Old 12-28-2008, 09:17 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

I had the Trojan.Vundo 2 weeks ago and removed most of it, but it seemed to reappear yesterday and today.
NOD32 3.9.669.0 terminated the connection (I am using Firefox) but it still manages to get into my computer.
I have been using Malwarebytes Anti-Malware to (partially?) remove the previous one in safe mode and disabled system restore.


NOD32 Log
Code:
28/12/2008 15:05:14	HTTP filter	file	hxxp://ggggq.wwlax.com/get_frst.php?uid=1001B2AC-095F-2057-0528-07010507002C	a variant of Win32/TrojanDownloader.Agent.OOL trojan	connection
Previous Infection
Code:
20/12/2008 23:28:01	HTTP filter	file	hxxp://dornaboret.com/cache/getfile.php?f=pdf	PDF/Exploit.Pidief.NEK trojan	connection terminated - quarantined	TOM\Tom Whyte	Threat was detected upon access to web by the application: E:\Program Files\Mozilla Firefox\firefox.exe.
Any help in stopping this from getting into my system permanently would be a great help.
It is annoying having to start in safe mode whilst in the middle of working.

Thanks again TST, as I know this is a busy forum.
Attached Files
File Type: zip DDS.zip (12.7 KB, 1 views)
File Type: txt ark.txt (35.9 KB, 1 views)

Last edited by Whytey; 12-28-2008 at 09:26 AM.
Old 12-28-2008, 11:06 AM   #2 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Deckard's System Scanner v20071014.68
Run by Tom Whyte on 2008-12-28 18:00:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 90% (more than 75%).


-- HijackThis (run as Tom Whyte.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:01:29, on 28/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\DU Meter\DUMeterSvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\GameTracker\GSInGameService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Razer\Copperhead\razerhid.exe
E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
E:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
E:\Program Files\FlashGet\flashget.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\IoctlSvc.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\SpywareBlaster\spywareblaster.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
E:\Program Files\SpywareBlaster\spywareblaster.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
E:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\VMware\VMware Workstation\vmware.exe
E:\Program Files\VMware\VMware Workstation\vmware-tray.exe
E:\Program Files\VMware\VMware Workstation\vmware-vmx.exe
E:\WINDOWS\system32\notepad.exe
D:\Setup files\Virus Removel\dss.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\TOMWHY~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTDVDDET] "E:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "E:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Launch LGDCore] "E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "E:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Flashget] E:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [RGSC] E:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareBlaster.lnk = E:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Catcher - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program Files\HTTrack Website Download\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program Files\HTTrack Website Download\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: e:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1229792197968
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168025951812
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BsHelpCS - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - E:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GS In-Game Service - ClanServers Hosting LLC - E:\Program Files\GameTracker\GSInGameService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - E:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - E:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: TVersityMediaServer - Unknown owner - E:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe

--
End of file - 14451 bytes

-- Files created between 2008-11-28 and 2008-12-28 -----------------------------

2008-12-28 16:30:21 0 d-------- E:\VundoFix Backups
2008-12-27 17:10:08 1101824 --a------ E:\WINDOWS\system32\nvwimg.dll
2008-12-27 17:10:07 1724416 --a------ E:\WINDOWS\system32\nvwdmcpl.dll
2008-12-27 17:10:07 466944 --a------ E:\WINDOWS\system32\nvshell.dll
2008-12-27 17:10:06 1503232 --a------ E:\WINDOWS\system32\nview.dll
2008-12-27 17:10:00 0 d-------- E:\NVIDIA
2008-12-27 15:39:39 603 --a------ E:\reset.cmd
2008-12-27 13:00:35 0 dr-h----- E:\Documents and Settings\Tom Whyte\Recent
2008-12-22 12:18:23 0 d--hs---- E:\Documents and Settings\NetworkService\Cookies
2008-12-20 23:20:49 24576 --a------ E:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-12-20 17:07:39 503808 --a------ E:\WINDOWS\msvcp80.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio® .NET>
2008-12-20 15:41:39 68096 --a------ E:\WINDOWS\zip.exe
2008-12-20 15:41:39 49152 --a------ E:\WINDOWS\VFIND.exe
2008-12-20 15:41:39 212480 --a------ E:\WINDOWS\SWXCACLS.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-12-20 15:41:39 136704 --a------ E:\WINDOWS\SWSC.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-12-20 15:41:39 161792 --a------ E:\WINDOWS\SWREG.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-12-20 15:41:39 98816 --a------ E:\WINDOWS\sed.exe
2008-12-20 15:41:39 80412 --a------ E:\WINDOWS\grep.exe
2008-12-20 15:41:39 89504 --a------ E:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-12-20 14:50:18 0 d-------- E:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-12-17 22:09:38 0 d-------- E:\WINDOWS\nview
2008-12-17 17:19:19 0 d-------- E:\Documents and Settings\LocalService\Application Data\GameTracker
2008-12-17 17:19:16 0 d-------- E:\Program Files\GameTracker
2008-12-17 17:18:52 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\GameTracker
2008-12-17 14:04:24 0 d-------- E:\WINDOWS\Left 4 Dead
2008-12-17 14:04:24 0 d-------- E:\Program Files\Left 4 Dead
2008-12-17 12:54:10 0 d-------- E:\Program Files\ProductKeyExplorer
2008-12-12 16:36:06 0 d-------- E:\Program Files\Systweak
2008-12-12 13:20:09 0 d-------- E:\Program Files\iTunes
2008-12-12 13:20:09 0 d-------- E:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 18:02:10 0 d-------- E:\Program Files\NavNet
2008-12-07 01:00:37 0 d-------- E:\Program Files\Western Digital Corp
2008-12-06 16:54:03 0 d-------- E:\Program Files\Symantec
2008-12-06 13:10:16 0 d-------- E:\Program Files\OO Software
2008-12-03 10:19:25 0 d-------- E:\Documents and Settings\Administrator\Application Data\TeraCopy
2008-12-03 10:03:31 0 d-------- E:\Program Files\Microsoft Games for Windows - LIVE
2008-12-03 07:59:37 0 d-------- E:\Program Files\DAEMON Tools Toolbar
2008-12-03 07:58:52 0 d-------- E:\Program Files\DAEMON Tools Lite
2008-12-02 22:56:51 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\DAEMON Tools
2008-12-02 13:25:58 0 d-------- E:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-11-29 11:24:40 0 d--h---c- E:\Documents and Settings\All Users\Application Data\{6ABA9AFC-BC32-41F6-AE1E-C0C9C137DB7B}


-- Find3M Report ---------------------------------------------------------------

2008-12-28 17:55:24 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\VMware
2008-12-28 17:54:16 0 d-------- E:\Program Files\FlashGet
2008-12-28 16:28:45 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\TeraCopy
2008-12-28 15:33:02 0 --a------ E:\WINDOWS\TempFile
2008-12-28 14:57:53 8572 --a------ E:\WINDOWS\system32\d3d9caps.dat
2008-12-27 21:21:08 204296 --a------ E:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-12-27 14:52:32 0 d-------- E:\Program Files\SpywareBlaster
2008-12-26 19:07:36 0 d-------- E:\Program Files\JDownloader
2008-12-25 19:45:13 0 d-------- E:\Program Files\Real Alternative
2008-12-25 01:07:19 0 d-------- E:\Program Files\mIRC
2008-12-24 16:30:33 0 d-------- E:\Program Files\mkv2vob
2008-12-24 12:35:53 546 --a------ E:\Documents and Settings\Tom Whyte\Application Data\AutoGK.ini
2008-12-24 12:24:31 0 d-------- E:\Program Files\FlashFXP
2008-12-22 18:09:17 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\dvdcss
2008-12-20 23:46:05 0 d-------- E:\Program Files\Common Files
2008-12-20 16:25:51 592 --a------ E:\WINDOWS\chgkey.vbs
2008-12-18 1949 0 d-------- E:\Program Files\Xfire
2008-12-18 12:29:51 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Xfire
2008-12-17 21:49:20 0 d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-12-17 14:41:33 0 d-------- E:\Program Files\Activision
2008-12-15 14:43:54 0 d-------- E:\Program Files\UltraISO
2008-12-15 14:43:23 0 d-------- E:\Program Files\Common Files\EZB Systems
2008-12-13 16:37:04 0 d-------- E:\Program Files\Steam
2008-12-13 15:24:17 0 d-------- E:\Program Files\Rockstar Games
2008-12-13 15:24:15 0 d--h----- E:\Program Files\InstallShield Installation Information
2008-12-12 13:20:13 0 d-------- E:\Program Files\iPod
2008-12-12 13:20:13 0 d-------- E:\Program Files\Common Files\Apple
2008-12-12 13:17:02 0 d-------- E:\Program Files\QuickTime
2008-12-11 21:58:12 0 d-------- E:\Program Files\SubmitEaze
2008-12-11 21:08:26 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\FileZilla
2008-12-08 11:28:03 0 d-------- E:\Program Files\Java
2008-12-06 14:58:37 0 d-------- E:\Program Files\Runtime Software
2008-12-05 19:28:36 0 d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-12-04 20:39:06 0 d-------- E:\Program Files\Mozilla Thunderbird
2008-12-02 22:19:42 0 d-------- E:\Program Files\DAEMON Tools Pro
2008-12-02 13:43:16 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Vidalia
2008-12-02 13:43:16 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Tor
2008-11-28 20:45:49 0 d-------- E:\Program Files\EA Games
2008-11-25 16:53:59 0 d-------- E:\Program Files\Acoustica Shared Effects
2008-11-22 18:35:53 0 d-------- E:\Program Files\Acoustica Mixcraft 4
2008-11-22 15:33:36 34308 --a------ E:\WINDOWS\system32\Chip.dll
2008-11-22 15:32:58 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Acoustica
2008-11-22 15:28:42 0 d-------- E:\Program Files\VSTplugins
2008-11-22 15:28:42 0 d-------- E:\Program Files\Antares Audio Technologies
2008-11-22 15:08:19 0 d-------- E:\Program Files\Common Files\Digidesign
2008-11-19 16:56:11 0 d-------- E:\Program Files\FileZilla FTP Client
2008-11-18 16:00:04 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Leadertech
2008-11-16 1600 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Mp3tag
2008-11-16 15:51:18 0 d-------- E:\Program Files\MediaMonkey
2008-11-16 15:39:32 0 d-------- E:\Program Files\Mp3tag
2008-11-14 14:40:39 0 d-------- E:\Program Files\DVD Audio Extractor
2008-11-13 23:52:52 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\mirc
2008-11-11 16:37:42 0 d-------- E:\Program Files\RealVNC
2008-11-10 1835 0 d-------- E:\Program Files\VMware
2008-11-08 22:01:28 0 d-------- E:\Program Files\nLite
2008-11-08 19:09:50 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\GetRight Pro
2008-11-08 18:04:05 0 d-------- E:\Program Files\SUPERAntiSpyware
2008-11-08 17:18:52 0 d-------- E:\Program Files\DIFX
2008-11-08 17:04:27 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\WinRAR
2008-11-04 14:24:16 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Activision
2008-11-02 21:53:03 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Adobe
2008-11-02 21:30:26 0 d-------- E:\Program Files\Common Files\Adobe
2008-11-02 21:28:04 0 d-------- E:\Program Files\Common Files\Adobe AIR
2008-11-01 16:45:57 0 d-------- E:\Program Files\Bethesda Softworks
2008-11-01 16:09:10 0 d-------- E:\Documents and Settings\Tom Whyte\Application Data\Capcom
2008-11-01 16:08:20 0 d-------- E:\Program Files\MotoGP 08
2008-11-01 03:01:05 0 d-------- E:\Program Files\Virtual Earth 3D
2008-10-31 20:30:29 0 d-------- E:\Program Files\Electronic Arts
2008-10-31 15:20:00 0 d-------- E:\Program Files\Microsoft Silverlight
2008-10-31 02:02:00 0 d-------- E:\Program Files\Ubisoft
2008-10-31 00:43:18 0 d-------- E:\Program Files\AGEIA Technologies
2008-10-02 22:50:16 81920 --a------ E:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
10/11/2008 05:43 34816 --a------ E:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
10/11/2008 05:43 73728 --a------ E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="E:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [18/06/2003 00:00]
"RCSystem"="E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 17:25]
"AudioDrvEmulator"="E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 17:25]
"CTHelper"="CTHELPER.EXE" [17/08/2006 11:32 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [17/08/2006 11:32 E:\WINDOWS\system32\CTXFIHLP.EXE]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [01/07/2008 08:01]
"Copperhead"="E:\Program Files\Razer\Copperhead\razerhid.exe" [25/11/2005 10:53]
"Launch LGDCore"="E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [26/04/2007 16:22]
"Launch LCDMon"="E:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [26/04/2007 15:54]
"Flashget"="E:\Program Files\FlashGet\flashget.exe" [29/06/2007 11:44]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [15/12/2008 20:17]
"nwiz"="nwiz.exe" [15/12/2008 20:17 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [15/12/2008 20:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="E:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [13/12/2008 13:08]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:07]
"NVIDIA nTune"="E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [04/09/2007 19:25]
"msnmsgr"="E:\Program Files\Windows Live\Messenger\msnmsgr.exe" [06/07/2008 13:07]
"DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [06/08/2008 16:16]

E:\Documents and Settings\Tom Whyte\Start Menu\Startup\
SpywareBlaster.lnk - E:\Program Files\SpywareBlaster\spywareblaster.exe [08/11/2008 18:11:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoAutoTrayNotify"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=E:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=E:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=E:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=E:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
backup=E:\WINDOWS\pss\Privoxy.lnkCommon Startup
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^SlimServer Tray Tool.lnk]
backup=E:\WINDOWS\pss\SlimServer Tray Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
backup=E:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
backup=E:\WINDOWS\pss\ZDWLan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=E:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=E:\Documents and Settings\Tom Whyte\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^hamachi.lnk]
backup=E:\WINDOWS\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
backup=E:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^SAM.lnk]
backup=E:\WINDOWS\pss\SAM.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Programs^Startup^WampServer.lnk]
backup=E:\WINDOWS\pss\WampServer.lnkStartup
path=E:\Documents and Settings\Tom Whyte\Start Menu\Programs\Startup\WampServer.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Startup^Shortcut to LGDevAgt.exe.lnk]
path=E:\Documents and Settings\Tom Whyte\Start Menu\Startup\Shortcut to LGDevAgt.exe.lnk
backup=E:\WINDOWS\pss\Shortcut to LGDevAgt.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Tom Whyte^Start Menu^Startup^Xfire.lnk]
path=E:\Documents and Settings\Tom Whyte\Start Menu\Startup\Xfire.lnk
backup=E:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
"E:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"E:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
"E:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
"E:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CacheBoost]
E:\Program Files\Systweak\Systweak CacheBoost\trayicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
E:\Program Files\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
E:\Program Files\Electronic Arts\EADM\Core.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Echovoice Gamer Statistics]
E:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
"E:\PROGRA~1\FlashGet\Flashget.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
"E:\WINDOWS\system32\JMRaidTool.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
"E:\Documents and Settings\Tom Whyte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]
C:\Cracks & Keygens\ida.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"E:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"E:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"E:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
"E:\Program Files\KSE\nHancer 32bit\nHancer.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
"E:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "E:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"E:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
E:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"E:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"E:\Program Files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
E:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
E:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"E:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
"E:\Program Files\VMware\VMware Workstation\vmware-tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
"E:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xfire]
"E:\Program Files\Xfire\xfire.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"slimsvc"=3 (0x3)
"SlimServerMySQL"=2 (0x2)
"IQService"=2 (0x2)
"IDriverT"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"mi-raysat_3dsMax2008_32"=2 (0x2)
"iPod Service"=3 (0x3)
"DTDZIYZULDY"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Autodesk Licensing Service"=2 (0x2)
"Autodata Limited License Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"SDhelper"=2 (0x2)
"odserv"=3 (0x3)
"O&O Defrag"=2 (0x2)
"WinVNC4"=2 (0x2)
"BlueSoleilCS"=2 (0x2)
"CacheBoost Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffab9697-1c06-11dc-9682-0016e68aed37}]
AutoRun\command- .\Start.exe




-- End of Deckard's System Scanner: finished at 2008-12-28 18:02:49 ------------
12-28-2008, 07:11 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Hello Whytey,

Please--delete dss.exe from your system now. The tool was retired quite some time ago as some of today's malware interferes with the tool and can cause undesirable results.

The tool we use is dds.com.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Post the dds.txt and please attach the Attach.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
12-28-2008, 07:43 PM   #4
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Quote:
Originally Posted by Ried View Post
Hello Whytey,

Please--delete dss.exe from your system now. The tool was retired quite some time ago as some of today's malware interferes with the tool and can cause undesirable results.

The tool we use is dds.com.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Post the dds.txt and please attach the Attach.txt
Sorry, it's zipped in my first post.
Attachment: DDS.zip (12.7 KB)
12-28-2008, 08:00 PM   #5
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

DDS (Version 1.1.0) - NTFSx86
Run by Tom Whyte at 15:50:02.23 on 28/12/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2046.1209 [GMT 0:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\DU Meter\DUMeterSvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\GameTracker\GSInGameService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Razer\Copperhead\razerhid.exe
E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
E:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
E:\Program Files\FlashGet\flashget.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\IoctlSvc.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\SpywareBlaster\spywareblaster.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
E:\Program Files\SpywareBlaster\spywareblaster.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
E:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\DOCUME~1\TOMWHY~1\LOCALS~1\Temp\Rar$EX00.218\gmer.exe
D:\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.windowsxlive.net
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - e:\program files\flashget\jccatch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - e:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - e:\program files\flashget\getflash.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - e:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - e:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [RGSC] e:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "e:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "e:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DU Meter] e:\program files\du meter\DUMeter.exe
mRun: [CTDVDDET] "e:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "e:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "e:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "e:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [egui] "e:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Copperhead] e:\program files\razer\copperhead\razerhid.exe
mRun: [Launch LGDCore] "e:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "e:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Flashget] e:\program files\flashget\flashget.exe /min
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\tomwhy~1\startm~1\startup\spywar~1.lnk - e:\program files\spywareblaster\spywareblaster.exe
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
IE: &Download All with FlashGet - e:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - e:\program files\flashget\jc_link.htm
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - e:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - e:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - e:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - e:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Sothink SWF Catcher - e:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - e:\program files\flashget\FlashGet.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - e:\program files\httrack website download\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: e:\program files\vmware\vmware workstation\vsocklib.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\tomwhy~1\applic~1\mozilla\firefox\profiles\wnrcqfo4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.digg.com|http://www.torrentleech.org/browse.php
FF - component: e:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: e:\documents and settings\tom whyte\application data\mozilla\firefox\profiles\wnrcqfo4.default\extensions\logmeinclient@logmein.com\platform\winnt\plugins\npRescue.dll
FF - plugin: e:\documents and settings\tom whyte\application data\mozilla\firefox\profiles\wnrcqfo4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: e:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: e:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: e:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: e:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: e:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;e:\windows\system32\drivers\ikfilesec.sys [2008-1-12 42376]
R1 epfwtdir;epfwtdir;e:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 IKSysFlt;System Filter Driver;e:\windows\system32\drivers\iksysflt.sys [2008-1-12 66952]
R1 IKSysSec;System Security Driver;e:\windows\system32\drivers\iksyssec.sys [2008-1-12 81288]
R2 DUMeterSvc;DU Meter Service;e:\program files\du meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService [2008-12-2 1386008]
R2 ekrn;Eset Service;"e:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-7-1 468224]
R2 GS In-Game Service;GS In-Game Service;e:\program files\gametracker\GSInGameService.exe [2008-12-17 2329440]
R2 sdAuxService;PC Tools Auxiliary Service;e:\program files\spyware doctor\pctsAuxs.exe [2008-8-18 356920]
R2 vmci;VMware vmci;\??\e:\windows\system32\drivers\vmci.sys [2008-9-18 54960]
R3 UsbFltr;Razer Copperhead Driver;e:\windows\system32\drivers\copperhd.sys [2007-1-5 11596]
S1 SASDIFSV;SASDIFSV;\??\e:\program files\antispyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\e:\program files\antispyware\SASKUTIL.sys []
S3 AF05BDA;AF9005 BDA Device;e:\windows\system32\drivers\AF05BDA.sys [2005-12-29 122752]
S3 motccgp;Motorola USB Composite Device Driver;e:\windows\system32\drivers\motccgp.sys [2008-8-21 18176]
S3 motccgpfl;MotCcgpFlService;e:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 SASENUM;SASENUM;\??\e:\program files\antispyware\SASENUM.SYS []
S3 usbsnoop;usbsnoop (display);e:\windows\system32\drivers\usbsnoop.sys [2008-11-15 40896]
S4 CacheBoost Service;CacheBoost Performance Optimizer and Tuner Service;e:\program files\systweak\systweak cacheboost\cbsrv.exe [2008-12-12 187120]
S4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"e:\program files\webroot\spy sweeper\SpySweeper.exe" [2008-7-19 3572592]

=============== Created Last 30 ================

2008-12-27 17:07 1,897,408 ac------ e:\windows\system32\dllcache\nv4_mini.sys
2008-12-27 17:07 6,209,312 a------- e:\windows\system32\drivers\nv4_mini.sys
2008-12-27 17:07 4,274,816 ac------ e:\windows\system32\dllcache\nv4_disp.dll
2008-12-27 17:07 6,168,960 a------- e:\windows\system32\nv4_disp.dll
2008-12-27 16:32 11,807 ac------ e:\windows\system32\dllcache\wadv07nt.sys
2008-12-27 16:31 24,660 ac------ e:\windows\system32\dllcache\spxupchk.dll
2008-12-27 16:27 17,280 ac------ e:\windows\system32\dllcache\scr111.sys
2008-12-27 16:26 6,016 ac------ e:\windows\system32\dllcache\qic157.sys
2008-12-27 16:26 130,942 ac------ e:\windows\system32\dllcache\ptserlv.sys
2008-12-27 16:26 128,286 ac------ e:\windows\system32\dllcache\ptserli.sys
2008-12-27 16:26 112,574 ac------ e:\windows\system32\dllcache\ptserlp.sys
2008-12-27 16:26 159,232 ac------ e:\windows\system32\dllcache\ptpusd.dll
2008-12-27 16:26 5,632 ac------ e:\windows\system32\dllcache\ptpusb.dll
2008-12-27 16:26 35,328 ac------ e:\windows\system32\dllcache\psisload.dll
2008-12-27 16:26 16,128 ac------ e:\windows\system32\dllcache\pscr.sys
2008-12-27 16:26 17,792 ac------ e:\windows\system32\dllcache\ppa.sys
2008-12-27 16:26 17,664 ac------ e:\windows\system32\dllcache\ppa3.sys
2008-12-27 16:26 7,552 ac------ e:\windows\system32\dllcache\powerfil.sys
2008-12-27 16:26 7,168 ac------ e:\windows\system32\dllcache\pnrmc.sys
2008-12-27 16:24 30,282 ac------ e:\windows\system32\dllcache\pcntn5hl.sys
2008-12-27 16:23 2,944 ac------ e:\windows\system32\dllcache\msmpu401.sys
2008-12-27 16:23 22,016 ac------ e:\windows\system32\dllcache\msircomm.sys
2008-12-27 16:23 35,200 ac------ e:\windows\system32\dllcache\msgame.sys
2008-12-27 16:23 6,016 ac------ e:\windows\system32\dllcache\msfsio.sys
2008-12-27 16:23 51,328 ac------ e:\windows\system32\dllcache\msdv.sys
2008-12-27 16:23 17,280 ac------ e:\windows\system32\dllcache\mraid35x.sys
2008-12-27 16:21 34,688 ac------ e:\windows\system32\dllcache\lbrtfdc.sys
2008-12-27 16:20 45,632 ac------ e:\windows\system32\dllcache\ip5515.sys
2008-12-27 16:20 90,200 ac------ e:\windows\system32\dllcache\io8ports.dll
2008-12-27 16:20 38,784 ac------ e:\windows\system32\dllcache\io8.sys
2008-12-27 16:20 5,504 ac------ e:\windows\system32\dllcache\intelide.sys
2008-12-27 16:20 13,056 ac------ e:\windows\system32\dllcache\inport.sys
2008-12-27 16:20 16,000 ac------ e:\windows\system32\dllcache\ini910u.sys
2008-12-27 16:20 372,824 ac------ e:\windows\system32\dllcache\iconf32.dll
2008-12-27 16:18 1,041,536 ac------ e:\windows\system32\dllcache\hsfdpsp2.sys
2008-12-27 16:17 324,608 ac------ e:\windows\system32\dllcache\hpojwia.dll
2008-12-27 16:16 629,952 ac------ e:\windows\system32\dllcache\eqn.sys
2008-12-27 16:15 980,034 ac------ e:\windows\system32\dllcache\cicap.sys
2008-12-27 16:14 28,672 ac------ e:\windows\system32\dllcache\atinsnxx.sys
2008-12-27 16:13 66,048 ac------ e:\windows\system32\dllcache\s3legacy.dll
2008-12-27 15:39 603 a------- E:\reset.cmd
2008-12-26 21:49 268 a---h--- E:\sqmdata03.sqm
2008-12-26 21:49 244 a---h--- E:\sqmnoopt03.sqm
2008-12-20 23:20 24,576 a------- e:\windows\system32\VundoFixSVC.exe
2008-12-20 17:07 503,808 a------- e:\windows\msvcp80.dll
2008-12-20 15:41 161,792 a------- e:\windows\SWREG.exe
2008-12-20 15:41 98,816 a------- e:\windows\sed.exe
2008-12-17 22:09 <DIR> --d----- e:\windows\nview
2008-12-17 22:08 290,816 a------- e:\windows\system32\nvwrsth.dll
2008-12-17 17:19 <DIR> --d----- e:\program files\GameTracker
2008-12-17 17:18 <DIR> --d----- e:\docume~1\tomwhy~1\applic~1\GameTracker
2008-12-17 14:04 <DIR> --d----- e:\windows\Left 4 Dead
2008-12-17 14:04 <DIR> --d----- e:\program files\Left 4 Dead
2008-12-17 12:54 <DIR> --d----- e:\program files\ProductKeyExplorer
2008-12-15 16:37 6,168,960 a------- e:\windows\system32\nv4_disp.dll.tmp
2008-12-12 17:44 268 a---h--- E:\sqmdata02.sqm
2008-12-12 17:44 244 a---h--- E:\sqmnoopt02.sqm
2008-12-12 16:55 268 a---h--- E:\sqmdata01.sqm
2008-12-12 16:55 244 a---h--- E:\sqmnoopt01.sqm
2008-12-12 16:36 <DIR> --d----- e:\program files\Systweak
2008-12-12 13:20 <DIR> --d----- e:\program files\iTunes
2008-12-12 13:20 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-11 20:37 42,320 a------- e:\windows\system32\xfcodec.dll
2008-12-10 18:02 <DIR> --d----- e:\program files\NavNet
2008-12-07 01:00 <DIR> --d----- e:\program files\Western Digital Corp
2008-12-06 16:54 <DIR> --d----- e:\program files\Symantec
2008-12-06 13:10 <DIR> --d----- e:\program files\OO Software
2008-12-03 10:03 <DIR> --d----- e:\program files\Microsoft Games for Windows - LIVE
2008-12-03 07:59 <DIR> --d----- e:\program files\DAEMON Tools Toolbar
2008-12-03 07:58 <DIR> --d----- e:\program files\DAEMON Tools Lite
2008-12-02 23:11 1,253,376 a------- e:\windows\system32\NvPVEnc.ax
2008-12-02 13:25 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Hagel Technologies
2008-12-02 13:25 <DIR> --d----- e:\program files\DU Meter
2008-11-29 11:24 <DIR> -cd-h--- e:\docume~1\alluse~1\applic~1\{6ABA9AFC-BC32-41F6-AE1E-C0C9C137DB7B}

==================== Find3M ====================

2008-12-28 14:57 8,572 a------- e:\windows\system32\d3d9caps.dat
2008-12-27 21:21 204,296 a------- e:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-19 20:29 139,280 a------- e:\windows\system32\drivers\PnkBstrK.sys
2008-12-19 20:29 202,000 a------- e:\windows\system32\PnkBstrB.exe
2008-12-17 15:12 66,872 a------- e:\windows\system32\PnkBstrA.exe
2008-12-12 06:26 453,152 a------- e:\windows\system32\NVUNINST.EXE
2008-12-03 19:52 38,496 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- e:\windows\system32\drivers\mbam.sys
2008-12-02 22:57 717,296 a------- e:\windows\system32\drivers\sptd.sys
2008-11-22 15:33 34,308 a------- e:\windows\system32\Chip.dll
2008-11-22 15:33 22,004 a------- e:\windows\system32\Pvt.tmp
2008-11-15 01:30 40,896 a------- e:\windows\system32\drivers\usbsnoop.sys
2008-11-10 05:43 410,984 a------- e:\windows\system32\deploytk.dll
2008-10-31 02:05 22,328 a------- e:\docume~1\tomwhy~1\applic~1\PnkBstrK.sys
2008-10-31 02:04 2,250,024 a------- e:\windows\system32\pbsvc.exe
2008-10-28 17:41 14,303,392 a------- e:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- e:\windows\system32\xlivefnt.dll
2008-10-23 13:01 283,648 a------- e:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- e:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- e:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- e:\windows\system32\muweb.dll
2008-10-14 01:03 20,992 a------- e:\windows\system32\vncmirror.dll
2008-10-05 13:47 118,784 a------- e:\windows\web\wallpaper\.html.exe
2008-10-03 10:15 247,326 a------- e:\windows\system32\strmdll.dll
2008-10-02 22:50 81,920 a------- e:\windows\system32\frapsvid.dll
2008-09-30 16:43 1,286,152 a------- e:\windows\system32\msxml4.dll
2008-02-08 13:29 32 a------- e:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-17 17:23 1,136,640 a------- e:\program files\common files\ewutils2.dll
2004-12-20 00:04 13,824 a------- e:\documents and settings\tom whyte\dmg2iso.exe

============= FINISH: 15:50:42.54 ===============
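Added example, not code from the thread and not DDS's own logic: a small Python triage pass over the kinds of entries that appear in the DSS and DDS logs posted above (msconfig startupreg commands, Pseudo HJT Run lines, the msconfig services block, DDS service/driver lines, mountpoints2 AutoRun hooks and the file listings). It applies the generic red flags an analyst checks by eye: an autostart binary outside the Windows or Program Files trees, a bare filename that Windows resolves through the search path, an all-caps service name with almost no vowels, an AutoRun command left behind by a removable device, an unquoted Win32 service path containing spaces, a service or driver whose file DDS could not find, and a hidden or double extension such as `.html.exe`. Assumptions are labelled in the code: the trusted-root list is a site choice, and an empty `[]` at the end of a DDS service line is read as "file not found on disk". The sample log is constructed from lines modelled on the posted ones. A hit is a lead, not a verdict: Google Update legitimately lives under the user profile and should be verified by its signature, and an unquoted service path is a hardening defect rather than a sign of infection.

```python
"""Heuristic triage of autostart, service and file entries from a DDS/DSS log.
Added example, not DDS's own logic; every hit is a lead to verify, not a verdict."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: str


# Drive-letter path ending in a loadable file type, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|com|cpl))', re.I)
BARE_EXE_RE = re.compile(r'\b[\w~-]+\.exe\b', re.I)          # e.g. CTHELPER.EXE, found via search path
RUN_RE = re.compile(r'^(?:[umd]Run|StartupFolder):', re.I)   # DDS "Pseudo HJT" autostart lines
# DDS service/driver line "R2 name;display;image [date size]". Assumption: the
# bracket is empty when DDS could not find the image file on disk.
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$')
MSCONFIG_SVC_RE = re.compile(r'^"([^"]+)"=\d+ \(0x[0-9A-Fa-f]+\)$')  # DSS msconfig services block
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d\s')                # DDS file listing line
TRUSTED_ROOTS = ('\\windows\\', '\\program files\\', '\\progra~1\\')  # assumption: tune per site


def under_trusted_root(path: str) -> bool:
    return path.lower()[2:].startswith(TRUSTED_ROOTS)  # [2:] drops the drive letter


def name_check(path: str, line: str) -> List[Finding]:
    name = path.rsplit('\\', 1)[-1]
    if name.startswith('.') or name.count('.') > 1:    # e.g. ".html.exe"
        return [Finding('hidden or double file extension', line)]
    return []


def check_autostart(line: str) -> List[Finding]:
    m = PATH_RE.search(line)
    if not m:
        return [Finding('bare filename resolved via search path', line)] if BARE_EXE_RE.search(line) else []
    out = [] if under_trusted_root(m.group(1)) else [Finding('autostart outside trusted roots', line)]
    return out + name_check(m.group(1), line)


def check_service(line: str) -> List[Finding]:
    m = SERVICE_RE.match(line)
    out = [] if m.group(4) else [Finding('service/driver file not found on disk', line)]
    exe = re.match(r'([^"]*?\.exe)', m.group(3), re.I)  # matches only when the image is unquoted
    if exe and ' ' in exe.group(1):
        out.append(Finding('unquoted Win32 service path with spaces', line))
    return out


def looks_random(name: str) -> bool:
    """All-caps, 8+ letters, at most a quarter vowels (crude, but catches DTDZIYZULDY-style names)."""
    return bool(re.fullmatch(r'[A-Z]{8,}', name)) and sum(c in 'AEIOU' for c in name) / len(name) <= 0.25


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None  # 'startupreg' or 'services' while inside a DSS msconfig block
    for line in map(str.strip, log_text.splitlines()):
        if not line:
            continue
        if line.startswith('['):  # registry key header
            low = line.lower()
            section = ('startupreg' if 'msconfig\\startupreg\\' in low
                       else 'services' if low.endswith('\\msconfig\\services]') else None)
        elif section == 'services':
            m = MSCONFIG_SVC_RE.match(line)
            if m and looks_random(m.group(1)):
                findings.append(Finding('random-looking service name', line))
        elif section == 'startupreg' or RUN_RE.match(line):
            findings += check_autostart(line)
        elif SERVICE_RE.match(line):
            findings += check_service(line)
        elif 'autorun\\command' in line.lower():  # mountpoints2 hook left by a removable device
            findings.append(Finding('removable-media AutoRun hook', line))
        elif FILE_RE.match(line) and PATH_RE.search(line):
            findings += name_check(PATH_RE.search(line).group(1), line)
    return findings


# Constructed sample made of lines of the kind posted in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]
C:\Cracks & Keygens\ida.exe -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
"E:\Documents and Settings\Tom Whyte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"DTDZIYZULDY"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffab9697-1c06-11dc-9682-0016e68aed37}]
AutoRun\command- .\Start.exe
R2 ekrn;Eset Service;"e:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-7-1 468224]
R2 DUMeterSvc;DU Meter Service;e:\program files\du meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService [2008-12-2 1386008]
S1 SASDIFSV;SASDIFSV;\??\e:\program files\antispyware\SASDIFSV.SYS []
2008-10-05 13:47 118,784 a------- e:\windows\web\wallpaper\.html.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:40} {f.line}')
```

Run it on a saved DDS.txt by passing the file's contents to `triage()`; the ekrn, ctfmon and Webroot lines in the sample are negative controls and produce nothing, while the other eight lines each raise one finding. The vowel-ratio rule is deliberately crude: it exists to surface names like the one in the posted services block for a human to look up, not to classify them.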
12-28-2008, 08:24 PM   #6
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Thank you. I'm not seeing any active malware in the logs. Are you receiving any pop-ups or redirects at all?

I realize online scans are time consuming, but I feel it prudent to get a look at your system from the outside. Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-29-2008, 06:12 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

I am not getting pop-ups, or anything like that. But as I said, it came back quite randomly after I first got infected last week, which I thought had been removed.
Whytey is offline  
Old 12-29-2008, 09:15 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Please run the online scan, it may reveal remnants for us.
Ried is offline  
Old 12-29-2008, 09:28 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

I have just run it, and while scanning the Windows drive NOD32 prompted with this:

But Kaspersky has not found anything; did NOD32 take over?
Code:
29/12/2008 16:23:14	HTTP filter	file	hxxp://zzzzj.wwlax.com/get_frst.php?uid=1001B2AC-095F-2057-0528-07010507002C	a variant of Win32/TrojanDownloader.Agent.OOL trojan	connection terminated - quarantined	TOM\Tom Whyte	Threat was detected upon access to web by the application: E:\Documents and Settings\Tom Whyte\Local Settings\temp\wavvsnet.tmp.
29/12/2008 16:22:47	Real-time file system protection	file	E:\DOCUME~1\TOMWHY~1\LOCALS~1\Temp\prun.tmp	probably unknown NewHeur_PE virus	cleaned by deleting - quarantined	NT AUTHORITY\SYSTEM	Event occurred on a new file created by the application: E:\WINDOWS\system32\a.exe.
Code:
29/12/2008 16:29:14	HTTP filter	file	hxxp://62.4.83.205/kb435112.dll?&uid=&rid=zdez&guid=21595098B89B4DC88E3FAC431BED8F05&affid=166350	Win32/TrojanDownloader.Agent.ONC trojan	connection terminated - quarantined	TOM\Tom Whyte	Threat was detected upon access to web by the application: E:\WINDOWS\explorer.exe.
It also opens a new tab in Firefox and goes to a web address.
There was also virusremover2008, and the process name is winstall.exe for the first one.

When I ended one of the processes, Firefox crashed a few minutes later, but I am still running the scan.

Last edited by Whytey; 12-29-2008 at 09:40 AM.
Whytey is offline  
Old 12-29-2008, 09:38 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Did Kaspersky complete the scan, or did Nod interrupt it?

Quote:
It also open a new tab in firefox and goes to a web address
What address?
Ried is offline  
Old 12-29-2008, 09:41 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Possibly one of the addresses that NOD found.
One was an IP address and another one was some other domain.

Code:
hxxp://www.realtrafficbroker.com/adserver/index.php?SID=16
Code:
hxxp://liveantiviruspccheck.com/2009/1/en/_freescan.php?nu=770522166350

Last edited by Whytey; 12-29-2008 at 09:45 AM.
Whytey is offline  
Old 12-29-2008, 09:43 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Did Kaspersky complete the full scan?

Do you use a router?
Ried is offline  
Old 12-29-2008, 09:48 AM   #13 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

It has completed the scan but nothing was found.

Yes, I do have a router, and also rundll32.exe keeps coming back when I end it.
Whytey is offline  
Old 12-29-2008, 09:56 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

It can be normal to have Rundll32.exe running. See here for an explanation.

Since I don't know exactly what you've removed in the past, I feel it prudent to perform a hard reset with your router. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Then change your admin login and password--make it a strong password.

You may also want to ask your ISP for help in case there are custom settings that need to be maintained.
Ried is offline  
Old 12-29-2008, 09:58 AM   #15 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

rundll32.exe wasn't there before; it only just appeared when the virus popped up.
Whytey is offline  
Old 12-29-2008, 10:10 AM   #16 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Malwarebytes' Anti-Malware 1.31
Database version: 1554
Windows 5.1.2600 Service Pack 2

29/12/2008 17:10:32
mbam-log-2008-12-29 (17-10-27).txt

Scan type: Quick Scan
Objects scanned: 67151
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 21
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\opnlKExu.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\rtruavym.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\fikiml.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\xfopntec.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\ssqOFUNe.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de538ec5-5f2d-4cd9-aa87-7281933771e8} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{de538ec5-5f2d-4cd9-aa87-7281933771e8} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6568bef-b466-4df7-bb99-034c09c8c28c} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e6568bef-b466-4df7-bb99-034c09c8c28c} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6568bef-b466-4df7-bb99-034c09c8c28c} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqofune (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{de538ec5-5f2d-4cd9-aa87-7281933771e8} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000000af (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\opnlkexu -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\opnlkexu -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\opnlKExu.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\uxEKlnpo.ini (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\uxEKlnpo.ini2 (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\fikiml.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\rtruavym.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\myvaurtr.ini (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\xfopntec.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\ssqOFUNe.dll (Trojan.Vundo) -> No action taken.
E:\RECYCLER\S-1-5-21-1715567821-527237240-839522115-1003\De41.tmp (Trojan.Downloader) -> No action taken.
E:\RECYCLER\S-1-5-21-1715567821-527237240-839522115-1003\De42.tmp (Rogue.Installer) -> No action taken.
E:\RECYCLER\S-1-5-21-1715567821-527237240-839522115-1003\De43.tmp (Trojan.Downloader) -> No action taken.
E:\RECYCLER\S-1-5-21-1715567821-527237240-839522115-1003\De74.exe (Rogue.Installer) -> No action taken.
E:\Documents and Settings\Tom Whyte\Local Settings\temp\winsinstall.exe (Rogue.Installer) -> No action taken.
E:\Documents and Settings\Tom Whyte\Local Settings\temp\winvsnet.tmp (Rogue.Installer) -> No action taken.
E:\Documents and Settings\Tom Whyte\Local Settings\Temporary Internet Files\Content.IE5\K7FX4LQ4\index[1] (Trojan.Vundo.H) -> No action taken.
E:\Documents and Settings\Tom Whyte\Local Settings\Temporary Internet Files\Content.IE5\K7FX4LQ4\winsinstall[1].exe (Rogue.Installer) -> No action taken.
E:\Documents and Settings\Tom Whyte\Local Settings\Temporary Internet Files\Content.IE5\WJ2FPIX6\upd105320[1] (Trojan.Vundo.H) -> No action taken.
E:\reset.cmd (Trojan.Agent) -> No action taken.
Whytey is offline  
Old 12-29-2008, 10:23 AM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

This is not making sense, Whytey. There is no way MBAM would find so much - where you've taken no action - and Kaspersky come up with no infection at all.

Run a new scan with dds.com and post dds.txt.
Ried is offline  
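The MBAM log posted above and Ried's point about it, as an added example that is not part of the thread or of Malwarebytes' own code: a small Python parser for the Malwarebytes' Anti-Malware log format that tallies detections per section, cross-checks the summary counts against the entries actually listed (a quick way to spot a truncated paste), and reports which entries were never acted on. The sample input is a shortened excerpt of the log above.

```python
"""Added example, not MBAM's or the forum's own code: parse a Malwarebytes'
Anti-Malware 1.31 log as posted in this thread and report what was found
and whether anything was actually removed."""
import re
from collections import Counter

# Summary block: "Files Infected: 18"    Detail block header: "Files Infected:"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):(?: (\d+))?$")
# Detail line: "<object> (<family>) -> [Data: <data> -> ]<action>."
ENTRY_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+?)\.$"
)

# Sample input: a shortened excerpt of the log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1554

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\opnlKExu.dll (Trojan.Vundo.H) -> No action taken.
E:\WINDOWS\system32\ssqOFUNe.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\opnlkexu -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\opnlKExu.dll (Trojan.Vundo.H) -> No action taken.
E:\reset.cmd (Trojan.Agent) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (declared, entries): declared maps each section name to the count
    given in the summary block; entries holds one dict per detection line."""
    declared, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is None:
                section = name            # start of a detail block
            else:
                declared[name] = int(count)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return declared, entries


def summarize(text):
    """Tally detections, flag summary counts that disagree with the listed
    entries, and list every object whose action was 'No action taken'."""
    declared, entries = parse_mbam_log(text)
    found = Counter(e["section"] for e in entries)
    return {
        "total": len(entries),
        "families": Counter(e["family"] for e in entries),
        "unhandled": [e["obj"] for e in entries if e["action"] == "No action taken"],
        "count_mismatch": {s for s, n in declared.items() if n != found[s]},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} detections, {len(report['unhandled'])} not acted on")
    for family, n in report["families"].most_common():
        print(f"  {family}: {n}")
    if report["count_mismatch"]:
        print("summary counts disagree with listed entries:", report["count_mismatch"])
```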
Old 12-29-2008, 10:26 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

What sites have you been visiting since you ran the online scan?
Ried is offline  
Old 12-29-2008, 11:11 AM   #19 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 81
OS: Winxp Pro SP2


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

I have been visiting no sites since the scan; it just opens up once the tool finds the file.

DDS (Version 1.1.0) - NTFSx86
Run by Tom Whyte at 18:09:07.46 on 29/12/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2046.1377 [GMT 0:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
E:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\Razer\Copperhead\razerhid.exe
E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
E:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
E:\Program Files\FlashGet\flashget.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\DU Meter\DUMeterSvc.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\GameTracker\GSInGameService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\IoctlSvc.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
E:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\VMware\VMware Workstation\vmware-tray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Tom Whyte\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.windowsxlive.net
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - e:\program files\flashget\jccatch.dll
BHO: {31c1a3af-e2ec-4009-987d-0dde77a2ecea} - e:\windows\system32\opnlKExu.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - e:\progra~1\flashfxp\IEFlash.dll
BHO: {c82c8c90-c430-99bb-7fd4-664bfeb8656e}: {e6568bef-b466-4df7-bb99-034c09c8c28c} - e:\windows\system32\fikiml.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - e:\program files\flashget\getflash.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - e:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - e:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [RGSC] e:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "e:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "e:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DU Meter] e:\program files\du meter\DUMeter.exe
mRun: [CTDVDDET] "e:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "e:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "e:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "e:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [egui] "e:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Copperhead] e:\program files\razer\copperhead\razerhid.exe
mRun: [Launch LGDCore] "e:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "e:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Flashget] e:\program files\flashget\flashget.exe /min
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [000000af] rundll32.exe "e:\windows\system32\rtruavym.dll",b
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\tomwhy~1\startm~1\startup\spywar~1.lnk - e:\program files\spywareblaster\spywareblaster.exe
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
IE: &Download All with FlashGet - e:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - e:\program files\flashget\jc_link.htm
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - e:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - e:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - e:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - e:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Sothink SWF Catcher - e:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - e:\program files\flashget\FlashGet.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - e:\program files\httrack website download\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: e:\program files\vmware\vmware workstation\vsocklib.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ssqOFUNe - ssqOFUNe.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: fikiml.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - e:\windows\system32\ssqOFUNe.dll
LSA: Authentication Packages = msv1_0 e:\windows\system32\opnlKExu

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\tomwhy~1\applic~1\mozilla\firefox\profiles\wnrcqfo4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.digg.com|http://www.torrentleech.org/browse.php
FF - component: e:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: e:\documents and settings\tom whyte\application data\mozilla\firefox\profiles\wnrcqfo4.default\extensions\logmeinclient@logmein.com\platform\winnt\plugins\npRescue.dll
FF - plugin: e:\documents and settings\tom whyte\application data\mozilla\firefox\profiles\wnrcqfo4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: e:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: e:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: e:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: e:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: e:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;e:\windows\system32\drivers\ikfilesec.sys [2008-1-12 42376]
R1 epfwtdir;epfwtdir;e:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 IKSysFlt;System Filter Driver;e:\windows\system32\drivers\iksysflt.sys [2008-1-12 66952]
R1 IKSysSec;System Security Driver;e:\windows\system32\drivers\iksyssec.sys [2008-1-12 81288]
R2 DUMeterSvc;DU Meter Service;e:\program files\du meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService [2008-12-2 1386008]
R2 ekrn;Eset Service;"e:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-7-1 468224]
R2 GS In-Game Service;GS In-Game Service;e:\program files\gametracker\GSInGameService.exe [2008-12-17 2329440]
R2 sdAuxService;PC Tools Auxiliary Service;e:\program files\spyware doctor\pctsAuxs.exe [2008-8-18 356920]
R2 vmci;VMware vmci;\??\e:\windows\system32\drivers\vmci.sys [2008-9-18 54960]
R3 UsbFltr;Razer Copperhead Driver;e:\windows\system32\drivers\copperhd.sys [2007-1-5 11596]
S1 SASDIFSV;SASDIFSV;\??\e:\program files\antispyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\e:\program files\antispyware\SASKUTIL.sys []
S3 AF05BDA;AF9005 BDA Device;e:\windows\system32\drivers\AF05BDA.sys [2005-12-29 122752]
S3 motccgp;Motorola USB Composite Device Driver;e:\windows\system32\drivers\motccgp.sys [2008-8-21 18176]
S3 motccgpfl;MotCcgpFlService;e:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 SASENUM;SASENUM;\??\e:\program files\antispyware\SASENUM.SYS []
S3 usbsnoop;usbsnoop (display);e:\windows\system32\drivers\usbsnoop.sys [2008-11-15 40896]
S4 CacheBoost Service;CacheBoost Performance Optimizer and Tuner Service;e:\program files\systweak\systweak cacheboost\cbsrv.exe [2008-12-12 187120]
S4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"e:\program files\webroot\spy sweeper\SpySweeper.exe" [2008-7-19 3572592]

=============== Created Last 30 ================

2008-12-29 16:31 1,312,198 ---sh--- e:\windows\system32\myvaurtr.ini
2008-12-29 16:31 87,552 a------- e:\windows\system32\rtruavym.dll
2008-12-29 16:29 131,584 a------- e:\windows\system32\fikiml.dll
2008-12-29 16:29 131,584 a------- e:\windows\system32\xfopntec.dll
2008-12-29 16:28 573,007 a--sh--- e:\windows\system32\uxEKlnpo.ini2
2008-12-29 16:28 573,438 a--sh--- e:\windows\system32\uxEKlnpo.ini
2008-12-29 16:28 287,744 a------- e:\windows\system32\opnlKExu.dll
2008-12-29 16:22 50,176 a------- e:\windows\system32\ssqOFUNe.dll
2008-12-28 18:00 <DIR> --d----- E:\Deckard
2008-12-28 16:30 <DIR> --d----- E:\VundoFix Backups
2008-12-27 17:07 1,897,408 ac------ e:\windows\system32\dllcache\nv4_mini.sys
2008-12-27 17:07 6,209,312 a------- e:\windows\system32\drivers\nv4_mini.sys
2008-12-27 17:07 4,274,816 ac------ e:\windows\system32\dllcache\nv4_disp.dll
2008-12-27 17:07 6,168,960 a------- e:\windows\system32\nv4_disp.dll
2008-12-27 16:32 11,807 ac------ e:\windows\system32\dllcache\wadv07nt.sys
2008-12-27 16:31 24,660 ac------ e:\windows\system32\dllcache\spxupchk.dll
2008-12-27 16:27 17,280 ac------ e:\windows\system32\dllcache\scr111.sys
2008-12-27 16:26 6,016 ac------ e:\windows\system32\dllcache\qic157.sys
2008-12-27 16:26 130,942 ac------ e:\windows\system32\dllcache\ptserlv.sys
2008-12-27 16:26 128,286 ac------ e:\windows\system32\dllcache\ptserli.sys
2008-12-27 16:26 112,574 ac------ e:\windows\system32\dllcache\ptserlp.sys
2008-12-27 16:26 159,232 ac------ e:\windows\system32\dllcache\ptpusd.dll
2008-12-27 16:26 5,632 ac------ e:\windows\system32\dllcache\ptpusb.dll
2008-12-27 16:26 35,328 ac------ e:\windows\system32\dllcache\psisload.dll
2008-12-27 16:26 16,128 ac------ e:\windows\system32\dllcache\pscr.sys
2008-12-27 16:26 17,792 ac------ e:\windows\system32\dllcache\ppa.sys
2008-12-27 16:26 17,664 ac------ e:\windows\system32\dllcache\ppa3.sys
2008-12-27 16:26 7,552 ac------ e:\windows\system32\dllcache\powerfil.sys
2008-12-27 16:26 7,168 ac------ e:\windows\system32\dllcache\pnrmc.sys
2008-12-27 16:24 30,282 ac------ e:\windows\system32\dllcache\pcntn5hl.sys
2008-12-27 16:23 2,944 ac------ e:\windows\system32\dllcache\msmpu401.sys
2008-12-27 16:23 22,016 ac------ e:\windows\system32\dllcache\msircomm.sys
2008-12-27 16:23 35,200 ac------ e:\windows\system32\dllcache\msgame.sys
2008-12-27 16:23 6,016 ac------ e:\windows\system32\dllcache\msfsio.sys
2008-12-27 16:23 51,328 ac------ e:\windows\system32\dllcache\msdv.sys
2008-12-27 16:23 17,280 ac------ e:\windows\system32\dllcache\mraid35x.sys
2008-12-27 16:21 34,688 ac------ e:\windows\system32\dllcache\lbrtfdc.sys
2008-12-27 16:20 45,632 ac------ e:\windows\system32\dllcache\ip5515.sys
2008-12-27 16:20 90,200 ac------ e:\windows\system32\dllcache\io8ports.dll
2008-12-27 16:20 38,784 ac------ e:\windows\system32\dllcache\io8.sys
2008-12-27 16:20 5,504 ac------ e:\windows\system32\dllcache\intelide.sys
2008-12-27 16:20 13,056 ac------ e:\windows\system32\dllcache\inport.sys
2008-12-27 16:20 16,000 ac------ e:\windows\system32\dllcache\ini910u.sys
2008-12-27 16:20 372,824 ac------ e:\windows\system32\dllcache\iconf32.dll
2008-12-27 16:18 1,041,536 ac------ e:\windows\system32\dllcache\hsfdpsp2.sys
2008-12-27 16:17 324,608 ac------ e:\windows\system32\dllcache\hpojwia.dll
2008-12-27 16:16 629,952 ac------ e:\windows\system32\dllcache\eqn.sys
2008-12-27 16:15 980,034 ac------ e:\windows\system32\dllcache\cicap.sys
2008-12-27 16:14 28,672 ac------ e:\windows\system32\dllcache\atinsnxx.sys
2008-12-27 16:13 66,048 ac------ e:\windows\system32\dllcache\s3legacy.dll
2008-12-27 15:39 603 a------- E:\reset.cmd
2008-12-26 21:49 268 a---h--- E:\sqmdata03.sqm
2008-12-26 21:49 244 a---h--- E:\sqmnoopt03.sqm
2008-12-20 23:20 24,576 a------- e:\windows\system32\VundoFixSVC.exe
2008-12-20 17:07 503,808 a------- e:\windows\msvcp80.dll
2008-12-20 15:41 161,792 a------- e:\windows\SWREG.exe
2008-12-20 15:41 98,816 a------- e:\windows\sed.exe
2008-12-17 22:09 <DIR> --d----- e:\windows\nview
2008-12-17 22:08 290,816 a------- e:\windows\system32\nvwrsth.dll
2008-12-17 17:19 <DIR> --d----- e:\program files\GameTracker
2008-12-17 17:18 <DIR> --d----- e:\docume~1\tomwhy~1\applic~1\GameTracker
2008-12-17 14:04 <DIR> --d----- e:\windows\Left 4 Dead
2008-12-17 14:04 <DIR> --d----- e:\program files\Left 4 Dead
2008-12-17 12:54 <DIR> --d----- e:\program files\ProductKeyExplorer
2008-12-15 16:37 6,168,960 a------- e:\windows\system32\nv4_disp.dll.tmp
2008-12-12 17:44 268 a---h--- E:\sqmdata02.sqm
2008-12-12 17:44 244 a---h--- E:\sqmnoopt02.sqm
2008-12-12 16:55 268 a---h--- E:\sqmdata01.sqm
2008-12-12 16:55 244 a---h--- E:\sqmnoopt01.sqm
2008-12-12 16:36 <DIR> --d----- e:\program files\Systweak
2008-12-12 13:20 <DIR> --d----- e:\program files\iTunes
2008-12-12 13:20 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-11 20:37 42,320 a------- e:\windows\system32\xfcodec.dll
2008-12-10 18:02 <DIR> --d----- e:\program files\NavNet
2008-12-07 01:00 <DIR> --d----- e:\program files\Western Digital Corp
2008-12-06 16:54 <DIR> --d----- e:\program files\Symantec
2008-12-06 13:10 <DIR> --d----- e:\program files\OO Software
2008-12-03 10:03 <DIR> --d----- e:\program files\Microsoft Games for Windows - LIVE
2008-12-03 07:59 <DIR> --d----- e:\program files\DAEMON Tools Toolbar
2008-12-03 07:58 <DIR> --d----- e:\program files\DAEMON Tools Lite
2008-12-02 23:11 1,253,376 a------- e:\windows\system32\NvPVEnc.ax
2008-12-02 13:25 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Hagel Technologies
2008-12-02 13:25 <DIR> --d----- e:\program files\DU Meter

==================== Find3M ====================

2008-12-28 14:57 8,572 a------- e:\windows\system32\d3d9caps.dat
2008-12-27 21:21 204,296 a------- e:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-19 20:29 139,280 a------- e:\windows\system32\drivers\PnkBstrK.sys
2008-12-19 20:29 202,000 a------- e:\windows\system32\PnkBstrB.exe
2008-12-17 15:12 66,872 a------- e:\windows\system32\PnkBstrA.exe
2008-12-12 06:26 453,152 a------- e:\windows\system32\NVUNINST.EXE
2008-12-03 19:52 38,496 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- e:\windows\system32\drivers\mbam.sys
2008-12-02 22:57 717,296 a------- e:\windows\system32\drivers\sptd.sys
2008-11-22 15:33 34,308 a------- e:\windows\system32\Chip.dll
2008-11-22 15:33 22,004 a------- e:\windows\system32\Pvt.tmp
2008-11-15 01:30 40,896 a------- e:\windows\system32\drivers\usbsnoop.sys
2008-11-10 05:43 410,984 a------- e:\windows\system32\deploytk.dll
2008-10-31 02:05 22,328 a------- e:\docume~1\tomwhy~1\applic~1\PnkBstrK.sys
2008-10-31 02:04 2,250,024 a------- e:\windows\system32\pbsvc.exe
2008-10-28 17:41 14,303,392 a------- e:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- e:\windows\system32\xlivefnt.dll
2008-10-23 13:01 283,648 a------- e:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- e:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- e:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- e:\windows\system32\muweb.dll
2008-10-14 01:03 20,992 a------- e:\windows\system32\vncmirror.dll
2008-10-05 13:47 118,784 a------- e:\windows\web\wallpaper\.html.exe
2008-10-03 10:15 247,326 a------- e:\windows\system32\strmdll.dll
2008-10-02 22:50 81,920 a------- e:\windows\system32\frapsvid.dll
2008-02-08 13:29 32 a------- e:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-17 17:23 1,136,640 a------- e:\program files\common files\ewutils2.dll
2004-12-20 00:04 13,824 a------- e:\documents and settings\tom whyte\dmg2iso.exe

============= FINISH: 18:09:59.25 ===============
Old 12-29-2008, 01:47 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Trojan.Vundo, Rogue.VirusRemover Reappear from weeks ago

Ok, let's act quickly.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT - Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on combofix.exe & follow the prompts. Do allow the install of the Recovery Console if you are prompted.

When the tool is finished, post the ComboFix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum