[SOLVED] Possible Trojan Vondu virus and slow performance.

Hokie76 · 12-03-2008, 04:21 PM

I'm not exactly sure what is causing my pc problems. My Norton anti-virus indicated my computer was infected with the Trojan Vondu virus. On my own, after reading the threads, I downloaded and used SDFix. Performance of my computer has increased. However, I'm now receiving pop-up messages for Winweb Secruity. These messages indicate a warning: "Your OC is still infected with dangerous viruses." I appreciate
your help and assistance.

DDS (Version 1.0) - NTFSx86
Run by Ben at 18:17:18.39 on Wed 12/03/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.397 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Rhapsody\rhapsody.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\830483350\582137331.exe
C:\DOCUME~1\BEND9K~1.003\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NDGM1AVD\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {656EC4B7-072B-4698-B504-2A414C1F0037} - c:\program files\embarq totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\16.1.0.33\IPSBHO.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: {cc51dbba-12d7-4365-b728-98c2e5db1811} - c:\windows\system32\tonoyisa.dll
BHO: {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SandIcon] c:\imagemate compactflash usb\SandIcon.Exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [pujukogiwa] Rundll32.exe "c:\windows\system32\widajuku.dll",s
mRun: [582137331] "c:\documents and settings\all users\application data\830483350\582137331.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\embarq totalaccess\accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\duwiwuse.dll c:\windows\system32\medemovo.dll,c:\windows\system32\puligote.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\puligote.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1001000.021\SYMEFA.SYS [2008-12-1 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\nav\1001000.021\BHDrvx86.sys [2008-12-1 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\nav\1001000.021\ccHPx86.sys [2008-12-1 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081201.001\IDSxpx86.sys [2008-12-2 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\norton antivirus\engine\16.1.0.33\ccsvchst.exe" /s "norton antivirus" /m "c:\program files\norton antivirus\engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-3-11 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-2 99376]
R3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081202.035\NAVENG.SYS [2008-12-3 89104]
R3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081202.035\NAVEX15.SYS [2008-12-3 876112]
R3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2006-12-11 37781]

=============== Created Last 30 ================

2008-12-03 18:07 198,740 a------- c:\windows\system32\ws.dll
2008-12-03 18:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\830483350
2008-12-03 17:30 <DIR> --d----- c:\windows\ERUNT
2008-12-03 17:26 <DIR> --d----- C:\SDFix
2008-12-03 16:01 <DIR> --d----- C:\VundoFix Backups
2008-12-02 07:06 1,333,445 ---sh--- c:\windows\system32\imigebeg.ini
2008-12-01 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-01 17:16 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:16 <DIR> --d----- c:\program files\Symantec
2008-12-01 17:16 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-01 17:16 <DIR> --d----- c:\windows\system32\drivers\NAV
2008-12-01 17:16 <DIR> --d----- c:\program files\Norton AntiVirus
2008-12-01 17:16 <DIR> --d----- c:\program files\NortonInstaller
2008-12-01 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-12-01 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-12-01 17:00 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-01 08:00 1,302,086 ---sh--- c:\windows\system32\ibipoyok.ini
2008-11-30 13:30 1,296,222 ---sh--- c:\windows\system32\igojoyuw.ini
2008-11-29 10:22 1,296,240 ---sh--- c:\windows\system32\ijolagup.ini
2008-11-29 09:52 1,296,231 ---sh--- c:\windows\system32\ujodadog.ini
2008-11-29 09:27 1,296,231 ---sh--- c:\windows\system32\okezisus.ini
2008-11-29 09:05 1,296,231 ---sh--- c:\windows\system32\uyezupab.ini
2008-11-29 08:42 1,296,231 ---sh--- c:\windows\system32\ijipodey.ini
2008-11-29 08:20 1,296,231 ---sh--- c:\windows\system32\oguloder.ini
2008-11-29 07:57 1,296,231 ---sh--- c:\windows\system32\edefibuj.ini
2008-11-29 07:35 1,296,231 ---sh--- c:\windows\system32\aherolav.ini
2008-11-29 07:12 1,296,240 ---sh--- c:\windows\system32\erubuzid.ini
2008-11-29 06:50 1,296,222 ---sh--- c:\windows\system32\agifumij.ini
2008-11-29 06:27 1,296,222 ---sh--- c:\windows\system32\ezowuwor.ini
2008-11-29 06:05 1,296,222 ---sh--- c:\windows\system32\italifel.ini
2008-11-29 05:42 1,296,222 ---sh--- c:\windows\system32\ijenafen.ini
2008-11-29 05:19 1,296,222 ---sh--- c:\windows\system32\edojoyis.ini
2008-11-29 04:57 1,296,222 ---sh--- c:\windows\system32\edulopem.ini
2008-11-29 04:34 1,296,222 ---sh--- c:\windows\system32\ateyanun.ini
2008-11-29 04:12 1,296,222 ---sh--- c:\windows\system32\ujigewuy.ini
2008-11-29 03:49 1,296,222 ---sh--- c:\windows\system32\idevuyal.ini
2008-11-29 03:27 1,296,222 ---sh--- c:\windows\system32\owuralam.ini
2008-11-29 03:04 1,296,222 ---sh--- c:\windows\system32\ewiniyon.ini
2008-11-29 02:42 1,296,222 ---sh--- c:\windows\system32\ovufarep.ini
2008-11-29 02:19 1,296,222 ---sh--- c:\windows\system32\uhogisiz.ini
2008-11-29 01:57 1,296,222 ---sh--- c:\windows\system32\azebelep.ini
2008-11-29 01:34 1,296,222 ---sh--- c:\windows\system32\ikejibut.ini
2008-11-28 07:21 1,632,016 ---sh--- c:\windows\system32\ominanoj.ini
2008-11-28 06:59 1,632,016 ---sh--- c:\windows\system32\ewofehiv.ini
2008-11-27 18:41 1,590,573 ---sh--- c:\windows\system32\ohuvumok.ini
2008-11-27 06:35 1,607,599 ---sh--- c:\windows\system32\arojivoj.ini
2008-11-26 19:55 <DIR> --d----- c:\program files\common files\Scanner
2008-11-26 19:55 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2008-11-26 08:49 1,607,608 ---sh--- c:\windows\system32\ubulajif.ini
2008-11-26 08:26 1,607,599 ---sh--- c:\windows\system32\abodemur.ini
2008-11-26 08:04 1,607,599 ---sh--- c:\windows\system32\iyarawif.ini
2008-11-26 07:41 1,607,599 ---sh--- c:\windows\system32\etopegog.ini
2008-11-26 07:18 1,607,599 ---sh--- c:\windows\system32\unevoriy.ini
2008-11-25 19:13 1,607,599 ---sh--- c:\windows\system32\udomowat.ini
2008-11-25 18:51 1,607,599 ---sh--- c:\windows\system32\uwofujow.ini
2008-11-25 18:28 1,607,599 ---sh--- c:\windows\system32\ozohagaf.ini
2008-11-25 18:06 1,607,599 ---sh--- c:\windows\system32\owijezoj.ini
2008-11-25 17:43 1,607,599 ---sh--- c:\windows\system32\ubeliler.ini
2008-11-23 04:47 1,593,394 ---sh--- c:\windows\system32\afiyuyev.ini
2008-11-08 12:30 25,277 a------- C:\logfile
2008-11-08 12:30 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-08 12:30 1,409 a------- c:\windows\QTFont.for
2008-11-08 12:23 <DIR> --d----- c:\windows\system32\BWKDLogs
2008-11-08 12:22 5,632 a------- c:\windows\system32\ptpusb.dll
2008-11-08 12:22 159,232 a------- c:\windows\system32\ptpusd.dll
2008-11-08 12:21 <DIR> --d----- c:\program files\common files\Kodak
2008-11-08 12:19 <DIR> --d----- c:\program files\Kodak
2008-11-08 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak

