Vundo trojan virus

wading4 · 03-20-2008, 10:14 PM

Hello,

I have Windows XP Professional SP2. My McAfee VircusScan Enterprise software detected a vundo trojan virus in a windows/system32/vtstu.dll file and was unable to clean, move, or delete it. This is causing my computer to react very slowly when I click on icons on the desktop or in folders or on the start menu and other menus. It takes 12 - 15 seconds to respond. Buttons in dialogue boxes respond normally. I followed the 5 steps and have copied the results of the Deckard's System Scanner below. I attached the extra.txt as well as the activescan.txt from the panda scan, I tried to include that in the post but it was too long. The symptoms seemed to have cleared up after the active scan 'disinfected a virus,' however on rebooting, the problems reoccurred. I have not had major problems with viruses or tried this forum before today. Hope you can help.

Frank

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-20 23:36:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
59: 2008-03-21 03:36:55 UTC - RP150 - Deckard's System Scanner Restore Point
58: 2008-03-21 03:12:37 UTC - RP149 - Removed SmartFTP Client
57: 2008-03-21 03:07:52 UTC - RP148 - Removed EndNote X1
56: 2008-03-21 02:50:13 UTC - RP147 - Software Distribution Service 3.0
55: 2008-03-21 02:27:14 UTC - RP146 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-03-18 23:44:22 UTC - RP92 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:55 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37C94FBE-C0ED-41EB-83DE-01EE9D758704} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\byxvwur.dll
O2 - BHO: {2b4a9f67-de92-4c98-d924-e63d9030ba29} - {92ab0309-d36e-429d-89c4-29ed76f9a4b2} - C:\WINDOWS\system32\pqehvxol.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [f0aa0335] rundll32.exe "C:\WINDOWS\system32\mqyhejfj.dll",b
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O20 - Winlogon Notify: byxvwur - C:\WINDOWS\SYSTEM32\byxvwur.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 8376 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 15:52:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-27 14:16:00 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job
2007-07-27 14:16:00 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job

-- Files created between 2008-02-20 and 2008-03-20 -----------------------------

2008-03-20 23:38:44 0 d-------- C:\Program Files\Trend Micro
2008-03-20 23:25:04 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-03-20 23:24:51 270336 --a------ C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2008-03-20 23:24:50 0 d-------- C:\Program Files\SpywareDetector
2008-03-20 23:08:43 0 d-------- C:\Documents and Settings\All Users\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
2008-03-20 22:28:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-20 22:13:51 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 22:13:38 0 d-------- C:\Program Files\SpywareBlaster
2008-03-20 20:32:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 19:45:25 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 19:41:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-20 14:23:49 0 d-------- C:\WINDOWS\system32\DRM
2008-03-20 12:01:02 87104 --a------ C:\WINDOWS\system32\mqyhejfj.dll
2008-03-20 11:58:02 91712 --a------ C:\WINDOWS\system32\pqehvxol.dll
2008-03-20 07:23:59 18944 --a------ C:\WINDOWS\system32\qoMdCtRj.dll
2008-03-20 07:23:59 41472 --a------ C:\WINDOWS\system32\awtQHaaW.dll
2008-03-20 07:23:52 36864 --a------ C:\svchost.exe
2008-03-19 11:32:06 93248 --a------ C:\WINDOWS\system32\qgfnkgcr.dll
2008-03-18 19:44:12 354833 --ahs---- C:\WINDOWS\system32\utstv.ini2
2008-03-18 19:44:05 290816 --a------ C:\WINDOWS\system32\vtstu.dll
2008-03-18 19:39:52 134 --a------ C:\n.bat
2008-03-18 19:39:41 0 --a------ C:\x.dat
2008-03-18 19:39:35 305 --a------ C:\z.dat
2008-03-18 19:39:32 162816 --a------ C:\winlogon.exe
2008-03-18 19:39:02 39424 --a------ C:\WINDOWS\system32\byxvwur.dll
2008-03-18 13:22:51 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-03-02 12:21:34 0 d-------- C:\Program Files\FTP and Web stuff
2008-03-02 12:20:18 0 d-------- C:\Program Files\Universal
2008-03-02 11:37:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-03-01 19:32:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\EndNote
2008-03-01 19:32:05 0 d-------- C:\Program Files\Common Files\Risxtd
2008-02-22 16:00:11 0 d-------- C:\Program Files\iPod

