Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 10-30-2008, 09:56 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 5
OS: WinXP SrvcPk 3


trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Approximately 3-4 days ago I started receiving a message across the screen every 15 mins or so. It looks like a Windows Firewall alert message but I noticed that a few words in the display are misspelled like Your as in "your computer" is spelled Tour and instead of Firewall it says Frewall. The alert tells me that I have a Trojan-Keylogger.Win32.fung virus or spyware worm and that it will take screenshots and keylog my info. I'm getting pissed. It keeps popping up and I have no idea what to do. I have run Avira and SpyBot but...nothing.

It reads like this:

Windows Security Alert
To help protect tour computer, Windows Frewall has blocked activity of harmful software

Do you want to block suspocious software?
Name: Trojan-Keylogger.WIN32.FUNG
Risk Level: High
Description: Fung is a Spyware program that records keystrokes and takes screen shots of the computer
********

So, I followed some instructions and created this scan(s)
Hope this helps!!!

_________________________

Logfile of random's system information tool 1.04 (written by random/random)
Run by Dolly boushey at 2008-10-30 11:33:19
Microsoft Windows XP Professional Service Pack 3
System drive C: has 29 GB (75%) free of 38 GB
Total RAM: 511 MB (26% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:33 AM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dolly boushey\Application Data\Google\mupd1_2_1165664.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\DOLLYB~1\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Documents and Settings\Dolly boushey\Desktop\RSIT.exe
C:\Program Files\trend micro\Dolly boushey.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [asus32] "C:\Documents and Settings\Dolly boushey\Application Data\Google\mupd1_2_1165664.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199830544906
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OneStepSearch Service - Unknown owner - C:\Program Files\OneStep\onestep.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6350 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-01-08 4866048]
"nwiz"=nwiz.exe /installquiet []
"SigmaTel StacMon"=C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe [2004-04-29 90169]
"Broadcom Wireless Manager UI"=C:\WINDOWS\System32\WLTRAY.exe [2005-12-19 1347584]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"iPrint Tray"=C:\WINDOWS\system32\iprntctl.exe [2007-09-06 40960]
"iPrint Event Monitor"=C:\WINDOWS\system32\iprntlgn.exe [2007-09-06 45056]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"asus32"=C:\Documents and Settings\Dolly boushey\Application Data\Google\mupd1_2_1165664.exe [2008-10-29 98304]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\Dolly boushey\Start Menu\Programs\Startup
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b00d0e90-c2e4-11dc-8e2d-000f1f23261f}]
shell\AutoRun\command - E:\