==================== Find3M ====================

2008-12-01 17:26 <DIR> --d----- c:\program files\common files\EarthLink
2008-12-01 17:15 <DIR> --d----- c:\program files\McAfee
2008-11-27 17:44 <DIR> --d----- c:\program files\I Will Pass!
2008-11-26 20:01 <DIR> --d----- c:\program files\Data Caching
2008-11-15 08:03 6,686 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-05 23:30 241,704 -------- c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 -------- c:\windows\system32\dllcache\WgaTray.exe
2008-01-15 22:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2008-01-01 14:58 <DIR> --d----- c:\docume~1\bend9k~1.003\applic~1\Earthlink
2007-12-30 17:10 <DIR> --d----- c:\docume~1\bend9k~1.003\applic~1\ScamBlocker
2007-03-11 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-08-07 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OrbNetworks
2006-08-07 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MotiveSysIDs
2004-08-11 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 18:17:53.28 ===============

Katana · 12-04-2008, 03:32 AM

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) .
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
Combofix Log
How are things running now ?

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Hokie76 · 12-04-2008, 04:48 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2

12/4/2008 6:08:06 PM
mbam-log-2008-12-04 (18-08-06).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 185867
Time elapsed: 59 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 108

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115174.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115192.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115263.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115169.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115172.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115178.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115186.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115189.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115194.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115198.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115201.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115204.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115213.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115228.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115231.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115248.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115252.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115254.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115257.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115262.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115811.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115812.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115813.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116519.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116520.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116521.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116579.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116580.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116581.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116603.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116604.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116608.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116609.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116610.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116612.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116613.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116618.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116621.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116622.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116605.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116641.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116659.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116677.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116625.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116633.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116635.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116636.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116638.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116639.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116640.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116642.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116643.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116645.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116646.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116647.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116648.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116650.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116653.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116655.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116656.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116658.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116662.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116663.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116664.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116665.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116666.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116668.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116669.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116670.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116672.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116676.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116679.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116681.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116682.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116683.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116685.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116686.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116687.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0117513.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

ComboFix

ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 20

42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-04 19:39:57
ComboFix-quarantined-files.txt 2008-12-05 00:39:55
ComboFix2.txt 2008-12-05 00:36:11
ComboFix3.txt 2008-12-04 23:49:42

Pre-Run: 142,339,633,152 bytes free
Post-Run: 142,325,522,432 bytes free

312 --- E O F --- 2008-12-03 22:57:03

Hi Katana,
Here is the combofix and malaware log. Your instructions also mentioned a new Hijackthislog. how do I create that? I completed the instructions, including new java and adobe. I'm still receiving winweb secruity pop-ups. I receive a small message in the bottom corner, and two large boxes that appear. One is a winweb system scan, and the other states "winweb security has blocked a program from accessing the web." I click the X and it asks "continue unprotected?" Thank you for your help.

Katana · 12-04-2008, 05:42 PM

Information

Quote:

Your instructions also mentioned a new Hijackthislog.

Don't worry about that yet :)

There are a lot of open ports on your machine, do you play a lot of online games or have several P2P programs ?
----------------------------------------------------------- -----------------------------------------------------------
Step 1

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/319876-possible-trojan-vondu-virus-slow-performance.html#post1838701
Comment:: Katana
Collect::[4]
c:\documents and settings\All Users\Application Data\830483350\582137331.exe
File::
c:\windows\Tasks\EasyShare Registration Task.job
Folder::
c:\documents and settings\All Users\Application Data\830483350
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"Share-to-Web Namespace Daemon"=-
"dscactivate"=-
"DellSupportCenter"=-
"582137331"=-
"SunJavaUpdateSched"=-
"Adobe Reader Speed Launcher"=-

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Combofix Log
Kaspersky Log
How are things running now ?

Hokie76 · 12-04-2008, 06:26 PM

No, I don't play any online games, and if I have to ask what PSP means, I guess that would answer your question. Person 2 person?
Under step one, I did not have the box in the right corner to click. However, I was able to complete part 2 and unclicked tea timer.

Under step 2, your instructions "A window will open asking you to ensure you are
connected to the internet, this is so a file can be submitted for analysis."
This did not occur. Within in the blue COmbofix box, as it completed and begin to produce the log, 2 error messages appeared in the box. Permission was denied. Do you need to know the exact detail of the messages?

I'm getting ready to proceed to step 3. Kaspersky Online Scanner. Should I wait?

Katana · 12-05-2008, 12:37 AM

You can continue with step 3, it is just a scan it doesn't actually do anything.

Hokie76 · 12-05-2008, 03:51 AM

Combofix log:

ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 20

42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-04 19:39:57
ComboFix-quarantined-files.txt 2008-12-05 00:39:55
ComboFix2.txt 2008-12-05 00:36:11
ComboFix3.txt 2008-12-04 23:49:42

Pre-Run: 142,339,633,152 bytes free
Post-Run: 142,325,522,432 bytes free

312 --- E O F --- 2008-12-03 22:57:03

Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 20:42:50
Records in database: 1436944
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - File:

Scan statistics:
Files scanned: 120789
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:18:44

File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

The selected area was scanned.

Things seem to be running better this morning. I let the scan finish overnight, and returned to it this morning. So far, I have not had any pop-ups from Winweb security. Overall performance seems to be improved. The computer is not as sluggish.

Katana · 12-05-2008, 04:07 AM

That looks like the same log from Combofix, please try again.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\windows\Tasks\EasyShare Registration Task.job
Folder::
c:\documents and settings\All Users\Application Data\830483350
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"Share-to-Web Namespace Daemon"=-
"dscactivate"=-
"DellSupportCenter"=-
"582137331"=-
"SunJavaUpdateSched"=-
"Adobe Reader Speed Launcher"=-

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Hokie76 · 12-05-2008, 02:12 PM

Katana: The following errors appeared in the Combofix blue box:

Access is denied
SED: can't read temp0A: no such file or directory
SED: can't read temp0D: no such file or directory
Temp00 The system cannot find the file specified.