-- Find3M Report ---------------------------------------------------------------

2008-03-20 23:28:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-20 23:09:04 0 d-------- C:\Program Files\Common Files
2008-03-20 21:16:01 0 d-------- C:\Program Files\iTunes
2008-03-20 21:15:35 0 d-------- C:\Program Files\Google
2008-03-20 07:37:46 0 d-------- C:\Program Files\Incomplete
2008-03-07 20:49:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-18 14:20:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-08 15:59:40 0 d-------- C:\Program Files\QuickTime
2008-02-07 20:13:17 0 d-------- C:\Program Files\JMP 7 Trial
2008-02-07 20:13:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-27 18:28:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-01-27 13:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-01-27 12:35:12 0 d-------- C:\Program Files\Java
2008-01-25 11:46:52 0 d-------- C:\Program Files\SAS Institute
2008-01-21 23:00:58 0 d-------- C:\Program Files\SAS
2008-01-13 18:13:51 1455 --a------ C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37C94FBE-C0ED-41EB-83DE-01EE9D758704}]
03/18/2008 07:44 PM 290816 --a------ C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85A611CA-CA0F-469B-8220-B70221A545BB}]
03/18/2008 07:39 PM 39424 --a------ C:\WINDOWS\system32\byxvwur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92ab0309-d36e-429d-89c4-29ed76f9a4b2}]
03/20/2008 11:58 AM 91712 --a------ C:\WINDOWS\system32\pqehvxol.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/05/2007 05:18 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [02/21/2007 02:19 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/21/2007 02:17 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/25/2007 11:34 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/25/2007 11:34 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [02/25/2007 11:33 PM]
"AGRSMMSG"="AGRSMMSG.exe" [08/30/2006 05:40 AM C:\WINDOWS\AGRSMMSG.exe]
"Gateway Hotkey Software"="C:\WINDOWS\mHotKey.exe" [03/08/2007 12:41 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/17/2007 06:19 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 04:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [03/18/2008 01:17 PM]
"f0aa0335"="C:\WINDOWS\system32\mqyhejfj.dll" [03/20/2008 12:01 PM]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [03/19/2008 10:16 AM]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [03/19/2008 10:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/27/2007 11:24 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 05:40 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{85A611CA-CA0F-469B-8220-B70221A545BB}"= C:\WINDOWS\system32\byxvwur.dll [03/18/2008 07:39 PM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvwur]
byxvwur.dll 03/18/2008 07:39 PM 39424 C:\WINDOWS\system32\byxvwur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 03/05/2008 10:55 AM 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtstu.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d2f67b2-3c78-11dc-b8a3-001b7752ffad}]
AutoRun\command- F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b53f-3c6c-11dc-b8a2-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b544-3c6c-11dc-b8a2-001b7752ffad}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - SDSERVICE

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com

882 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-03-20 23:42:28 ------------

wading4 · 03-25-2008, 09:05 AM

Bump! Hey guys, I know I'm new but its been over 100 hours and no replies from anyone. My computer is still infected, please help.

**chemist** · 03-25-2008, 04:13 PM

Hello and Welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

**chemist** · 03-25-2008, 07:41 PM

Hello again, wading4.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments of your time.

If you have any questions along the way...STOP and ask them before proceeding.

When the tool is finished, it will produce a log for you. Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log

wading4 · 03-25-2008, 08:49 PM

Thanks Chemist,

Here is my combofix.txt along with my new hijackthis.log

Look forward to hearing from you,

ComboFix 08-03-25.1 - Administrator 2008-03-25 22:33:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1384 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\awtQHaaW.dll
C:\WINDOWS\system32\jfjehyqm.ini
C:\WINDOWS\system32\mqyhejfj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqehvxol.dll
C:\WINDOWS\system32\qgfnkgcr.dll
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\winlogon.exe
C:\x.dat
C:\z.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 20:27 . 2008-03-25 20:33 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\WINDOWS\system32\aqVreo18
2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\Temp\gbRve12
2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\Temp
2008-03-20 23:38 . 2008-03-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 23:25 . 2008-03-20 23:25 124 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-03-20 23:25 . 2008-03-23 15:22 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-03-20 23:08 . 2008-03-20 23:08 <DIR> d-------- C:\Documents and Settings\All Users\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
2008-03-20 22:13 . 2008-03-20 23:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-20 22:13 . 2008-03-25 22:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 20:32 . 2008-03-20 21:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 20:32 . 2008-03-20 20:51 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-20 20:32 . 2008-03-20 20:51 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-20 20:32 . 2008-03-20 20:51 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 19:45 . 2008-03-20 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 19:41 . 2008-03-20 19:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-20 14:23 . 2008-03-20 14:23 <DIR> d-------- C:\WINDOWS\system32\DRM
2008-03-20 07:23 . 2008-03-20 07:23 18,944 --a------ C:\WINDOWS\system32\qoMdCtRj.dll
2008-03-19 11:35 . 2008-03-20 11:55 1,531,315 --ahs---- C:\WINDOWS\system32\kpmokjtw.ini
2008-03-18 19:39 . 2008-03-18 19:39 134 --a------ C:\n.bat
2008-03-18 13:22 . 2008-03-18 13:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-02 12:21 . 2008-03-02 12:22 <DIR> d-------- C:\Program Files\FTP and Web stuff
2008-03-02 12:20 . 2008-03-02 12:20 <DIR> d-------- C:\Program Files\Universal
2008-03-02 11:37 . 2008-03-02 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-03-01 19:32 . 2008-03-01 19:32 <DIR> d-------- C:\Program Files\Common Files\Risxtd
2008-03-01 19:32 . 2008-03-20 14:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EndNote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 19:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-23 16:06 --------- d-----w C:\Program Files\Incomplete
2008-03-21 01:16 --------- d-----w C:\Program Files\iTunes
2008-03-21 01:15 --------- d-----w C:\Program Files\Google
2008-02-22 20:00 --------- d-----w C:\Program Files\iPod
2008-02-18 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-08 19:59 --------- d-----w C:\Program Files\QuickTime
2008-02-08 00:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 00:13 --------- d-----w C:\Program Files\JMP 7 Trial
2008-01-27 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-27 16:35 --------- d-----w C:\Program Files\Java
2007-08-27 15:05 1,164,456 ----a-w C:\Program Files\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:24 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 05:18 827392]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 14:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 14:17 970752]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-25 23:34 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-25 23:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-25 23:33 131072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 05:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"Gateway Hotkey Software"="C:\WINDOWS\mHotKey.exe" [2007-03-08 00:41 478720]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 18:19 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d2f67b2-3c78-11dc-b8a3-001b7752ffad}]
\Shell\AutoRun\command - F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b544-3c6c-11dc-b8a2-001b7752ffad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 18:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 22:36:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-25 22:38:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 02:38:08
.
2008-03-23 19:54:38 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:56 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7569 bytes

wading4 · 03-26-2008, 07:15 AM

Hi again,

So I was hoping I was all set, I scanned my computer last night and found no viruses. When I started it up this morning, however, the virus scanner found another vundo trojan virus of

