Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page [SOLVED] Possible Trojan Vondu virus and slow performance.
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 12-03-2008, 05:21 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


[SOLVED] Possible Trojan Vondu virus and slow performance.
I'm not exactly sure what is causing my pc problems. My Norton anti-virus indicated my computer was infected with the Trojan Vondu virus. On my own, after reading the threads, I downloaded and used SDFix. Performance of my computer has increased. However, I'm now receiving pop-up messages for Winweb Secruity. These messages indicate a warning: "Your OC is still infected with dangerous viruses." I appreciate
your help and assistance.

DDS (Version 1.0) - NTFSx86
Run by Ben at 18:17:18.39 on Wed 12/03/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.397 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Rhapsody\rhapsody.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\830483350\582137331.exe
C:\DOCUME~1\BEND9K~1.003\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NDGM1AVD\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {656EC4B7-072B-4698-B504-2A414C1F0037} - c:\program files\embarq totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\16.1.0.33\IPSBHO.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: {cc51dbba-12d7-4365-b728-98c2e5db1811} - c:\windows\system32\tonoyisa.dll
BHO: {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SandIcon] c:\imagemate compactflash usb\SandIcon.Exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [pujukogiwa] Rundll32.exe "c:\windows\system32\widajuku.dll",s
mRun: [582137331] "c:\documents and settings\all users\application data\830483350\582137331.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\embarq totalaccess\accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\duwiwuse.dll c:\windows\system32\medemovo.dll,c:\windows\system32\puligote.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\puligote.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1001000.021\SYMEFA.SYS [2008-12-1 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\nav\1001000.021\BHDrvx86.sys [2008-12-1 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\nav\1001000.021\ccHPx86.sys [2008-12-1 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081201.001\IDSxpx86.sys [2008-12-2 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\norton antivirus\engine\16.1.0.33\ccsvchst.exe" /s "norton antivirus" /m "c:\program files\norton antivirus\engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-3-11 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-2 99376]
R3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081202.035\NAVENG.SYS [2008-12-3 89104]
R3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081202.035\NAVEX15.SYS [2008-12-3 876112]
R3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2006-12-11 37781]

