#1 (permalink)
Registered User
Join Date: Jul 2007
Posts: 12
OS: WinXP
Trojan.Vundo found, occasional pop-ups
A few days ago Norton AntiVirus started flashing that it had found a Trojan.Vundo in my temp. internet files. I've tried to remove it with the Vundo removal tool that Norton supplies, but it hasn't worked. So far the only malicious effect I've noticed is that pop-ups appear randomly about once an hour. Here's the DSS scan:
Deckard's System Scanner v20071014.68
Run by Eric Reese on 2008-01-18 14:44:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
39: 2008-01-18 19:44:09 UTC - RP226 - Deckard's System Scanner Restore Point
38: 2008-01-18 17:18:18 UTC - RP225 - Last known good configuration
37: 2008-01-18 17:18:10 UTC - RP224 - Last known good configuration
36: 2008-01-18 17:18:10 UTC - RP223 - Last known good configuration
35: 2008-01-18 17:18:10 UTC - RP222 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-01-18 17:18:06 UTC - RP188 - System Checkpoint

Performed disk cleanup.

System Drive C: has 10.57 GiB (less than 15%) free.

-- HijackThis (run as Eric Reese.exe) ------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-18 14:48:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric Reese\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Eric Reese.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {494A104E-6BC7-4FCA-96F6-145B559CB67E} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {FFF29BE4-24AC-4E31-B99B-45238B764111} - C:\WINDOWS\system32\opnnkih.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C2124C8-D221-47F9-BF6A-5E341F69D545}: NameServer = 68.87.75.194,68.87.64.146
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: opnnkih - C:\WINDOWS\system32\opnnkih.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j1211032.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

-- End of file - 13669 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SDbgMsg - c:\windows\system32\drivers\sdbgmsg.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
R0 SyserBoot - c:\windows\system32\drivers\sysboot.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
R0 SyserLanguage - c:\windows\system32\drivers\syslang.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
S0 nmfilter (DriverStudio Device Filter) - c:\windows\system32\drivers\nmfilter.sys (file missing)
S2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys (file missing)
S2 pciinfo (HP Pci Information) - c:\docume~1\ericre~1\locals~1\temp\hpispz\hpdom\pciinfo.sys (file missing)
S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 catchme - c:\docume~1\ericre~1\locals~1\temp\catchme.sys (file missing)
S3 DADriv1 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\da engine\dak32.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 gel90xne - c:\docume~1\ericre~1\locals~1\temp\gel90xne.sys (file missing)
S3 IlvMoneyDRIVER53 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\moonlight\ilvmoney1105.sys (file missing)
S3 puma1 - c:\documents and settings\eric reese\desktop\things i use\puma engine + [2].ct\puma.sys (file missing)
S3 Revolution1 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\rev engine\shak3.sys (file missing)
S3 Sex1 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\sex engine\sex.sys (file missing)
S3 SoRa1 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\sora engine 2.3\sora23.sys (file missing)
S3 sora121 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\sora engine2.90\sora12.sys (file missing)
S3 SPCommand (SPCommand.sys) - c:\windows\system32\drivers\plugin\i386\spcommand.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
S3 spuce1 - c:\documents and settings\eric reese\desktop\things i use\cheat engines\spuc3 engine\spuce.sys (file missing)
S3 Syser - c:\windows\system32\drivers\syser.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S2 DNSCacheReader (dns cache reader) - c:\windows\system32\j1211032.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Printer Port
Device ID: ROOT\PORTS\0000
Manufacturer: (Standard port types)
Name: Printer Port (LPT3)
PNP Device ID: ROOT\PORTS\0000
Service: Parport

-- Scheduled Tasks -------------------------------------------------------------

2008-01-16 20:02:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-11 16:13:13 418 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job

-- Files created between 2007-12-18 and 2008-01-18 -----------------------------

2008-01-18 14:45:24 0 d-------- C:\Program Files\Trend Micro
2008-01-18 12:45:19 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-18 12:42:23 8576 --a------ C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 12:25:02 0 d-------- C:\WINDOWS\LastGood
2008-01-18 12:08:08 327464 --a------ C:\WINDOWS\system32\mljge.dll
2008-01-17 23:46:13 86592 --a------ C:\WINDOWS\system32\jtpeadgh.dll
2008-01-17 23:40:14 217874 ---hs---- C:\WINDOWS\system32\kjkkj.bak2
2008-01-17 21:22:50 6522 ---hs---- C:\WINDOWS\system32\kjkkj.bak1
2008-01-17 21:22:13 327744 --a------ C:\WINDOWS\system32\jkkjk.dll
2008-01-17 19:47:52 327464 --a------ C:\WINDOWS\system32\jkklm.dll
2008-01-17 19:24:41 327464 --a------ C:\WINDOWS\system32\mljgg.dll
2008-01-17 18:23:55 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-01-17 10:30:29 0 d-------- C:\Program Files\Web Publish
2008-01-17 10:17:44 140048 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:44 135168 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:44 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-01-17 10:17:44 42496 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:44 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-01-17 10:17:39 147456 --a------ C:\WINDOWS\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-01-17 10:17:39 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-01-17 10:17:39 207872 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 73728 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft JDBC Bridge>
2008-01-17 10:17:39 843024 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 155920 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 14848 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 361744 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 32528 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:39 154112 --a------ C:\WINDOWS\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:38 209168 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:38 44544 --a------ C:\WINDOWS\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-17 10:17:37 103424 --a------ C:\WINDOWS\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft (R) CAB File Extract Utility>
2008-01-17 10:15:18 0 d-------- C:\Program Files\Common Files\SourceTec
2008-01-17 10:15:17 0 d-------- C:\Program Files\SourceTec
2008-01-17 09:15:12 327464 --a------ C:\WINDOWS\system32\mljgf.dll
2008-01-17 08:15:12 327464 --a------ C:\WINDOWS\system32\ssttr.dll
2008-01-17 07:15:10 327464 --a------ C:\WINDOWS\system32\ddcyv.dll
2008-01-17 05:15:08 327464 --a------ C:\WINDOWS\system32\pmnnn.dll
2008-01-17 04:15:08 327464 --a------ C:\WINDOWS\system32\sstts.dll
2008-01-16 23:15:10 326204 --a------ C:\WINDOWS\system32\vtutu.dll
2008-01-16 23:03:42 0 dr-h----- C:\Documents and Settings\Eric Reese\Recent
2008-01-16 22:43:09 327464 --a------ C:\WINDOWS\system32\geebb.dll
2008-01-16 19:55:36 327464 --a------ C:\WINDOWS\system32\vtstr.dll
2008-01-16 17:07:09 327464 --a------ C:\WINDOWS\system32\vturp.dll
2008-01-16 16:22:03 327464 --a------ C:\WINDOWS\system32\awtqq.dll
2008-01-16 16:17:00 40448 --a------ C:\WINDOWS\system32\opnnkih.dll
2008-01-15 23:30:06 933888 --a------ C:\WINDOWS\system32\drivers\Wisp.dat
2008-01-15 23:30:06 401408 --a------ C:\WINDOWS\system32\drivers\Syser.dat
2008-01-15 23:30:05 869376 --a------ C:\WINDOWS\system32\drivers\SysLang.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
2008-01-15 23:30:05 1229056 --a------ C:\WINDOWS\system32\drivers\Syser.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
2008-01-15 23:30:05 23936 --a------ C:\WINDOWS\system32\drivers\SysBoot.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
2008-01-15 23:30:05 11520 --a------ C:\WINDOWS\system32\drivers\SDbgMsg.sys <Not Verified; Syser Software Corporation; Syser Kernel Debugger for Windows>
2008-01-15 23:30:05 0 d-------- C:\WINDOWS\system32\drivers\plugin
2008-01-15 23:30:04 0 d-------- C:\Program Files\Syser
2008-01-15 21:50:50 0 d-------- C:\Program Files\NuMega
2008-01-15 18:03:12 0 d-------- C:\Program Files\Chaos SD
2008-01-14 23:20:19 0 d-------- C:\Program Files\Ventrilo
2008-01-14 23:18:34 0 d-------- C:\Program Files\VentSrv
2008-01-13 22:32:13 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\Secret of the Solstice
2008-01-13 20:25:09 1970176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-01-13 20:25:09 679936 --a------ C:\WINDOWS\system32\D3DX81ab.dll <Not Verified; Generated by JEDI; D3DX81>
2008-01-13 17:51:04 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-13 17:50:43 0 d-------- C:\Program Files\Canon
2008-01-13 17:46:56 0 d-------- C:\Program Files\Common Files\Canon

-- Find3M Report ---------------------------------------------------------------

2008-01-18 14:03:52 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-18 13:46:44 0 d-------- C:\Program Files\iTunes
2008-01-18 13:43:51 0 d-------- C:\Program Files\Google
2008-01-18 13:43:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-18 13:41:59 0 d-------- C:\Program Files\Common Files\LightScribe
2008-01-18 13:40:30 0 d-------- C:\Program Files\Bonjour
2008-01-18 13:40:11 0 d-------- C:\Program Files\AIM6
2008-01-17 22:19:33 0 d-------- C:\Program Files\Warcraft III
2008-01-17 13:09:00 0 d-------- C:\Program Files\Norton Security Scan
2008-01-17 11:21:23 0 d-------- C:\Program Files\SealOnlineUSA
2008-01-17 10:30:47 0 d-------- C:\Program Files\Common Files
2008-01-17 10:01:09 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\uTorrent
2008-01-16 23:00:40 0 d-------- C:\Program Files\SpywareBlaster
2008-01-16 20:43:59 0 d-------- C:\Program Files\Torrent Episode Downloader
2008-01-16 17:21:52 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\Viewpoint
2008-01-16 17:21:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 23:21:02 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\Ventrilo
2008-01-13 22:16:44 0 d-------- C:\Program Files\Outspark
2007-12-13 22:29:01 0 d-------- C:\Program Files\Cheat Engine
2007-12-08 04:12:44 0 d-------- C:\Program Files\DivX
2007-12-03 20:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 17:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 17:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 17:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 16:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-26 00:49:06 0 d-------- C:\Program Files\MSBuild
2007-11-26 00:28:46 0 d-------- C:\Program Files\Common Files\Real
2007-11-26 00:28:34 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\Real
2007-11-25 18:22:36 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\GetRightToGo
2007-11-22 00:21:54 0 d-------- C:\Program Files\iPod
2007-11-22 00:19:18 0 d-------- C:\Program Files\QuickTime
2007-11-21 01:19:02 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\AdobeUM
2007-11-21 00:16:11 65536 --a------ C:\WINDOWS\IFinst27.exe
2007-11-20 13:46:44 0 d-------- C:\Documents and Settings\Eric Reese\Application Data\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{494A104E-6BC7-4FCA-96F6-145B559CB67E}]
01/17/2008 09:22 PM 327744 --a------ C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFF29BE4-24AC-4E31-B99B-45238B764111}]
01/16/2008 04:17 PM 40448 --a------ C:\WINDOWS\system32\opnnkih.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 12:18 PM]
"nwiz"="nwiz.exe" [04/15/2006 01:26 PM C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [04/18/2006 06:29 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/04/2006 12:46 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/11/2006 11:54 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/15/2005 10:18 AM]
"@"="" []
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [03/20/2006 05:34 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/20/2006 05:34 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [03/06/2007 10:28 AM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/22/2006 10:03 AM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/24/2006 04:14 PM]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [06/15/2006 12:40 AM]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [03/20/2006 05:34 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [11/14/2007 11:43 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/15/2006 01:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/08/2007 11:04 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 10:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

C:\Documents and Settings\Eric Reese\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 11:04:08 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [12/15/2005 10:40:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [9/24/2005 12:39:30 PM]
VPN Client.lnk - C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [4/20/2007 3:00:09 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FFF29BE4-24AC-4E31-B99B-45238B764111}"= C:\WINDOWS\system32\opnnkih.dll [01/16/2008 04:17 PM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkih]
opnnkih.dll 01/16/2008 04:17 PM 40448 C:\WINDOWS\system32\opnnkih.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - QMPJAYHDEBJT

-- End of Deckard's System Scanner: finished at 2008-01-18 14:49:04 ------------

And the Panda Scan:

Incident Status Location
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\looklook.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\looksv.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\lookwin.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\monagent.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\monwin.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\powersyn.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\server16.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\sv32.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\svmon.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\synagent.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\syshost.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\syssyn.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\ERICRE~1\LOCALS~1\Temp\winwin.exe
Virus:Generic Malware Disinfected C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\HGStart9USA.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Eric Reese\Application Data\Mozilla\Firefox\Profiles\u81vzcq5.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Eric Reese\Cookies\eric_reese@advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Eric Reese\Cookies\eric_reese@advertising[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eric Reese\Cookies\eric_reese@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eric Reese\Cookies\eric_reese@atwola[3].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I never use\ComboFix.exe[nircmd.exe]
Hacktool:Sniffer/WpePro Not disinfected C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\wpe_pro_undectable_326\WpeSpy.dll
Hacktool:Sniffer/WpePro Not disinfected C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\wpe_pro_undectable_326\WPE_PRO.exe
Hacktool:Sniffer/WpePro Not disinfected C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\wpe_pro_undectable_326\wpe_pro_undectable_326.zip[WPE_PRO.exe]
Hacktool:Sniffer/WpePro Not disinfected C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\wpe_pro_undectable_326\wpe_pro_undectable_326.zip[WpeSpy.dll]
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
Virus:Generic Trojan
Disinfected C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe Virus:Generic Trojan Disinfected C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi[unk_0029] Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Thanks in advance for helping me out!
#2
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Re: Trojan.Vundo found, occasional pop-ups
Hi ejr5033
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

=================

Download ComboFix (alternate link: ComboFix) and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**

===============================================

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

===============================================

Double click on combofix.exe & follow the prompts.
Do not mouseclick combofix's window while it's running. That may cause it to stall.

=================

Please run a scan with HiJackThis and save the log. If the icon for it isn't on your desktop it can be found here: C:\Program Files\Trend Micro\HijackThis\Eric Reese.exe

=================

In your next post, please include fresh logs from:
#3
Registered User
Join Date: Jul 2007
Posts: 12
OS: WinXP
Re: Trojan.Vundo found, occasional pop-ups
Here's my ComboFix log:
ComboFix 08-01-20.1 - Eric Reese 2008-01-20 13:54:55.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1377 [GMT -5:00] Running from: C:\Documents and Settings\Eric Reese\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\awtqq.dll C:\WINDOWS\system32\awumclfa.dll C:\WINDOWS\system32\ddcyv.dll C:\WINDOWS\system32\gebcb.dll C:\WINDOWS\system32\geebb.dll C:\WINDOWS\system32\gnocvppq.ini C:\WINDOWS\system32\hgdaeptj.ini C:\WINDOWS\system32\jkhfd.dll C:\WINDOWS\system32\jkkjk.dll C:\WINDOWS\system32\jtpeadgh.dll C:\WINDOWS\system32\kjkkj.bak1 C:\WINDOWS\system32\kjkkj.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mljge.dll C:\WINDOWS\system32\mljgf.dll C:\WINDOWS\system32\mljgg.dll C:\WINDOWS\system32\opnnkih.dll C:\WINDOWS\system32\pmnnn.dll C:\WINDOWS\system32\qppvcong.dll D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DNSCACHEREADER -------\DNSCacheReader ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 ))))))))))))))))))))))))))))))) . 2008-01-19 16:34 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe 2008-01-19 16:34 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe 2008-01-19 16:34 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe 2008-01-19 11:48 . 2008-01-19 16:42 1,073,352 --ahs---- C:\WINDOWS\system32\fgdmkprr.ini 2008-01-18 14:45 . 2008-01-18 14:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-18 12:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-18 12:42 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys 2008-01-17 10:32 . 2008-01-17 10:32 126 --a------ C:\WINDOWS\mdm.ini 2008-01-17 10:30 . 
2008-01-17 10:30 <DIR> d-------- C:\Program Files\Web Publish 2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\SourceTec 2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\Common Files\SourceTec 2008-01-17 08:15 . 2008-01-17 08:15 327,464 --a------ C:\WINDOWS\system32\ssttr.dll_tobedeleted_old 2008-01-17 04:15 . 2008-01-17 04:15 327,464 --a------ C:\WINDOWS\system32\sstts.dll_tobedeleted_old 2008-01-16 00:02 . 2008-01-17 23:08 253 --a------ C:\WINDOWS\w32demo8.ini 2008-01-15 23:34 . 2008-01-15 23:34 604 --a------ C:\WINDOWS\system32\drivers\Syser.cfg 2008-01-15 23:34 . 2008-01-15 23:34 541 --a------ C:\WINDOWS\system32\drivers\ModExSym.lst 2008-01-15 23:34 . 2008-01-15 23:34 184 --a------ C:\WINDOWS\system32\drivers\SyserColor.cfg 2008-01-15 23:30 . 2008-01-15 23:30 <DIR> d-------- C:\WINDOWS\system32\drivers\plugin 2008-01-15 23:30 . 2008-01-17 12:19 <DIR> d-------- C:\Program Files\Syser 2008-01-15 23:30 . 2007-11-15 07:20 1,229,056 --a------ C:\WINDOWS\system32\drivers\Syser.sys 2008-01-15 23:30 . 2007-07-02 12:15 933,888 --a------ C:\WINDOWS\system32\drivers\Wisp.dat 2008-01-15 23:30 . 2007-11-15 07:18 869,376 --a------ C:\WINDOWS\system32\drivers\SysLang.sys 2008-01-15 23:30 . 2007-06-28 21:49 401,408 --a------ C:\WINDOWS\system32\drivers\Syser.dat 2008-01-15 23:30 . 2007-06-28 21:49 297,121 --a------ C:\WINDOWS\system32\drivers\APIDef.lib 2008-01-15 23:30 . 2007-11-15 07:18 23,936 --a------ C:\WINDOWS\system32\drivers\SysBoot.sys 2008-01-15 23:30 . 2007-11-15 07:18 11,520 --a------ C:\WINDOWS\system32\drivers\SDbgMsg.sys 2008-01-15 21:50 . 2008-01-15 21:50 <DIR> d-------- C:\Program Files\NuMega 2008-01-15 18:03 . 2008-01-15 18:05 <DIR> d-------- C:\Program Files\Chaos SD 2008-01-15 10:37 . 2008-01-17 12:38 321 --a------ C:\WINDOWS\WPE_PRO.INI 2008-01-14 23:20 . 2008-01-14 23:20 <DIR> d-------- C:\Program Files\Ventrilo 2008-01-14 23:18 . 2008-01-16 17:21 <DIR> d-------- C:\Program Files\VentSrv 2008-01-14 14:59 . 
2008-01-14 16:44 321 --a------ C:\WINDOWS\WPE PRO.INI 2008-01-13 22:32 . 2008-01-13 22:32 <DIR> d-------- C:\Documents and Settings\Eric Reese\Application Data\Secret of the Solstice 2008-01-13 20:25 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll 2008-01-13 20:25 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll 2008-01-13 17:51 . 2008-01-13 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2008-01-13 17:50 . 2008-01-13 17:51 <DIR> d-------- C:\Program Files\Canon 2008-01-13 17:46 . 2008-01-13 17:46 <DIR> d-------- C:\Program Files\Common Files\Canon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-20 19:01 --------- d-----w C:\Program Files\Symantec AntiVirus 2008-01-18 20:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-01-18 18:46 --------- d-----w C:\Program Files\iTunes 2008-01-18 18:43 --------- d-----w C:\Program Files\Google 2008-01-18 18:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-18 18:41 --------- d-----w C:\Program Files\Common Files\LightScribe 2008-01-18 18:40 --------- d-----w C:\Program Files\Bonjour 2008-01-18 18:40 --------- d-----w C:\Program Files\AIM6 2008-01-18 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-18 03:19 --------- d-----w C:\Program Files\Warcraft III 2008-01-17 16:21 --------- d-----w C:\Program Files\SealOnlineUSA 2008-01-17 15:01 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\uTorrent 2008-01-17 04:00 --------- d-----w C:\Program Files\SpywareBlaster 2008-01-17 01:43 --------- d-----w C:\Program Files\Torrent Episode Downloader 2008-01-16 22:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-16 22:21 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\Viewpoint 2008-01-15 04:21 --------- d-----w 
C:\Documents and Settings\Eric Reese\Application Data\Ventrilo 2008-01-14 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark 2008-01-14 03:16 --------- d-----w C:\Program Files\Outspark 2007-12-14 03:29 --------- d-----w C:\Program Files\Cheat Engine 2007-12-13 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-12-08 09:12 --------- d-----w C:\Program Files\DivX 2007-11-26 05:49 --------- d-----w C:\Program Files\MSBuild 2007-11-26 05:28 --------- d-----w C:\Program Files\Common Files\Real 2007-11-25 23:22 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\GetRightToGo 2007-11-22 05:21 --------- d-----w C:\Program Files\iPod 2007-11-22 05:19 --------- d-----w C:\Program Files\QuickTime 2007-11-21 06:19 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\AdobeUM 2007-11-21 05:16 65,536 ----a-w C:\WINDOWS\IFinst27.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3C68DE-CB59-4921-8C79-0E828DAAFE3B}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D785E699-0B52-41EB-954C-0C5AE809A6B8}] C:\WINDOWS\system32\jkhfd.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFF29BE4-24AC-4E31-B99B-45238B764111}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 11:04 68856] "Aim6"="" [] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496] "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 12:18 472776] "nwiz"="nwiz.exe" [2006-04-15 13:26 1519616 C:\WINDOWS\system32\nwiz.exe] "MsmqIntCert"="regsvr32 /s mqrt.dll" [] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 06:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 00:46 761948] "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152] "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:34 86960] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" 
[2007-03-06 10:28 180224] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 10:03 40960] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408] "vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656] "SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" [ ] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 13:26 7561216] C:\Documents and Settings\Eric Reese\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664] ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 11:04:08 38912] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624] HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 12:39:30 73728] VPN Client.lnk - C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-04-20 15:00:09 6144] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkih] R0 SDbgMsg;SDbgMsg;C:\WINDOWS\system32\drivers\SDbgMsg.sys [2007-11-15 07:18] R0 
SyserBoot;SyserBoot;C:\WINDOWS\system32\drivers\SysBoot.sys [2007-11-15 07:18] R0 SyserLanguage;SyserLanguage;C:\WINDOWS\system32\drivers\SysLang.sys [2007-11-15 07:18] R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 13:05] R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 13:05] S0 nmfilter;DriverStudio Device Filter;C:\WINDOWS\system32\DRIVERS\nmfilter.sys [] S2 pciinfo;HP Pci Information;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [] S3 DADriv1;DADriv1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\DAEngine\DAK32.sys [2007-07-12 16:55] S3 gel90xne;gel90xne;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\gel90xne.sys [] S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Moonlight\IlvMoney1105.sys [] S3 puma1;puma1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Puma Engine + [2].CT\puma.sys [] S3 Revolution1;Revolution1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\Rev Engine\SHAK3.sys [2007-07-01 22:26] S3 Sex1;Sex1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Sex Engine\Sex.sys [] S3 SoRa1;SoRa1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\SoRa Engine 2.3\SoRa23.sys [2007-07-20 12:39] S3 sora121;sora121;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\SoRa Engine2.90\sora12.sys [] S3 SPCommand;SPCommand.sys;C:\WINDOWS\system32\drivers\Plugin\i386\SPCommand.sys [2007-11-15 07:19] S3 spuce1;spuce1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Spuc3 Engine\spuce.sys [] S3 Syser;Syser;C:\WINDOWS\system32\drivers\Syser.sys [2007-11-15 07:20] . 
Contents of the 'Scheduled Tasks' folder "2008-01-17 01:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-01-18 20:00:56 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-20 14:04:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xL??????(?@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** "ImagePath"="\??\C:\Documents and Settings\Eric Reese\Desktop\Things I use\Puma Engine + [2].CT\puma.sys" . Completion time: 2008-01-20 14:10:18 - machine was rebooted [Eric Reese] ComboFix-quarantined-files.txt 2008-01-20 19:10:13 ComboFix2.txt 2008-01-18 00:46:59 ComboFix3.txt 2007-07-16 16:26:10 . 
2008-01-19 21:35:03 --- E O F --- And here's my hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:15:56 PM, on 1/20/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe c:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe c:\Program 
Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\mdm.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll O2 - BHO: (no name) - 
{D785E699-0B52-41EB-954C-0C5AE809A6B8} - C:\WINDOWS\system32\jkhfd.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [swg] C:\Program 
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user') O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: VPN Client.lnk = ? 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - 
http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2124C8-D221-47F9-BF6A-5E341F69D545}: NameServer = 68.87.75.194,68.87.64.146 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. 
- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 12521 bytes |
#4
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Re: Trojan.Vundo found, occasional pop-ups
Hi ejr5033
Before we go any further I would like you to do the following: Quote:
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
Last edited by alba; 01-20-2008 at 11:49 PM.
#5
Registered User
Join Date: Jul 2007
Posts: 12
OS: WinXP
Re: Trojan.Vundo found, occasional pop-ups
This is the CF-RC.txt log
Code:
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /noguiboot
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
#7
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Re: Trojan.Vundo found, occasional pop-ups
Hi ejr5033
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
You should delete this C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\wpe_pro_undectable_326 folder because of these findings with your Panda Scan. Quote:
===============================================
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
===============================================
Open Notepad and carefully copy/paste all the text in the code box below into it: Code:
File::
C:\WINDOWS\system32\fgdmkprr.ini
C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys
C:\WINDOWS\system32\ssttr.dll_tobedeleted_old
C:\WINDOWS\system32\sstts.dll_tobedeleted_old
C:\WINDOWS\IFinst27.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3C68DE-CB59-4921-8C79-0E828DAAFE3B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D785E699-0B52-41EB-954C-0C5AE809A6B8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFF29BE4-24AC-4E31-B99B-45238B764111}]
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
========================================
I see you have CCleaner installed.
1. Open the program and the "Cleaner" button should be active. (update if required)
2. Click on "Run Cleaner"
3. Once that's done it will clean out the TEMP folder.
4. Click on Applications tab and Click on "Run Cleaner"
5. Now click on "Registry" and then "Scan for Issues"
6. Once it's done checkmark ALL it finds and click "Fix Selected Issues"
7. It will ask you if you want to back up the registry entries it's removing, so please do so. If it removes anything important, just locate the .reg file you saved and double click on it to add the entries back.
Close the program.
=========================
ESET Online Scanner
Please go to the following link: ESET Online Scanner Link
Tick the box YES, I accept the Terms Of Use
Click the Start button
Now click the Install button
Click Start
The scanner engine will initialise and update
Do Not tick the box Remove found threats
Click the Scan button
The scan will now run, please be patient
When the scan finishes click the Details tab
Copy and paste the contents of the %ProgramFiles%\EsetOnlineScanner\log.txt back here.
===========================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
===============================================
From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
=================
Please reboot your computer.
Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
=================
Please run a scan with HijackThis and save the log.
=================
In your next post, please include fresh logs from:
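The Registry:: lines in the script above correspond to the HijackThis O2 entries whose DLL is reported as (no file), and the O20 Winlogon Notify entry that points at a bare directory rather than a DLL is the other loading point a helper would verify before it is cleared. The following Python script is an added example for this thread; it is not code from HijackThis, ComboFix or the forum. It parses a few constructed HijackThis lines of that shape (modelled on the entries quoted in the thread, plus one made-up healthy O20 line as a negative case), flags the orphaned BHOs and the suspicious Winlogon Notify subkey, and renders the matching ComboFix Registry:: deletion lines. All function names are this example's own, and the `\~\` shorthand in the key path is reproduced exactly as the thread's script writes it.

```python
"""Triage of HijackThis O2/O20 lines into ComboFix 'Registry::' deletions.

Added example for this thread; it is not code from HijackThis, ComboFix or
the forum. The sample log lines are constructed to match the shape of the
entries quoted in the thread, and every function name is this example's own.
"""
import re

# Constructed sample input: a few O2 (BHO) and O20 (Winlogon Notify) lines in
# HijackThis's format. The "(no file)" entries and the bare-directory O20 entry
# mirror the ones that appear in the thread's log; the last line is a made-up
# healthy entry so the checks have a negative case.
SAMPLE_HJT_LINES = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file)",
    "O2 - BHO: (no name) - {D785E699-0B52-41EB-954C-0C5AE809A6B8} - (no file)",
    "O2 - BHO: (no name) - {FFF29BE4-24AC-4E31-B99B-45238B764111} - (no file)",
    "O20 - Winlogon Notify: opnnkih - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: ExampleNotify - C:\\WINDOWS\\system32\\example_notify.dll",  # constructed, healthy
]

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.*)$"
)
# O20 lines: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<target>.*)$")


def parse_bho(line):
    """Return {'name', 'clsid', 'target'} for an O2 line, or None for any other line."""
    m = BHO_RE.match(line.strip())
    return m.groupdict() if m else None


def orphaned_bhos(lines):
    """CLSIDs of BHO registrations whose DLL HijackThis reports as "(no file)".

    The registration alone loads nothing, but it is the leftover of a DLL that
    was present earlier, which is why the analyst clears the registrations too.
    """
    found = []
    for line in lines:
        entry = parse_bho(line)
        if entry and entry["target"].strip().lower() == "(no file)":
            found.append(entry["clsid"])
    return found


def suspicious_winlogon_notify(lines):
    """Winlogon Notify subkeys whose target is not a .dll (e.g. a bare directory)."""
    flagged = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m and not m.group("target").strip().lower().endswith(".dll"):
            flagged.append(m.group("subkey"))
    return flagged


def combofix_registry_section(clsids):
    """Render the 'Registry::' block that deletes the given BHO registrations.

    The '\\~\\' shorthand in the key path is reproduced exactly as the thread's
    script writes it; '[-KEY]' is the notation the thread's script uses for a
    key deletion.
    """
    out = ["Registry::"]
    for clsid in clsids:
        out.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
    return "\n".join(out)


if __name__ == "__main__":
    orphans = orphaned_bhos(SAMPLE_HJT_LINES)
    print("orphaned BHOs:", orphans)
    print("suspicious Winlogon Notify:", suspicious_winlogon_notify(SAMPLE_HJT_LINES))
    print(combofix_registry_section(orphans))
```

Run against a saved HijackThis log by replacing SAMPLE_HJT_LINES with the file's lines; the point of keeping the parse and the rendering separate is that a reviewer can inspect the flagged CLSIDs before any deletion script is written.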
#8
Registered User
Join Date: Jul 2007
Posts: 12
OS: WinXP
Re: Trojan.Vundo found, occasional pop-ups
I am very sorry that it took so long to respond to this, but for some reason I didn't get the email saying that I had received a response. I'll make sure that I didn't accidentally lose my subscription to this thread.
Anyway, here's the ComboFix.txt: ComboFix 08-01-20.1 - Eric Reese 2008-01-24 14:47:23.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1369 [GMT -5:00] Running from: C:\Documents and Settings\Eric Reese\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Eric Reese\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\IFinst27.exe C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys C:\WINDOWS\system32\fgdmkprr.ini C:\WINDOWS\system32\ssttr.dll_tobedeleted_old C:\WINDOWS\system32\sstts.dll_tobedeleted_old . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\IFinst27.exe C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys C:\WINDOWS\system32\fgdmkprr.ini C:\WINDOWS\system32\ssttr.dll_tobedeleted_old C:\WINDOWS\system32\sstts.dll_tobedeleted_old . ((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 ))))))))))))))))))))))))))))))) . 2008-01-22 22:02 . 2008-01-22 22:02 <DIR> d-------- C:\Program Files\AutoMacroRecorder 2008-01-22 22:02 . 2008-01-22 22:02 109,440 --a------ C:\WINDOWS\system32\drivers\KbdCap.sys 2008-01-22 20:54 . 2004-02-23 00:00 150,528 --a------ C:\WINDOWS\system32\TLBINF32.DLL 2008-01-22 20:54 . 2004-09-02 09:56 102,912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL 2008-01-22 20:54 . 2005-02-01 03:46 20,480 --a------ C:\WINDOWS\system32\re324224.exe 2008-01-21 12:05 . 2008-01-21 12:05 <DIR> d-------- C:\Program Files\mIRC 2008-01-21 12:05 . 2008-01-21 12:19 <DIR> d-------- C:\Documents and Settings\Eric Reese\Application Data\mIRC 2008-01-21 03:22 . 2004-08-03 23:00 260,272 --a------ C:\cmldr 2008-01-21 03:22 . 2008-01-15 21:51 220 --a------ C:\Boot.bak 2008-01-19 16:34 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe 2008-01-19 16:34 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe 2008-01-19 16:34 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe 2008-01-18 14:45 . 
2008-01-18 14:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-18 12:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-17 10:32 . 2008-01-17 10:32 126 --a------ C:\WINDOWS\mdm.ini 2008-01-17 10:30 . 2008-01-17 10:30 <DIR> d-------- C:\Program Files\Web Publish 2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\SourceTec 2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\Common Files\SourceTec 2008-01-16 00:02 . 2008-01-17 23:08 253 --a------ C:\WINDOWS\w32demo8.ini 2008-01-15 23:34 . 2008-01-15 23:34 604 --a------ C:\WINDOWS\system32\drivers\Syser.cfg 2008-01-15 23:34 . 2008-01-15 23:34 541 --a------ C:\WINDOWS\system32\drivers\ModExSym.lst 2008-01-15 23:34 . 2008-01-15 23:34 184 --a------ C:\WINDOWS\system32\drivers\SyserColor.cfg 2008-01-15 23:30 . 2008-01-15 23:30 <DIR> d-------- C:\WINDOWS\system32\drivers\plugin 2008-01-15 23:30 . 2008-01-17 12:19 <DIR> d-------- C:\Program Files\Syser 2008-01-15 23:30 . 2007-11-15 07:20 1,229,056 --a------ C:\WINDOWS\system32\drivers\Syser.sys 2008-01-15 23:30 . 2007-07-02 12:15 933,888 --a------ C:\WINDOWS\system32\drivers\Wisp.dat 2008-01-15 23:30 . 2007-11-15 07:18 869,376 --a------ C:\WINDOWS\system32\drivers\SysLang.sys 2008-01-15 23:30 . 2007-06-28 21:49 401,408 --a------ C:\WINDOWS\system32\drivers\Syser.dat 2008-01-15 23:30 . 2007-06-28 21:49 297,121 --a------ C:\WINDOWS\system32\drivers\APIDef.lib 2008-01-15 23:30 . 2007-11-15 07:18 23,936 --a------ C:\WINDOWS\system32\drivers\SysBoot.sys 2008-01-15 23:30 . 2007-11-15 07:18 11,520 --a------ C:\WINDOWS\system32\drivers\SDbgMsg.sys 2008-01-15 21:50 . 2008-01-15 21:50 <DIR> d-------- C:\Program Files\NuMega 2008-01-15 18:03 . 2008-01-15 18:05 <DIR> d-------- C:\Program Files\Chaos SD 2008-01-15 10:37 . 2008-01-17 12:38 321 --a------ C:\WINDOWS\WPE_PRO.INI 2008-01-14 23:20 . 2008-01-14 23:20 <DIR> d-------- C:\Program Files\Ventrilo 2008-01-14 23:18 . 
2008-01-16 17:21 <DIR> d-------- C:\Program Files\VentSrv 2008-01-14 14:59 . 2008-01-14 16:44 321 --a------ C:\WINDOWS\WPE PRO.INI 2008-01-13 22:32 . 2008-01-13 22:32 <DIR> d-------- C:\Documents and Settings\Eric Reese\Application Data\Secret of the Solstice 2008-01-13 20:25 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll 2008-01-13 20:25 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll 2008-01-13 17:51 . 2008-01-13 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2008-01-13 17:50 . 2008-01-13 17:51 <DIR> d-------- C:\Program Files\Canon 2008-01-13 17:46 . 2008-01-13 17:46 <DIR> d-------- C:\Program Files\Common Files\Canon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-24 19:46 --------- d-----w C:\Program Files\Symantec AntiVirus 2008-01-22 01:28 --------- d-----w C:\Program Files\Warcraft III 2008-01-21 06:22 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\uTorrent 2008-01-21 00:11 --------- d-----w C:\Program Files\Outspark 2008-01-21 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark 2008-01-19 21:39 155,995 ----a-w C:\WINDOWS\java\Packages\6LBFPRTV.ZIP 2008-01-18 20:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-01-18 18:46 --------- d-----w C:\Program Files\iTunes 2008-01-18 18:43 --------- d-----w C:\Program Files\Google 2008-01-18 18:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-18 18:41 --------- d-----w C:\Program Files\Common Files\LightScribe 2008-01-18 18:40 --------- d-----w C:\Program Files\Bonjour 2008-01-18 18:40 --------- d-----w C:\Program Files\AIM6 2008-01-18 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-17 16:21 --------- d-----w C:\Program Files\SealOnlineUSA 2008-01-17 04:00 --------- d-----w C:\Program 
Files\SpywareBlaster 2008-01-17 01:43 --------- d-----w C:\Program Files\Torrent Episode Downloader 2008-01-16 22:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-16 22:21 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\Viewpoint 2008-01-15 04:21 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\Ventrilo 2007-12-14 03:29 --------- d-----w C:\Program Files\Cheat Engine 2007-12-13 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-12-08 09:12 --------- d-----w C:\Program Files\DivX 2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll 2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll 2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll 2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll 2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2007-11-26 05:49 --------- d-----w C:\Program Files\MSBuild 2007-11-26 05:28 --------- d-----w C:\Program Files\Common Files\Real 2007-11-25 23:22 --------- d-----w C:\Documents and Settings\Eric 
Reese\Application Data\GetRightToGo 2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll 2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll 2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys 2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll 2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll 2005-09-24 16:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll . ((((((((((((((((((((((((((((( snapshot@2008-01-20_14.10.01.28 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\ERDNT.EXE + 2008-01-20 22:50:28 8,536,064 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\Users\00000001\NTUSER.DAT + 2008-01-20 22:50:28 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\Users\00000002\UsrClass.dat + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\ERDNT.EXE + 2008-01-21 07:13:10 8,540,160 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\Users\00000001\NTUSER.DAT + 2008-01-21 07:13:11 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\Users\00000002\UsrClass.dat + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\ERDNT.EXE + 2008-01-22 16:14:31 8,540,160 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\Users\00000001\NTUSER.DAT + 2008-01-22 16:14:32 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\Users\00000002\UsrClass.dat + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\ERDNT.EXE + 2008-01-24 13:07:20 8,564,736 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\Users\00000001\NTUSER.DAT + 2008-01-24 13:07:20 249,856 ----a-w 
C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\Users\00000002\UsrClass.dat - 2008-01-20 18:54:02 1,114,112 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT + 2008-01-24 19:47:06 1,114,112 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT - 2008-01-20 18:54:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat + 2008-01-24 19:47:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat - 2008-01-20 18:54:02 1,118,208 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT + 2008-01-24 19:47:06 1,118,208 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT - 2008-01-20 18:54:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat + 2008-01-24 19:47:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat - 2008-01-20 18:54:02 8,523,776 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT + 2008-01-24 19:47:06 8,564,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT - 2008-01-20 18:54:02 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat + 2008-01-24 19:47:06 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat - 2006-03-03 01:49:14 69,632 ----a-w C:\WINDOWS\system32\HPZipm12.exe + 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\HPZipm12.exe - 2006-03-03 01:49:14 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE + 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 11:04 68856] "Aim6"="" [] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496] "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 12:18 472776] "nwiz"="nwiz.exe" [2006-04-15 13:26 1519616 C:\WINDOWS\system32\nwiz.exe] "MsmqIntCert"="regsvr32 /s mqrt.dll" [] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 06:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 00:46 761948] "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152] "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:34 86960] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 10:28 180224] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 10:03 40960] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408] "vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656] 
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" [ ] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 13:26 7561216] C:\Documents and Settings\Eric Reese\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664] ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 11:04:08 38912] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624] HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 12:39:30 73728] VPN Client.lnk - C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-04-20 15:00:09 6144] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkih] R0 SDbgMsg;SDbgMsg;C:\WINDOWS\system32\drivers\SDbgMsg.sys [2007-11-15 07:18] R0 SyserBoot;SyserBoot;C:\WINDOWS\system32\drivers\SysBoot.sys [2007-11-15 07:18] R0 SyserLanguage;SyserLanguage;C:\WINDOWS\system32\drivers\SysLang.sys [2007-11-15 07:18] R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2008-01-22 22:02] S0 nmfilter;DriverStudio Device 
Filter;C:\WINDOWS\system32\DRIVERS\nmfilter.sys [] S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 13:05] S2 pciinfo;HP Pci Information;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [] S3 DADriv1;DADriv1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\DAEngine\DAK32.sys [2007-07-12 16:55] S3 gel90xne;gel90xne;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\gel90xne.sys [] S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Moonlight\IlvMoney1105.sys [] S3 puma1;puma1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\PumaByZé\puma.sys [] S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 13:05] S3 Revolution1;Revolution1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\Rev Engine\SHAK3.sys [2007-07-01 22:26] S3 Sex1;Sex1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Sex Engine\Sex.sys [] S3 SoRa1;SoRa1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\SoRa Engine 2.3\SoRa23.sys [2007-07-20 12:39] S3 sora121;sora121;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\SoRa Engine2.90\sora12.sys [] S3 SPCommand;SPCommand.sys;C:\WINDOWS\system32\drivers\Plugin\i386\SPCommand.sys [2007-11-15 07:19] S3 spuce1;spuce1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Spuc3 Engine\spuce.sys [] S3 Syser;Syser;C:\WINDOWS\system32\drivers\Syser.sys [2007-11-15 07:20] . Contents of the 'Scheduled Tasks' folder "2008-01-24 01:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-01-18 20:00:56 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe . 
************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-24 14:54:07 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xL??????(?@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-24 14:54:43 ComboFix-quarantined-files.txt 2008-01-24 19:54:41 ComboFix2.txt 2008-01-20 19:10:18 ComboFix3.txt 2008-01-18 00:46:59 ComboFix4.txt 2007-07-16 16:26:10 . 2008-01-19 21:35:03 --- E O F --- HiJack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:25:07 PM, on 1/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program 
Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\mdm.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe c:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\mqtgsvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - 
BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll O2 - BHO: (no name) - {D785E699-0B52-41EB-954C-0C5AE809A6B8} - (no file) O2 - BHO: (no name) - {FFF29BE4-24AC-4E31-B99B-45238B764111} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: 
[vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: opnnkih - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12742 bytes

And the ESET Online scanner:
Win32/BHO.G trojan C:\QooBox\Quarantine\C\WINDOWS\system32\awumclfa.dll.vir
#9
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Re: Trojan.Vundo found, occasional pop-ups
Hi ya ejr5033

No worries, that has happened to me before as well. We are nearly there, just a couple of things to do.

Upload this file C:\WINDOWS\system32\re324224.exe to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

**If the site is too busy, upload it to http://www.virustotal.com/en/indexf.html

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked":

O2 - BHO: (no name) - {D785E699-0B52-41EB-954C-0C5AE809A6B8} - (no file)
O2 - BHO: (no name) - {FFF29BE4-24AC-4E31-B99B-45238B764111} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - Winlogon Notify: opnnkih - C:\WINDOWS\

Please remember to close all other windows, including browsers, then click Fix checked.

If you have any problems, boot into safe mode and run HJT from there.

Then run a scan with HiJackThis (in NORMAL mode) and post the log in your next reply.

===============================================
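As an added example (not code from this thread or from HijackThis), a small triage script for the HJT entry patterns the analyst ticks in the fix list above: O2 BHOs with "(no file)", O9 buttons with "(file missing)", O16 DPF entries left without a download URL, and O20 Winlogon Notify hooks like the one above. The sample lines are copied from the logs posted in this thread; the random-name heuristic for O20 entries is my own assumption, not an HJT rule.

```python
"""Triage helper for HijackThis (HJT) log entries (added example).

Flags the patterns the analyst asked to have ticked and fixed in this
thread and lets the benign entries from the same log pass through.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# "Winlogon Notify: <dll name> - <path>"
WINLOGON_RE = re.compile(r"^Winlogon Notify:\s*(\S+)\s+-\s*(.*)$")
# trailing " - <url>" of a DPF entry; the URL may be empty
DPF_URL_RE = re.compile(r"\s-\s*(\S*)$")
VOWELS = frozenset("aeiou")


def looks_random(name: str) -> bool:
    """Assumed heuristic for Vundo-style names such as 'opnnkih':
    all lowercase letters, six or more long, under 30% vowels."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.3


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O20"
    reason: str   # why an analyst would tick this entry
    entry: str    # the full log line, ready to paste into a fix list


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT entry, or None if benign."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section == "O2" and rest.endswith("(no file)"):
        return Finding(section, "BHO registered but its DLL is gone", line)
    if section == "O9" and rest.endswith("(file missing)"):
        return Finding(section, "IE button whose DLL is missing", line)
    if section == "O16":
        url = DPF_URL_RE.search(rest)
        if url is None or url.group(1) == "":
            return Finding(section, "orphaned DPF entry, no download URL", line)
    if section == "O20":
        w = WINLOGON_RE.match(rest)
        if w and (w.group(2).endswith("\\") or looks_random(w.group(1))):
            return Finding(section, "Winlogon Notify hook: random name or no file", line)
    return None


def triage_log(lines: List[str]) -> List[Finding]:
    """Run triage_entry over every line and keep only the findings."""
    return [f for f in map(triage_entry, lines) if f is not None]


def fix_list(findings: List[Finding]) -> List[str]:
    """The entries to tick in HJT, in log order."""
    return [f.entry for f in findings]


# Constructed sample: one benign and one suspicious line per section
# checked, copied from the logs posted in this thread.
SAMPLE_LOG = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {D785E699-0B52-41EB-954C-0C5AE809A6B8} - (no file)",
    "O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\\PROGRA~1\\MICROS~3\\Office12\\ONBttnIE.dll",
    "O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.6.0_04\\bin\\ssv.dll (file missing)",
    "O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab",
    "O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -",
    "O20 - Winlogon Notify: opnnkih - C:\\WINDOWS\\",
    "O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```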
#10
Registered User
Join Date: Jul 2007
Posts: 12
OS: WinXP
Re: Trojan.Vundo found, occasional pop-ups
Alright, the online malware scan:
Service
Service load: 0% 100%
File: re324224.exe
Status: OK
MD5: 2f937534d7d2c694e48b70ec5639b102
Packers detected: -
Bit9 reports: No threat detected

Scanner results
Scan taken on 25 Jan 2008 17:43:49 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

and HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:52 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12216 bytes
#11
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Re: Trojan.Vundo found, occasional pop-ups
Hi ejr5033
Your logs are clean.

=================

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

=================

Follow the list above and the potential for infection will reduce dramatically.

Please respond to this thread one more time so we can mark this thread as resolved.