CATCHME2008-03-25_223614.20.ZIP.VIR

The Virus Scan moved it to the quarantine folder but could not delete it.

Please help.

Also, I noticed in my last log that it said the windows restore program had not been installed but I followed the directions on the link you sent me so I'm not sure what I did wrong.

Thanks so much,

**chemist** · 03-26-2008, 02:46 PM

Hello again, Frank.

Quote:

So I was hoping I was all set, I scanned my computer last night and found no viruses. When I started it up this morning, however, the virus scanner found another vundo trojan virus

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing or running of scanners unless requested by a helper.

------------------------------------------------------

A keylogger was present in your system and it was possible that it stole some of your passwords that you use online. If any were stolen, they will be found in the following files:

Navigate to this file in blue: C:\QooBox\Quarantine\C\z.dat.vir

Also check this file although it is probably empty: C:\QooBox\Quarantine\C\x.dat.vir

Right-click on and open the files with Notepad. Any stolen data will be revealed. Check all accounts in this data file, and ensure you change all related passwords on another clean computer. If any data were stolen, please don't post them in the forum.

------------------------------------------------------

Quote:

Also, I noticed in my last log that it said the windows restore program had not been installed but I followed the directions on the link you sent me so I'm not sure what I did wrong.

Let's perform this quick check to see if the Windows Recovery Console was installed:

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat

Save this as peek.bat Choose to "Save type as - All Files"

It should look like this:

Double click on peek.bat & allow it to run. A notepad file will open. Post the contents of that file in your next reply, and close the file.

wading4 · 03-26-2008, 03:12 PM

Hi,

Sorry, I'll be patient.

It did steal one of my passwords.

Here are the results from running the peek.bat

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

**chemist** · 03-26-2008, 04:11 PM

Hello again, wading4.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

This machine does not have the Windows XP Recovery Console installed.

The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as its originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

wading4 · 03-26-2008, 04:46 PM

Okay,

Here is my CF_RC.txt

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU(2).exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

**chemist** · 03-27-2008, 08:58 AM

Hello again, Frank. Good job. You may now safely reboot your computer.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have Spyware Detector installed on your system. This application was previously listed as a rogue program. Please read here

Although no longer listed as such, we recommend uninstalling it and downloading antispyware programs that have proven themselves tried and true. See here for a list of trustworthy antispyware products.

------------------------------------------------------

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\qoMdCtRj.dll
C:\WINDOWS\system32\kpmokjtw.ini
C:\n.bat
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\Fonts\a.zip

DirLook::
C:\WINDOWS\system32\DRM

Folder::
C:\WINDOWS\system32\aqVreo18
C:\Temp\gbRve12

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log

wading4 · 03-27-2008, 05:29 PM

Hi Chemist,

Here is the ComboFix.txt produced by following your instructions, followed by my new Hijackthis.log

ComboFix 08-03-25.1 - Administrator 2008-03-27 19:21:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1452 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

FILE ::
C:\n.bat
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\kpmokjtw.ini
C:\WINDOWS\system32\qoMdCtRj.dll
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\Temp\gbRve12
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\kpmokjtw.ini
C:\WINDOWS\system32\qoMdCtRj.dll
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 10:31 . 2008-03-26 10:31 65 --a------ C:\WINDOWS\minitab.ini
2008-03-26 10:29 . 2008-03-26 10:33 <DIR> d-------- C:\Program Files\Minitab 15
2008-03-25 20:27 . 2008-03-25 20:33 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-03-21 10:08 . 2008-03-27 19:21 <DIR> d-------- C:\Temp
2008-03-20 23:38 . 2008-03-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 23:36 . 2008-03-20 23:36 <DIR> d-------- C:\Deckard
2008-03-20 23:25 . 2008-03-20 23:25 124 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-03-20 23:25 . 2008-03-23 15:22 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-03-20 23:08 . 2008-03-20 23:08 <DIR> d-------- C:\Documents and Settings\All Users\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
2008-03-20 22:13 . 2008-03-20 23:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-20 22:13 . 2008-03-25 22:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 20:32 . 2008-03-20 21:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 20:32 . 2008-03-20 20:51 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-20 20:32 . 2008-03-20 20:51 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-20 20:32 . 2008-03-20 20:51 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 19:45 . 2008-03-20 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 19:41 . 2008-03-20 19:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-20 14:23 . 2008-03-20 14:23 <DIR> d-------- C:\WINDOWS\system32\DRM
2008-03-02 12:21 . 2008-03-02 12:22 <DIR> d-------- C:\Program Files\FTP and Web stuff
2008-03-02 12:20 . 2008-03-02 12:20 <DIR> d-------- C:\Program Files\Universal
2008-03-02 11:37 . 2008-03-02 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-03-01 19:32 . 2008-03-01 19:32 <DIR> d-------- C:\Program Files\Common Files\Risxtd
2008-03-01 19:32 . 2008-03-20 14:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EndNote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 19:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-23 16:06 --------- d-----w C:\Program Files\Incomplete
2008-03-21 01:16 --------- d-----w C:\Program Files\iTunes
2008-03-21 01:15 --------- d-----w C:\Program Files\Google
2008-02-22 20:00 --------- d-----w C:\Program Files\iPod
2008-02-18 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-08 19:59 --------- d-----w C:\Program Files\QuickTime
2008-02-08 00:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 00:13 --------- d-----w C:\Program Files\JMP 7 Trial
2008-01-27 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-27 16:35 --------- d-----w C:\Program Files\Java
2007-08-27 15:05 1,164,456 ----a-w C:\Program Files\install_flash_player.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\DRM ----

