgslti\promo15.html
C:\WINDOWS\mobgslti\promo16.html
C:\WINDOWS\mobgslti\promo17.html
C:\WINDOWS\mobgslti\promo18.html
C:\WINDOWS\mobgslti\promo2.html
C:\WINDOWS\mobgslti\promo3.html
C:\WINDOWS\mobgslti\promo4.html
C:\WINDOWS\mobgslti\promo5.html
C:\WINDOWS\mobgslti\promo6.html
C:\WINDOWS\mobgslti\promo7.html
C:\WINDOWS\mobgslti\promo8.html
C:\WINDOWS\mobgslti\promo9.html
C:\WINDOWS\mobgslti\reg.png
C:\WINDOWS\mobgslti\repair.png
C:\WINDOWS\mobgslti\scr-1.png
C:\WINDOWS\mobgslti\scr-2.png
C:\WINDOWS\mobgslti\start.png
C:\WINDOWS\mobgslti\styles.css
C:\WINDOWS\mobgslti\top-rc.gif
C:\WINDOWS\mobgslti\vline.gif
C:\WINDOWS\mobgslti\wp.png
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-10 20:04 . 2008-01-10 20:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-10 20:04 . 2008-01-10 20:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 19:23 . 2008-01-10 19:25 <DIR> d-------- C:\Documents and Settings\MarkB\Application Data\AVG7
2008-01-10 19:23 . 2008-01-10 19:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-10 19:23 . 2008-01-10 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-10 19:23 . 2008-01-10 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-10 14:16 . 2008-01-10 14:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-10 09:09 . 2008-01-10 20:03 609,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 09:09 . 2008-01-10 20:03 16,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 09:09 . 2008-01-10 20:02 10,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 09:09 . 2008-01-10 20:02 2,564 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 09:06 . 2008-01-10 09:06 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-10 09:06 . 2008-01-10 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-10 08:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 04:02 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 03:28 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-08 03:28 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-08 03:28 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-08 03:09 . 2008-01-08 03:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-07 19:36 . 2008-01-07 19:36 37,027 --a------ C:\WINDOWS\atmoUn.exe
2008-01-07 03:38 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-07 03:17 . 2007-06-26 00:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-01-06 20:46 . 2006-05-19 06:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-06 20:46 . 2006-05-19 06:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-06 20:45 . 2008-01-10 03:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-06 20:45 . 2007-08-21 00:15 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-06 20:45 . 2007-04-25 08:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Deckard
2008-01-06 20:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 20:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-06 20:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\SpywareBlaster
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-06 18:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys
2008-01-06 18:02 . 2008-01-06 19:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02 . 2008-01-06 18:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 18:02 . 2008-01-06 18:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 18:02 . 2008-01-06 18:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-31 12:43 . 2007-12-31 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 12:06 . 2007-12-31 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-30 21:49 . 2007-12-31 11:08 2,012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-28 19:46 . 2007-12-28 19:46 <DIR> d-------- C:\Program Files\Disney
2007-12-28 10:04 . 2007-12-28 10:04 19,088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 21:24 . 2007-12-26 21:24 3,470,360 --a------ C:\fallout_boy_saturday.mp3
2007-12-15 10:39 . 2007-12-17 18:44 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 02:02 --------- d-----w C:\Program Files\Apple Software Update
2008-01-11 01:48 --------- d-----w C:\Program Files\QuickTime
2008-01-10 14:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 14:43 --------- d-----w C:\Program Files\StarWarsGalaxies
2008-01-09 02:19 --------- d-----w C:\Program Files\iTunes
2008-01-09 02:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-08 01:36 --------- d-----w C:\Documents and Settings\MarkB\Application Data\AdobeUM
2008-01-07 00:50 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 03:48 --------- d-----w C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 18:37 10 ----a-w C:\Program Files\.autoreg
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-10_ 8.55.50.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 14:49:53 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-11 01:56:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 14:49:53 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-11 01:56:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-10 14:49:53 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-11 01:56:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-10 14:49:53 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-11 01:56:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-10 14:49:53 1,900,544 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-11 01:56:05 1,912,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-10 14:49:53 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-11 01:56:05 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-10 11:28:41 28,923 ----a-w C:\WINDOWS\hpoins03.dat
+ 2008-01-10 15:13:45 28,923 ----a-w C:\WINDOWS\hpoins03.dat
- 2006-12-28 20:30:18 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-10 15:08:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-12-28 20:30:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-10 15:08:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-12-28 20:30:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-10 15:08:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-11 01:23:37 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-11 01:23:40 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-11 01:23:41 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-11 01:23:43 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-11 01:23:42 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-11 01:23:42 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
+ 2008-01-10 15:09:06 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2008-01-08 05:29 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-08 05:29 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-08 05:29 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 05:29 271672]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-10 19:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-10 19:23 219136]

C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2006-05-23 15:17:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 19:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 20:04:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 20:07:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 0258
ComboFix2.txt 2008-01-10 14:56:11
ComboFix3.txt 2008-01-09 16:18:20
ComboFix4.txt 2008-01-09 02:22:18
.
2008-01-10 09:04:58 --- E O F ---

========================

Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX10.tmp 1/10/2008 19:48 RCX10.tmp 6.45 MB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX11.tmp 1/10/2008 19:48 RCX11.tmp 380.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX12.tmp 1/10/2008 19:48 RCX12.tmp 380.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX13.tmp 1/10/2008 19:48 RCX13.tmp 380.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX14.tmp 1/10/2008 19:48 RCX14.tmp 570 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX15.tmp 1/10/2008 19:48 RCX15.tmp 570 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX16.tmp 1/10/2008 19:48 RCX16.tmp 570 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX17.tmp 1/10/2008 19:48 RCX17.tmp 466.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX18.tmp 1/10/2008 19:48 RCX18.tmp 466.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX19.tmp 1/10/2008 19:48 RCX19.tmp 466.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX1A.tmp 1/10/2008 19:48 RCX1A.tmp 465 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX1B.tmp 1/10/2008 19:48 RCX1B.tmp 465 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX1C.tmp 1/10/2008 19:48 RCX1C.tmp 465 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX1E.tmp 1/10/2008 19:48 RCX1E.tmp 638 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX20.tmp 1/10/2008 19:48 RCX20.tmp 380.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX21.tmp 1/10/2008 19:48 RCX21.tmp 686 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX22.tmp 1/10/2008 19:48 RCX22.tmp 686 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX23.tmp 1/10/2008 19:48 RCX23.tmp 686 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX24.tmp 1/10/2008 19:48 RCX24.tmp 570 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX27.tmp 1/10/2008 19:48 RCX27.tmp 466.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX2A.tmp 1/10/2008 19:48 RCX2A.tmp 465 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX2D.tmp 1/10/2008 19:48 RCX2D.tmp 638 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX30.tmp 1/10/2008 19:48 RCX30.tmp 686 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX4.tmp 1/10/2008 19:48 RCX4.tmp 2.1 MB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCX7.tmp 1/10/2008 19:48 RCX7.tmp 507.5 KB
Trojan horse Dropper.Agent.GIT C:\Deckard\System Scanner\backup\DOCUME~1\MarkB\LOCALS~1\Temp\RCXC.tmp 1/10/2008 19:48 RCXC.tmp 466 KB
Trojan horse Downloader.Generic6.ABJX C:\Documents and Settings\MarkB\Application Data\SpywareBot\Quarantine\02-01-2008-11-31-43\79.qit 1/10/2008 19:48 79.qit 60 KB
Trojan horse Downloader.Small.60.L C:\Documents and Settings\MarkB\Application Data\SpywareBot\Quarantine\02-01-2008-11-31-43\80.qit 1/10/2008 19:48 80.qit 94 KB
Trojan horse Dropper.Agent.GIT C:\Program Files\QuickTime\QTTask.exe 1/10/2008 19:48 QTTask.exe 638 KB
Trojan horse Downloader.Generic5.KA C:\QooBox\Quarantine\C\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\ping .exe.vir 1/10/2008 19:48 ping .exe.vir 71 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe.vir 1/10/2008 19:48 ping.exe.vir 402.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe.vir 1/10/2008 19:48 CLIStart.exe.vir 466.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\DAEMON Tools\daemon.exe.vir 1/10/2008 19:48 daemon.exe.vir 507.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd.exe.vir 1/10/2008 19:48 HPWuSchd.exe.vir 380.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\HP\hpcoretech\hpcmpmgr.exe.vir 1/10/2008 19:48 hpcmpmgr.exe.vir 570 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir 1/10/2008 19:48 iTunesHelper.exe.vir 686 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_02\bin\jusched.exe.vir 1/10/2008 19:48 jusched.exe.vir 465 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir 1/10/2008 19:48 msmsgs.exe.vir 2.12 MB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir 1/10/2008 19:48 QTTask .exe.vir 638 KB
Trojan horse Downloader.Agent.WPG C:\QooBox\Quarantine\C\Program Files\Router\Router .exe.vir 1/10/2008 19:48 Router .exe.vir 134.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\Router\Router.exe.vir 1/10/2008 19:48 Router.exe.vir 466 KB
Trojan horse Downloader.Generic6.AASG C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir 1/10/2008 19:48 UnInstall.exe.vir 10.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\Program Files\SpywareBot\SpywareBot.exe.vir 1/10/2008 19:48 SpywareBot.exe.vir 6.45 MB
Trojan horse Agent.MFK C:\QooBox\Quarantine\C\Program Files\Temporary\wininstall.exe.vir 1/10/2008 19:48 wininstall.exe.vir 46 KB
Trojan horse Generic9.AHRD C:\QooBox\Quarantine\C\VundoFix Backups\cbxxxxx.dll.bad.vir 1/10/2008 19:48 cbxxxxx.dll.bad.vir 39.5 KB
Virus found Lop C:\QooBox\Quarantine\C\VundoFix Backups\eqcyjdbv.dll.bad.vir 1/10/2008 19:48 eqcyjdbv.dll.bad.vir 77 KB
Virus found Lop C:\QooBox\Quarantine\C\VundoFix Backups\kuvrleyx.dll.bad.vir 1/10/2008 19:48 kuvrleyx.dll.bad.vir 88 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\VundoFix Backups\mrofinu11.exe.bad.vir 1/10/2008 19:48 mrofinu11.exe.bad.vir 371.5 KB
Virus found Lop C:\QooBox\Quarantine\C\VundoFix Backups\nvixycow.dll.bad.vir 1/10/2008 19:49 nvixycow.dll.bad.vir 77 KB
Virus found Lop C:\QooBox\Quarantine\C\VundoFix Backups\ogurxwit.dll.bad.vir 1/10/2008 19:49 ogurxwit.dll.bad.vir 88 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\VundoFix Backups\vtuts.exe.bad.vir 1/10/2008 19:49 vtuts.exe.bad.vir 331.5 KB
Trojan horse Downloader.Small.60.L C:\QooBox\Quarantine\C\WINDOWS\b148.exe.vir 1/10/2008 19:49 b148.exe.vir 287 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\mrofinu11.exe.tmp.vir 1/10/2008 19:49 mrofinu11.exe.tmp.vir 371.5 KB
Trojan horse Generic9.AHRD C:\QooBox\Quarantine\C\WINDOWS\system32\cbxxxxx.dll.vir 1/10/2008 19:49 cbxxxxx.dll.vir 39.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX21.tmp.vir 1/10/2008 19:49 RCX21.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX22.tmp.vir 1/10/2008 19:49 RCX22.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX24.tmp.vir 1/10/2008 19:49 RCX24.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2A.tmp.vir 1/10/2008 19:49 RCX2A.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2C.tmp.vir 1/10/2008 19:49 RCX2C.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2D.tmp.vir 1/10/2008 19:49 RCX2D.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2E.tmp.vir 1/10/2008 19:49 RCX2E.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX37.tmp.vir 1/10/2008 19:49 RCX37.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3F.tmp.vir 1/10/2008 19:49 RCX3F.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\RCX47.tmp.vir 1/10/2008 19:49 RCX47.tmp.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\QooBox\Quarantine\C\WINDOWS\system32\vtuts.exe.vir 1/10/2008 19:49 vtuts.exe.vir 331.5 KB
Trojan horse Dropper.Agent.GIT C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe 1/10/2008 19:49 msmsgs.exe 2.1 MB

===========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:10 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\MarkB\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7056 bytes
Attached Files
File Type: txt combofixlog.txt (14.8 KB, 1 views)
File Type: txt hijackthis.txt (6.9 KB, 1 views)
File Type: txt avg.txt (10.1 KB, 1 views)

Last edited by TheBruce1; 01-11-2008 at 06:35 AM.
Gibgab is offline  
Old 01-11-2008, 06:51 AM   #14 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Uninstall then reinstall Quicktime as it is infected.

----------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe

If it resists boot into safe mode and delete there.

------------------------------

How to boot into safe mode

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

================================

No Firewall Onboard

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

==================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==================================
Log Required
Hijackthis log

Also an update on how your system is behaving.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Old 01-11-2008, 02:35 PM   #15 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Bruce, I did the Quicktime jettison and reinsertion....
C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe did not exist. Nothing done.
Installed Zone Alarm per your instructions.
I am not sure when it occurred but the hourglass is gone and Ping.exe
is not sucking up CPU time as before. The only thing happening at the moment
that started happening after the attack is my CD drive opens upon boot up.
Other than that all is looking good.
MarkB


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:42 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\MarkB\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7378 bytes
Gibgab is offline  
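As an added example (not code from this thread or from HijackThis), a small Python script that parses two HijackThis logs of the shape posted above, diffs them, and flags entries a reviewer would want to look at; the excerpts are constructed from lines like those in the two logs, and the heuristics (a space before the extension, as in the first log's `QTTask .exe`; paths under Temp or $NtUninstall folders, where AVG found msmsgs.exe; services with no publisher) are assumptions of this example, not HijackThis rules.

```python
import re

# Constructed excerpts shaped like the two logs in the thread (before and after
# cleanup). The $NtUninstall line sits among the processes only to exercise the
# check; on the page that path appears in the AVG quarantine list, not in HJT.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

HJT_ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
# Review heuristics (assumptions of this example, not HijackThis rules).
SPACE_BEFORE_EXT = re.compile(r"\s\.(?:exe|dll)$", re.IGNORECASE)
ODD_DIRS = re.compile(r"\\(\$NtUninstall[^\\]*\$|Temp|Temporary)\\", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and Rn/On entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False        # blank line ends the process list
        else:
            m = HJT_ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def flag_anomalies(log):
    """Return (section, line, reason) for entries a log reviewer should check."""
    findings = []
    items = [("proc", p) for p in log["processes"]] + log["entries"]
    for section, body in items:
        for path in WIN_PATH.findall(body):
            if SPACE_BEFORE_EXT.search(path):
                findings.append((section, body, "space before extension"))
            if ODD_DIRS.search(path):
                findings.append((section, body, "runs from temp/uninstall dir"))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, body, "service with no publisher"))
    return findings


def diff_logs(before, after):
    """(removed, added): processes and entries that changed between two logs."""
    b = set(before["entries"]) | {("proc", p) for p in before["processes"]}
    a = set(after["entries"]) | {("proc", p) for p in after["processes"]}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for section, body, why in flag_anomalies(before):
        print(f"[{why}] {section}: {body}")
    removed, added = diff_logs(before, after)
    print("gone:", *removed, sep="\n  ")
    print("new: ", *added, sep="\n  ")
```

"Unknown owner" is a prompt to verify the binary, not a verdict: the ATI Smart service is present in both the before and after logs the moderator passed as clean.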
Old 01-11-2008, 03:38 PM   #16 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Good job.

As to your CD drive opening on boot up, as this issue does not appear to be malware related and our focus in this section is malware removal, you would be better served discussing your issues in the Windows XP section of this forum. Please let them know you've been cleared by the HijackThis Log Help section.

==================

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

===================

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on Delete Temp Files & Cookies buttons.


Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.

===========================

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D
Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading and extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.

Last edited by TheBruce1; 01-11-2008 at 03:40 PM.
TheBruce1 is offline  
Old 01-11-2008, 06:05 PM   #17 (permalink)
Registered User
 
Join Date: Jan 2008
Location: San Antonio
Posts: 10
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Thanks Bruce1, all tasks complete and looking good here.
Stay safe, alert, and healthy.
Donation on the way.

MarkB
Gibgab is offline  
Old 01-12-2008, 12:22 PM   #18 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: I cannot get rid of Ping.exe - Vundo?

Thank you for your donation and safe surfing
TheBruce1 is offline  
Copyright 2001 - 2009, Tech Support Forum