ComboFix 08-12-05.02 - Ben 2008-12-05 16:57:19.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.558 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\windows\Tasks\EasyShare Registration Task.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 21:52 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 21:08 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 21:14 30,584 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 20

42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-05 02

20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_220.dat
+ 2008-12-05 02:07:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_554.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 17:02:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-05 17:07:03
ComboFix-quarantined-files.txt 2008-12-05 22:05:44
ComboFix2.txt 2008-12-05 02:11:16
ComboFix3.txt 2008-12-05 00:39:59
ComboFix4.txt 2008-12-05 00:36:11
ComboFix5.txt 2008-12-05 21:56:05

Pre-Run: 142,348,165,120 bytes free
Post-Run: 142,390,947,840 bytes free

296 --- E O F --- 2008-12-03 22:57:03

Katana · 12-05-2008, 03:06 PM

Right, let's sort out those open ports next.

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.

Code:

@echo off
MD C:\Katana
regedit /e C:\Katana\Restore-me.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List"
start notepad C:\Katana\Restore-me.reg
del /q %0
exit

Double click on look.bat
Please be patient, it won't take long.

Notepad will open, please copy/paste the results here.

Hokie76 · 12-05-2008, 03:31 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"8097:TCP"="8097:TCP:*:Enabled:EarthLink UHP Modem Support"
"50325:TCP"="50325:TCP:*:Enabled:PORT_50325"
"30721:TCP"="30721:TCP:*:Enabled:PORT_30721"
"5016:TCP"="5016:TCP:*:Enabled:PORT_5016"
"22321:TCP"="22321:TCP:*:Enabled:PORT_22321"
"44003:TCP"="44003:TCP:*:Enabled:PORT_44003"
"57743:TCP"="57743:TCP:*:Enabled:PORT_57743"
"13835:TCP"="13835:TCP:*:Enabled:PORT_13835"
"46899:TCP"="46899:TCP:*:Enabled:PORT_46899"
"34421:TCP"="34421:TCP:*:Enabled:PORT_34421"
"7923:TCP"="7923:TCP:*:Enabled:PORT_7923"
"28060:TCP"="28060:TCP:*:Enabled:PORT_28060"
"32550:TCP"="32550:TCP:*:Enabled:PORT_32550"
"22374:TCP"="22374:TCP:*:Enabled:PORT_22374"
"6577:TCP"="6577:TCP:*:Enabled:PORT_6577"
"15115:TCP"="15115:TCP:*:Enabled:PORT_15115"
"27977:TCP"="27977:TCP:*:Enabled:PORT_27977"
"48243:TCP"="48243:TCP:*:Enabled:PORT_48243"
"41892:TCP"="41892:TCP:*:Enabled:PORT_41892"
"50432:TCP"="50432:TCP:*:Enabled:PORT_50432"
"20058:TCP"="20058:TCP:*:Enabled:PORT_20058"
"17521:TCP"="17521:TCP:*:Enabled:PORT_17521"
"22666:TCP"="22666:TCP:*:Enabled:PORT_22666"
"16478:TCP"="16478:TCP:*:Enabled:PORT_16478"
"30830:TCP"="30830:TCP:*:Enabled:PORT_30830"
"30024:TCP"="30024:TCP:*:Enabled:PORT_30024"
"22241:TCP"="22241:TCP:*:Enabled:PORT_22241"
"40438:TCP"="40438:TCP:*:Enabled:PORT_40438"
"60954:TCP"="60954:TCP:*:Enabled:PORT_60954"
"64148:TCP"="64148:TCP:*:Enabled:PORT_64148"
"48662:TCP"="48662:TCP:*:Enabled:PORT_48662"
"36843:TCP"="36843:TCP:*:Enabled:PORT_36843"
"54641:TCP"="54641:TCP:*:Enabled:PORT_54641"
"10132:TCP"="10132:TCP:*:Enabled:PORT_10132"
"20449:TCP"="20449:TCP:*:Enabled:PORT_20449"
"13578:TCP"="13578:TCP:*:Enabled:PORT_13578"
"29263:TCP"="29263:TCP:*:Enabled:PORT_29263"
"34815:TCP"="34815:TCP:*:Enabled:PORT_34815"
"26258:TCP"="26258:TCP:*:Enabled:PORT_26258"
"43890:TCP"="43890:TCP:*:Enabled:PORT_43890"
"22058:TCP"="22058:TCP:*:Enabled:PORT_22058"
"42261:TCP"="42261:TCP:*:Enabled:PORT_42261"
"45445:TCP"="45445:TCP:*:Enabled:PORT_45445"
"8223:TCP"="8223:TCP:*:Enabled:PORT_8223"
"27791:TCP"="27791:TCP:*:Enabled:PORT_27791"
"28599:TCP"="28599:TCP:*:Enabled:PORT_28599"
"55149:TCP"="55149:TCP:*:Enabled:PORT_55149"
"11255:TCP"="11255:TCP:*:Enabled:PORT_11255"
"50103:TCP"="50103:TCP:*:Enabled:PORT_50103"
"9606:TCP"="9606:TCP:*:Enabled:PORT_9606"
"25969:TCP"="25969:TCP:*:Enabled:PORT_25969"
"31293:TCP"="31293:TCP:*:Enabled:PORT_31293"
"44015:TCP"="44015:TCP:*:Enabled:PORT_44015"
"19033:TCP"="19033:TCP:*:Enabled:PORT_19033"
"5566:TCP"="5566:TCP:*:Enabled:PORT_5566"
"8646:TCP"="8646:TCP:*:Enabled:PORT_8646"
"26640:TCP"="26640:TCP:*:Enabled:PORT_26640"
"52665:TCP"="52665:TCP:*:Enabled:PORT_52665"
"16839:TCP"="16839:TCP:*:Enabled:PORT_16839"
"64961:TCP"="64961:TCP:*:Enabled:PORT_64961"
"15420:TCP"="15420:TCP:*:Enabled:PORT_15420"
"22329:TCP"="22329:TCP:*:Enabled:PORT_22329"
"15908:TCP"="15908:TCP:*:Enabled:PORT_15908"
"41693:TCP"="41693:TCP:*:Enabled:PORT_41693"
"56559:TCP"="56559:TCP:*:Enabled:PORT_56559"
"37705:TCP"="37705:TCP:*:Enabled:PORT_37705"
"58418:TCP"="58418:TCP:*:Enabled:PORT_58418"
"39866:TCP"="39866:TCP:*:Enabled:PORT_39866"
"31166:TCP"="31166:TCP:*:Enabled:PORT_31166"
"50600:TCP"="50600:TCP:*:Enabled:PORT_50600"
"41925:TCP"="41925:TCP:*:Enabled:PORT_41925"
"26441:TCP"="26441:TCP:*:Enabled:PORT_26441"
"54143:TCP"="54143:TCP:*:Enabled:PORT_54143"
"55302:TCP"="55302:TCP:*:Enabled:PORT_55302"
"63320:TCP"="63320:TCP:*:Enabled:PORT_63320"
"16948:TCP"="16948:TCP:*:Enabled:PORT_16948"
"7181:TCP"="7181:TCP:*:Enabled:PORT_7181"
"10520:TCP"="10520:TCP:*:Enabled:PORT_10520"
"63901:TCP"="63901:TCP:*:Enabled:PORT_63901"
"24490:TCP"="24490:TCP:*:Enabled:PORT_24490"
"15468:TCP"="15468:TCP:*:Enabled:PORT_15468"
"52434:TCP"="52434:TCP:*:Enabled:PORT_52434"

Katana · 12-05-2008, 03:55 PM

Download the closeports.zip attachment.