2006-07-21 01:04 68048 --a------ C:\WINDOWS\system32\DRM\ENU\Eula.rtf

((((((((((((((((((((((((((((( snapshot@2008-03-25_22.37.59.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\ARPPRODUCTICON.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Mtb15_Unit_English_D_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Mtb15_Unit_English_P_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut1_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut2_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut4_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut5_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut6_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\RmdGerman_1CC99A0B3B834169BB32524669A32BB3.exe
+ 2008-03-26 14:31:25 65,536 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
+ 2008-03-26 14:31:27 155,648 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\mt_asm_lic_3_2_0.dll
+ 2008-03-26 14:31:27 1,519,616 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\mt_asm_lic_gui_3_3_0.dll
+ 2008-03-26 14:31:27 17,920 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\prv_fallback_6_41_98.dll
- 2008-03-23 19:53:36 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-26 12:41:35 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-23 19:53:36 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-26 12:41:35 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:24 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 16:34 190696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 05:18 827392]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 14:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 14:17 970752]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-25 23:34 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-25 23:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-25 23:33 131072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 05:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"Gateway Hotkey Software"="C:\WINDOWS\mHotKey.exe" [2007-03-08 00:41 478720]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 18:19 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d2f67b2-3c78-11dc-b8a3-001b7752ffad}]
\Shell\AutoRun\command - F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b544-3c6c-11dc-b8a2-001b7752ffad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 18:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 19:22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 19:22:59
ComboFix-quarantined-files.txt 2008-03-27 23:22:56
ComboFix2.txt 2008-03-26 02:38:12
.
2008-03-23 19:54:38 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:24 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7535 bytes

**chemist** · 03-27-2008, 06:26 PM

Hello again, Frank. Do you still use Limewire?

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Please remember to close all other windows, including browsers then click Fix checked.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and Save it to your Desktop.
Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the Download button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > (Settings) > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache - Leave BOTH Checked.
  - Applications and Applets
  - Trace and Log Files
- Click OK on Delete Temporary Files Window.
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save Report As... button, then choose Save as Text to save the file to your desktop so that you may post it in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
new HijackThis log
report on system behavior

wading4 · 03-27-2008, 10:38 PM

Hi Chemist,

No, I am no longer using LimeWire. I deleted it a little while ago.

I did everything you said in the last post.

Here is the log from the Kaspersky Scan followed by the new hijackthis.log Looks like there are still viruses present, huh.

Currently, I am not experiencing any slowdowns, pop-ups, or other weirdness on my computer. Everything seems to be running normally at the moment.

One other question, I have a removable 'thumb drive' that I have used periodically within the last week. I plug it in to transfer something and then remove it. Is this at risk? I did a Virus Scan on it about a week ago and it didn't find anything. How should I deal with this?

Thanks,

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 28, 2008 12:28:02 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/03/2008
Kaspersky Anti-Virus database records: 667874
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 71043
Number of viruses found: 8
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 01:43:58

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UADC_0001_D10M0210\installer.exe Infected: not-a-virus:FraudTool.Win32.AdvancedCleaner.c skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_AG_127_CC0BE6.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_AG_127_CC0BE6.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtQHaaW.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mqyhejfj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pqehvxol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qgfnkgcr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMdCtRj.dll.vir Infected: Trojan-Downloader.Win32.Agent.lqz skipped
C:\QooBox\Quarantine\C\winlogon.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File skipped
C:\quarantine\catchme2008-03-25_223614.20.zip.Vir/vtstu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\quarantine\catchme2008-03-25_223614.20.zip.Vir ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP137\A0015786.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP145\A0016494.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP149\A0017192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP150\A0018194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ktg skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018779.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018780.exe Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018783.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018784.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018785.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP161\A0018946.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP161\A0018948.dll Infected: Trojan-Downloader.Win32.Agent.lqz skipped
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP164\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{057F5BB8-D502-4BEF-B4F6-03038B5E8459}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP164\change.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:46 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7666 bytes

**chemist** · 03-28-2008, 11:00 AM

Congratulations, Frank. Well done! Your logs appear clean. You should be good to go.

Quote:

One other question, I have a removable 'thumb drive' that I have used periodically within the last week. I plug it in to transfer something and then remove it. Is this at risk? I did a Virus Scan on it about a week ago and it didn't find anything. How should I deal with this?

Scan it regularly and you should be OK.