======List of files/folders created in the last 1 months======

2008-10-30 11:33:20 ----D---- C:\Program Files\trend micro
2008-10-30 11:33:19 ----D---- C:\rsit
2008-10-30 11:20:47 ----A---- C:\WINDOWS\gmer.ini
2008-10-30 11:20:45 ----RA---- C:\WINDOWS\gmer.exe
2008-10-30 11:20:45 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-10-30 11:20:45 ----A---- C:\WINDOWS\gmer.dll
2008-10-30 03:52:57 ----D---- C:\Program Files\Avira
2008-10-30 03:52:57 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-30 03:41:16 ----D---- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-30 03:04:40 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-30 03:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 17:48:49 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-29 02:01:19 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Google
2008-10-26 05:15:55 ----D---- C:\Program Files\Bonjour
2008-10-26 05:14:55 ----D---- C:\Program Files\QuickTime
2008-10-26 05:13:27 ----D---- C:\Program Files\Apple Software Update
2008-10-26 03:39:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-10-26 03:38:48 ----A---- C:\WINDOWS\system32\javaws.exe
2008-10-26 03:38:48 ----A---- C:\WINDOWS\system32\javaw.exe
2008-10-26 03:38:48 ----A---- C:\WINDOWS\system32\java.exe
2008-10-26 03:29:52 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-10-26 03:28:54 ----D---- C:\WINDOWS\Prefetch
2008-10-26 03:26:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-26 03:26:05 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-26 03:25:56 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-26 03:25:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-26 03:25:39 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-26 03:25:30 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-10-26 03:25:22 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-10-26 03:25:15 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-10-26 03:25:07 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-10-26 03:24:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-26 03:24:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-10-26 03:24:42 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-10-26 03:24:35 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-10-26 03:24:29 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-10-26 03:24:23 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-10-26 03:17:13 ----D---- C:\WINDOWS\system32\scripting
2008-10-26 03:17:10 ----D---- C:\WINDOWS\l2schemas
2008-10-26 03:17:08 ----D---- C:\WINDOWS\system32\en
2008-10-26 03:07:27 ----D---- C:\WINDOWS\network diagnostic
2008-10-24 02:29:30 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Mozilla
2008-10-23 21:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB958644_0$
2008-10-23 05:23:51 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Move Networks
2008-10-23 03:50:14 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-10-23 03:49:59 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-10-23 03:49:58 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-10-23 03:49:39 ----N---- C:\WINDOWS\system32\setupn.exe
2008-10-23 03:49:32 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-10-23 03:49:30 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-10-23 03:49:28 ----N---- C:\WINDOWS\system32\qutil.dll
2008-10-23 03:49:25 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-10-23 03:49:25 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-10-23 03:49:25 ----N---- C:\WINDOWS\system32\qagent.dll
2008-10-23 03:49:18 ----N---- C:\WINDOWS\system32\onex.dll
2008-10-23 03:49:04 ----N---- C:\WINDOWS\system32\napstat.exe
2008-10-23 03:49:03 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-10-23 03:49:03 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-10-23 03:49:01 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-10-23 03:49:01 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-10-23 03:48:57 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-10-23 03:48:57 ----N---- C:\WINDOWS\system32\mssha.dll
2008-10-23 03:48:31 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-10-23 03:48:30 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-10-23 03:48:29 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-10-23 03:48:29 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-10-23 03:48:13 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-10-23 03:48:11 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-10-23 03:48:10 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-10-23 03:48:10 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-10-23 03:48:10 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-10-23 03:48:10 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-10-23 03:47:52 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-10-23 03:47:52 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-10-23 03:47:31 ----A---- C:\WINDOWS\006018_.tmp
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-10-23 03:47:28 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-10-23 03:47:22 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-10-23 03:47:20 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-10-23 03:47:20 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-10-23 03:47:19 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-10-23 03:47:15 ----N---- C:\WINDOWS\system32\credssp.dll
2008-10-23 03:47:04 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-10-23 03:47:04 ----N---- C:\WINDOWS\system32\azroles.dll
2008-10-23 03:46:48 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-10-23 01:12:44 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
2008-10-23 01:12:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-23 01:12:23 ----HDC---- C:\WINDOWS\$NtUninstallKB957095_0$
2008-10-23 01:11:22 ----HDC---- C:\WINDOWS\$NtUninstallKB954211_0$
2008-10-23 01:10:53 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
2008-10-13 19:42:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-10-13 19:42:04 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-10-13 19:41:53 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-10-13 19:41:42 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-10-13 19:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-10-13 19:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-10-13 19:40:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-10-13 19:40:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-13 19:40:10 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-10-13 19:38:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-10-13 19:38:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-10-13 19:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
2008-10-13 19:37:20 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
2008-10-13 19:36:55 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2008-10-10 16:22:23 ----D---- C:\Program Files\OneStep