Unzip it to your desktop.
Double click the closeports.reg and click Yes to any prompts

If there are any problems once you have done this, please do the following

Navigate to C:\Katana\Restore-me.reg and double click it. Accept any prompts.

Are there any problems left now ?

Hokie76 · 12-05-2008, 04:06 PM

Complete. No problems. I have not experienced any Winweb messages. I did notice my Internet Explorer is running with add-ons disabled. is this correct? when I navigate to TOOLS then Manage Add-ons is not available.

Hokie76 · 12-05-2008, 05:05 PM

Add ons working after reboot.

Katana · 12-06-2008, 02:34 AM

Quote:

Originally Posted by Hokie76

Add ons working after reboot.

Great stuff

I have attached a file, download it and put it in C:\Katana folder.
It just explains what to do if there are any problems arising from closing those ports.

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

Enable Teatimer

RIGHT click Link >>> HERE <<< Link and select "save as" and save it to your desktop
Double click ResetTeaTimer.bat
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
check the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
You can now delete ResetTeaTimer.bat

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Hokie76 · 12-06-2008, 05:55 AM

Thank you Katana. I'll uninstall Combofix, and over the next several days update or load the recommendations you have listed.

I appreciate your help. The computer seems to be working well. My wife even noticed a change in the speed, and in the past it sounded as if the CPU was going to blow up based on the overload.

Again, I can't thank you enough. I was unaware of this website until I begin to research my problem. Your service definitely deserves a donation, and I may have created more work for your team by recommending you all to friends and co-workers.

Thanks for walking me through all the steps. I hope to not have to visit this website any time in the future. :)

12-04-2008, 04:48 PM	#3 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Malwarebytes' Anti-Malware 1.31 Database version: 1460 Windows 5.1.2600 Service Pack 2 12/4/2008 6:08:06 PM mbam-log-2008-12-04 (18-08-06).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 185867 Time elapsed: 59 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 108 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115174.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115192.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115245.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115263.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115169.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115172.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115178.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115180.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115184.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115186.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115189.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115194.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115198.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115201.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115204.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115207.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115213.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115216.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115219.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115222.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115225.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115228.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115231.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115234.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115237.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115240.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115243.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115248.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115252.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115254.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115257.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115259.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115262.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115811.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115812.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115813.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115832.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116517.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116518.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116519.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116520.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116521.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116579.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116580.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116581.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116603.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116604.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116606.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116608.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116609.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116610.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116612.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116613.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116617.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116618.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116620.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116621.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116622.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116605.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116641.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116659.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116677.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116625.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116626.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116627.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116628.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116632.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116633.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116635.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116636.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116638.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116639.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116640.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116642.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116643.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116645.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116646.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116647.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116648.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116649.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116650.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116651.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116652.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116653.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116655.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116656.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116658.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116662.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116663.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116664.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116665.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116666.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116668.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116669.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116670.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116672.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116676.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116679.