=============== Created Last 30 ================

2008-12-03 18:07 198,740 a------- c:\windows\system32\ws.dll
2008-12-03 18:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\830483350
2008-12-03 17:30 <DIR> --d----- c:\windows\ERUNT
2008-12-03 17:26 <DIR> --d----- C:\SDFix
2008-12-03 16:01 <DIR> --d----- C:\VundoFix Backups
2008-12-02 07:06 1,333,445 ---sh--- c:\windows\system32\imigebeg.ini
2008-12-01 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-01 17:16 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:16 <DIR> --d----- c:\program files\Symantec
2008-12-01 17:16 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-01 17:16 <DIR> --d----- c:\windows\system32\drivers\NAV
2008-12-01 17:16 <DIR> --d----- c:\program files\Norton AntiVirus
2008-12-01 17:16 <DIR> --d----- c:\program files\NortonInstaller
2008-12-01 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-12-01 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-12-01 17:00 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-01 08:00 1,302,086 ---sh--- c:\windows\system32\ibipoyok.ini
2008-11-30 13:30 1,296,222 ---sh--- c:\windows\system32\igojoyuw.ini
2008-11-29 10:22 1,296,240 ---sh--- c:\windows\system32\ijolagup.ini
2008-11-29 09:52 1,296,231 ---sh--- c:\windows\system32\ujodadog.ini
2008-11-29 09:27 1,296,231 ---sh--- c:\windows\system32\okezisus.ini
2008-11-29 09:05 1,296,231 ---sh--- c:\windows\system32\uyezupab.ini
2008-11-29 08:42 1,296,231 ---sh--- c:\windows\system32\ijipodey.ini
2008-11-29 08:20 1,296,231 ---sh--- c:\windows\system32\oguloder.ini
2008-11-29 07:57 1,296,231 ---sh--- c:\windows\system32\edefibuj.ini
2008-11-29 07:35 1,296,231 ---sh--- c:\windows\system32\aherolav.ini
2008-11-29 07:12 1,296,240 ---sh--- c:\windows\system32\erubuzid.ini
2008-11-29 06:50 1,296,222 ---sh--- c:\windows\system32\agifumij.ini
2008-11-29 06:27 1,296,222 ---sh--- c:\windows\system32\ezowuwor.ini
2008-11-29 06:05 1,296,222 ---sh--- c:\windows\system32\italifel.ini
2008-11-29 05:42 1,296,222 ---sh--- c:\windows\system32\ijenafen.ini
2008-11-29 05:19 1,296,222 ---sh--- c:\windows\system32\edojoyis.ini
2008-11-29 04:57 1,296,222 ---sh--- c:\windows\system32\edulopem.ini
2008-11-29 04:34 1,296,222 ---sh--- c:\windows\system32\ateyanun.ini
2008-11-29 04:12 1,296,222 ---sh--- c:\windows\system32\ujigewuy.ini
2008-11-29 03:49 1,296,222 ---sh--- c:\windows\system32\idevuyal.ini
2008-11-29 03:27 1,296,222 ---sh--- c:\windows\system32\owuralam.ini
2008-11-29 03:04 1,296,222 ---sh--- c:\windows\system32\ewiniyon.ini
2008-11-29 02:42 1,296,222 ---sh--- c:\windows\system32\ovufarep.ini
2008-11-29 02:19 1,296,222 ---sh--- c:\windows\system32\uhogisiz.ini
2008-11-29 01:57 1,296,222 ---sh--- c:\windows\system32\azebelep.ini
2008-11-29 01:34 1,296,222 ---sh--- c:\windows\system32\ikejibut.ini
2008-11-28 07:21 1,632,016 ---sh--- c:\windows\system32\ominanoj.ini
2008-11-28 06:59 1,632,016 ---sh--- c:\windows\system32\ewofehiv.ini
2008-11-27 18:41 1,590,573 ---sh--- c:\windows\system32\ohuvumok.ini
2008-11-27 06:35 1,607,599 ---sh--- c:\windows\system32\arojivoj.ini
2008-11-26 19:55 <DIR> --d----- c:\program files\common files\Scanner
2008-11-26 19:55 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2008-11-26 08:49 1,607,608 ---sh--- c:\windows\system32\ubulajif.ini
2008-11-26 08:26 1,607,599 ---sh--- c:\windows\system32\abodemur.ini
2008-11-26 08:04 1,607,599 ---sh--- c:\windows\system32\iyarawif.ini
2008-11-26 07:41 1,607,599 ---sh--- c:\windows\system32\etopegog.ini
2008-11-26 07:18 1,607,599 ---sh--- c:\windows\system32\unevoriy.ini
2008-11-25 19:13 1,607,599 ---sh--- c:\windows\system32\udomowat.ini
2008-11-25 18:51 1,607,599 ---sh--- c:\windows\system32\uwofujow.ini
2008-11-25 18:28 1,607,599 ---sh--- c:\windows\system32\ozohagaf.ini
2008-11-25 18:06 1,607,599 ---sh--- c:\windows\system32\owijezoj.ini
2008-11-25 17:43 1,607,599 ---sh--- c:\windows\system32\ubeliler.ini
2008-11-23 04:47 1,593,394 ---sh--- c:\windows\system32\afiyuyev.ini
2008-11-08 12:30 25,277 a------- C:\logfile
2008-11-08 12:30 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-08 12:30 1,409 a------- c:\windows\QTFont.for
2008-11-08 12:23 <DIR> --d----- c:\windows\system32\BWKDLogs
2008-11-08 12:22 5,632 a------- c:\windows\system32\ptpusb.dll
2008-11-08 12:22 159,232 a------- c:\windows\system32\ptpusd.dll
2008-11-08 12:21 <DIR> --d----- c:\program files\common files\Kodak
2008-11-08 12:19 <DIR> --d----- c:\program files\Kodak
2008-11-08 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak

==================== Find3M ====================

2008-12-01 17:26 <DIR> --d----- c:\program files\common files\EarthLink
2008-12-01 17:15 <DIR> --d----- c:\program files\McAfee
2008-11-27 17:44 <DIR> --d----- c:\program files\I Will Pass!
2008-11-26 20:01 <DIR> --d----- c:\program files\Data Caching
2008-11-15 08:03 6,686 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-05 23:30 241,704 -------- c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 -------- c:\windows\system32\dllcache\WgaTray.exe
2008-01-15 22:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2008-01-01 14:58 <DIR> --d----- c:\docume~1\bend9k~1.003\applic~1\Earthlink
2007-12-30 17:10 <DIR> --d----- c:\docume~1\bend9k~1.003\applic~1\ScamBlocker
2007-03-11 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-08-07 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OrbNetworks
2006-08-07 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MotiveSysIDs
2004-08-11 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 18:17:53.28 ===============
Attached Files
File Type: txt Attach.txt (15.4 KB, 1 views)
File Type: txt GMER.txt (17.7 KB, 3 views)
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 12-04-2008, 04:32 AM   #2 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Quote:
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) .
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • MalwareBytes Log
  • Combofix Log
  • How are things running now ?

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes


Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-04-2008, 05:48 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2

12/4/2008 6:08:06 PM
mbam-log-2008-12-04 (18-08-06).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 185867
Time elapsed: 59 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 108

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc51dbba-12d7-4365-b728-98c2e5db1811} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115174.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115192.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115263.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115169.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115172.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115178.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115186.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115189.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115194.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115198.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115201.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115204.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115213.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115228.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115231.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115248.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115252.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115254.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115257.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115262.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115811.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115812.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115813.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0115832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116519.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116520.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116521.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116579.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116580.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116581.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116603.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116604.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116608.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116609.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116610.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116612.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116613.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116618.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116621.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116622.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116605.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116641.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116659.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116677.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116625.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116633.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116635.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116636.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116638.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116639.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116640.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116642.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116643.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116645.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116646.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116647.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116648.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116650.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116653.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116655.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116656.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116658.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116662.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116663.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116664.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116665.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116666.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116668.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116669.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116670.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116672.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116676.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116679.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116681.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116682.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116683.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116685.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116686.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0116687.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1440\A0117513.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1442\A0118619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.





ComboFix

ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-04 19:39:57
ComboFix-quarantined-files.txt 2008-12-05 00:39:55
ComboFix2.txt 2008-12-05 00:36:11
ComboFix3.txt 2008-12-04 23:49:42

Pre-Run: 142,339,633,152 bytes free
Post-Run: 142,325,522,432 bytes free

312 --- E O F --- 2008-12-03 22:57:03


Hi Katana,
Here is the combofix and malaware log. Your instructions also mentioned a new Hijackthislog. how do I create that? I completed the instructions, including new java and adobe. I'm still receiving winweb secruity pop-ups. I receive a small message in the bottom corner, and two large boxes that appear. One is a winweb system scan, and the other states "winweb security has blocked a program from accessing the web." I click the X and it asks "continue unprotected?" Thank you for your help.
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-04-2008, 06:42 PM   #4 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Information

Quote:
Your instructions also mentioned a new Hijackthislog.
Don't worry about that yet :)

There are a lot of open ports on your machine, do you play a lot of online games or have several P2P programs ?
----------------------------------------------------------- -----------------------------------------------------------
Step 1

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


----------------------------------------------------------- -----------------------------------------------------------
Step 2

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/319876-possible-trojan-vondu-virus-slow-performance.html#post1838701
Comment:: Katana
Collect::[4]
c:\documents and settings\All Users\Application Data\830483350\582137331.exe
File::
c:\windows\Tasks\EasyShare Registration Task.job
Folder::
c:\documents and settings\All Users\Application Data\830483350
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"Share-to-Web Namespace Daemon"=-
"dscactivate"=-
"DellSupportCenter"=-
"582137331"=-
"SunJavaUpdateSched"=-
"Adobe Reader Speed Launcher"=-
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Combofix Log
  • Kaspersky Log
  • How are things running now ?
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-04-2008, 07:26 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
No, I don't play any online games, and if I have to ask what PSP means, I guess that would answer your question. Person 2 person?
Under step one, I did not have the box in the right corner to click. However, I was able to complete part 2 and unclicked tea timer.