Quote:

Looks like there are still viruses present, huh.

As far as those infected objects listed in the Kaspersky log, those are safely tucked away in ComboFix's quarantine folder or in old System Restore points, which we will be taking care of now.

------------------------------------------------------

Please re-enable any antivirus or antispyware programs disabled earlier if you haven't already.

Delete the following folder in blue and files in red:

C:\Documents and Settings\Administrator\Application Data\LimeWire
C:\quarantine\Av-test.txt.Vir
C:\quarantine\catchme2008-03-25_223614.20.zip.Vir

Go to Start>>Run>> and Copy/Paste the following single line command into the Run box and click OK

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one firewall program as they will conflict with each other.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

How Did I Get Infected In The First Place? by TonyKlein
PC Safety and Security--What Do I Need?

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

SpywareBlaster 4.0 prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
SpywareGuard catches and blocks spyware installation and browser hijacking in real-time. See tutorial here
IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Spybot - Search & Destroy 1.5.2 is an excellent spyware remover and also offers real-time protection against critical registry changes. Only use the Immunize feature if you don't use SpywareBlaster. See tutorial here

Please respond to this thread one more time so we can mark this thread as resolved.

wading4 · 03-28-2008, 06:01 PM

Hello again Chemist,

Not quite resolved yet? I re-enabled my anti-virus and anti-spyware. I deleted the C:\Documents and Settings\Administrator\Application Data\LimeWire but I could not delete

C:\quarantine\Av-test.txt.Vir or
C:\quarantine\catchme2008-03-25_223614.20.zip.Vir

When I try to a my virus scan keeps popping up and then a message appears saying "Error deleting file or folder - Cannot delete Av-test.txt.Vir (or catchme2008-03-25_223614.20.zip.Vir) Make sure the disk is not full or write protected or the file is not currently in use."

How should I proceed?

Thanks,

**chemist** · 03-28-2008, 07:30 PM

Hi Frank. Those two files present no harm to your system. They are present in a quarantined folder with a .vir extension and cannot cause harm. I listed them for deletion because of your concern over the Kaspersky scan findings.

McAfee is guarding those files from deletion. McAfee almost certainly empties that folder on a regular basis.

If you don't want to wait, or just want to get rid of them period,

Disable VirusScan, delete the files, reenable VirusScan, OR
Delete them in Safe Mode, OR
Use McAfee VirusScan:
- Scan "All Files"
- Scan only directory "C:\quarantine"
- Actions: 1st - "Delete files" and 2nd - "Continue scanning"
- Move to folder "C:\tmp"
- Empty the folder "C:\tmp"

Let us know what you decided or if that worked.

wading4 · 03-29-2008, 12:51 PM

Hello,

Okay, I deleted the .vir files in my quarantine folder by briefly disabling my AntiVirus, deleting the files, and then re-enabling it.

Thanks,

I also uninstalled Combofix and followed the rest of your guidelines in the post before last about firewalls, spyware blaster, spybot and all that.

So, unless there was something else you wanted me to do, we can call this thread resolved.

Thanks so much again.

**chemist** · 03-29-2008, 01:22 PM

You're very welcome.

03-25-2008, 09:05 AM	#2 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Bump! Hey guys, I know I'm new but its been over 100 hours and no replies from anyone. My computer is still infected, please help.

03-25-2008, 04:13 PM	#3 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus Hello and Welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription. Please be patient with me during this time.

03-25-2008, 07:41 PM	#4 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus Hello again, wading4. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ------------------------------------------------------ Please visit this webpage for instructions on downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments of your time. If you have any questions along the way...STOP and ask them before proceeding. When the tool is finished, it will produce a log for you. Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleansing the system. ------------------------------------------------------ Please post the following in your next reply: C:\ComboFix.txt new HijackThis log