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116681.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116682.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116683.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116685.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116686.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116687.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0117513.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118617.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118619.dll (Trojan.Vundo) -> Quarantined and deleted successfully. ComboFix ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00] Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software 2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis 2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit 2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll 2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger 2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group 2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini 2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350 2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT 2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix 2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups 2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus 2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL 2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys 2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller 2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files 2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner 2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy 2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn 2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile 2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs 2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll 2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll 2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak 2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak 2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe 2008-12-04 23:58 --------- d-----w c:\program files\Java 2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink 2008-12-01 22:15 --------- d-----w c:\program files\McAfee 2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass! 2008-11-27 01:01 --------- d-----w c:\program files\Data Caching 2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys 2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys 2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll 2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe 2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe . ((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe + 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe + 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat + 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat + 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll + 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll + 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688] "SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\WINDOWS\\system32\\verclsid.exe"= "c:\\WINDOWS\\system32\\dwwin.exe"= "c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"= "c:\\Program Files\\Rhapsody\\rhapsody.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support "50325:TCP"= 50325:TCP:PORT_50325 "30721:TCP"= 30721:TCP:PORT_30721 "5016:TCP"= 5016:TCP:PORT_5016 "22321:TCP"= 22321:TCP:PORT_22321 "44003:TCP"= 44003:TCP:PORT_44003 "57743:TCP"= 57743:TCP:PORT_57743 "13835:TCP"= 13835:TCP:PORT_13835 "46899:TCP"= 46899:TCP:PORT_46899 "34421:TCP"= 34421:TCP:PORT_34421 "7923:TCP"= 7923:TCP:PORT_7923 "28060:TCP"= 28060:TCP:PORT_28060 "32550:TCP"= 32550:TCP:PORT_32550 "22374:TCP"= 22374:TCP:PORT_22374 "6577:TCP"= 6577:TCP:PORT_6577 "15115:TCP"= 15115:TCP:PORT_15115 "27977:TCP"= 27977:TCP:PORT_27977 "48243:TCP"= 48243:TCP:PORT_48243 "41892:TCP"= 41892:TCP:PORT_41892 "50432:TCP"= 50432:TCP:PORT_50432 "20058:TCP"= 20058:TCP:PORT_20058 "17521:TCP"= 17521:TCP:PORT_17521 "22666:TCP"= 22666:TCP:PORT_22666 "16478:TCP"= 16478:TCP:PORT_16478 "30830:TCP"= 30830:TCP:PORT_30830 "30024:TCP"= 30024:TCP:PORT_30024 "22241:TCP"= 22241:TCP:PORT_22241 "40438:TCP"= 40438:TCP:PORT_40438 "60954:TCP"= 60954:TCP:PORT_60954 "64148:TCP"= 64148:TCP:PORT_64148 "48662:TCP"= 48662:TCP:PORT_48662 "36843:TCP"= 36843:TCP:PORT_36843 "54641:TCP"= 54641:TCP:PORT_54641 "10132:TCP"= 10132:TCP:PORT_10132 "20449:TCP"= 20449:TCP:PORT_20449 "13578:TCP"= 13578:TCP:PORT_13578 "29263:TCP"= 29263:TCP:PORT_29263 "34815:TCP"= 34815:TCP:PORT_34815 "26258:TCP"= 26258:TCP:PORT_26258 "43890:TCP"= 43890:TCP:PORT_43890 "22058:TCP"= 22058:TCP:PORT_22058 "42261:TCP"= 42261:TCP:PORT_42261 "45445:TCP"= 45445:TCP:PORT_45445 "8223:TCP"= 8223:TCP:PORT_8223 "27791:TCP"= 27791:TCP:PORT_27791 "28599:TCP"= 28599:TCP:PORT_28599 "55149:TCP"= 55149:TCP:PORT_55149 "11255:TCP"= 11255:TCP:PORT_11255 "50103:TCP"= 50103:TCP:PORT_50103 "9606:TCP"= 9606:TCP:PORT_9606 "25969:TCP"= 25969:TCP:PORT_25969 "31293:TCP"= 31293:TCP:PORT_31293 "44015:TCP"= 44015:TCP:PORT_44015 "19033:TCP"= 19033:TCP:PORT_19033 "5566:TCP"= 5566:TCP:PORT_5566 "8646:TCP"= 8646:TCP:PORT_8646 "26640:TCP"= 26640:TCP:PORT_26640 "52665:TCP"= 52665:TCP:PORT_52665 "16839:TCP"= 16839:TCP:PORT_16839 "64961:TCP"= 64961:TCP:PORT_64961 "15420:TCP"= 15420:TCP:PORT_15420 "22329:TCP"= 22329:TCP:PORT_22329 "15908:TCP"= 15908:TCP:PORT_15908 "41693:TCP"= 41693:TCP:PORT_41693 "56559:TCP"= 56559:TCP:PORT_56559 "37705:TCP"= 37705:TCP:PORT_37705 "58418:TCP"= 58418:TCP:PORT_58418 "39866:TCP"= 39866:TCP:PORT_39866 "31166:TCP"= 31166:TCP:PORT_31166 "50600:TCP"= 50600:TCP:PORT_50600 "41925:TCP"= 41925:TCP:PORT_41925 "26441:TCP"= 26441:TCP:PORT_26441 "54143:TCP"= 54143:TCP:PORT_54143 "55302:TCP"= 55302:TCP:PORT_55302 "63320:TCP"= 63320:TCP:PORT_63320 "16948:TCP"= 16948:TCP:PORT_16948 "7181:TCP"= 7181:TCP:PORT_7181 "10520:TCP"= 10520:TCP:PORT_10520 "63901:TCP"= 63901:TCP:PORT_63901 "24490:TCP"= 24490:TCP:PORT_24490 "15468:TCP"= 15468:TCP:PORT_15468 "52434:TCP"= 52434:TCP:PORT_52434 R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296] R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536] R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544] R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808] R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 [] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652] R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496] S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781] Newly Created Service - JAVAQUICKSTARTERSERVICE Newly Created Service - MBAMSWISSARMY . Contents of the 'Scheduled Tasks' folder 2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job - c:\windows\system32\rundll32.exe [2004-08-04 05:00] . - - - - ORPHANS REMOVED - - - - HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe . ------- Supplementary Scan ------- . uStart Page = www.cnn.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap Trusted Zone: .listen.com Trusted Zone: .llnwd.net Trusted Zone: .real.com Trusted Zone: rhapapp.real.com O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-04 19:39:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(968) c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll . Completion time: 2008-12-04 19:39:57 ComboFix-quarantined-files.txt 2008-12-05 00:39:55 ComboFix2.txt 2008-12-05 00:36:11 ComboFix3.txt 2008-12-04 23:49:42 Pre-Run: 142,339,633,152 bytes free Post-Run: 142,325,522,432 bytes free 312 --- E O F --- 2008-12-03 22:57:03 Hi Katana, Here is the combofix and malaware log. Your instructions also mentioned a new Hijackthislog. how do I create that? I completed the instructions, including new java and adobe. I'm still receiving winweb secruity pop-ups. I receive a small message in the bottom corner, and two large boxes that appear. One is a winweb system scan, and the other states "winweb security has blocked a program from accessing the web." I click the X and it asks "continue unprotected?" Thank you for your help.