Under step 2, your instructions "A window will open asking you to ensure you are
connected to the internet, this is so a file can be submitted for analysis."
This did not occur. Within in the blue COmbofix box, as it completed and begin to produce the log, 2 error messages appeared in the box. Permission was denied. Do you need to know the exact detail of the messages?

I'm getting ready to proceed to step 3. Kaspersky Online Scanner. Should I wait?
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 01:37 AM   #6 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
You can continue with step 3, it is just a scan it doesn't actually do anything.
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 04:51 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Combofix log:

ComboFix 08-12-04.04 - Ben 2008-12-04 19:37:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 18:30 . 2008-12-04 18:44 198,740 --a------ c:\windows\system32\ws.dll
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 18:07 . 2008-12-03 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\830483350
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 18:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 18:53 28,887 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-04 23:45:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2008-12-04 23:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f24.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"582137331"="c:\documents and settings\All Users\Application Data\830483350\582137331.exe" [2008-12-03 1070115]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-04 19:39:57
ComboFix-quarantined-files.txt 2008-12-05 00:39:55
ComboFix2.txt 2008-12-05 00:36:11
ComboFix3.txt 2008-12-04 23:49:42

Pre-Run: 142,339,633,152 bytes free
Post-Run: 142,325,522,432 bytes free

312 --- E O F --- 2008-12-03 22:57:03




Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 20:42:50
Records in database: 1436944
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - File:


Scan statistics:
Files scanned: 120789
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:18:44


File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

The selected area was scanned.





Things seem to be running better this morning. I let the scan finish overnight, and returned to it this morning. So far, I have not had any pop-ups from Winweb security. Overall performance seems to be improved. The computer is not as sluggish.
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 05:07 AM   #8 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
That looks like the same log from Combofix, please try again.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\windows\Tasks\EasyShare Registration Task.job
Folder::
c:\documents and settings\All Users\Application Data\830483350
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"Share-to-Web Namespace Daemon"=-
"dscactivate"=-
"DellSupportCenter"=-
"582137331"=-
"SunJavaUpdateSched"=-
"Adobe Reader Speed Launcher"=-
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 03:12 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Katana: The following errors appeared in the Combofix blue box:

Access is denied
SED: can't read temp0A: no such file or directory
SED: can't read temp0D: no such file or directory
Temp00 The system cannot find the file specified.