03-25-2008, 08:49 PM	#5 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Thanks Chemist, Here is my combofix.txt along with my new hijackthis.log Look forward to hearing from you, ComboFix 08-03-25.1 - Administrator 2008-03-25 22:33:07.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1384 [GMT -4:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\Fonts\' C:\WINDOWS\Fonts\a.zip C:\WINDOWS\Fonts\svchost.exe C:\WINDOWS\system32\awtQHaaW.dll C:\WINDOWS\system32\jfjehyqm.ini C:\WINDOWS\system32\mqyhejfj.dll C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\pqehvxol.dll C:\WINDOWS\system32\qgfnkgcr.dll C:\WINDOWS\system32\utstv.ini C:\WINDOWS\system32\utstv.ini2 C:\WINDOWS\system32\vtstu.dll C:\winlogon.exe C:\x.dat C:\z.dat D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 ))))))))))))))))))))))))))))))) . 2008-03-25 20:27 . 2008-03-25 20:33 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\WINDOWS\system32\aqVreo18 2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\Temp\gbRve12 2008-03-21 10:08 . 2008-03-21 10:08 <DIR> d-------- C:\Temp 2008-03-20 23:38 . 2008-03-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro 2008-03-20 23:25 . 2008-03-20 23:25 124 --a------ C:\WINDOWS\system32\SDRemoveDB.db 2008-03-20 23:25 . 2008-03-23 15:22 63 --a------ C:\WINDOWS\system\SysSD.dll 2008-03-20 23:08 . 2008-03-20 23:08 <DIR> d-------- C:\Documents and Settings\All Users\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49} 2008-03-20 22:13 . 2008-03-20 23:04 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-03-20 22:13 . 2008-03-25 22:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-03-20 20:32 . 2008-03-20 21:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-03-20 20:32 . 2008-03-20 20:51 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-03-20 20:32 . 2008-03-20 20:51 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-03-20 20:32 . 2008-03-20 20:51 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-03-20 19:45 . 2008-03-20 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2008-03-20 19:41 . 2008-03-20 19:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee 2008-03-20 14:23 . 2008-03-20 14:23 <DIR> d-------- C:\WINDOWS\system32\DRM 2008-03-20 07:23 . 2008-03-20 07:23 18,944 --a------ C:\WINDOWS\system32\qoMdCtRj.dll 2008-03-19 11:35 . 2008-03-20 11:55 1,531,315 --ahs---- C:\WINDOWS\system32\kpmokjtw.ini 2008-03-18 19:39 . 2008-03-18 19:39 134 --a------ C:\n.bat 2008-03-18 13:22 . 2008-03-18 13:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2008-03-02 12:21 . 2008-03-02 12:22 <DIR> d-------- C:\Program Files\FTP and Web stuff 2008-03-02 12:20 . 2008-03-02 12:20 <DIR> d-------- C:\Program Files\Universal 2008-03-02 11:37 . 2008-03-02 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP 2008-03-01 19:32 . 2008-03-01 19:32 <DIR> d-------- C:\Program Files\Common Files\Risxtd 2008-03-01 19:32 . 2008-03-20 14:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EndNote . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-23 19:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-03-23 16:06 --------- d-----w C:\Program Files\Incomplete 2008-03-21 01:16 --------- d-----w C:\Program Files\iTunes 2008-03-21 01:15 --------- d-----w C:\Program Files\Google 2008-02-22 20:00 --------- d-----w C:\Program Files\iPod 2008-02-18 18:20 --------- d-----w C:\Program Files\Common Files\Adobe 2008-02-08 19:59 --------- d-----w C:\Program Files\QuickTime 2008-02-08 00:13 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-02-08 00:13 --------- d-----w C:\Program Files\JMP 7 Trial 2008-01-27 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3 2008-01-27 16:35 --------- d-----w C:\Program Files\Java 2007-08-27 15:05 1,164,456 ----a-w C:\Program Files\install_flash_player.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:24 68856] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 05:18 827392] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 14:19 819200] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 14:17 970752] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-25 23:34 131072] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-25 23:34 155648] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-25 23:33 131072] "AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 05:40 89542 C:\WINDOWS\AGRSMMSG.exe] "Gateway Hotkey Software"="C:\WINDOWS\mHotKey.exe" [2007-03-08 00:41 478720] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 18:19 185632] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d2f67b2-3c78-11dc-b8a3-001b7752ffad}] \Shell\AutoRun\command - F:\Installer.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b544-3c6c-11dc-b8a2-001b7752ffad}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2008-03-21 18:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe "2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 2.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-25 22:36:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\System32\SCardSvr.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************ . Completion time: 2008-03-25 22:38:11 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-26 02:38:08 . 2008-03-23 19:54:38 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:41:56 PM, on 3/25/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\mHotKey.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 7569 bytes

03-26-2008, 07:15 AM	#6 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hi again, So I was hoping I was all set, I scanned my computer last night and found no viruses. When I started it up this morning, however, the virus scanner found another vundo trojan virus of CATCHME2008-03-25_223614.20.ZIP.VIR The Virus Scan moved it to the quarantine folder but could not delete it. Please help. Also, I noticed in my last log that it said the windows restore program had not been installed but I followed the directions on the link you sent me so I'm not sure what I did wrong. Thanks so much,

03-26-2008, 03:12 PM	#8 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hi, Sorry, I'll be patient. It did steal one of my passwords. Here are the results from running the peek.bat [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

03-26-2008, 04:11 PM	#9 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus Hello again, wading4. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ------------------------------------------------------ This machine does not have the Windows XP Recovery Console installed. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Please do this: Go to Microsoft's website => http://support.microsoft.com/kb/310994 Select the download that's appropriate for your Operating System Download the file & save it as its originally named, next to ComboFix.exe. Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper. When complete, a log named CF_RC.txt will open. Please post the contents of that log. Please do not reboot your machine until we have reviewed the log.

03-26-2008, 04:46 PM	#10 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Okay, Here is my CF_RC.txt WindowsXP-KB310994-SP2-Pro-BootDisk-ENU(2).exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