12-04-2008, 06:26 PM	#5 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. No, I don't play any online games, and if I have to ask what PSP means, I guess that would answer your question. Person 2 person? Under step one, I did not have the box in the right corner to click. However, I was able to complete part 2 and unclicked tea timer. Under step 2, your instructions "A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis." This did not occur. Within in the blue COmbofix box, as it completed and begin to produce the log, 2 error messages appeared in the box. Permission was denied. Do you need to know the exact detail of the messages? I'm getting ready to proceed to step 3. Kaspersky Online Scanner. Should I wait?

12-05-2008, 12:37 AM	#6 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,208 OS: W2K SP4 + XP SP2 + Vista	Re: Possible Trojan Vondu virus and slow performance. You can continue with step 3, it is just a scan it doesn't actually do anything. __________________

12-05-2008, 03:51 AM	#7 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Combofix log: ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00] Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software 2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis 2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit 2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll 2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger 2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group 2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini 2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350 2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT 2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix 2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups 2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus 2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL 2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys 2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller 2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files 2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner 2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy 2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn 2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile 2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs 2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll 2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll 2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak 2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak 2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe 2008-12-04 23:58 --------- d-----w c:\program files\Java 2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink 2008-12-01 22:15 --------- d-----w c:\program files\McAfee 2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass! 2008-11-27 01:01 --------- d-----w c:\program files\Data Caching 2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys 2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys 2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll 2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe 2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe . ((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe + 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe + 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat + 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat + 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll + 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll + 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688] "SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\WINDOWS\\system32\\verclsid.exe"= "c:\\WINDOWS\\system32\\dwwin.exe"= "c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"= "c:\\Program Files\\Rhapsody\\rhapsody.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support "50325:TCP"= 50325:TCP:PORT_50325 "30721:TCP"= 30721:TCP:PORT_30721 "5016:TCP"= 5016:TCP:PORT_5016 "22321:TCP"= 22321:TCP:PORT_22321 "44003:TCP"= 44003:TCP:PORT_44003 "57743:TCP"= 57743:TCP:PORT_57743 "13835:TCP"= 13835:TCP:PORT_13835 "46899:TCP"= 46899:TCP:PORT_46899 "34421:TCP"= 34421:TCP:PORT_34421 "7923:TCP"= 7923:TCP:PORT_7923 "28060:TCP"= 28060:TCP:PORT_28060 "32550:TCP"= 32550:TCP:PORT_32550 "22374:TCP"= 22374:TCP:PORT_22374 "6577:TCP"= 6577:TCP:PORT_6577 "15115:TCP"= 15115:TCP:PORT_15115 "27977:TCP"= 27977:TCP:PORT_27977 "48243:TCP"= 48243:TCP:PORT_48243 "41892:TCP"= 41892:TCP:PORT_41892 "50432:TCP"= 50432:TCP:PORT_50432 "20058:TCP"= 20058:TCP:PORT_20058 "17521:TCP"= 17521:TCP:PORT_17521 "22666:TCP"= 22666:TCP:PORT_22666 "16478:TCP"= 16478:TCP:PORT_16478 "30830:TCP"= 30830:TCP:PORT_30830 "30024:TCP"= 30024:TCP:PORT_30024 "22241:TCP"= 22241:TCP:PORT_22241 "40438:TCP"= 40438:TCP:PORT_40438 "60954:TCP"= 60954:TCP:PORT_60954 "64148:TCP"= 64148:TCP:PORT_64148 "48662:TCP"= 48662:TCP:PORT_48662 "36843:TCP"= 36843:TCP:PORT_36843 "54641:TCP"= 54641:TCP:PORT_54641 "10132:TCP"= 10132:TCP:PORT_10132 "20449:TCP"= 20449:TCP:PORT_20449 "13578:TCP"= 13578:TCP:PORT_13578 "29263:TCP"= 29263:TCP:PORT_29263 "34815:TCP"= 34815:TCP:PORT_34815 "26258:TCP"= 26258:TCP:PORT_26258 "43890:TCP"= 43890:TCP:PORT_43890 "22058:TCP"= 22058:TCP:PORT_22058 "42261:TCP"= 42261:TCP:PORT_42261 "45445:TCP"= 45445:TCP:PORT_45445 "8223:TCP"= 8223:TCP:PORT_8223 "27791:TCP"= 27791:TCP:PORT_27791 "28599:TCP"= 28599:TCP:PORT_28599 "55149:TCP"= 55149:TCP:PORT_55149 "11255:TCP"= 11255:TCP:PORT_11255 "50103:TCP"= 50103:TCP:PORT_50103 "9606:TCP"= 9606:TCP:PORT_9606 "25969:TCP"= 25969:TCP:PORT_25969 "31293:TCP"= 31293:TCP:PORT_31293 "44015:TCP"= 44015:TCP:PORT_44015 "19033:TCP"= 19033:TCP:PORT_19033 "5566:TCP"= 5566:TCP:PORT_5566 "8646:TCP"= 8646:TCP:PORT_8646 "26640:TCP"= 26640:TCP:PORT_26640 "52665:TCP"= 52665:TCP:PORT_52665 "16839:TCP"= 16839:TCP:PORT_16839 "64961:TCP"= 64961:TCP:PORT_64961 "15420:TCP"= 15420:TCP:PORT_15420 "22329:TCP"= 22329:TCP:PORT_22329 "15908:TCP"= 15908:TCP:PORT_15908 "41693:TCP"= 41693:TCP:PORT_41693 "56559:TCP"= 56559:TCP:PORT_56559 "37705:TCP"= 37705:TCP:PORT_37705 "58418:TCP"= 58418:TCP:PORT_58418 "39866:TCP"= 39866:TCP:PORT_39866 "31166:TCP"= 31166:TCP:PORT_31166 "50600:TCP"= 50600:TCP:PORT_50600 "41925:TCP"= 41925:TCP:PORT_41925 "26441:TCP"= 26441:TCP:PORT_26441 "54143:TCP"= 54143:TCP:PORT_54143 "55302:TCP"= 55302:TCP:PORT_55302 "63320:TCP"= 63320:TCP:PORT_63320 "16948:TCP"= 16948:TCP:PORT_16948 "7181:TCP"= 7181:TCP:PORT_7181 "10520:TCP"= 10520:TCP:PORT_10520 "63901:TCP"= 63901:TCP:PORT_63901 "24490:TCP"= 24490:TCP:PORT_24490 "15468:TCP"= 15468:TCP:PORT_15468 "52434:TCP"= 52434:TCP:PORT_52434 R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296] R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536] R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544] R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808] R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 [] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652] R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496] S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781] Newly Created Service - JAVAQUICKSTARTERSERVICE Newly Created Service - MBAMSWISSARMY . Contents of the 'Scheduled Tasks' folder 2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job - c:\windows\system32\rundll32.exe [2004-08-04 05:00] . - - - - ORPHANS REMOVED - - - - HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe . ------- Supplementary Scan ------- . uStart Page = www.cnn.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap Trusted Zone: .listen.com Trusted Zone: .llnwd.net Trusted Zone: .real.com Trusted Zone: rhapapp.real.com O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-04 19:39:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(968) c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll . Completion time: 2008-12-04 19:39:57 ComboFix-quarantined-files.txt 2008-12-05 00:39:55 ComboFix2.txt 2008-12-05 00:36:11 ComboFix3.txt 2008-12-04 23:49:42 Pre-Run: 142,339,633,152 bytes free Post-Run: 142,325,522,432 bytes free 312 --- E O F --- 2008-12-03 22:57:03 Kaspersky log: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, December 5, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Thursday, December 04, 2008 20:42:50 Records in database: 1436944 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - File: Scan statistics: Files scanned: 120789 Threat name: 1 Infected objects: 2 Suspicious objects: 0 Duration of the scan: 01:18:44 File name / Threat name / Threats count C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1 The selected area was scanned. Things seem to be running better this morning. I let the scan finish overnight, and returned to it this morning. So far, I have not had any pop-ups from Winweb security. Overall performance seems to be improved. The computer is not as sluggish.

12-05-2008, 04:07 AM	#8 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,208 OS: W2K SP4 + XP SP2 + Vista	Re: Possible Trojan Vondu virus and slow performance. That looks like the same log from Combofix, please try again. Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: File:: C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz c:\windows\Tasks\EasyShare Registration Task.job Folder:: c:\documents and settings\All Users\Application Data\830483350 Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"=- "SpybotSD TeaTimer"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MMTray"=- "ISUSPM Startup"=- "ISUSScheduler"=- "Share-to-Web Namespace Daemon"=- "dscactivate"=- "DellSupportCenter"=- "582137331"=- "SunJavaUpdateSched"=- "Adobe Reader Speed Launcher"=- Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper __________________