ComboFix 08-12-05.02 - Ben 2008-12-05 16:57:19.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.558 [GMT -5:00]
Running from: c:\documents and settings\Ben.D9K3CT91.003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben.D9K3CT91.003\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\windows\Tasks\EasyShare Registration Task.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 19:08 . 2008-12-04 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 19:00 . 2008-12-04 19:02 <DIR> d-------- c:\program files\Foxit Software
2008-12-04 19:00 . 2008-12-04 21:52 <DIR> d-------- c:\program files\AskBarDis
2008-12-04 19:00 . 2008-12-04 19:00 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Foxit
2008-12-04 18:58 . 2008-12-04 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 18:58 . 2008-12-04 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 17:15 . 2008-12-04 19:35 <DIR> d-------- c:\program files\MSN Messenger
2008-12-03 21:28 . 2008-12-03 21:28 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 20:42 . 2008-12-03 20:42 <DIR> d-------- c:\documents and settings\Ben.D9K3CT91.003\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-04 17:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 20:41 . 2008-12-03 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 20:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 19:26 . 2008-12-03 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 19:26 . 2008-12-03 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 18:29 . 2008-12-03 18:49 250 --a------ c:\windows\gmer.ini
2008-12-03 17:30 . 2008-12-03 17:31 <DIR> d-------- c:\windows\ERUNT
2008-12-03 17:26 . 2008-12-03 17:50 <DIR> d-------- C:\SDFix
2008-12-03 16:01 . 2008-12-03 16:01 <DIR> d-------- C:\VundoFix Backups
2008-12-01 17:17 . 2008-12-01 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Symantec
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\NortonInstaller
2008-12-01 17:16 . 2008-12-01 17:16 <DIR> d-------- c:\program files\Norton AntiVirus
2008-12-01 17:16 . 2008-12-01 17:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-01 17:16 . 2008-12-01 17:16 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 17:16 . 2008-12-01 17:16 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-01 17:16 . 2008-12-01 17:16 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-01 17:16 . 2008-12-01 17:16 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-01 17:16 . 2008-12-01 17:16 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 17:06 . 2008-12-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 17:06 . 2008-12-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-01 17:00 . 2008-12-01 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-26 19:55 . 2008-11-26 19:55 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-26 19:55 . 2008-11-26 19:57 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-08 12:30 . 2008-12-04 21:08 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 12:30 . 2008-12-04 21:14 30,584 --a------ C:\logfile
2008-11-08 12:30 . 2008-11-08 12:30 1,409 --a------ c:\windows\QTFont.for
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:24 . 2008-11-08 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:23 . 2008-11-08 12:23 <DIR> d-------- c:\windows\system32\BWKDLogs
2008-11-08 12:22 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-08 12:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-08 12:21 . 2008-11-08 12:21 <DIR> d-------- c:\program files\Common Files\Kodak
2008-11-08 12:19 . 2008-11-08 12:23 <DIR> d-------- c:\program files\Kodak
2008-11-08 12:18 . 2008-11-08 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 00:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-01 22:26 --------- d-----w c:\program files\Common Files\EarthLink