======List of files/folders modified in the last 1 months======

2008-10-30 11:33:20 ----RD---- C:\Program Files
2008-10-30 11:20:47 ----D---- C:\WINDOWS
2008-10-30 11:20:45 ----D---- C:\WINDOWS\system32\drivers
2008-10-30 10:40:34 ----D---- C:\Program Files\Mozilla Firefox
2008-10-30 10:29:22 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\OpenOffice.org2
2008-10-30 10:29:07 ----D---- C:\WINDOWS\Temp
2008-10-30 04:37:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-30 03:42:15 ----D---- C:\WINDOWS\system32
2008-10-30 03:39:49 ----SD---- C:\Documents and Settings\Dolly boushey\Application Data\Microsoft
2008-10-30 02:53:37 ----SHD---- C:\WINDOWS\Installer
2008-10-30 02:53:37 ----D---- C:\Program Files\Common Files
2008-10-29 16:08:35 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-29 02:02:19 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Identities
2008-10-29 02:02:19 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Apple Computer
2008-10-29 02:02:19 ----D---- C:\Documents and Settings\Dolly boushey\Application Data\Adobe
2008-10-28 03:17:12 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-10-27 04:13:22 ----D---- C:\WINDOWS\Microsoft.NET
2008-10-27 04:13:21 ----RSD---- C:\WINDOWS\assembly
2008-10-26 05:18:03 ----HD---- C:\WINDOWS\inf
2008-10-26 05:13:30 ----SD---- C:\WINDOWS\Tasks
2008-10-26 03:43:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-26 03:43:17 ----D---- C:\WINDOWS\WinSxS
2008-10-26 03:42:10 ----D---- C:\Program Files\Internet Explorer
2008-10-26 03:40:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-26 03:39:30 ----A---- C:\WINDOWS\imsins.BAK
2008-10-26 03:38:46 ----D---- C:\Program Files\Java
2008-10-26 03:35:06 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-26 03:29:58 ----A---- C:\WINDOWS\OEWABLog.txt
2008-10-26 03:29:22 ----A---- C:\WINDOWS\setuplog.txt
2008-10-26 03:28:20 ----D---- C:\WINDOWS\system32\Setup
2008-10-26 03:28:19 ----D---- C:\WINDOWS\AppPatch
2008-10-26 03:28:18 ----D---- C:\WINDOWS\system32\wbem
2008-10-26 03:28:16 ----RSD---- C:\WINDOWS\Fonts
2008-10-26 03:26:15 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-26 03:24:30 ----D---- C:\Program Files\Messenger
2008-10-26 03:23:56 ----D---- C:\WINDOWS\security
2008-10-26 03:18:24 ----D---- C:\WINDOWS\ServicePackFiles
2008-10-26 03:18:22 ----D---- C:\Program Files\Windows Media Player
2008-10-26 03:17:45 ----D---- C:\WINDOWS\system32\inetsrv
2008-10-26 03:17:44 ----D---- C:\WINDOWS\ime
2008-10-26 03:17:43 ----D---- C:\WINDOWS\Help
2008-10-26 03:17:16 ----D---- C:\WINDOWS\system32\en-US
2008-10-26 03:17:15 ----D---- C:\WINDOWS\system32\usmt
2008-10-26 03:17:08 ----D---- C:\WINDOWS\system32\bits
2008-10-26 03:17:08 ----D---- C:\WINDOWS\peernet
2008-10-26 03:17:07 ----D---- C:\Program Files\Movie Maker
2008-10-26 03:10:56 ----D---- C:\WINDOWS\system32\Restore
2008-10-26 03:10:56 ----D---- C:\WINDOWS\system32\npp
2008-10-26 03:10:56 ----D---- C:\WINDOWS\mui
2008-10-26 03:10:54 ----D---- C:\WINDOWS\msagent
2008-10-26 03:10:51 ----D---- C:\WINDOWS\srchasst
2008-10-26 03:10:49 ----D---- C:\Program Files\NetMeeting
2008-10-26 03:10:47 ----D---- C:\WINDOWS\system32\Com
2008-10-26 03:10:42 ----D---- C:\Program Files\Windows NT
2008-10-26 03:10:42 ----D---- C:\Program Files\Outlook Express
2008-10-26 03:10:37 ----D---- C:\Program Files\Common Files\System
2008-10-26 03:10:04 ----D---- C:\WINDOWS\system32\oobe
2008-10-26 03:10:01 ----D---- C:\WINDOWS\system
2008-10-26 03:05:57 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-10-26 03:05:45 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-10-26 03:00:25 ----D---- C:\WINDOWS\EHome
2008-10-24 06:13:21 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-23 04:02:57 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-23 04:00:49 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-23 04:00:36 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-10 16:48:52 ----D---- C:\WINDOWS\Debug
2008-10-07 12:19:42 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-03 12:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-06-27 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 nipplpt2;Novell iCapture Lpt Redirector 2; C:\WINDOWS\system32\drivers\nipplpt.sys [2007-09-06 34671]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-20 17217]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-15 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2004-05-12 258704]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-30 85969]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-30 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-30 151297]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2004-01-08 77824]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
S2 OneStepSearch Service;OneStepSearch Service; C:\Program Files\OneStep\onestep.exe C:\Program Files\OneStep\onestep.dll Service []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (7.6 KB, 3 views)
File Type: txt gmer.txt (1.2 KB, 5 views)
ryanpangle is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 10-30-2008, 10:38 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    Using Internet Explorer, Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.