12-05-2008, 02:12 PM	#9 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Katana: The following errors appeared in the Combofix blue box: Access is denied SED: can't read temp0A: no such file or directory SED: can't read temp0D: no such file or directory Temp00 The system cannot find the file specified. ComboFix 08-12-05.02 - Ben 2008-12-05 16:57:19.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.558 [GMT -5:00] Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\CFScript.txt * Created a new restore point FILE :: c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz c:\windows\Tasks\EasyShare Registration Task.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz . ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software 2008-12-04 19:00 . 2008-12-04 21:52 <DIR> d-------- c:\program files\AskBarDis 2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit 2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger 2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group 2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini 2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT 2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix 2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups 2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller 2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus 2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL 2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys 2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller 2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files 2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner 2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy 2008-11-08 12:30 . 2008-12-04 21:08 54,156 --ah----- c:\windows\QTFont.qfn 2008-11-08 12:30 . 2008-12-04 21:14 30,584 --a------ C:\logfile 2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime 2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs 2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll 2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll 2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak 2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak 2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe 2008-12-04 23:58 --------- d-----w c:\program files\Java 2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink 2008-12-01 22:15 --------- d-----w c:\program files\McAfee 2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass! 2008-11-27 01:01 --------- d-----w c:\program files\Data Caching 2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys 2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys 2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll 2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe 2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe . ((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe + 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe + 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe + 2008-12-05 0220 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_220.dat + 2008-12-05 02:07:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_554.dat + 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll + 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll + 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688] "SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\WINDOWS\\system32\\verclsid.exe"= "c:\\WINDOWS\\system32\\dwwin.exe"= "c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"= "c:\\Program Files\\Rhapsody\\rhapsody.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support "50325:TCP"= 50325:TCP:PORT_50325 "30721:TCP"= 30721:TCP:PORT_30721 "5016:TCP"= 5016:TCP:PORT_5016 "22321:TCP"= 22321:TCP:PORT_22321 "44003:TCP"= 44003:TCP:PORT_44003 "57743:TCP"= 57743:TCP:PORT_57743 "13835:TCP"= 13835:TCP:PORT_13835 "46899:TCP"= 46899:TCP:PORT_46899 "34421:TCP"= 34421:TCP:PORT_34421 "7923:TCP"= 7923:TCP:PORT_7923 "28060:TCP"= 28060:TCP:PORT_28060 "32550:TCP"= 32550:TCP:PORT_32550 "22374:TCP"= 22374:TCP:PORT_22374 "6577:TCP"= 6577:TCP:PORT_6577 "15115:TCP"= 15115:TCP:PORT_15115 "27977:TCP"= 27977:TCP:PORT_27977 "48243:TCP"= 48243:TCP:PORT_48243 "41892:TCP"= 41892:TCP:PORT_41892 "50432:TCP"= 50432:TCP:PORT_50432 "20058:TCP"= 20058:TCP:PORT_20058 "17521:TCP"= 17521:TCP:PORT_17521 "22666:TCP"= 22666:TCP:PORT_22666 "16478:TCP"= 16478:TCP:PORT_16478 "30830:TCP"= 30830:TCP:PORT_30830 "30024:TCP"= 30024:TCP:PORT_30024 "22241:TCP"= 22241:TCP:PORT_22241 "40438:TCP"= 40438:TCP:PORT_40438 "60954:TCP"= 60954:TCP:PORT_60954 "64148:TCP"= 64148:TCP:PORT_64148 "48662:TCP"= 48662:TCP:PORT_48662 "36843:TCP"= 36843:TCP:PORT_36843 "54641:TCP"= 54641:TCP:PORT_54641 "10132:TCP"= 10132:TCP:PORT_10132 "20449:TCP"= 20449:TCP:PORT_20449 "13578:TCP"= 13578:TCP:PORT_13578 "29263:TCP"= 29263:TCP:PORT_29263 "34815:TCP"= 34815:TCP:PORT_34815 "26258:TCP"= 26258:TCP:PORT_26258 "43890:TCP"= 43890:TCP:PORT_43890 "22058:TCP"= 22058:TCP:PORT_22058 "42261:TCP"= 42261:TCP:PORT_42261 "45445:TCP"= 45445:TCP:PORT_45445 "8223:TCP"= 8223:TCP:PORT_8223 "27791:TCP"= 27791:TCP:PORT_27791 "28599:TCP"= 28599:TCP:PORT_28599 "55149:TCP"= 55149:TCP:PORT_55149 "11255:TCP"= 11255:TCP:PORT_11255 "50103:TCP"= 50103:TCP:PORT_50103 "9606:TCP"= 9606:TCP:PORT_9606 "25969:TCP"= 25969:TCP:PORT_25969 "31293:TCP"= 31293:TCP:PORT_31293 "44015:TCP"= 44015:TCP:PORT_44015 "19033:TCP"= 19033:TCP:PORT_19033 "5566:TCP"= 5566:TCP:PORT_5566 "8646:TCP"= 8646:TCP:PORT_8646 "26640:TCP"= 26640:TCP:PORT_26640 "52665:TCP"= 52665:TCP:PORT_52665 "16839:TCP"= 16839:TCP:PORT_16839 "64961:TCP"= 64961:TCP:PORT_64961 "15420:TCP"= 15420:TCP:PORT_15420 "22329:TCP"= 22329:TCP:PORT_22329 "15908:TCP"= 15908:TCP:PORT_15908 "41693:TCP"= 41693:TCP:PORT_41693 "56559:TCP"= 56559:TCP:PORT_56559 "37705:TCP"= 37705:TCP:PORT_37705 "58418:TCP"= 58418:TCP:PORT_58418 "39866:TCP"= 39866:TCP:PORT_39866 "31166:TCP"= 31166:TCP:PORT_31166 "50600:TCP"= 50600:TCP:PORT_50600 "41925:TCP"= 41925:TCP:PORT_41925 "26441:TCP"= 26441:TCP:PORT_26441 "54143:TCP"= 54143:TCP:PORT_54143 "55302:TCP"= 55302:TCP:PORT_55302 "63320:TCP"= 63320:TCP:PORT_63320 "16948:TCP"= 16948:TCP:PORT_16948 "7181:TCP"= 7181:TCP:PORT_7181 "10520:TCP"= 10520:TCP:PORT_10520 "63901:TCP"= 63901:TCP:PORT_63901 "24490:TCP"= 24490:TCP:PORT_24490 "15468:TCP"= 15468:TCP:PORT_15468 "52434:TCP"= 52434:TCP:PORT_52434 R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296] R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536] R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544] R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808] R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 [] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376] S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496] S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781] Newly Created Service - CATCHME . . ------- Supplementary Scan ------- . uStart Page = www.cnn.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap Trusted Zone: .listen.com Trusted Zone: .llnwd.net Trusted Zone: .real.com Trusted Zone: rhapapp.real.com O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-05 17:02:52 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(968) c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll . Completion time: 2008-12-05 17:07:03 ComboFix-quarantined-files.txt 2008-12-05 22:05:44 ComboFix2.txt 2008-12-05 02:11:16 ComboFix3.txt 2008-12-05 00:39:59 ComboFix4.txt 2008-12-05 00:36:11 ComboFix5.txt 2008-12-05 21:56:05 Pre-Run: 142,348,165,120 bytes free Post-Run: 142,390,947,840 bytes free 296 --- E O F --- 2008-12-03 22:57:03

12-05-2008, 03:06 PM	#10 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,208 OS: W2K SP4 + XP SP2 + Vista	Re: Possible Trojan Vondu virus and slow performance. Right, let's sort out those open ports next. Create A Batch File Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it look.bat Please save it on your desktop. Code: @echo off MD C:\Katana regedit /e C:\Katana\Restore-me.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List" start notepad C:\Katana\Restore-me.reg del /q %0 exit Double click on look.bat Please be patient, it won't take long. Notepad will open, please copy/paste the results here. __________________