2008-12-01 22:15 --------- d-----w c:\program files\McAfee
2008-12-01 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-01 01:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-27 22:44 --------- d-----w c:\program files\I Will Pass!
2008-11-27 01:01 --------- d-----w c:\program files\Data Caching
2008-11-15 13:03 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-01-10 23:38 18,827,272 ----a-w c:\program files\RhapsodyReal.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_18.48.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 2042 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-04 23:58:22 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-04 23:58:22 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-05 0220 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_220.dat
+ 2008-12-05 02:07:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_554.dat
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-17 169472]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKSrvr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"50325:TCP"= 50325:TCP:PORT_50325
"30721:TCP"= 30721:TCP:PORT_30721
"5016:TCP"= 5016:TCP:PORT_5016
"22321:TCP"= 22321:TCP:PORT_22321
"44003:TCP"= 44003:TCP:PORT_44003
"57743:TCP"= 57743:TCP:PORT_57743
"13835:TCP"= 13835:TCP:PORT_13835
"46899:TCP"= 46899:TCP:PORT_46899
"34421:TCP"= 34421:TCP:PORT_34421
"7923:TCP"= 7923:TCP:PORT_7923
"28060:TCP"= 28060:TCP:PORT_28060
"32550:TCP"= 32550:TCP:PORT_32550
"22374:TCP"= 22374:TCP:PORT_22374
"6577:TCP"= 6577:TCP:PORT_6577
"15115:TCP"= 15115:TCP:PORT_15115
"27977:TCP"= 27977:TCP:PORT_27977
"48243:TCP"= 48243:TCP:PORT_48243
"41892:TCP"= 41892:TCP:PORT_41892
"50432:TCP"= 50432:TCP:PORT_50432
"20058:TCP"= 20058:TCP:PORT_20058
"17521:TCP"= 17521:TCP:PORT_17521
"22666:TCP"= 22666:TCP:PORT_22666
"16478:TCP"= 16478:TCP:PORT_16478
"30830:TCP"= 30830:TCP:PORT_30830
"30024:TCP"= 30024:TCP:PORT_30024
"22241:TCP"= 22241:TCP:PORT_22241
"40438:TCP"= 40438:TCP:PORT_40438
"60954:TCP"= 60954:TCP:PORT_60954
"64148:TCP"= 64148:TCP:PORT_64148
"48662:TCP"= 48662:TCP:PORT_48662
"36843:TCP"= 36843:TCP:PORT_36843
"54641:TCP"= 54641:TCP:PORT_54641
"10132:TCP"= 10132:TCP:PORT_10132
"20449:TCP"= 20449:TCP:PORT_20449
"13578:TCP"= 13578:TCP:PORT_13578
"29263:TCP"= 29263:TCP:PORT_29263
"34815:TCP"= 34815:TCP:PORT_34815
"26258:TCP"= 26258:TCP:PORT_26258
"43890:TCP"= 43890:TCP:PORT_43890
"22058:TCP"= 22058:TCP:PORT_22058
"42261:TCP"= 42261:TCP:PORT_42261
"45445:TCP"= 45445:TCP:PORT_45445
"8223:TCP"= 8223:TCP:PORT_8223
"27791:TCP"= 27791:TCP:PORT_27791
"28599:TCP"= 28599:TCP:PORT_28599
"55149:TCP"= 55149:TCP:PORT_55149
"11255:TCP"= 11255:TCP:PORT_11255
"50103:TCP"= 50103:TCP:PORT_50103
"9606:TCP"= 9606:TCP:PORT_9606
"25969:TCP"= 25969:TCP:PORT_25969
"31293:TCP"= 31293:TCP:PORT_31293
"44015:TCP"= 44015:TCP:PORT_44015
"19033:TCP"= 19033:TCP:PORT_19033
"5566:TCP"= 5566:TCP:PORT_5566
"8646:TCP"= 8646:TCP:PORT_8646
"26640:TCP"= 26640:TCP:PORT_26640
"52665:TCP"= 52665:TCP:PORT_52665
"16839:TCP"= 16839:TCP:PORT_16839
"64961:TCP"= 64961:TCP:PORT_64961
"15420:TCP"= 15420:TCP:PORT_15420
"22329:TCP"= 22329:TCP:PORT_22329
"15908:TCP"= 15908:TCP:PORT_15908
"41693:TCP"= 41693:TCP:PORT_41693
"56559:TCP"= 56559:TCP:PORT_56559
"37705:TCP"= 37705:TCP:PORT_37705
"58418:TCP"= 58418:TCP:PORT_58418
"39866:TCP"= 39866:TCP:PORT_39866
"31166:TCP"= 31166:TCP:PORT_31166
"50600:TCP"= 50600:TCP:PORT_50600
"41925:TCP"= 41925:TCP:PORT_41925
"26441:TCP"= 26441:TCP:PORT_26441
"54143:TCP"= 54143:TCP:PORT_54143
"55302:TCP"= 55302:TCP:PORT_55302
"63320:TCP"= 63320:TCP:PORT_63320
"16948:TCP"= 16948:TCP:PORT_16948
"7181:TCP"= 7181:TCP:PORT_7181
"10520:TCP"= 10520:TCP:PORT_10520
"63901:TCP"= 63901:TCP:PORT_63901
"24490:TCP"= 24490:TCP:PORT_24490
"15468:TCP"= 15468:TCP:PORT_15468
"52434:TCP"= 52434:TCP:PORT_52434