    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.
    • See this link for a tutorial


  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus application is re-enabled. A reboot should have done this.

  8. Open HijackThis (C:\Program Files\trend micro\hijackthis.exe) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-30-2008, 07:41 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 5
OS: WinXP SrvcPk 3


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
I followed all of the instructions and here are posted replies:




ComboFix 08-10-30.09 - Nathan Espinoza 2008-10-30 21:31:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.189 [GMT -5:00]
Running from: C:\Documents and Settings\Dolly boushey\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dolly boushey\Application Data\Google\fwldpl.dll
C:\Documents and Settings\Dolly boushey\Application Data\Google\mupd1_2_1165664.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-31 )))))))))))))))))))))))))))))))
.

2008-10-30 11:33 . 2008-10-30 11:33 <DIR> d-------- C:\rsit
2008-10-30 11:33 . 2008-10-30 11:33 <DIR> d-------- C:\Program Files\trend micro
2008-10-30 11:20 . 2008-10-30 11:20 250 --a------ C:\WINDOWS\gmer.ini
2008-10-30 03:52 . 2008-10-30 03:52 <DIR> d-------- C:\Program Files\Avira
2008-10-30 03:52 . 2008-10-30 03:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-30 03:41 . 2008-10-30 03:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-30 03:04 . 2008-10-30 03:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-30 03:04 . 2008-10-30 03:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 17:48 . 2008-10-29 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-26 05:15 . 2008-10-26 05:15 <DIR> d-------- C:\Program Files\Bonjour
2008-10-26 05:14 . 2008-10-26 05:15 <DIR> d-------- C:\Program Files\QuickTime
2008-10-26 05:13 . 2008-10-26 05:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-26 03:29 . 2008-04-13 19:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-10-26 03:17 . 2008-10-26 03:17 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-26 03:17 . 2008-10-26 03:17 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-26 03:17 . 2008-10-26 03:17 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-23 20:10 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 05:23 . 2008-10-27 20:01 <DIR> d-------- C:\Documents and Settings\Dolly boushey\Application Data\Move Networks
2008-10-23 03:49 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-10-23 03:48 . 2008-04-13 19:10 844,314 -----c--- C:\WINDOWS\system32\dllcache\msdxm.ocx
2008-10-23 03:47 . 2008-04-13 19:12 695,808 -----c--- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-10-23 03:46 . 2008-04-13 19:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-10-23 03:46 . 2008-04-13 12:23 8,192 -----c--- C:\WINDOWS\system32\dllcache\asferror.dll
2008-10-22 18:54 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-22 18:53 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-22 18:53 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-22 18:53 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-22 18:53 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-22 18:53 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-10 16:34 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-10 16:31 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-10 16:30 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-10 16:25 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-10 16:22 . 2008-10-29 18:14 <DIR> d-------- C:\Program Files\OneStep
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-05 23:30 . 2008-09-05 23:30 241,704 -----c--- C:\WINDOWS\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 . 2008-09-05 23:29 917,032 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 01:36 --------- d-----w C:\Documents and Settings\Dolly boushey\Application Data\OpenOffice.org2
2008-10-29 07:02 --------- d-----w C:\Documents and Settings\Dolly boushey\Application Data\Apple Computer
2008-10-26 08:38 --------- d-----w C:\Program Files\Java
2008-10-23 09:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 15:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-01-08 4866048]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2005-12-19 1347584]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2007-09-06 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2007-09-06 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2004-01-08 C:\WINDOWS\system32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\Dolly boushey\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2007-09-06 34671]
S2 OneStepSearch Service;OneStepSearch Service;C:\Program Files\OneStep\onestep.exe C:\Program Files\OneStep\onestep.dll Service [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b00d0e90-c2e4-11dc-8e2d-000f1f23261f}]
\Shell\AutoRun\command - E:\