12-05-2008, 03:31 PM	#11 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Look.bat notepad Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004" "445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005" "137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001" "138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002" "8097:TCP"="8097:TCP::Enabled:EarthLink UHP Modem Support" "50325:TCP"="50325:TCP::Enabled:PORT_50325" "30721:TCP"="30721:TCP::Enabled:PORT_30721" "5016:TCP"="5016:TCP::Enabled:PORT_5016" "22321:TCP"="22321:TCP::Enabled:PORT_22321" "44003:TCP"="44003:TCP::Enabled:PORT_44003" "57743:TCP"="57743:TCP::Enabled:PORT_57743" "13835:TCP"="13835:TCP::Enabled:PORT_13835" "46899:TCP"="46899:TCP::Enabled:PORT_46899" "34421:TCP"="34421:TCP::Enabled:PORT_34421" "7923:TCP"="7923:TCP::Enabled:PORT_7923" "28060:TCP"="28060:TCP::Enabled:PORT_28060" "32550:TCP"="32550:TCP::Enabled:PORT_32550" "22374:TCP"="22374:TCP::Enabled:PORT_22374" "6577:TCP"="6577:TCP::Enabled:PORT_6577" "15115:TCP"="15115:TCP::Enabled:PORT_15115" "27977:TCP"="27977:TCP::Enabled:PORT_27977" "48243:TCP"="48243:TCP::Enabled:PORT_48243" "41892:TCP"="41892:TCP::Enabled:PORT_41892" "50432:TCP"="50432:TCP::Enabled:PORT_50432" "20058:TCP"="20058:TCP::Enabled:PORT_20058" "17521:TCP"="17521:TCP::Enabled:PORT_17521" "22666:TCP"="22666:TCP::Enabled:PORT_22666" "16478:TCP"="16478:TCP::Enabled:PORT_16478" "30830:TCP"="30830:TCP::Enabled:PORT_30830" "30024:TCP"="30024:TCP::Enabled:PORT_30024" "22241:TCP"="22241:TCP::Enabled:PORT_22241" "40438:TCP"="40438:TCP::Enabled:PORT_40438" "60954:TCP"="60954:TCP::Enabled:PORT_60954" "64148:TCP"="64148:TCP::Enabled:PORT_64148" "48662:TCP"="48662:TCP::Enabled:PORT_48662" "36843:TCP"="36843:TCP::Enabled:PORT_36843" "54641:TCP"="54641:TCP::Enabled:PORT_54641" "10132:TCP"="10132:TCP::Enabled:PORT_10132" "20449:TCP"="20449:TCP::Enabled:PORT_20449" "13578:TCP"="13578:TCP::Enabled:PORT_13578" "29263:TCP"="29263:TCP::Enabled:PORT_29263" "34815:TCP"="34815:TCP::Enabled:PORT_34815" "26258:TCP"="26258:TCP::Enabled:PORT_26258" "43890:TCP"="43890:TCP::Enabled:PORT_43890" "22058:TCP"="22058:TCP::Enabled:PORT_22058" "42261:TCP"="42261:TCP::Enabled:PORT_42261" "45445:TCP"="45445:TCP::Enabled:PORT_45445" "8223:TCP"="8223:TCP::Enabled:PORT_8223" "27791:TCP"="27791:TCP::Enabled:PORT_27791" "28599:TCP"="28599:TCP::Enabled:PORT_28599" "55149:TCP"="55149:TCP::Enabled:PORT_55149" "11255:TCP"="11255:TCP::Enabled:PORT_11255" "50103:TCP"="50103:TCP::Enabled:PORT_50103" "9606:TCP"="9606:TCP::Enabled:PORT_9606" "25969:TCP"="25969:TCP::Enabled:PORT_25969" "31293:TCP"="31293:TCP::Enabled:PORT_31293" "44015:TCP"="44015:TCP::Enabled:PORT_44015" "19033:TCP"="19033:TCP::Enabled:PORT_19033" "5566:TCP"="5566:TCP::Enabled:PORT_5566" "8646:TCP"="8646:TCP::Enabled:PORT_8646" "26640:TCP"="26640:TCP::Enabled:PORT_26640" "52665:TCP"="52665:TCP::Enabled:PORT_52665" "16839:TCP"="16839:TCP::Enabled:PORT_16839" "64961:TCP"="64961:TCP::Enabled:PORT_64961" "15420:TCP"="15420:TCP::Enabled:PORT_15420" "22329:TCP"="22329:TCP::Enabled:PORT_22329" "15908:TCP"="15908:TCP::Enabled:PORT_15908" "41693:TCP"="41693:TCP::Enabled:PORT_41693" "56559:TCP"="56559:TCP::Enabled:PORT_56559" "37705:TCP"="37705:TCP::Enabled:PORT_37705" "58418:TCP"="58418:TCP::Enabled:PORT_58418" "39866:TCP"="39866:TCP::Enabled:PORT_39866" "31166:TCP"="31166:TCP::Enabled:PORT_31166" "50600:TCP"="50600:TCP::Enabled:PORT_50600" "41925:TCP"="41925:TCP::Enabled:PORT_41925" "26441:TCP"="26441:TCP::Enabled:PORT_26441" "54143:TCP"="54143:TCP::Enabled:PORT_54143" "55302:TCP"="55302:TCP::Enabled:PORT_55302" "63320:TCP"="63320:TCP::Enabled:PORT_63320" "16948:TCP"="16948:TCP::Enabled:PORT_16948" "7181:TCP"="7181:TCP::Enabled:PORT_7181" "10520:TCP"="10520:TCP::Enabled:PORT_10520" "63901:TCP"="63901:TCP::Enabled:PORT_63901" "24490:TCP"="24490:TCP::Enabled:PORT_24490" "15468:TCP"="15468:TCP::Enabled:PORT_15468" "52434:TCP"="52434:TCP::Enabled:PORT_52434"

12-05-2008, 04:06 PM	#13 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Complete. No problems. I have not experienced any Winweb messages. I did notice my Internet Explorer is running with add-ons disabled. is this correct? when I navigate to TOOLS then Manage Add-ons is not available.

12-05-2008, 05:05 PM	#14 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Add ons working after reboot.

12-06-2008, 05:55 AM	#16 (permalink)
Hokie76 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Possible Trojan Vondu virus and slow performance. Thank you Katana. I'll uninstall Combofix, and over the next several days update or load the recommendations you have listed. I appreciate your help. The computer seems to be working well. My wife even noticed a change in the speed, and in the past it sounded as if the CPU was going to blow up based on the overload. Again, I can't thank you enough. I was unaware of this website until I begin to research my problem. Your service definitely deserves a donation, and I may have created more work for your team by recommending you all to friends and co-workers. Thanks for walking me through all the steps. I hope to not have to visit this website any time in the future. :)