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-01 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-01 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-01 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-11 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-03 38496]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\DRIVERS\SDSTOR2K.SYS [2006-12-11 37781]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uStart Page = www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
Trusted Zone: listen.com,%20real.com,%20llnwd.net,%20rhap
Trusted Zone: *.listen.com
Trusted Zone: *.llnwd.net
Trusted Zone: *.real.com
Trusted Zone: rhapapp.real.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 17:02:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Embarq TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-12-05 17:07:03
ComboFix-quarantined-files.txt 2008-12-05 22:05:44
ComboFix2.txt 2008-12-05 02:11:16
ComboFix3.txt 2008-12-05 00:39:59
ComboFix4.txt 2008-12-05 00:36:11
ComboFix5.txt 2008-12-05 21:56:05

Pre-Run: 142,348,165,120 bytes free
Post-Run: 142,390,947,840 bytes free

296 --- E O F --- 2008-12-03 22:57:03
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 04:06 PM   #10 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Right, let's sort out those open ports next.

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.

Code:
@echo off
MD C:\Katana
regedit /e C:\Katana\Restore-me.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List"
start notepad C:\Katana\Restore-me.reg
del /q %0
exit
Double click on look.bat
Please be patient, it won't take long.

Notepad will open, please copy/paste the results here.
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 04:31 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Look.bat notepad
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"8097:TCP"="8097:TCP:*:Enabled:EarthLink UHP Modem Support"
"50325:TCP"="50325:TCP:*:Enabled:PORT_50325"
"30721:TCP"="30721:TCP:*:Enabled:PORT_30721"
"5016:TCP"="5016:TCP:*:Enabled:PORT_5016"
"22321:TCP"="22321:TCP:*:Enabled:PORT_22321"
"44003:TCP"="44003:TCP:*:Enabled:PORT_44003"
"57743:TCP"="57743:TCP:*:Enabled:PORT_57743"
"13835:TCP"="13835:TCP:*:Enabled:PORT_13835"
"46899:TCP"="46899:TCP:*:Enabled:PORT_46899"
"34421:TCP"="34421:TCP:*:Enabled:PORT_34421"
"7923:TCP"="7923:TCP:*:Enabled:PORT_7923"
"28060:TCP"="28060:TCP:*:Enabled:PORT_28060"
"32550:TCP"="32550:TCP:*:Enabled:PORT_32550"
"22374:TCP"="22374:TCP:*:Enabled:PORT_22374"
"6577:TCP"="6577:TCP:*:Enabled:PORT_6577"
"15115:TCP"="15115:TCP:*:Enabled:PORT_15115"
"27977:TCP"="27977:TCP:*:Enabled:PORT_27977"
"48243:TCP"="48243:TCP:*:Enabled:PORT_48243"
"41892:TCP"="41892:TCP:*:Enabled:PORT_41892"
"50432:TCP"="50432:TCP:*:Enabled:PORT_50432"
"20058:TCP"="20058:TCP:*:Enabled:PORT_20058"
"17521:TCP"="17521:TCP:*:Enabled:PORT_17521"
"22666:TCP"="22666:TCP:*:Enabled:PORT_22666"
"16478:TCP"="16478:TCP:*:Enabled:PORT_16478"
"30830:TCP"="30830:TCP:*:Enabled:PORT_30830"
"30024:TCP"="30024:TCP:*:Enabled:PORT_30024"
"22241:TCP"="22241:TCP:*:Enabled:PORT_22241"
"40438:TCP"="40438:TCP:*:Enabled:PORT_40438"
"60954:TCP"="60954:TCP:*:Enabled:PORT_60954"
"64148:TCP"="64148:TCP:*:Enabled:PORT_64148"
"48662:TCP"="48662:TCP:*:Enabled:PORT_48662"
"36843:TCP"="36843:TCP:*:Enabled:PORT_36843"
"54641:TCP"="54641:TCP:*:Enabled:PORT_54641"
"10132:TCP"="10132:TCP:*:Enabled:PORT_10132"
"20449:TCP"="20449:TCP:*:Enabled:PORT_20449"
"13578:TCP"="13578:TCP:*:Enabled:PORT_13578"
"29263:TCP"="29263:TCP:*:Enabled:PORT_29263"
"34815:TCP"="34815:TCP:*:Enabled:PORT_34815"
"26258:TCP"="26258:TCP:*:Enabled:PORT_26258"
"43890:TCP"="43890:TCP:*:Enabled:PORT_43890"
"22058:TCP"="22058:TCP:*:Enabled:PORT_22058"
"42261:TCP"="42261:TCP:*:Enabled:PORT_42261"
"45445:TCP"="45445:TCP:*:Enabled:PORT_45445"
"8223:TCP"="8223:TCP:*:Enabled:PORT_8223"
"27791:TCP"="27791:TCP:*:Enabled:PORT_27791"
"28599:TCP"="28599:TCP:*:Enabled:PORT_28599"
"55149:TCP"="55149:TCP:*:Enabled:PORT_55149"
"11255:TCP"="11255:TCP:*:Enabled:PORT_11255"
"50103:TCP"="50103:TCP:*:Enabled:PORT_50103"
"9606:TCP"="9606:TCP:*:Enabled:PORT_9606"
"25969:TCP"="25969:TCP:*:Enabled:PORT_25969"
"31293:TCP"="31293:TCP:*:Enabled:PORT_31293"
"44015:TCP"="44015:TCP:*:Enabled:PORT_44015"
"19033:TCP"="19033:TCP:*:Enabled:PORT_19033"
"5566:TCP"="5566:TCP:*:Enabled:PORT_5566"
"8646:TCP"="8646:TCP:*:Enabled:PORT_8646"
"26640:TCP"="26640:TCP:*:Enabled:PORT_26640"
"52665:TCP"="52665:TCP:*:Enabled:PORT_52665"
"16839:TCP"="16839:TCP:*:Enabled:PORT_16839"
"64961:TCP"="64961:TCP:*:Enabled:PORT_64961"
"15420:TCP"="15420:TCP:*:Enabled:PORT_15420"
"22329:TCP"="22329:TCP:*:Enabled:PORT_22329"
"15908:TCP"="15908:TCP:*:Enabled:PORT_15908"
"41693:TCP"="41693:TCP:*:Enabled:PORT_41693"
"56559:TCP"="56559:TCP:*:Enabled:PORT_56559"
"37705:TCP"="37705:TCP:*:Enabled:PORT_37705"
"58418:TCP"="58418:TCP:*:Enabled:PORT_58418"
"39866:TCP"="39866:TCP:*:Enabled:PORT_39866"
"31166:TCP"="31166:TCP:*:Enabled:PORT_31166"
"50600:TCP"="50600:TCP:*:Enabled:PORT_50600"
"41925:TCP"="41925:TCP:*:Enabled:PORT_41925"
"26441:TCP"="26441:TCP:*:Enabled:PORT_26441"
"54143:TCP"="54143:TCP:*:Enabled:PORT_54143"
"55302:TCP"="55302:TCP:*:Enabled:PORT_55302"
"63320:TCP"="63320:TCP:*:Enabled:PORT_63320"
"16948:TCP"="16948:TCP:*:Enabled:PORT_16948"
"7181:TCP"="7181:TCP:*:Enabled:PORT_7181"
"10520:TCP"="10520:TCP:*:Enabled:PORT_10520"
"63901:TCP"="63901:TCP:*:Enabled:PORT_63901"
"24490:TCP"="24490:TCP:*:Enabled:PORT_24490"
"15468:TCP"="15468:TCP:*:Enabled:PORT_15468"
"52434:TCP"="52434:TCP:*:Enabled:PORT_52434"
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 04:55 PM   #12 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Download the closeports.zip attachment.