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dolly boushey\Application Data\Mozilla\Firefox\Profiles\qx50csdu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 21:32:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-30 21:34:21
ComboFix-quarantined-files.txt 2008-10-31 02:34:17

Pre-Run: 30,007,431,168 bytes free
Post-Run: 30,174,343,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

133 --- E O F --- 2008-10-26 08:26:20

__________________________________________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:12 PM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\trend micro\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199830544906
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OneStepSearch Service - Unknown owner - C:\Program Files\OneStep\onestep.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5635 bytes
ryanpangle is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-30-2008, 07:50 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

OneStepSearch 1.0

It's adware, or surreptitiously installed in most cases.

---------------------------------------------------------------------------------------------

Using Windows Explorer, or Windows Search, locate and delete the following:

C:\Program Files\OneStep

---------------------------------------------------------------------------------------------

Reboot, and post a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-31-2008, 11:13 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 5
OS: WinXP SrvcPk 3


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Thanks again....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:31 PM, on 10/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199830544906
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OneStepSearch Service - Unknown owner - C:\Program Files\OneStep\onestep.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5741 bytes
ryanpangle is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-31-2008, 11:39 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Go to Start>Run then copy and paste, or type the following, then press Enter:

sc stop "OneStepSearch Service"

Next.....

Go to Start>Run then copy and paste, or type the following, then press Enter:

sc delete "OneStepSearch Service"


---------------------------------------------------------------------------------------------

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and let me know how things are now. Also post a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-03-2008, 06:50 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 5
OS: WinXP SrvcPk 3


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Things seem wayyy better and I think this is helping me out alot. Thanks a million!!

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3576 (20081102)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=71624d2d291e3c4bba5a87ead36219e3
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-03 08:59:20
# local_time=2008-11-03 02:59:20 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=236150
# found=0
# scan_time=1714

____________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:42 AM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\trend micro\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199830544906
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5873 bytes
ryanpangle is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-03-2008, 07:49 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Clean Logs!

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java(TM) 6 Update 2

This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Leave Java(TM) 6 Update 7 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-03-2008, 09:27 AM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 5
OS: WinXP SrvcPk 3


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Everything is great and I am going to refer everyone I know that has problems to you guys!! You helped me so much and this computer is ready to rock. Thanx!!!
ryanpangle is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-03-2008, 09:50 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Re: trojan-keylogger.win32.fung...What the heck is this and how do I kill it?
Hi ryanpangle -

You're quite welcome for the help. I'm glad to hear things are much better, and we do appreciate the thoughts.

Do us a favor. Show your friends all the prevention tips we have here, so hopefully they will not need our assistance. Prevention is better than cure.

PC Safety and Security--What Do I Need?

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 03:09 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84