#1, 08-04-2008, 07:37 PM
Registered User; Join Date: Nov 2007; Posts: 13; OS: Win XP Service Pack 2
Possible Vundo Infection

This is a Toshiba Satellite laptop running Windows Vista Home Basic. It seems to have the Vundo infection, as there are multiple popups and some unusual files in the startup area of the registry. I attempted to run the Panda virus scan and it was taking forever (over 4 hours), so I stopped and only did the DSS scan (as well as following all of the other steps). The logs from the DSS follow:


Deckard's System Scanner v20071014.68
Run by Holly on 2008-08-04 22:08:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
6: 2008-08-05 01:54:55 UTC - RP175 - Windows Defender Checkpoint
5: 2008-08-04 20:17:18 UTC - RP173 - Windows Update
4: 2008-08-04 19:13:33 UTC - RP172 - Windows Update
3: 2008-07-30 02:13:33 UTC - RP171 - Restore Operation
2: 2008-07-29 14:48:52 UTC - RP170 - Installed Google Earth.


-- First Restore Point --
1: 2008-07-29 14:47:18 UTC - RP169 - Installed Google Earth.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 22:10:42
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Users\Holly\svchost.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\explorer.exe
C:\Users\Holly\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [Host Process] C:\Users\Holly\svchost.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Holly\lsass.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Holly\AppData\Local\Temp\ssqRLEUO.dll,#1
O4 - HKCU\..\Run: [BM73603419] Rundll32.exe "C:\Users\Holly\AppData\Local\Temp\snbbxnxb.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Holly\AppData\Local\Temp\urqPjIyx.dll,c
O4 - HKCU\..\Run: [70530785] rundll32.exe "C:\Users\Holly\AppData\Local\Temp\ixikiact.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O10 - Unknown file in Winsock LSP: C:\Windows\System32\wpclsp.dll
O10 - Unknown file in Winsock LSP: C:\Windows\System32\wpclsp.dll
O10 - Unknown file in Winsock LSP: C:\Windows\System32\wpclsp.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\System32\agrsmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 7803 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S4 KR3NPXP - c:\windows\system32\drivers\kr3npxp.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>
R2 TOSHIBA Bluetooth Service - c:\program files\toshiba\bluetooth toshiba stack\tosbtsrv.exe <Not Verified; TOSHIBA CORPORATION; Bluetooth Stack for Windows by TOSHIBA>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 22:02:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-08-04 21:55:06 0 d-------- C:\Users\All Users\TEMP
2008-08-04 21:55:01 0 d-------- C:\Program Files\SpywareBlaster
2008-08-04 15:12:07 511 --a------ C:\Users\Holly\996.bat
2008-08-04 15:11:48 77 --a------ C:\Users\Holly\6952.bat
2008-08-02 12:59:27 0 d-------- C:\Program Files\Panda Security
2008-08-02 12:21:05 511 --a------ C:\Users\Holly\860.bat
2008-08-02 12:21:05 77 --a------ C:\Users\Holly\8078.bat
2008-08-02 10:15:07 511 --a------ C:\Users\Holly\584.bat
2008-08-02 10:14:36 77 --a------ C:\Users\Holly\4962.bat
2008-07-31 16:34:43 511 --a------ C:\Users\Holly\668.bat
2008-07-31 16:34:25 77 --a------ C:\Users\Holly\3828.bat
2008-07-29 22:31:38 511 --a------ C:\Users\Holly\395.bat
2008-07-29 22:30:05 77 --a------ C:\Users\Holly\1714.bat
2008-07-28 20:32:53 0 d-------- C:\perflogs
2008-07-20 20:08:49 511 --a------ C:\Users\Holly\470.bat
2008-07-20 19:53:25 77 --a------ C:\Users\Holly\7463.bat
2008-07-19 20:03:13 511 --a------ C:\Users\Holly\547.bat
2008-07-19 19:42:48 77 --a------ C:\Users\Holly\5678.bat
2008-07-12 10:40:46 511 --a------ C:\Users\Holly\674.bat
2008-07-12 09:09:31 511 --a------ C:\Users\Holly\230.bat
2008-07-12 08:13:38 511 --a------ C:\Users\Holly\873.bat
2008-07-11 22:34:51 511 --a------ C:\Users\Holly\112.bat
2008-07-10 13:19:30 0 --a------ C:\Users\Rett\jagex_runescape_preferences.dat
2008-07-08 21:11:07 511 --a------ C:\Users\Holly\977.bat
2008-07-06 08:28:13 510 --a------ C:\Users\Holly\72.bat


-- Find3M Report ---------------------------------------------------------------

2008-08-04 15:15:47 0 d-------- C:\Users\Holly\AppData\Roaming\LimeWire
2008-08-02 12:52:41 0 d-------- C:\Program Files\LimeWire
2008-07-29 22:18:19 0 d-------- C:\Users\Holly\AppData\Roaming\Move Networks
2008-07-29 22:18:16 0 d-------- C:\Program Files\Yahoo!
2008-07-29 22:18:16 0 d-------- C:\Program Files\Internet Offers
2008-07-29 22:18:16 0 d-------- C:\Program Files\illiminable
2008-07-29 22:18:15 0 d-------- C:\Program Files\Google
2008-07-29 22:18:15 0 d-------- C:\Program Files\dvdSanta
2008-07-29 22:18:15 0 d-------- C:\Program Files\DivX
2008-07-29 22:18:14 0 d-------- C:\Program Files\Common Files
2008-07-29 22:18:14 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-07-29 22:18:14 0 d-------- C:\Program Files\Common Files\PX Storage Engine


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/28/2006 11:14 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/28/2006 11:17 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11/28/2006 11:13 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/27/2006 04:50 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/02/2006 08:33 AM]
"RtHDVCpl"="RtHDVCpl.exe" [11/09/2006 01:57 PM C:\Windows\RtHDVCpl.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [12/16/2005 05:41 AM]
"NDSTray.exe"="NDSTray.exe" []
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [11/01/2006 11:06 AM]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [01/18/2006 07:06 PM]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [11/06/2006 08:14 PM]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [12/20/2006 02:16 AM]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [12/07/2006 07:49 PM]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [12/11/2006 08:45 PM]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [12/15/2006 06:59 PM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [04/08/2007 12:44 PM]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [11/02/2006 08:34 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [11/10/2006 05:22 PM]
"Host Process"="C:\Users\Holly\svchost.exe" [12/23/2007 01:05 AM]
"LSA Shellu"="C:\Users\Holly\lsass.exe" []
"MSServer"="C:\Users\Holly\AppData\Local\Temp\ssqRLEUO.dll,#1" []
"BM73603419"="C:\Users\Holly\AppData\Local\Temp\snbbxnxb.dll,s" []
"cmds"="C:\Users\Holly\AppData\Local\Temp\urqPjIyx.dll,c" []
"70530785"="C:\Users\Holly\AppData\Local\Temp\ixikiact.dll,b" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 5:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655b8bb4-375e-11dc-be07-806e6f6e6963}]
AutoRun\command- D:\autorun.exe
readme\command- notepad readme.txt
Setup\command- D:\install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac1c6111-5b12-11dc-aa8f-001b381ccf47}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-04 22:14:22 ------------
Attached Files: extra.txt (19.1 KB)
Posted by threehundred
#2, 08-07-2008, 09:40 PM
Registered User; Join Date: Nov 2007; Posts: 13; OS: Win XP Service Pack 2
Re: Possible Vundo Infection

Bump, please.
Posted by threehundred
#3, 08-09-2008, 11:21 AM, by sjb007
Analyst, Security Team; Join Date: Dec 2007; Location: Lincoln UK; Posts: 2,235; OS: Windows 7 Premium x64
Re: Possible Vundo Infection

Hi threehundred

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a computer from a workplace, then please advise your IT department of the issues of concern before proceeding past this point.

Please follow these directions in the order they are set out for you.

I do notice that your virus checker is showing as outdated; has your subscription to McAfee VirusScan expired?

Also, I see quite a few .bat files on your computer that are saved not with names but with numbers. Can I just ask, are these files that you yourself have created?

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and, for Windows XP users, install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Last edited by sjb007; 08-09-2008 at 11:26 AM.
#4, 08-10-2008, 02:45 PM
Registered User; Join Date: Nov 2007; Posts: 13; OS: Win XP Service Pack 2
Re: Possible Vundo Infection

The .bat files were not created by the user. Also, the antivirus has expired. Since she will be renewing, which antivirus would you suggest? I am unable to find McAfee anywhere on the computer to adjust settings like the firewall, etc. I do know it is there because it shows up in the Windows Security Center.

Below are the two logs requested:


ComboFix 08-08-10.01 - Holly 2008-08-10 16:21:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.346 [GMT -4:00]
Running from: C:\Users\Holly\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Holly\AppData\Roaming\macromedia\Flash Player\#SharedObjects\FRCTDF6G\interclick.com
C:\Users\Holly\AppData\Roaming\macromedia\Flash Player\#SharedObjects\FRCTDF6G\interclick.com\ud.sol
C:\Users\Holly\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Holly\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Users\Holly\ctfmon.exe
C:\Users\Holly\svchost.exe
C:\Users\Rett\AppData\Roaming\macromedia\Flash Player\#SharedObjects\6QDGRXES\interclick.com
C:\Users\Rett\AppData\Roaming\macromedia\Flash Player\#SharedObjects\6QDGRXES\interclick.com\ud.sol
C:\Users\Rett\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Rett\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-04 22:06 . 2008-08-04 22:06 <DIR> d-------- C:\Deckard
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\Users\All Users\TEMP
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\ProgramData\TEMP
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-04 17:06 . 2008-08-04 17:06 205,824 --a------ C:\Windows\System32\msoeacct.dll
2008-08-04 17:06 . 2008-08-04 17:06 87,040 --a------ C:\Windows\System32\msoert2.dll
2008-08-04 17:06 . 2008-08-04 17:06 39,424 --a------ C:\Windows\System32\ACCTRES.dll
2008-08-04 17:05 . 2008-08-04 17:05 2,923,520 --a------ C:\Windows\explorer.exe
2008-08-04 17:05 . 2008-08-04 17:05 714,240 --a------ C:\Windows\System32\timedate.cpl
2008-08-04 17:05 . 2008-08-04 17:05 704,000 --a------ C:\Windows\System32\PhotoScreensaver.scr
2008-08-04 17:05 . 2008-08-04 17:05 542,720 --a------ C:\Windows\System32\sysmain.dll
2008-08-04 17:05 . 2008-08-04 17:05 258,232 --a------ C:\Windows\System32\drivers\acpi.sys
2008-08-04 17:05 . 2008-08-04 17:05 28,344 --a------ C:\Windows\System32\drivers\battc.sys
2008-08-04 17:05 . 2008-08-04 17:05 24,064 --a------ C:\Windows\System32\wtsapi32.dll
2008-08-04 17:05 . 2008-08-04 17:05 20,920 --a------ C:\Windows\System32\drivers\compbatt.sys
2008-08-04 17:05 . 2008-08-04 17:05 14,208 --a------ C:\Windows\System32\drivers\CmBatt.sys
2008-08-04 17:04 . 2008-08-04 17:05 1,655,289 --a------ C:\Windows\System32\wlan.tmf
2008-08-04 17:04 . 2008-08-04 17:04 502,784 --a------ C:\Windows\System32\wlansvc.dll
2008-08-04 17:04 . 2008-08-04 17:04 297,984 --a------ C:\Windows\System32\wlansec.dll
2008-08-04 17:04 . 2008-08-04 17:04 290,816 --a------ C:\Windows\System32\wlanmsm.dll
2008-08-04 17:04 . 2008-08-04 17:04 67,584 --a------ C:\Windows\System32\wlanhlp.dll
2008-08-04 17:04 . 2008-08-04 17:04 47,104 --a------ C:\Windows\System32\wlanapi.dll
2008-08-04 17:03 . 2008-08-04 17:03 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-08-04 17:03 . 2008-08-04 17:03 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-08-04 17:02 . 2008-08-04 17:02 376,320 --a------ C:\Windows\System32\winsrv.dll
2008-08-04 17:02 . 2008-08-04 17:02 49,664 --a------ C:\Windows\System32\csrsrv.dll
2008-08-04 16:55 . 2008-08-04 16:56 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-08-04 16:55 . 2008-08-04 16:55 374,456 --a------ C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-08-04 16:55 . 2008-08-04 16:55 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-08-04 16:54 . 2008-08-04 16:54 414,208 --a------ C:\Windows\System32\msscp.dll
2008-08-04 16:53 . 2008-08-04 16:53 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-08-04 16:53 . 2008-08-04 16:53 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-08-04 16:53 . 2008-08-04 16:53 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-08-04 16:53 . 2008-08-04 16:53 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-08-04 16:53 . 2008-08-04 16:53 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-08-04 16:52 . 2008-08-04 16:52 396,800 --a------ C:\Windows\System32\MPSSVC.dll
2008-08-04 16:52 . 2008-08-04 16:52 392,192 --a------ C:\Windows\System32\FirewallAPI.dll
2008-08-04 16:52 . 2008-08-04 16:52 178,688 --a------ C:\Windows\System32\iphlpsvc.dll
2008-08-04 16:52 . 2008-08-04 16:52 86,016 --a------ C:\Windows\System32\icfupgd.dll
2008-08-04 16:52 . 2008-08-04 16:52 63,488 --a------ C:\Windows\System32\drivers\mpsdrv.sys
2008-08-04 16:52 . 2008-08-04 16:52 61,952 --a------ C:\Windows\System32\cmifw.dll
2008-08-04 16:52 . 2008-08-04 16:52 23,040 --a------ C:\Windows\System32\drivers\tunnel.sys
2008-08-04 16:52 . 2008-08-04 16:52 16,896 --a------ C:\Windows\System32\wfapigp.dll
2008-08-04 16:52 . 2008-08-04 16:52 15,360 --a------ C:\Windows\System32\drivers\TUNMP.SYS
2008-08-04 16:50 . 2008-08-04 16:50 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-08-04 16:50 . 2008-08-04 16:50 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-08-04 16:50 . 2008-08-04 16:50 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-08-04 16:50 . 2008-08-04 16:50 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-08-04 16:50 . 2008-08-04 16:50 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-08-04 16:50 . 2008-08-04 16:50 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-08-04 16:50 . 2008-08-04 16:50 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-08-04 16:50 . 2008-08-04 16:50 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-08-04 16:49 . 2008-08-04 16:49 1,191,936 --a------ C:\Windows\System32\msxml3.dll
2008-08-04 16:49 . 2008-08-04 16:49 224,768 --a------ C:\Windows\System32\drivers\usbport.sys
2008-08-04 16:49 . 2008-08-04 16:49 192,000 --a------ C:\Windows\System32\drivers\usbhub.sys
2008-08-04 16:49 . 2008-08-04 16:49 73,216 --a------ C:\Windows\System32\drivers\usbccgp.sys
2008-08-04 16:49 . 2008-08-04 16:49 38,400 --a------ C:\Windows\System32\drivers\usbehci.sys
2008-08-04 16:49 . 2008-08-04 16:49 23,040 --a------ C:\Windows\System32\drivers\usbuhci.sys
2008-08-04 16:49 . 2008-08-04 16:49 8,704 --a------ C:\Windows\System32\hcrstco.dll
2008-08-04 16:49 . 2008-08-04 16:49 8,704 --a------ C:\Windows\System32\hccoin.dll
2008-08-04 16:49 . 2008-08-04 16:49 5,888 --a------ C:\Windows\System32\drivers\usbd.sys
2008-08-04 16:49 . 2008-08-04 16:49 2,048 --a------ C:\Windows\System32\msxml3r.dll
2008-08-04 16:47 . 2008-08-04 16:47 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-08-04 16:47 . 2008-08-04 16:47 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-08-04 16:47 . 2008-08-04 16:47 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-08-04 16:47 . 2008-08-04 16:47 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-08-04 16:47 . 2008-08-04 16:47 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-08-04 16:45 . 2008-08-04 16:45 9,845,248 --a------ C:\Windows\System32\NlsData000a.dll
2008-08-04 16:45 . 2008-08-04 16:45 6,917,120 --a------ C:\Windows\System32\NlsLexicons0c1a.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0816.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0416.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0414.dll
2008-08-04 16:45 . 2008-08-04 16:45 2,641,408 --a------ C:\Windows\System32\NlsData000c.dll
2008-08-04 16:45 . 2008-08-04 16:45 2,340,864 --a------ C:\Windows\System32\NlsData000d.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData0c1a.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData081a.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData000f.dll
2008-08-04 16:45 . 2008-08-04 16:45 797,696 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-08-04 16:40 . 2008-08-04 16:40 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-08-04 16:37 . 2008-08-04 16:37 82,432 --a------ C:\Windows\System32\drivers\sdbus.sys
2008-08-04 16:37 . 2008-08-04 16:37 13,312 --a------ C:\Windows\System32\drivers\sffdisk.sys
2008-08-04 16:37 . 2008-08-04 16:37 12,800 --a------ C:\Windows\System32\drivers\sffp_sd.sys
2008-08-04 16:36 . 2008-08-04 16:36 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-08-04 16:35 . 2008-08-04 16:35 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-08-04 16:35 . 2008-08-04 16:35 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-08-04 16:35 . 2008-08-04 16:35 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-08-04 16:35 . 2008-08-04 16:35 2,048 --a------ C:\Windows\System32\asferror.dll
2008-08-04 16:34 . 2008-08-04 16:34 2,605,568 --a------ C:\Windows\System32\SLsvc.exe
2008-08-04 16:34 . 2008-08-04 16:34 566,784 --a------ C:\Windows\System32\SLCommDlg.dll
2008-08-04 16:34 . 2008-08-04 16:34 351,232 --a------ C:\Windows\System32\SLUI.exe
2008-08-04 16:34 . 2008-08-04 16:34 268,288 --a------ C:\Windows\System32\mcbuilder.exe
2008-08-04 16:34 . 2008-08-04 16:34 223,232 --a------ C:\Windows\System32\SLC.dll
2008-08-04 16:34 . 2008-08-04 16:34 186,368 --a------ C:\Windows\System32\SLLUA.exe
2008-08-04 16:34 . 2008-08-04 16:34 57,856 --a------ C:\Windows\System32\SLUINotify.dll
2008-08-04 16:34 . 2008-08-04 16:34 39,936 --a------ C:\Windows\System32\slcinst.dll
2008-08-04 16:34 . 2008-08-04 16:34 33,280 --a------ C:\Windows\System32\slwmi.dll
2008-08-04 16:33 . 2008-08-04 16:33 1,335,296 --a------ C:\Windows\System32\msxml6.dll
2008-08-04 16:33 . 2008-08-04 16:33 2,048 --a------ C:\Windows\System32\msxml6r.dll
2008-08-04 16:30 . 2008-08-04 16:30 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-08-04 16:30 . 2008-08-04 16:30 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-08-04 16:30 . 2008-08-04 16:30 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-08-04 16:30 . 2008-08-04 16:30 14,848 --a------ C:\Windows\System32\wshrm.dll
2008-08-04 16:29 . 2008-08-04 16:29 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-08-04 16:28 . 2008-08-04 16:28 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-08-04 16:28 . 2008-08-04 16:28 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-08-04 16:27 . 2008-08-04 16:27 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-08-04 16:27 . 2008-08-04 16:27 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-08-04 16:25 . 2008-08-04 16:25 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-08-04 16:25 . 2008-08-04 16:25 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-08-04 16:25 . 2008-08-04 16:25 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-08-04 16:25 . 2008-08-04 16:25 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-08-04 16:25 . 2008-08-04 16:25 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-08-04 16:24 . 2008-08-04 16:24 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-08-04 16:24 . 2008-08-04 16:24 152,576 --a------ C:\Windows\System32\imagehlp.dll
2008-08-04 16:24 . 2008-08-04 16:24 12,800 --a------ C:\Windows\System32\drivers\fs_rec.sys
2008-08-04 16:24 . 2008-08-04 16:24 5,120 --a------ C:\Windows\System32\wmi.dll
2008-08-04 16:19 . 2008-08-04 16:19 633,856 --a------ C:\Windows\System32\user32.dll
2008-08-04 16:19 . 2008-08-04 16:19 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-04 16:17 . 2008-08-04 16:17 750,080 --a------ C:\Windows\System32\qmgr.dll
2008-08-04 15:16 . 2008-08-04 15:16 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-08-04 15:16 . 2008-08-04 15:16 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-08-04 15:16 . 2008-08-04 15:16 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-08-04 15:16 . 2008-08-04 15:16 43,352 --a------ C:\Windows\System32\wups2.dll
2008-08-04 15:15 . 2008-08-04 15:15 549,720 --a------ C:\Windows\System32\wuapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 03:02 147,456 ----a-w C:\Users\Holly\vbzip10.dll
2008-08-05 03:02 --------- d-----w C:\Users\Holly\AppData\Roaming\LimeWire
2008-08-05 02:54 174 --sha-w C:\Program Files\desktop.ini
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Defender
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Calendar
2008-08-04 20:46 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-08-04 20:39 944,184 ----a-w C:\Windows\System32\winload.exe
2008-08-04 20:31 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-08-04 20:28 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-08-04 20:28 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-08-04 20:28 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-08-04 20:28 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-08-04 20:28 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-08-04 20:21 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-08-04 20:21 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-08-04 20:21 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-08-04 20:21 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-08-02 16:52 --------- d-----w C:\Program Files\LimeWire
2008-07-30 02:18 --------- d-----w C:\Users\Holly\AppData\Roaming\Move Networks
2008-07-30 02:18 --------- d-----w C:\Program Files\Yahoo!
2008-07-30 02:18 --------- d-----w C:\Program Files\Internet Offers
2008-07-30 02:18 --------- d-----w C:\Program Files\illiminable
2008-07-30 02:18 --------- d-----w C:\Program Files\Google
2008-07-30 02:18 --------- d-----w C:\Program Files\dvdSanta
2008-07-30 02:18 --------- d-----w C:\Program Files\DivX
2008-07-30 02:18 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-07-30 02:18 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-29 00:44 --------- d-----w C:\ProgramData\YAHOO
2008-07-26 00:45 --------- d-----w C:\Users\Rett\AppData\Roaming\LimeWire
2008-07-21 01:41 --------- d-----w C:\Users\Malorie\AppData\Roaming\LimeWire
2008-07-09 01:11 511 ----a-w C:\Users\Holly\977.bat
2008-07-06 12:28 510 ----a-w C:\Users\Holly\72.bat
2008-07-03 20:12 511 ----a-w C:\Users\Holly\213.bat
2008-01-29 23:39 74 ----a-w C:\Users\Holly\n.bat
2007-12-23 05:10 278,538 ----a-w C:\Users\Holly\Setup.exe
2007-05-24 01:14 262,144 ----a-w C:\ProgramData\ntuser.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 17:22 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-28 23:14 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-28 23:17 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-28 23:13 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 16:50 815104]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-12-16 05:41 188416]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 11:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 19:06 421888]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 20:14 34352]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 08:34 176128]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 13:57 3784704 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Users\Malorie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-06-18 14:46:56 147456]

C:\Users\Rett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-06-18 14:46:56 147456]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BE72CEC1-CAAF-493B-B075-5EBBA76BF2A2}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C116E19A-60C0-47F9-9BAB-6C6BDEF5E836}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{09557353-EFED-4298-969C-3C4C6C8EA901}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{324F5534-C43A-436A-86BA-0C03D963A787}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6E2A9832-E68C-4705-A52B-17DC1BF8AAF4}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E0DBAB60-E7BB-45D0-AD3A-9408E83A63CB}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{E0A1D70A-3A58-4566-B004-8C8C889E7BEB}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 09:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 09:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 09:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655b8bb4-375e-11dc-be07-806e6f6e6963}]
\shell\AutoRun\command - D:\autorun.exe
\shell\readme\command - notepad readme.txt
\shell\Setup\command - D:\install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac1c6111-5b12-11dc-aa8f-001b381ccf47}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Host Process - C:\Users\Holly\svchost.exe
HKCU-Run-LSA Shellu - C:\Users\Holly\lsass.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Holly\AppData\Roaming\Mozilla\Firefox\Profiles\9qs3b3m9.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 16:26:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????q??R??????^?8?^?p?^???^???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 16:28:37
ComboFix-quarantined-files.txt 2008-08-10 20:28:33

Pre-Run: 41,113,829,376 bytes free
Post-Run: 41,352,093,696 bytes free

280 --- E O F --- 2008-08-08 05:38:28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:11 PM, on 8/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6716 bytes
Old 08-11-2008, 09:59 AM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64


Re: Possible Vundo Infection

Hi there threehundred

Regarding antivirus software, a good free antivirus program to start with is AntiVir®. If you are looking for paid solutions then you may wish to check out Smart Security by ESET, which has a good reputation and comes complete with its own firewall; you can try this product on trial before purchasing.

I want to take a closer look at a couple of the bat files by running a further scan for me.

I would ask that you use Internet Explorer if possible.
Navigate to either Virus Total -> http://www.virustotal.com/en/indexf.html or Jottis -> http://virusscan.jotti.org/
Click on the browse/choose button and navigate to the following filepath below:

C:\Users\Holly\996.bat

Once you have found the file, click on the send button. You may be placed in a queue; please be patient until your results are back.
Copy and paste the results to a text file, save them to a secure location, and post them as a reply in your next post.

Please repeat the procedure for the following files below:
C:\Users\Holly\213.bat
C:\Users\Holly\n.bat

Download and scan with CCleaner lite
1. Double-click the file and install CCleaner.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post back the results along with the result from virustotal/jotti.
Also update me on how things are running.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
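To go with the VirusTotal step above, here is a local check a helper can run against a pasted text report of the kind that appears later in this thread. It is added example code, not code from the thread, from VirusTotal or from Jotti. It verifies that the MD5/SHA1/SHA256 printed in the report match the file that is actually on disk (so the right file was uploaded) and lists which engines flagged it; the sample file, the detection name and the report text in `demo()` are constructed for the example, while the report layout follows the plain-text format quoted in this thread.

```python
"""Added example (not code from the thread, VirusTotal or Jotti): local checks
around a pasted VirusTotal-style text report.  Two things a helper wants to
know before reading a verdict: (1) the hashes in the report match the file
on disk, i.e. the right file was uploaded, and (2) how many engines flagged
it and under what name.  The sample file, detection name and report text in
demo() are constructed; the layout follows the format quoted in the thread."""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")


def file_hashes(path):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} (hex) for the file at path."""
    digests = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def parse_report(text):
    """Parse the 'Antivirus Version Last Update Result' table and the
    'Additional information' block of a VirusTotal text report."""
    engines, hashes, size, in_table = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Antivirus Version Last Update Result"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            # <engine> <version...> <last update> <result>; "-" means not detected
            tokens = line.split()
            if len(tokens) >= 3:
                engines.append({"engine": tokens[0],
                                "version": " ".join(tokens[1:-2]),
                                "update": tokens[-2],
                                "result": tokens[-1]})
            continue
        m = re.match(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$", line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = re.match(r"^File size:\s*(\d+)\s*bytes", line)
        if m:
            size = int(m.group(1))
    return {"engines": engines, "hashes": hashes, "size": size}


def detections(report):
    """(engine, name) pairs for every engine whose result column is not '-'."""
    return [(e["engine"], e["result"]) for e in report["engines"] if e["result"] != "-"]


def report_matches_file(report, path):
    """True when every hash printed in the report equals the local file's hash.
    A mismatch means the report describes a different file than the one on disk."""
    local = file_hashes(path)
    reported = report["hashes"]
    return bool(reported) and all(local[a] == reported[a] for a in reported)


def demo():
    """Build a constructed sample file and a matching report, then run both checks."""
    sample = Path(tempfile.mkdtemp()) / "sample.bat"  # constructed, not a file from the thread
    sample.write_bytes(b"@echo off\r\necho constructed sample\r\n")
    h = file_hashes(sample)
    # Constructed report; engine names/versions copied from the layout in the thread,
    # the detection name is a placeholder.
    report_text = f"""
Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 HEUR/Example.Constructed
Prevx1 V2 2008.08.12 -
Symantec 10 2008.08.12 -
Additional information
File size: {sample.stat().st_size} bytes
MD5...: {h['md5']}
SHA1..: {h['sha1']}
SHA256: {h['sha256']}
PEiD..: -
"""
    report = parse_report(report_text)
    return {"engines": len(report["engines"]),
            "detections": detections(report),
            "hashes_match": report_matches_file(report, sample),
            "size_ok": report["size"] == sample.stat().st_size}


if __name__ == "__main__":
    print(demo())
```

In practice you would point `file_hashes()` at the file you are about to upload and `parse_report()` at the text you pasted back from the scanner; a hash mismatch is the first thing to rule out before trusting an all-clear result, and a short `detections()` list tells you at a glance which engine names to look up.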
Old 08-12-2008, 09:39 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

I installed the free Avira Antivir program and it immediately found this:

File: C:\Users\Holly\Setup.exe

Trojan: TR/Agent.VB.AQC

I did an update of the Antivir software and ran a scan; it started finding thousands of files in a folder that I do not think exists. Each of the files found was a zip file, and they were named after different downloadable programs and thousands of different movie titles. I ended up stopping the scan as it had already been running 2 hours and it was basically naming every movie or piece of software in alphabetical order and had only made it to the C's.

After getting Kaspersky finally to download and start scanning, it scanned for a very long time working constantly. I tried to save the report, but it would not let me save it ANYWHERE on the computer. I tried 20 or so different places. Viewing the report, it looks as though it is the huge list that the antivir scan was finding (tons of programs and movie names in zip format). Since I could not get the Kaspersky scan to save, I have included an excerpt from the beginning of the Antivir scan to the point where it starts listing the programs and movies (the list was way too long to post).

The computer is running, and seems to be working a little better than prior to working with you on it. I really appreciate your help on it.


The following are the 3 virustotal scans of the 3 bat files you requested. After that is the Avira Antivir scan log file.



C:\Users\Holly\996.bat

Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.12 -
AVG 8.0.0.156 2008.08.12 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.12 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.12 -
eTrust-Vet 31.6.6027 2008.08.12 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 -
Fortinet 3.14.0.0 2008.08.12 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3349 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.12 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.3.0.3.046 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.12.1333 2008.08.12 -
VirusBuster 4.5.11.0 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.12 -
Additional information
File size: 511 bytes
MD5...: eb47c78e926d9ae9e95583fbdcf604ef
SHA1..: 8fcf3a9fca4921bf9e0a6f2102ef41ef4f901af2
SHA256: 8aedb9c8a1863c588226a82b5be4786952fd202762df004704f2cce1668ffd43
SHA512: 2a8a5b8482908fb899ca7f49cc877676e31911b117bbaa807ff92d3d5bd1b5db
05009ce281e69fef1522f5392d1f8be228191a7ad473b71ffc49807c62377c7e
PEiD..: -
PEInfo: -

C:\Users\Holly\213.bat


Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.12 -
AVG 8.0.0.156 2008.08.12 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.12 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.12 -
eTrust-Vet 31.6.6027 2008.08.12 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 -
F-Secure 7.60.13501.0 2008.08.12 -
Fortinet 3.14.0.0 2008.08.12 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3349 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.12 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.3.0.3.046 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.12.1333 2008.08.12 -
VirusBuster 4.5.11.0 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.12 -
Additional information
File size: 511 bytes
MD5...: 468207fe4a6f00c1b58f7284543634f6
SHA1..: 8c99fdd39c766c71e9acb0324edf3c0b4b492e37
SHA256: 78aa64072225a9e187bf40c2323f2ea179dbf25adc80eb1ba289e47cb45c4f68
SHA512: 6e6de6a41da5664c194e94cc30b0b9aca9c6183a90fbe86a524bbd8dcc56c81d
e97d7b75780bc718509808ee094ea6dc303b91ff317ab42261c4cc1ef65a42d6
PEiD..: -
PEInfo: -




C:\Users\Holly\n.bat



Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.12 -
AVG 8.0.0.156 2008.08.12 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.12 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.12 -
eTrust-Vet 31.6.6027 2008.08.12 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 -
F-Secure 7.60.13501.0 2008.08.12 -
Fortinet 3.14.0.0 2008.08.12 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3349 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.12 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.3.0.3.046 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.12.1333 2008.08.12 -
VirusBuster 4.5.11.0 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.12 -
Additional information
File size: 74 bytes
MD5...: 5600501da82eb973d1a5f9d97fd6c6cb
SHA1..: f73315037e5f772bde3f8be459602263d5fad453
SHA256: ca0db7693585e51c8a2c631c7035c37bf97f69afc03a0f3d2988b68beb3594b5
SHA512: 33323e46bcfea888c4ab9cd8fda57468a88ef175a2701465f3f9606151848381
61d189a312115413e5d22db3f8c08c44d2e4e9434cfa0d6eefaa79acf1e98b24
PEiD..: -
PEInfo: -


Scan from Antivir
Avira AntiVir Personal
Report file date: Tuesday, August 12, 2008 13:46

Scanning for 1549254 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows Vista
Windows version: (plain) [6.0.6000]
Boot mode: Normally booted
Username: SYSTEM
Computer name: HOLLY-PC

Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 7/11/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.5.207 2316800 Bytes 8/4/2008 17:42:53
ANTIVIR3.VDF : 7.0.6.2 258560 Bytes 8/12/2008 17:42:55
Engineversion : 8.1.1.19
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 14:46:50
AESCRIPT.DLL : 8.1.0.63 311673 Bytes 8/12/2008 17:43:10
AESCN.DLL : 8.1.0.23 119156 Bytes 8/12/2008 17:43:09
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/12/2008 17:43:07
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 8/12/2008 17:43:05
AEHEUR.DLL : 8.1.0.47 1368437 Bytes 8/12/2008 17:43:04
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 14:46:50
AEGEN.DLL : 8.1.0.35 315764 Bytes 8/12/2008 17:43:01
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/12/2008 17:42:59
AECORE.DLL : 8.1.1.8 172406 Bytes 8/12/2008 17:42:58
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/12/2008 17:42:56
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, August 12, 2008 13:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'SearchFilterHost.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'VSSVC.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ieuser.exe' - '1' Module(s) have been scanned
Scan process 'Ivpsvmgr.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'PresentationFontCache.exe' - '1' Module(s) have been scanned
Scan process 'CFSwMgr.exe' - '1' Module(s) have been scanned
Scan process 'SynToshiba.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'TOSCDSPD.exe' - '1' Module(s) have been scanned
Scan process 'wpcumi.exe' - '1' Module(s) have been scanned
Scan process 'TCrdMain.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPwrMain.exe' - '1' Module(s) have been scanned
Scan process 'KeNotify.exe' - '1' Module(s) have been scanned
Scan process 'NDSTray.exe' - '1' Module(s) have been scanned
Scan process 'ltmoh.exe' - '1' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ULCDRSvr.exe' - '1' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned
Scan process 'TosCoSrv.exe' - '1' Module(s) have been scanned
Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned
Scan process 'swupdtmr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'pinger.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
68 processes with 68 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\' <SQ004508V01>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\aoafowrq.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4902cd00.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\avtqpojy.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4915cd1b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\awtsTMEv.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4915cd22.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\byXNeFxX.dll
[DETECTION] Is the TR/Monder.31232 Trojan
[NOTE] The file was moved to '48f9cd28.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\cbXQjhGx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f9cd16.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ddcDWPjg.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4904cd19.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\dlvthukk.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4917cd21.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\efcbBQHW.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4904cd1b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\fecgmvfy.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4904cd1a.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\gebAromm.dll
[DETECTION] Is the TR/Monder.31232 Trojan
[NOTE] The file was moved to '4903cd1b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\geBrpmno.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48e3cd1b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\hhckqeqj.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4904cd1e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\hncjteab.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4904cd25.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\hwasvfpw.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4902cd2e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\iifcBuUo.dll
[DETECTION] Is the TR/Monderb.AA Trojan
[NOTE] The file was moved to '4907cd20.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\iifebCUO.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4907cd21.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ikibevvi.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '490acd23.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\imvawgmm.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4917cd25.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ipawgrxm.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4902cd28.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ireyveqf.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4906cd2b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\itvandac.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4917cd2d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ixikiact.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490acd31.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\jkkJcBsp.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '490ccd25.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\jpmvaeak.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490ecd2a.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\leadbpee.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4902cd1f.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\mftiqadj.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4915cd21.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\mlJBQHYQ.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48ebcd27.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\okmpccuj.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490ecd26.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\oqbvcwdc.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4903cd2d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\pjeocknb.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4906cd26.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\pmnMdDww.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '490fcd29.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\porpqwtm.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4913cd2c.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\qoMdCVPJ.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48eecd2c.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\qoMeEVnN.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4c30202d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\qpxfwayk.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4919cd2d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\rmqfqskm.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4912cd2b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\skebfspl.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4906cd29.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\snbbxnxb.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4ddd202e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ssqOHbCR.dll
[DETECTION] Is the TR/Monder.31232 Trojan
[NOTE] The file was moved to '4912cd32.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\ssqRLEUO.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dcc2033.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmfjqokr.dll
[DETECTION] Is the TR/Agent.vpx Trojan
[NOTE] The file was moved to '4907cd2d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012a3a
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd2d.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012b92
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dcf202e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012d08
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd2f.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012d75
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd2e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012e8e
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dcf202f.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00012ecc
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4de39baf.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00013062
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd30.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000131c9
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4de39bb0.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000131e8
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd31.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00013217
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4de39bb2.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000133eb
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184e9.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp0001381f
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd32.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000139c4
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184eb.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000139d4
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc18341.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00013a51
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184ea.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00013de9
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd33.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp000167d6
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184ec.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp0001a42a
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd34.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp0002c189
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184ed.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00048af0
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4911cd36.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\tmp00170c8e
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc184ef.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\urqNDVml.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4912cd38.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\urqomlKA.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4dc284e1.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\urqPjIyx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4912cd3a.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\vrpfvlgw.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4911cd39.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\vtuSLfFW.dll
[DETECTION] Is the TR/Monder.31232 Trojan
[NOTE] The file was moved to '4916cd3b.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\wgsvtdtb.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4914cd2e.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\whekumha.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4906cd30.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\xgyvmvro.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '491acd2f.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\xydxnljk.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '4905cd41.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\yvqpkudn.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4912cd3f.qua'!
C:\QooBox\Quarantine\C\Users\Holly\ctfmon.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4907cfed.qua'!
C:\QooBox\Quarantine\C\Users\Holly\svchost.exe.vir
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '4904cfef.qua'!
C:\Users\Holly\a.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '491bcfdb.qua'!
C:\Users\Holly\'\#1 DVD Audio Ripper 1.2.50.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '48c1cfe0.qua'!
C:\Users\Holly\'\#1 DVD Audio Ripper 1.2.54.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '4a449d41.qua'!
C:\Users\Holly\'\#1 DVD Ripper 4.0.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '48c1cfe2.qua'!
C:\Users\Holly\'\#1 DVD Ripper 6.2.4.zip
[0] Archive type: ZIP
--> Setup.exe
threehundred is offline  
Old 08-13-2008, 08:50 AM   #7 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64

Re: Possible Vundo Infection

Hi there threehundred

Most of what AntiVir found is already in quarantine by DSS. Five other files which were found by AntiVir were placed in AntiVir's quarantine. The bat files appear to be clean.

As you had problems with the Kaspersky scan, I want you to try a different scan.

Go here to run an online scanner from ESET.
Note: -> You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
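Added example, not part of this thread and not Avira's, DSS's or ComboFix's code: a Python triage script that reads Avira detection lines like the ones posted above and separates hits inside an earlier tool's backup or quarantine tree (the DSS backup under C:\Deckard\System Scanner\..., ComboFix's C:\QooBox\Quarantine, both prefixes taken from the paths in the log) from hits in live locations, which is the check behind the reply above. The sample log text is a constructed excerpt of the log in this thread.

```python
"""Triage of Avira AntiVir scan-log detections by location.

Added example for this thread; not Avira, DSS or forum code. It
reads the "[DETECTION] ... [NOTE] The file was moved to ..." lines
that Avira writes under "Starting the file scan:" and separates hits
inside another tool's backup/quarantine tree (the DSS backup under
C:\Deckard\System Scanner\..., ComboFix's C:\QooBox\Quarantine) from
hits in live locations. The prefixes below are taken from the paths
in the log above; the sample lines are a constructed excerpt of it.
"""
import re
from collections import Counter

# Folders where an earlier cleanup tool parked copies of files it removed.
# A detection there is a stale copy, not a file that still runs.
QUARANTINE_PREFIXES = (
    "c:\\deckard\\system scanner\\",   # DSS backup tree
    "c:\\qoobox\\quarantine\\",        # ComboFix quarantine
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a scanned file path
MEMBER_RE = re.compile(r"^-->\s+(.+)$")                  # member inside an archive
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+Is the (\S+)")
NOTE_RE = re.compile(r"^\[NOTE\]\s+The file was moved to '([^']+)'")


def parse_avira_log(text):
    """One dict per detection: path, archive member (or None), signature, quarantine file."""
    hits = []
    path = member = None
    for raw in text.splitlines():
        line = raw.strip()              # Avira indents these lines; the forum paste did not
        if PATH_RE.match(line):
            path, member = line, None
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and path:
            hits.append({"path": path, "member": member, "signature": m.group(1), "qua": None})
            continue
        m = NOTE_RE.match(line)
        if m and hits and hits[-1]["qua"] is None:
            hits[-1]["qua"] = m.group(1)
    return hits


def is_stale_copy(path):
    """True when the file sits in a backup/quarantine tree of an earlier tool."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def summarize(hits):
    """Split detections into stale copies and live files; count signatures."""
    live = [h for h in hits if not is_stale_copy(h["path"])]
    return {
        "total": len(hits),
        "stale": len(hits) - len(live),
        "live": len(live),
        "live_paths": [h["path"] for h in live],
        "by_signature": Counter(h["signature"] for h in hits),
    }


# Constructed excerpt of the Avira log posted in this thread.
SAMPLE_LOG = r"""Starting the file scan:

Begin scan in 'C:\' <SQ004508V01>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\awtsTMEv.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4915cd22.qua'!
C:\Deckard\System Scanner\20080810162959\backup\Users\Holly\AppData\Local\Temp\aoafowrq.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4902cd00.qua'!
C:\QooBox\Quarantine\C\Users\Holly\svchost.exe.vir
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '4904cfef.qua'!
C:\Users\Holly\a.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Agent.VB.AQC Trojan
[NOTE] The file was moved to '491bcfdb.qua'!
"""

if __name__ == "__main__":
    s = summarize(parse_avira_log(SAMPLE_LOG))
    print(f"{s['total']} detections: {s['stale']} stale copies, {s['live']} live")
    for p in s["live_paths"]:
        print("  live:", p)
```

Run it as a script to print the split, or call parse_avira_log() on a saved AVSCAN report. Whatever is still in a live location (here C:\Users\Holly\a.zip) is what still needs attention; the stale copies only tell you what the earlier tool had already pulled out of the way.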
Old 08-17-2008, 05:44 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

I am having a lot of trouble getting any of these scans to complete. There are SO MANY threats found that IE locks up before the scan completes. I finally got the ESET scan to complete and the log file is 9,259 KB. Trying to paste it here wouldn't work as it would freeze up IE or firefox each time I tried. I've added the HJT log file and need to know how I should post this ESET scan log file because it is huge.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:53 PM, on 8/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8024 bytes
threehundred is offline  
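Added example, not part of this thread and not HijackThis code: a Python pass over HJT log lines that pulls out the O4, O10, O20 and O23 entries and flags the ones an analyst reads by hand. The sample lines are copied from the HJT log above, except the [example] Run entry, which is constructed so the Temp-folder rule has something to fire on; the flag names are this script's own. A flag means "verify", not "malicious": in this log the bare-name O4 entries (RtHDVCpl.exe, NDSTray.exe) also appear with full paths in the running-process list, the LSP is Vista's Parental Controls wpclsp.dll, and the AppInit DLL belongs to Google Desktop.

```python
"""Reviewing HijackThis (HJT) log entries that need a human look.

Added example for this thread; not HijackThis code. It parses the
O4 (Run keys), O10 (Winsock LSP), O20 (AppInit_DLLs) and O23
(services) lines and flags what an analyst checks by hand: an
autostart given as a bare file name (resolved through the search
path, so the log alone does not say which file runs), an autostart
launched out of a Temp folder, every LSP and AppInit_DLLs entry
(system-wide injection points), and a service with no vendor string.
A flag means "verify", not "malicious".
"""
import re

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23_PREFIX = "O23 - Service: "
# Quoted program path, or everything up to the first ".exe" (paths may contain spaces).
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.I)


def executable_of(cmd):
    """The program a Run-key command line starts, without its arguments."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """One dict per entry: section, item, target, flags (empty when nothing stood out)."""
    findings = []
    seen_lsp = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            exe = executable_of(cmd)
            flags = []
            if "\\" not in exe:
                flags.append("bare-name")
            if "\\temp\\" in cmd.lower():
                flags.append("temp-dir")
            findings.append({"section": "O4", "item": m.group("name"), "target": cmd, "flags": flags})
            continue
        m = O10_RE.match(line)
        if m:
            path = m.group("path").lower()
            if path in seen_lsp:          # HJT lists the same LSP DLL once per Winsock catalog entry
                continue
            seen_lsp.add(path)
            findings.append({"section": "O10", "item": path, "target": path, "flags": ["lsp"]})
            continue
        m = O20_RE.match(line)
        if m:
            findings.append({"section": "O20", "item": "AppInit_DLLs", "target": m.group("value"), "flags": ["appinit"]})
            continue
        if line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)   # the display name may itself contain " - "
            if len(parts) != 3:
                continue
            name, owner, path = parts
            flags = ["unknown-owner"] if owner.lower() == "unknown owner" else []
            findings.append({"section": "O23", "item": name, "target": path, "flags": flags})
    return findings


def review(text):
    """Only the entries carrying at least one flag."""
    return [f for f in parse_hjt(text) if f["flags"]]


# All lines are copied from the HJT log in this thread except the [example]
# entry, which is constructed so the Temp-folder rule has a case to fire on.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKCU\..\Run: [example] rundll32.exe "C:\Users\Holly\AppData\Local\Temp\example.dll",x
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

if __name__ == "__main__":
    for f in review(SAMPLE_HJT):
        print(f"{f['section']:4} {', '.join(f['flags']):22} {f['item']} -> {f['target']}")
```

Feed review() the whole log rather than the excerpt and you get the short list worth looking up: each bare-name autostart gets matched against the running-process paths, each unknown-owner service gets its binary checked, and the LSP and AppInit entries get identified before anything is removed, since a broken LSP chain or a missing AppInit DLL can take networking or every GUI process down with it.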
Old 08-18-2008, 01:06 AM   #9 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64

Re: Possible Vundo Infection

Hi there

Can you add the scan as an attachment, or break the scan up over two posts?
sjb007 is offline  
Old 08-18-2008, 11:54 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

I had to put the txt file in a zip file to compress it. It's attached.
Attached Files
File Type: zip log.zip (523.4 KB, 3 views)
threehundred is offline  
Old 08-18-2008, 04:42 PM   #11 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64

Re: Possible Vundo Infection

Howdy there threehundred

Good work in getting the scans to me

I want you to repeat the scan with ESET Online scanner but this time I want to change the scan settings and let ESET deal with the threats itself.

Go here to run an online scanner from ESET.
Note: -> You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is checked and the option Scan unwanted applications is checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log (as a zip file if need be) as a reply to this topic, along with a fresh HJT log.

Keep me updated on how things are running.
sjb007 is offline  
Old 08-20-2008, 04:59 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

I am unable to get the ESET scan to complete. I have tried six times and each time takes about 3-4 hours and then IE just stalls out. Is there something else I can try?
threehundred is offline  
Old 08-21-2008, 02:43 AM   #13 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64

Re: Possible Vundo Infection

Hi there

Let's try a different scanner.

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.
Follow the directions on the F-Secure page for proper installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click "Install ActiveX component".
* Read the license agreement and click "Accept".
* Click "Full System Scan" to download the scanning components and begin the scan and cleaning.
* When the scan completes, click the "I want to decide item by item" button.
* For each item found, select "Disinfect" and click "Next".
* When done, click the "Show Report" button, then copy and paste the entire report into your next reply.
Old 08-23-2008, 07:16 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

Scanning Report
Saturday, August 23, 2008 17:54:03 - 21:15:58

Computer name: HOLLY-PC
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 15 malware found
TrackingCookie.Adbrite (spyware)

* System

TrackingCookie.Adrevolver (spyware)

* System

TrackingCookie.Adtech (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Mediaplex (spyware)

* System

TrackingCookie.Questionmarket (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

TrackingCookie.Specificclick (spyware)

* System

TrackingCookie.Statcounter (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Vundo.gen38 (virus)

* C:\DECKARD\SYSTEM SCANNER\20080810162959\BACKUP\USERS\HOLLY\APPDATA\LOCAL\TEMP\JDAQITFM.INI (Submitted)

W32/Malware (virus)

* C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE (Submitted)

Statistics
Scanned:

* Files: 70098
* System: 4463
* Not scanned: 16

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 15
* Submitted: 2

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-23
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-08-22

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Old 08-24-2008, 07:54 AM   #15 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64


Re: Possible Vundo Infection

Hi there threehundred

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Code:
Dirlook::
C:\Users\Holly\'
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log
If your computer does not reboot on completion, reboot it now, then generate and post this log back in your next reply.
Old 08-24-2008, 04:52 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

Another huge log file. I had to zip it and attach it.
Attached Files
File Type: zip cflog.zip (539.2 KB, 1 views)
Old 08-25-2008, 02:21 AM   #17 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64


Re: Possible Vundo Infection

Hi there threehundred

Great work in getting the logs to me. We can now remove the items with ComboFix; the list of deletions in this next log may force you to post the results as a zip once again.

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Code:
File::
C:\Users\Holly\vbzip10.dll

Folder::
C:\Users\Holly\'
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log
If your computer does not reboot on completion, reboot it now and generate a fresh HJT log.

Please post back with:
-> the log from combofix
-> HJT log
-> Also inform me on how things are running now
Old 08-25-2008, 01:18 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

The laptop seems to be running better, although I haven't done a lot of surfing on it. Here is the HJT log and attached is a zip of the ComboFix log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:46 PM, on 8/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\explorer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7943 bytes
Attached Files
File Type: zip cflog.zip (349.5 KB, 1 views)
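The HJT log above is read by hand in this thread; as an added example (not HijackThis's own code, nor the thread's), here is a small Python triage script that parses lines in that format and lists the entries an analyst would check first: Run entries given as a bare file name, Run binaries outside the expected program roots, Winsock LSP DLLs that HijackThis could not identify and how many times they are chained, AppInit_DLLs, and services with an unknown owner. The sample input is a constructed subset of the log's own lines, and EXPECTED_PREFIXES is an assumption about where autostart binaries normally live on this system; flagged entries are items to verify, not verdicts.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the lines from the HijackThis log posted
# above, kept in the exact format HijackThis writes (this is not the full log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\\..\\Run: [IgfxTray] C:\\Windows\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\\..\\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\\..\\Run: [TPwrMain] %ProgramFiles%\\TOSHIBA\\Power Saver\\TPwrMain.EXE
O4 - HKLM\\..\\Run: [Media Codec Update Service] C:\\Program Files\\Essentials Codec Pack\\update.exe -silent
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O23 - Service: pinger - Unknown owner - C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\\Program Files\\Toshiba\\Power Saver\\TosCoSrv.exe
"""

# Section-prefixed lines: "O4 - HKLM\..\Run: [Name] command", "O10 - ...", "R1 - ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# Executable part of a Run command: a quoted path, or an unquoted path up to the
# first recognised executable extension (so unquoted paths with spaces survive).
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|dll|scr|com|bat|cmd)))(?:\s|$)', re.I)
# Assumption: on this Vista laptop, autostart binaries are expected under these roots.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "%programfiles%\\")


def parse_entries(log_text):
    """Yield (section, body) for every section-prefixed line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def executable_of(command):
    """Return the executable path of a Run command, or None if it cannot be parsed."""
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def triage(log_text):
    """Group the entries worth a second look; these are items to verify, not verdicts."""
    findings = {"bare_name": [], "unusual_path": [], "lsp": [],
                "appinit": [], "unknown_owner": []}
    lsp_counts = Counter()
    for section, body in parse_entries(log_text):
        if section == "O4":
            m = O4_RE.match(body)
            if not m:  # e.g. "Global Startup: x.lnk = ..." lines have no [Name]
                continue
            name, exe = m.group("name"), executable_of(m.group("command"))
            if exe is None:
                findings["unusual_path"].append(f"{name}: unparsable {m.group('command')!r}")
            elif "\\" not in exe:
                # A bare file name is resolved through the search path at logon.
                findings["bare_name"].append(f"{name}: {exe}")
            elif not exe.lower().startswith(EXPECTED_PREFIXES):
                findings["unusual_path"].append(f"{name}: {exe}")
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            lsp_counts[body.split(": ", 1)[1].lower()] += 1
        elif section == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings["appinit"].append(body)
        elif section == "O23" and " - Unknown owner - " in body:
            svc = body.split(" - Unknown owner - ", 1)[0]
            findings["unknown_owner"].append(
                svc[len("Service: "):] if svc.startswith("Service: ") else svc)
    for dll, n in lsp_counts.items():
        findings["lsp"].append(f"{dll} (chained {n} times)")
    return findings


def report(log_text):
    """Render the findings as plain text, one category per block."""
    lines = []
    for key, notes in triage(log_text).items():
        lines.append(f"{key}: {len(notes)}")
        lines.extend("  " + note for note in notes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```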
Old 08-25-2008, 01:36 PM   #19 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,235
OS: Windows 7 Premium x64


Re: Possible Vundo Infection

Howdy there

Things are looking much better now. Just one entry left over to deal with.

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655b8bb4-375e-11dc-be07-806e6f6e6963}]
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log
Paste this log in your next reply
Old 08-25-2008, 06:49 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 13
OS: Win XP Service Pack 2


Re: Possible Vundo Infection

ComboFix 08-08-24.03 - Holly 2008-08-25 20:01:34.4 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.357 [GMT -4:00]
Running from: C:\Users\Holly\Desktop\ComboFix.exe
Command switches used :: C:\Users\Holly\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-23 17:47 . 2008-08-23 17:47 <DIR> d-------- C:\fsaua.data
2008-08-15 13:31 . 2008-08-16 23:31 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-14 03:03 . 2008-07-15 19:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 18:30 . 2008-04-10 01:01 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 18:30 . 2008-04-09 22:43 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-08-12 15:54 . 2008-08-12 15:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-12 13:51 . 2008-08-12 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-08-12 13:27 . 2008-08-12 13:27 <DIR> d-------- C:\Users\All Users\Avira
2008-08-12 13:27 . 2008-08-12 13:27 <DIR> d-------- C:\ProgramData\Avira
2008-08-12 13:27 . 2008-08-12 13:27 <DIR> d-------- C:\Program Files\Avira
2008-08-10 16:34 . 2008-08-10 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 22:06 . 2008-08-04 22:06 <DIR> d-------- C:\Deckard
2008-08-04 22:02 . 2008-08-04 22:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\Users\All Users\TEMP
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\ProgramData\TEMP
2008-08-04 21:55 . 2008-08-04 21:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-04 17:06 . 2008-08-04 17:06 205,824 --a------ C:\Windows\System32\msoeacct.dll
2008-08-04 17:06 . 2008-08-04 17:06 87,040 --a------ C:\Windows\System32\msoert2.dll
2008-08-04 17:06 . 2008-08-04 17:06 39,424 --a------ C:\Windows\System32\ACCTRES.dll
2008-08-04 17:05 . 2008-08-04 17:05 2,923,520 --a------ C:\Windows\explorer.exe
2008-08-04 17:05 . 2008-08-04 17:05 714,240 --a------ C:\Windows\System32\timedate.cpl
2008-08-04 17:05 . 2008-08-04 17:05 704,000 --a------ C:\Windows\System32\PhotoScreensaver.scr
2008-08-04 17:05 . 2008-08-04 17:05 542,720 --a------ C:\Windows\System32\sysmain.dll
2008-08-04 17:05 . 2008-08-04 17:05 258,232 --a------ C:\Windows\System32\drivers\acpi.sys
2008-08-04 17:05 . 2008-08-04 17:05 28,344 --a------ C:\Windows\System32\drivers\battc.sys
2008-08-04 17:05 . 2008-08-04 17:05 24,064 --a------ C:\Windows\System32\wtsapi32.dll
2008-08-04 17:05 . 2008-08-04 17:05 20,920 --a------ C:\Windows\System32\drivers\compbatt.sys
2008-08-04 17:05 . 2008-08-04 17:05 14,208 --a------ C:\Windows\System32\drivers\CmBatt.sys
2008-08-04 17:04 . 2008-08-04 17:05 1,655,289 --a------ C:\Windows\System32\wlan.tmf
2008-08-04 17:04 . 2008-08-04 17:04 502,784 --a------ C:\Windows\System32\wlansvc.dll
2008-08-04 17:04 . 2008-08-04 17:04 297,984 --a------ C:\Windows\System32\wlansec.dll
2008-08-04 17:04 . 2008-08-04 17:04 290,816 --a------ C:\Windows\System32\wlanmsm.dll
2008-08-04 17:04 . 2008-08-04 17:04 67,584 --a------ C:\Windows\System32\wlanhlp.dll
2008-08-04 17:04 . 2008-08-04 17:04 47,104 --a------ C:\Windows\System32\wlanapi.dll
2008-08-04 17:03 . 2008-08-04 17:03 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-08-04 17:03 . 2008-08-04 17:03 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-08-04 17:02 . 2008-08-04 17:02 376,320 --a------ C:\Windows\System32\winsrv.dll
2008-08-04 17:02 . 2008-08-04 17:02 49,664 --a------ C:\Windows\System32\csrsrv.dll
2008-08-04 16:55 . 2008-08-04 16:56 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-08-04 16:55 . 2008-08-04 16:55 374,456 --a------ C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-08-04 16:55 . 2008-08-04 16:55 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-08-04 16:54 . 2008-08-04 16:54 414,208 --a------ C:\Windows\System32\msscp.dll
2008-08-04 16:53 . 2008-08-04 16:53 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-08-04 16:53 . 2008-08-04 16:53 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-08-04 16:53 . 2008-08-04 16:53 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-08-04 16:53 . 2008-08-04 16:53 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-08-04 16:53 . 2008-08-04 16:53 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-08-04 16:52 . 2008-08-04 16:52 396,800 --a------ C:\Windows\System32\MPSSVC.dll
2008-08-04 16:52 . 2008-08-04 16:52 392,192 --a------ C:\Windows\System32\FirewallAPI.dll
2008-08-04 16:52 . 2008-08-04 16:52 178,688 --a------ C:\Windows\System32\iphlpsvc.dll
2008-08-04 16:52 . 2008-08-04 16:52 86,016 --a------ C:\Windows\System32\icfupgd.dll
2008-08-04 16:52 . 2008-08-04 16:52 63,488 --a------ C:\Windows\System32\drivers\mpsdrv.sys
2008-08-04 16:52 . 2008-08-04 16:52 61,952 --a------ C:\Windows\System32\cmifw.dll
2008-08-04 16:52 . 2008-08-04 16:52 23,040 --a------ C:\Windows\System32\drivers\tunnel.sys
2008-08-04 16:52 . 2008-08-04 16:52 16,896 --a------ C:\Windows\System32\wfapigp.dll
2008-08-04 16:52 . 2008-08-04 16:52 15,360 --a------ C:\Windows\System32\drivers\TUNMP.SYS
2008-08-04 16:50 . 2008-08-04 16:50 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-08-04 16:50 . 2008-08-04 16:50 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-08-04 16:50 . 2008-08-04 16:50 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-08-04 16:50 . 2008-08-04 16:50 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-08-04 16:50 . 2008-08-04 16:50 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-08-04 16:50 . 2008-08-04 16:50 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-08-04 16:50 . 2008-08-04 16:50 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-08-04 16:50 . 2008-08-04 16:50 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-08-04 16:49 . 2008-08-04 16:49 1,191,936 --a------ C:\Windows\System32\msxml3.dll
2008-08-04 16:49 . 2008-08-04 16:49 224,768 --a------ C:\Windows\System32\drivers\usbport.sys
2008-08-04 16:49 . 2008-08-04 16:49 192,000 --a------ C:\Windows\System32\drivers\usbhub.sys
2008-08-04 16:49 . 2008-08-04 16:49 73,216 --a------ C:\Windows\System32\drivers\usbccgp.sys
2008-08-04 16:49 . 2008-08-04 16:49 38,400 --a------ C:\Windows\System32\drivers\usbehci.sys
2008-08-04 16:49 . 2008-08-04 16:49 23,040 --a------ C:\Windows\System32\drivers\usbuhci.sys
2008-08-04 16:49 . 2008-08-04 16:49 8,704 --a------ C:\Windows\System32\hcrstco.dll
2008-08-04 16:49 . 2008-08-04 16:49 8,704 --a------ C:\Windows\System32\hccoin.dll
2008-08-04 16:49 . 2008-08-04 16:49 5,888 --a------ C:\Windows\System32\drivers\usbd.sys
2008-08-04 16:49 . 2008-08-04 16:49 2,048 --a------ C:\Windows\System32\msxml3r.dll
2008-08-04 16:47 . 2008-08-04 16:47 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-08-04 16:47 . 2008-08-04 16:47 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-08-04 16:47 . 2008-08-04 16:47 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-08-04 16:47 . 2008-08-04 16:47 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-08-04 16:47 . 2008-08-04 16:47 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-08-04 16:45 . 2008-08-04 16:45 9,845,248 --a------ C:\Windows\System32\NlsData000a.dll
2008-08-04 16:45 . 2008-08-04 16:45 6,917,120 --a------ C:\Windows\System32\NlsLexicons0c1a.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0816.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0416.dll
2008-08-04 16:45 . 2008-08-04 16:45 4,493,312 --a------ C:\Windows\System32\NlsData0414.dll
2008-08-04 16:45 . 2008-08-04 16:45 2,641,408 --a------ C:\Windows\System32\NlsData000c.dll
2008-08-04 16:45 . 2008-08-04 16:45 2,340,864 --a------ C:\Windows\System32\NlsData000d.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData0c1a.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData081a.dll
2008-08-04 16:45 . 2008-08-04 16:45 1,963,520 --a------ C:\Windows\System32\NlsData000f.dll
2008-08-04 16:45 . 2008-08-04 16:45 797,696 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-08-04 16:40 . 2008-08-04 16:40 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-08-04 16:37 . 2008-08-04 16:37 82,432 --a------ C:\Windows\System32\drivers\sdbus.sys
2008-08-04 16:37 . 2008-08-04 16:37 13,312 --a------ C:\Windows\System32\drivers\sffdisk.sys
2008-08-04 16:37 . 2008-08-04 16:37 12,800 --a------ C:\Windows\System32\drivers\sffp_sd.sys
2008-08-04 16:36 . 2008-08-04 16:36 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-08-04 16:35 . 2008-08-04 16:35 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-08-04 16:35 . 2008-08-04 16:35 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-08-04 16:35 . 2008-08-04 16:35 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-08-04 16:35 . 2008-08-04 16:35 2,048 --a------ C:\Windows\System32\asferror.dll
2008-08-04 16:34 . 2008-08-04 16:34 2,605,568 --a------ C:\Windows\System32\SLsvc.exe
2008-08-04 16:34 . 2008-08-04 16:34 566,784 --a------ C:\Windows\System32\SLCommDlg.dll
2008-08-04 16:34 . 2008-08-04 16:34 351,232 --a------ C:\Windows\System32\SLUI.exe
2008-08-04 16:34 . 2008-08-04 16:34 268,288 --a------ C:\Windows\System32\mcbuilder.exe
2008-08-04 16:34 . 2008-08-04 16:34 223,232 --a------ C:\Windows\System32\SLC.dll
2008-08-04 16:34 . 2008-08-04 16:34 186,368 --a------ C:\Windows\System32\SLLUA.exe
2008-08-04 16:34 . 2008-08-04 16:34 57,856 --a------ C:\Windows\System32\SLUINotify.dll
2008-08-04 16:34 . 2008-08-04 16:34 39,936 --a------ C:\Windows\System32\slcinst.dll
2008-08-04 16:34 . 2008-08-04 16:34 33,280 --a------ C:\Windows\System32\slwmi.dll
2008-08-04 16:33 . 2008-08-04 16:33 1,335,296 --a------ C:\Windows\System32\msxml6.dll
2008-08-04 16:33 . 2008-08-04 16:33 2,048 --a------ C:\Windows\System32\msxml6r.dll
2008-08-04 16:30 . 2008-08-04 16:30 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-08-04 16:30 . 2008-08-04 16:30 14,848 --a------ C:\Windows\System32\wshrm.dll
2008-08-04 16:29 . 2008-08-04 16:29 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-08-04 16:28 . 2008-08-04 16:28 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-08-04 16:28 . 2008-08-04 16:28 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-08-04 16:27 . 2008-08-04 16:27 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-08-04 16:27 . 2008-08-04 16:27 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-08-04 16:25 . 2008-08-04 16:25 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-08-04 16:25 . 2008-08-04 16:25 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-08-04 16:25 . 2008-08-04 16:25 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-08-04 16:25 . 2008-08-04 16:25 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-08-04 16:25 . 2008-08-04 16:25 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-08-04 16:24 . 2008-08-04 16:24 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-08-04 16:24 . 2008-08-04 16:24 152,576 --a------ C:\Windows\System32\imagehlp.dll
2008-08-04 16:24 . 2008-08-04 16:24 12,800 --a------ C:\Windows\System32\drivers\fs_rec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 07:10 --------- d-----w C:\Program Files\Windows Mail
2008-08-12 18:03 --------- d-----w C:\Program Files\Java
2008-08-05 03:02 --------- d-----w C:\Users\Holly\AppData\Roaming\LimeWire
2008-08-05 02:54 174 --sha-w C:\Program Files\desktop.ini
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Defender
2008-08-05 02:49 --------- d-----w C:\Program Files\Windows Calendar
2008-08-04 20:46 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-08-04 20:39 944,184 ----a-w C:\Windows\System32\winload.exe
2008-08-04 20:31 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-08-04 20:28 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-08-04 20:28 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-08-02 16:52 --------- d-----w C:\Program Files\LimeWire
2008-07-30 02:18 --------- d-----w C:\Users\Holly\AppData\Roaming\Move Networks
2008-07-30 02:18 --------- d-----w C:\Program Files\Yahoo!
2008-07-30 02:18 --------- d-----w C:\Program Files\Internet Offers
2008-07-30 02:18 --------- d-----w C:\Program Files\illiminable
2008-07-30 02:18 --------- d-----w C:\Program Files\Google
2008-07-30 02:18 --------- d-----w C:\Program Files\dvdSanta
2008-07-30 02:18 --------- d-----w C:\Program Files\DivX
2008-07-30 02:18 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-07-30 02:18 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-29 00:44 --------- d-----w C:\ProgramData\YAHOO
2008-07-26 00:45 --------- d-----w C:\Users\Rett\AppData\Roaming\LimeWire
2008-07-21 01:41 --------- d-----w C:\Users\Malorie\AppData\Roaming\LimeWire
2008-07-21 00:08 511 ----a-w C:\Users\Holly\470.bat
2008-07-20 23:53 77 ----a-w C:\Users\Holly\7463.bat
2008-07-20 00:03 511 ----a-w C:\Users\Holly\547.bat
2008-07-19 23:42 77 ----a-w C:\Users\Holly\5678.bat
2008-07-12 14:40 511 ----a-w C:\Users\Holly\674.bat
2008-07-12 13:09 511 ----a-w C:\Users\Holly\230.bat
2008-07-12 12:13 511 ----a-w C:\Users\Holly\873.bat
2008-07-12 02:34 511 ----a-w C:\Users\Holly\112.bat
2008-07-10 17:19 0 ----a-w C:\Users\Rett\jagex_runescape_preferences.dat
2008-07-09 01:11 511 ----a-w C:\Users\Holly\977.bat
2008-07-06 12:28 510 ----a-w C:\Users\Holly\72.bat
2008-07-03 20:12 511 ----a-w C:\Users\Holly\213.bat
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-06-12 06:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 06:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-12 01:21 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-01-29 23:39 74 ----a-w C:\Users\Holly\n.bat
2007-05-24 01:14 262,144 ----a-w C:\ProgramData\ntuser.dat
.

((((((((((((((((((((((((((((( snapshot_2008-08-24_18.30.30.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-19 04:31:59 1,050,448 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-08-25 16:23:39 1,050,448 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-08-19 04:32:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-25 16:24:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-19 04:32:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-25 16:24:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-19 04:43:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-08-25 16:35:17 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-08-19 04:43:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-08-25 16:35:12 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-08-24 17:30:23 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-25 16:25:21 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-24 17:30:23 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-25 16:25:21 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-24 17:30:23 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-25 16:25:21 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-24 22:23:41 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-25 17:40:09 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-08-19 04:37:53 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-25 16:29:35 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-19 04:37:53 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-25 16:29:35 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-10 20:41:56 5,260 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-684929981-777704919-1356835805-1000_UserData.bin
+ 2008-08-24 22:49:14 5,524 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-684929981-777704919-1356835805-1000_UserData.bin
- 2008-08-10 20:41:56 56,718 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 22:49:13 56,982 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-11 02:40:55 48,712 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 22:49:12 49,836 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 17:22 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-28 23:14 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-28 23:17 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-28 23:13 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 16:50 815104]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-12-16 05:41 188416]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 11:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 19:06 421888]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 20:14 34352]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 08:34 176128]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 13:57 3784704 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Users\Malorie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-06-18 14:46:56 147456]

C:\Users\Rett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-06-18 14:46:56 147456]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BE72CEC1-CAAF-493B-B075-5EBBA76BF2A2}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C116E19A-60C0-47F9-9BAB-6C6BDEF5E836}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{09557353-EFED-4298-969C-3C4C6C8EA901}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{324F5534-C43A-436A-86BA-0C03D963A787}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6E2A9832-E68C-4705-A52B-17DC1BF8AAF4}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E0DBAB60-E7BB-45D0-AD3A-9408E83A63CB}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{E0A1D70A-3A58-4566-B004-8C8C889E7BEB}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 09:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 09:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 09:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac1c6111-5b12-11dc-aa8f-001b381ccf47}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 20:04:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????q??R??????^?8?^?p?^???^???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 20:05:55
ComboFix-quarantined-files.txt 2008-08-26 00:05:49
ComboFix2.txt 2008-08-25 19:04:16
ComboFix3.txt 2008-08-24 22:31:19
ComboFix4.txt 2008-08-10 20:28:38

Pre-Run: 43,879,002,112 bytes free
Post-Run: 43,748,134,912 bytes free

304 --- E O F --- 2008-08-20 04:13:26
Copyright 2001 - 2009, Tech Support Forum