Unzip it to your desktop.
Double click the closeports.reg and click Yes to any prompts

If there are any problems once you have done this, please do the following

Navigate to C:\Katana\Restore-me.reg and double click it. Accept any prompts.

Are there any problems left now ?
Attached Files
File Type: zip closeports.zip (631 Bytes, 4 views)
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 05:06 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Complete. No problems. I have not experienced any Winweb messages. I did notice my Internet Explorer is running with add-ons disabled. is this correct? when I navigate to TOOLS then Manage Add-ons is not available.
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-05-2008, 06:05 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Add ons working after reboot.
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 03:34 AM   #15 (permalink)
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,358
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Quote:
Originally Posted by Hokie76 View Post
Add ons working after reboot.
Great stuff
I have attached a file, download it and put it in C:\Katana folder.
It just explains what to do if there are any problems arising from closing those ports.



Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

  • Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.


Enable Teatimer
  • RIGHT click Link >>> HERE <<< Link and select "save as" and save it to your desktop
  • Double click ResetTeaTimer.bat
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • check the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
  • You can now delete ResetTeaTimer.bat




The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Attached Files
File Type: txt Read Me.txt (583 Bytes, 3 views)
__________________
Katana is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 06:55 AM   #16 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Possible Trojan Vondu virus and slow performance.
Thank you Katana. I'll uninstall Combofix, and over the next several days update or load the recommendations you have listed.

I appreciate your help. The computer seems to be working well. My wife even noticed a change in the speed, and in the past it sounded as if the CPU was going to blow up based on the overload.

Again, I can't thank you enough. I was unaware of this website until I begin to research my problem. Your service definitely deserves a donation, and I may have created more work for your team by recommending you all to friends and co-workers.

Thanks for walking me through all the steps. I hope to not have to visit this website any time in the future. :)
Hokie76 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 09:09 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85