03-27-2008, 05:29 PM	#12 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hi Chemist, Here is the ComboFix.txt produced by following your instructions, followed by my new Hijackthis.log ComboFix 08-03-25.1 - Administrator 2008-03-27 19:21:05.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1452 [GMT -4:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point * Resident AV is active FILE :: C:\n.bat C:\WINDOWS\Fonts\a.zip C:\WINDOWS\Fonts\Setup.exe C:\WINDOWS\system32\kpmokjtw.ini C:\WINDOWS\system32\qoMdCtRj.dll C:\WINDOWS\system32\vbzip10.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\n.bat C:\Temp\gbRve12 C:\WINDOWS\Fonts\Setup.exe C:\WINDOWS\system32\aqVreo18 C:\WINDOWS\system32\kpmokjtw.ini C:\WINDOWS\system32\qoMdCtRj.dll C:\WINDOWS\system32\vbzip10.dll . ((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 ))))))))))))))))))))))))))))))) . 2008-03-26 10:31 . 2008-03-26 10:31 65 --a------ C:\WINDOWS\minitab.ini 2008-03-26 10:29 . 2008-03-26 10:33 <DIR> d-------- C:\Program Files\Minitab 15 2008-03-25 20:27 . 2008-03-25 20:33 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-03-21 10:08 . 2008-03-27 19:21 <DIR> d-------- C:\Temp 2008-03-20 23:38 . 2008-03-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro 2008-03-20 23:36 . 2008-03-20 23:36 <DIR> d-------- C:\Deckard 2008-03-20 23:25 . 2008-03-20 23:25 124 --a------ C:\WINDOWS\system32\SDRemoveDB.db 2008-03-20 23:25 . 2008-03-23 15:22 63 --a------ C:\WINDOWS\system\SysSD.dll 2008-03-20 23:08 . 2008-03-20 23:08 <DIR> d-------- C:\Documents and Settings\All Users\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49} 2008-03-20 22:13 . 2008-03-20 23:04 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-03-20 22:13 . 2008-03-25 22:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-03-20 20:32 . 2008-03-20 21:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-03-20 20:32 . 2008-03-20 20:51 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-03-20 20:32 . 2008-03-20 20:51 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-03-20 20:32 . 2008-03-20 20:51 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-03-20 19:45 . 2008-03-20 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2008-03-20 19:41 . 2008-03-20 19:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee 2008-03-20 14:23 . 2008-03-20 14:23 <DIR> d-------- C:\WINDOWS\system32\DRM 2008-03-02 12:21 . 2008-03-02 12:22 <DIR> d-------- C:\Program Files\FTP and Web stuff 2008-03-02 12:20 . 2008-03-02 12:20 <DIR> d-------- C:\Program Files\Universal 2008-03-02 11:37 . 2008-03-02 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP 2008-03-01 19:32 . 2008-03-01 19:32 <DIR> d-------- C:\Program Files\Common Files\Risxtd 2008-03-01 19:32 . 2008-03-20 14:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EndNote . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-23 19:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-03-23 16:06 --------- d-----w C:\Program Files\Incomplete 2008-03-21 01:16 --------- d-----w C:\Program Files\iTunes 2008-03-21 01:15 --------- d-----w C:\Program Files\Google 2008-02-22 20:00 --------- d-----w C:\Program Files\iPod 2008-02-18 18:20 --------- d-----w C:\Program Files\Common Files\Adobe 2008-02-08 19:59 --------- d-----w C:\Program Files\QuickTime 2008-02-08 00:13 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-02-08 00:13 --------- d-----w C:\Program Files\JMP 7 Trial 2008-01-27 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3 2008-01-27 16:35 --------- d-----w C:\Program Files\Java 2007-08-27 15:05 1,164,456 ----a-w C:\Program Files\install_flash_player.exe . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\WINDOWS\system32\DRM ---- 2006-07-21 01:04 68048 --a------ C:\WINDOWS\system32\DRM\ENU\Eula.rtf ((((((((((((((((((((((((((((( snapshot@2008-03-25_22.37.59.26 ))))))))))))))))))))))))))))))))))))))))) . + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\ARPPRODUCTICON.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Mtb15_Unit_English_D_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Mtb15_Unit_English_P_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut1_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut2_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut4_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut5_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\NewShortcut6_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 61,440 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\RmdGerman_1CC99A0B3B834169BB32524669A32BB3.exe + 2008-03-26 14:31:25 65,536 ----a-r C:\WINDOWS\Installer\{F617649B-2104-41C7-B15A-9F0DE2AF8F4E}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe + 2008-03-26 14:31:27 155,648 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\mt_asm_lic_3_2_0.dll + 2008-03-26 14:31:27 1,519,616 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\mt_asm_lic_gui_3_3_0.dll + 2008-03-26 14:31:27 17,920 ----a-w C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\OLQNVEMFLLD1E3XLF34G43MHAC\Objects\prv_fallback_6_41_98.dll - 2008-03-23 19:53:36 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-03-26 12:41:35 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-03-23 19:53:36 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-03-26 12:41:35 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:24 68856] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 16:34 190696] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 05:18 827392] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 14:19 819200] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 14:17 970752] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-25 23:34 131072] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-25 23:34 155648] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-25 23:33 131072] "AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 05:40 89542 C:\WINDOWS\AGRSMMSG.exe] "Gateway Hotkey Software"="C:\WINDOWS\mHotKey.exe" [2007-03-08 00:41 478720] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 18:19 185632] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d2f67b2-3c78-11dc-b8a3-001b7752ffad}] \Shell\AutoRun\command - F:\Installer.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a193b544-3c6c-11dc-b8a2-001b7752ffad}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2008-03-21 18:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe "2007-07-27 18:16:00 C:\WINDOWS\Tasks\ISP signup reminder 2.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-27 19:22:29 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-03-27 19:22:59 ComboFix-quarantined-files.txt 2008-03-27 23:22:56 ComboFix2.txt 2008-03-26 02:38:12 . 2008-03-23 19:54:38 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:24:24 PM, on 3/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\mHotKey.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 7535 bytes Last edited by wading4; 03-27-2008 at 05:31 PM.

03-27-2008, 06:26 PM	#13 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus Hello again, Frank. Do you still use Limewire? Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ------------------------------------------------------ Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = *Please remember to close all other windows, including browsers then click Fix checked.* ------------------------------------------------------ Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and Save it to your Desktop. Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications. Click the Download button to the right. Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > (Settings) > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button. There are two options in the window to clear the cache - Leave BOTH Checked. Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. ------------------------------------------------------ Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. ------------------------------------------------------ Please run this online scan to help look for remnants. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Click Accept, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save Report As... button, then choose Save as Text to save the file to your desktop so that you may post it in your next reply. * Turn off the real time scanner of any existing antivirus program while performing the online scan ------------------------------------------------------ Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here. ------------------------------------------------------ Please post the following in your next reply: Kaspersky report new HijackThis log report on system behavior

03-27-2008, 10:38 PM	#14 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hi Chemist, No, I am no longer using LimeWire. I deleted it a little while ago. I did everything you said in the last post. Here is the log from the Kaspersky Scan followed by the new hijackthis.log Looks like there are still viruses present, huh. Currently, I am not experiencing any slowdowns, pop-ups, or other weirdness on my computer. Everything seems to be running normally at the moment. One other question, I have a removable 'thumb drive' that I have used periodically within the last week. I plug it in to transfer something and then remove it. Is this at risk? I did a Virus Scan on it about a week ago and it didn't find anything. How should I deal with this? Thanks, ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, March 28, 2008 12:28:02 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 28/03/2008 Kaspersky Anti-Virus database records: 667874 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 71043 Number of viruses found: 8 Number of infected objects: 26 Number of suspicious objects: 0 Duration of the scan process: 01:43:58 Infected Object Name / Virus Name / Last Action C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UADC_0001_D10M0210\installer.exe Infected: not-a-virus:FraudTool.Win32.AdvancedCleaner.c skipped C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_AG_127_CC0BE6.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_AG_127_CC0BE6.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\QooBox\Quarantine\C\WINDOWS\system32\awtQHaaW.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\QooBox\Quarantine\C\WINDOWS\system32\mqyhejfj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\QooBox\Quarantine\C\WINDOWS\system32\pqehvxol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\QooBox\Quarantine\C\WINDOWS\system32\qgfnkgcr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\QooBox\Quarantine\C\WINDOWS\system32\qoMdCtRj.dll.vir Infected: Trojan-Downloader.Win32.Agent.lqz skipped C:\QooBox\Quarantine\C\winlogon.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File skipped C:\quarantine\catchme2008-03-25_223614.20.zip.Vir/vtstu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\quarantine\catchme2008-03-25_223614.20.zip.Vir ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP137\A0015786.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP145\A0016494.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP149\A0017192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP150\A0018194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ktg skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018779.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018780.exe Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018783.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018784.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP158\A0018785.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP161\A0018946.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP161\A0018948.dll Infected: Trojan-Downloader.Win32.Agent.lqz skipped C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP164\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{057F5BB8-D502-4BEF-B4F6-03038B5E8459}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP164\change.log Object is locked skipped Scan process completed. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:28:46 AM, on 3/28/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\mHotKey.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=E-265M O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Gateway Hotkey Software] C:\WINDOWS\mHotKey.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186866287954 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 7666 bytes Last edited by wading4; 03-27-2008 at 10:45 PM.

03-28-2008, 06:01 PM	#16 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hello again Chemist, Not quite resolved yet? I re-enabled my anti-virus and anti-spyware. I deleted the C:\Documents and Settings\Administrator\Application Data\LimeWire but I could not delete C:\quarantine\Av-test.txt.Vir or C:\quarantine\catchme2008-03-25_223614.20.zip.Vir When I try to a my virus scan keeps popping up and then a message appears saying "Error deleting file or folder - Cannot delete Av-test.txt.Vir (or catchme2008-03-25_223614.20.zip.Vir) Make sure the disk is not full or write protected or the file is not currently in use." How should I proceed? Thanks,

03-28-2008, 07:30 PM	#17 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus Hi Frank. Those two files present no harm to your system. They are present in a quarantined folder with a .vir extension and cannot cause harm. I listed them for deletion because of your concern over the Kaspersky scan findings. McAfee is guarding those files from deletion. McAfee almost certainly empties that folder on a regular basis. If you don't want to wait, or just want to get rid of them period, Disable VirusScan, delete the files, reenable VirusScan, OR Delete them in Safe Mode, OR Use McAfee VirusScan: Scan "All Files" Scan only directory "C:\quarantine" Actions: 1st - "Delete files" and 2nd - "Continue scanning" Move to folder "C:\tmp" Empty the folder "C:\tmp" Let us know what you decided or if that worked. Last edited by chemist; 03-28-2008 at 07:33 PM.

03-29-2008, 12:51 PM	#18 (permalink)
wading4 Registered User Join Date: Mar 2008 Posts: 10 OS: win xp	Re: Vundo trojan virus Hello, Okay, I deleted the .vir files in my quarantine folder by briefly disabling my AntiVirus, deleting the files, and then re-enabling it. Thanks, I also uninstalled Combofix and followed the rest of your guidelines in the post before last about firewalls, spyware blaster, spybot and all that. So, unless there was something else you wanted me to do, we can call this thread resolved. Thanks so much again.

03-29-2008, 01:22 PM	#19 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,510 OS: XP SP3	Re: Vundo trojan virus You're very welcome.