Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1, 02-22-2009, 12:04 AM, jsmd7921 (Registered User, joined Feb 2009, OS: XP SP3)
Can't seem to get rid of "vundo" virus

From reading some other posts on this forum, I think I have been infected with (at least) the Vundo virus. Trend Micro (apparently a terrible product) says it successfully quarantines "TROJAN_VUNDO.*", but I still see indications that it remains (or has opened the door for other problems). It (Trend Micro) also says it "Ignored Successfully" several "TROJAN_Generic.DIT" entries. I can't turn on Windows Update, and on my last restart I got a popup that new programs had been installed; the "new" programs were about half of the existing programs on my computer.

I am also unable to upload (can't even browse or type in the location of file I want to upload) my Attach.zip file. The space for the file location is greyed out and when I click the space or the "browse" button I get the MS hourglass and then ... nothing.

Here is my dds.txt:


DDS (Ver_09-02-01.01) - NTFSx86
Run by John at 21:54:09.81 on Sat 02/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.464 [GMT -8:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Hummingbird\Connectivity\11.00\InetD\inetd32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Search_URL =
uDefault_Page_URL =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {287fd2d0-5736-627a-9e94-0688782116b1}: {1b611287-8860-49e9-a726-63750d2df782} - c:\windows\system32\pwzihy.dll
BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: {fad3201d-138e-4ba6-9ee1-905e4338fbac} - c:\windows\system32\iifcCsTN.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [<NO NAME>]
uRun: [ATI Launchpad]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [oovoo.exe] c:\program files\oovoo\oovoo.exe /minimized
mRun: [nForce Tray Options] sstray.exe /r
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HumMeteringClient] rundll32.exe "c:\program files\hummingbird\connectivity\11.00\accessories\MeteringClient.dll",RegisterProduct
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /l*v c:\windows\temp\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
StartupFolder: c:\docume~1\john\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\hummingbird\connectivity\11.00\exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/30a209cfe9be244af904/netzip/RdxIE601.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168730387296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ljJDWPij -
AppInit_DLLs: pwzihy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifcCsTN

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-9-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-3-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\hummingbird\connectivity\11.00\hostexplorer\printservices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-1-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-1-28 677128]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\hummingbird\connectivity\11.00\accessories\ProxyEngine.exe [2005-10-27 120496]

=============== Created Last 30 ================

2009-02-21 08:59 16,384 a------- c:\windows\DCEBoot.exe
2009-02-20 21:03 5,943 a------- c:\windows\system32\tcwfubdf.dll
2009-02-20 21:00 5,944 a------- c:\windows\system32\cxjwkvjj.dll
2009-02-20 09:03 5,944 a------- c:\windows\system32\celgjepv.dll
2009-02-20 09:00 5,943 a------- c:\windows\system32\reiqupnq.dll
2009-02-19 21:35 <DIR> --d----- c:\documents and settings\john\.housecall6.6
2009-02-19 21:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-19 21:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 21:03 5,944 a------- c:\windows\system32\vmmwcnrg.dll
2009-02-19 21:00 5,943 a------- c:\windows\system32\hnglvqsv.dll
2009-02-19 09:02 5,944 a------- c:\windows\system32\ikcqcfue.dll
2009-02-19 08:59 5,943 a------- c:\windows\system32\kymdblec.dll
2009-02-18 21:00 5,943 a------- c:\windows\system32\wkkkskig.dll
2009-02-18 20:58 5,944 a------- c:\windows\system32\bqhxswxj.dll
2009-02-17 10:17 1,619,467 a--sh--- c:\windows\system32\vjvbdhts.ini
2009-02-17 10:15 129,024 a------- c:\windows\system32\pwzihy.dll
2009-02-17 10:15 129,024 a------- c:\windows\system32\mwujuflm.dll
2009-02-16 16:59 1,571,654 a--sh--- c:\windows\system32\hfnynuvo.ini
2009-02-15 17:02 1,583,467 a--sh--- c:\windows\system32\blpqeaqh.ini
2009-02-15 17:01 72,704 a------- c:\windows\system32\hqaeqplb.dll
2009-02-15 16:40 5,319 a--sh--- c:\windows\system32\NTsCcfii.ini2
2009-02-15 16:40 5,319 a--sh--- c:\windows\system32\NTsCcfii.ini
2009-02-15 16:39 302,592 a------- c:\windows\system32\iifcCsTN.dll
2009-01-29 20:45 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2009-01-29 20:45 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-01-29 20:45 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-01-28 09:44 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-01-28 09:44 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:44 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-01-27 22:00 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-01-27 21:58 <DIR> --d----- c:\program files\Trend Micro(TM) Internet Security

==================== Find3M ====================

2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2008-03-07 14:37 85,000 a------- c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT
2007-08-15 20:37 87,608 a------- c:\docume~1\john\applic~1\inst.exe
2007-08-15 20:37 47,360 a------- c:\docume~1\john\applic~1\pcouffin.sys
2006-05-11 07:54 459 a------- c:\program files\INSTALL.LOG
2005-12-16 08:48 37 a------- c:\documents and settings\john\getfile.dat
2004-12-30 13:02 565 a------- c:\documents and settings\john\DMOrganizer.dat
2004-12-27 08:04 284 a------- c:\docume~1\john\applic~1\ViewerApp.dat
2008-08-26 02:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 21:56:34.48 ===============
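Reading the DDS log above by hand is what the helpers here do. As an added example that is not code from the thread, from DDS or from ComboFix, the Python below pulls the same Vundo indicators out of log lines mechanically: BHOs registered without a display name, the AppInit_DLLs and LSA Authentication Packages entries, random-named DLLs in system32 that share one size, and the hidden system .ini files beside them. It also reads ComboFix's "Other Deletions" and REGEDIT4 lines of the kind posted further down the thread, to report load points that still name a file ComboFix deleted. The sample log is constructed from lines in this thread; the name-length, size-cluster and "two reasons" thresholds are assumptions of this example, not vendor signatures.

```python
"""Triage DDS / ComboFix log lines for Vundo-style persistence.
Added example for this thread, not code from the forum, DDS or ComboFix.
SAMPLE_LOG is built from lines posted in the thread; the thresholds (6-8
letter names, 3+ same-size DLLs, 2+ reasons) are this example's assumptions."""
import re
from collections import defaultdict

# DDS "Created Last 30" and ComboFix "Files Created" share one line shape:
# date time [. date time] size attrs path.  Vundo uses short random names, but
# alone that rule is noise (deploytk.dll matches too), so a name hit only
# counts together with other evidence.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \S+ \S+)?\s+"
                        r"([\d,]+|<DIR>)\s+([-a-z]+)\s+(.+)$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.(dll|ini|ini2)$", re.I)

# Constructed from this thread: DDS pseudo-HJT and "Created Last 30" lines,
# then ComboFix "Files Created", "Other Deletions" and REGEDIT4 lines.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {287fd2d0-5736-627a-9e94-0688782116b1}: {1b611287-8860-49e9-a726-63750d2df782} - c:\windows\system32\pwzihy.dll
BHO: {fad3201d-138e-4ba6-9ee1-905e4338fbac} - c:\windows\system32\iifcCsTN.dll
AppInit_DLLs: pwzihy.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifcCsTN
2009-02-20 21:00 5,944 a------- c:\windows\system32\cxjwkvjj.dll
2009-02-19 21:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 21:03 5,944 a------- c:\windows\system32\vmmwcnrg.dll
2009-02-17 10:17 1,619,467 a--sh--- c:\windows\system32\vjvbdhts.ini
2009-02-17 10:15 129,024 a------- c:\windows\system32\pwzihy.dll
2009-02-15 16:40 5,319 a--sh--- c:\windows\system32\NTsCcfii.ini
2009-02-15 16:39 302,592 a------- c:\windows\system32\iifcCsTN.dll
2009-02-23 21:13 . 2009-02-23 21:13 5,944 --a------ c:\windows\system32\sqtjxmxm.dll
((((((((((( Other Deletions )))))))))))
c:\windows\system32\iifcCsTN.dll
c:\windows\system32\pwzihy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwzihy.dll
"""

def _fname(target):
    # Lower-case file name of a load-point target; LSA packages lack ".dll".
    name = target.lower().rsplit("\\", 1)[-1]
    return name if "." in name else name + ".dll"

def flag_created(lines):
    """Reasons to distrust each created file, keyed by lower-case path."""
    findings, by_size = defaultdict(list), defaultdict(list)
    hits = (CREATED_RE.match(l.strip()) for l in lines)
    for m in (m for m in hits if m and m.group(1) != "<DIR>"):
        size, attrs, path = m.group(1), m.group(2).lower(), m.group(3).lower()
        name = path.rsplit("\\", 1)[-1]
        if path.startswith("c:\\windows\\system32\\") and RANDOM_NAME_RE.match(name):
            findings[path].append("random 6-8 letter name in system32")
        if "s" in attrs and "h" in attrs and name.endswith((".ini", ".ini2")):
            findings[path].append("hidden+system .ini (Vundo config/backup)")
        if name.endswith(".dll"):
            by_size[int(size.replace(",", ""))].append(path)
    for size, paths in by_size.items():   # a dropper rewriting itself leaves same-size DLLs
        for path in (paths if len(paths) >= 3 else ()):
            findings[path].append(f"{len(paths)} DLLs of {size} bytes")
    return dict(findings)

def flag_loadpoints(lines):
    """(kind, target, why) for persistence entries in DDS or ComboFix form."""
    out = []
    for line in (l.strip() for l in lines):
        if line.startswith(("AppInit_DLLs:", '"AppInit_DLLs"=')):
            target = re.split(r"[:=]", line, maxsplit=1)[1].strip()
            if target:
                out.append(("AppInit_DLLs", target, "injected into every process that loads user32"))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    out.append(("LSA", pkg, "extra authentication package loaded by lsass"))
        elif line.startswith("BHO:"):
            head, _, path = line[4:].strip().rpartition(" - ")
            name = head.split(":")[0].strip()
            if not name or name.startswith("{"):
                out.append(("BHO", path.strip(), "BHO registered without a display name"))
    return out

def triage(log_text):
    """Merge file and load-point evidence into {filename: [distinct reasons]}."""
    lines, score = log_text.splitlines(), defaultdict(list)
    for path, reasons in flag_created(lines).items():
        score[path.rsplit("\\", 1)[-1]].extend(reasons)
    for kind, target, why in flag_loadpoints(lines):
        reason = f"loaded via {kind}: {why}"
        if reason not in score[_fname(target)]:
            score[_fname(target)].append(reason)
    return dict(score)

def likely_malicious(log_text, min_reasons=2):
    return sorted(f for f, r in triage(log_text).items() if len(r) >= min_reasons)

def dangling_loadpoints(log_text):
    """Load points whose target ComboFix lists under 'Other Deletions'."""
    deleted, active = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if "Other Deletions" in line:
            active = True
        elif line.startswith(("(", "[")):
            active = False
        elif active and re.match(r"[a-z]:\\", line, re.I):
            deleted.add(_fname(line))
    return sorted({(k, _fname(t)) for k, t, _ in flag_loadpoints(log_text.splitlines())
                   if _fname(t) in deleted})

if __name__ == "__main__":
    print(likely_malicious(SAMPLE_LOG), dangling_loadpoints(SAMPLE_LOG))
```

The name rule on its own flags the legitimate deploytk.dll (the Java deployment toolkit installed on 02-19), which is why a single reason is reported but not acted on. The dangling check is the point a practitioner watches after a ComboFix run: deleting pwzihy.dll does not clear the AppInit_DLLs value that names it, so the registry value still has to be removed by hand.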
#2, 02-23-2009, 04:30 AM, TheBruce1 (Moderator, Analyst, Security Team; joined Oct 2006; Dùn Èideann, Scotland; OS: XP)
Re: Can't seem to get rid of "vundo" virus

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

=========

Can you copy/paste the ark and attach.txt into your reply rather than attaching them?

=========

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review, along with the ark and attach.txt.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
#3, 02-24-2009, 10:14 PM, jsmd7921 (Registered User, joined Feb 2009, OS: XP SP3)
Re: Can't seem to get rid of "vundo" virus

TheBruce1,

I just ran ComboFix, and already there is a significant improvement: I can now attach files again. I have attached the three files you requested: ark.txt, attach.zip, and ComboFix.txt. I am not certain, though, that all of the antivirus stuff was turned off, because I got a couple of pop-ups while ComboFix was running in which Trend Micro was warning me about something. Hopefully there is enough information for you to diagnose whether or not my computer is "clean".

ComboFix 09-02-21.01 - John 2009-02-24 20:34:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.359 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Application Data\inst.exe
c:\program files\INSTALL.LOG
c:\windows\system32\hqaeqplb.dll
c:\windows\system32\iifcCsTN.dll
c:\windows\system32\mwujuflm.dll
c:\windows\system32\NTsCcfii.ini
c:\windows\system32\NTsCcfii.ini2
c:\windows\system32\pwzihy.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 20:31 . 2009-02-24 20:32 <DIR> d-------- C:\32788R22FWJFW
2009-02-23 21:13 . 2009-02-23 21:13 5,944 --a------ c:\windows\system32\yjpq***l.dll
2009-02-23 21:13 . 2009-02-23 21:13 5,943 --a------ c:\windows\system32\sqtjxmxm.dll
2009-02-22 21:52 . 2009-02-22 21:52 5,944 --a------ c:\windows\system32\oqhdovnk.dll
2009-02-22 21:52 . 2009-02-22 21:52 5,943 --a------ c:\windows\system32\spkqtgcw.dll
2009-02-22 08:55 . 2009-02-24 20:57 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-22 08:55 . 2009-02-22 08:55 1,409 --a------ c:\windows\QTFont.for
2009-02-21 22:01 . 2009-02-21 22:01 250 --a------ c:\windows\gmer.ini
2009-02-21 08:59 . 2009-02-21 09:03 16,384 --a------ c:\windows\DCEBoot.exe
2009-02-20 21:03 . 2009-02-20 21:03 5,943 --a------ c:\windows\system32\tcwfubdf.dll
2009-02-20 21:00 . 2009-02-20 21:00 5,944 --a------ c:\windows\system32\cxjwkvjj.dll
2009-02-20 09:03 . 2009-02-20 09:03 5,944 --a------ c:\windows\system32\celgjepv.dll
2009-02-20 09:00 . 2009-02-20 09:00 5,943 --a------ c:\windows\system32\reiqupnq.dll
2009-02-19 21:35 . 2009-02-19 22:27 <DIR> d-------- c:\documents and settings\John\.housecall6.6
2009-02-19 21:33 . 2009-02-19 21:33 <DIR> d-------- c:\windows\Sun
2009-02-19 21:31 . 2009-02-19 21:30 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 21:31 . 2009-02-19 21:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 21:30 . 2009-02-19 21:30 <DIR> d-------- c:\program files\Java
2009-02-19 21:03 . 2009-02-19 21:03 5,944 --a------ c:\windows\system32\vmmwcnrg.dll
2009-02-19 21:00 . 2009-02-19 21:00 5,943 --a------ c:\windows\system32\hnglvqsv.dll
2009-02-19 09:02 . 2009-02-19 09:02 5,944 --a------ c:\windows\system32\ikcqcfue.dll
2009-02-19 08:59 . 2009-02-19 08:59 5,943 --a------ c:\windows\system32\kymdblec.dll
2009-02-19 07:38 . 2009-02-19 07:39 <DIR> d-------- c:\program files\Windows Defender
2009-02-18 21:00 . 2009-02-18 21:00 5,943 --a------ c:\windows\system32\wkkkskig.dll
2009-02-18 20:58 . 2009-02-18 20:58 5,944 --a------ c:\windows\system32\bqhxswxj.dll
2009-02-17 10:17 . 2009-02-21 08:42 1,619,467 --ahs---- c:\windows\system32\vjvbdhts.ini
2009-02-16 16:59 . 2009-02-16 16:59 1,571,654 --ahs---- c:\windows\system32\hfnynuvo.ini
2009-02-15 17:02 . 2009-02-15 17:03 1,583,467 --ahs---- c:\windows\system32\blpqeaqh.ini
2009-01-29 20:45 . 2008-11-26 17:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-29 20:45 . 2008-11-26 17:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-29 20:45 . 2008-11-26 17:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-28 09:44 . 2008-08-04 00:16 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:44 . 2008-08-04 00:16 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-28 09:44 . 2008-08-04 00:16 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-27 22:00 . 2007-08-22 10:16 46,456 -ra------ c:\windows\system32\exitwx.exe
2009-01-27 21:58 . 2009-01-27 21:59 <DIR> d-------- c:\program files\Trend Micro(TM) Internet Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 04:59 --------- d-----w c:\documents and settings\John\Application Data\Skype
2009-02-25 04:58 --------- d-----w c:\documents and settings\John\Application Data\skypePM
2009-02-19 05:09 --------- d-----w c:\documents and settings\John\Application Data\oovooToolbar
2009-02-18 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-16 00:09 --------- d-----w c:\program files\ooVoo
2009-02-08 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-28 17:44 --------- d-----w c:\program files\Trend Micro
2009-01-25 08:53 --------- d-----w c:\documents and settings\John\Application Data\RipIt4Me
2009-01-22 03:12 --------- d-----w c:\documents and settings\John\Application Data\ooVoo Details
2009-01-22 03:09 --------- d-----w c:\program files\oovooToolbar
2009-01-22 03:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 00:21 --------- d-----w c:\program files\Microsoft LifeCam
2008-12-25 23:52 --------- d-----w c:\program files\Skype
2008-12-25 23:52 --------- d-----w c:\program files\Common Files\Skype
2008-12-25 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-03-07 22:37 85,000 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 04:37 47,360 ----a-w c:\documents and settings\John\Application Data\pcouffin.sys
2005-12-16 16:48 37 ----a-w c:\documents and settings\John\getfile.dat
2004-12-30 21:02 565 ----a-w c:\documents and settings\John\DMOrganizer.dat
2004-12-27 16:04 284 ----a-w c:\documents and settings\John\Application Data\ViewerApp.dat
2008-08-26 10:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]
2008-12-11 11:08 1912280 --a------ c:\progra~1\OOVOOT~1\OOVOOT~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2008-11-20 14202672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-12 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-01-17 180269]
"HumMeteringClient"="c:\program files\Hummingbird\Connectivity\11.00\Accessories\MeteringClient.dll" [2005-10-27 153288]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-14 267064]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-07-13 95352]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\system32\msiexec.exe" [2008-04-13 78848]

c:\documents and settings\John\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-26 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2004-12-25 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2004-12-25 106496]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwzihy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\xstart.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-09-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-03-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\System32\sdpasvc.exe -service --> c:\windows\System32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\11.00\Accessories\ProxyEngine.exe [2005-10-27 120496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{709c13ad-4270-11d9-9cbd-000c6e8529dc}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35DFFE62-9F48-4236-9249-9EAB5C7123C9}]
"c:\program files\Hummingbird\Connectivity\11.00\Accessories\HumSettings.exe" INSTALL=ALL
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]

2009-02-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1b611287-8860-49e9-a726-63750d2df782} - c:\windows\system32\pwzihy.dll
BHO-{D093750D-FF57-4184-9D95-29FE6650B9CB} - c:\windows\system32\iifcCsTN.dll
HKCU-Run-ATI Launchpad - (no file)
HKLM-Run-BDSwitchAgent - c:\progra~1\softwin\bitdef~1\bdswitch.exe
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
Notify-ljJDWPij - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Hummingbird\Connectivity\11.00\Exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 20:57:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44DDD7DB-C851-F5D8-43BBD1CB976AABCC}\{47326943-CE6C-E3D1-74FCCAE0772B4FAB}\{FA8F0E33-B888-6EFF-6240990870DDF055}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,c3,f8,22,10,23,
07,3c,58,c8,28,51,af,b0,29,a3,98,06,5f,33,40,d1,92,10,6a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,f2,8c,2c,55,81,
19,da,e0,71,3b,04,66,8b,46,0d,96,42,a0,9d,06,82,1a,44,f2,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,36,7a,e3,4f,9d,
39,c9,26,25,da,ec,7e,55,20,c9,26,c7,3f,2b,df,4d,a3,db,8e,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,87,c9,53,45,1e,
dd,ea,17,3e,1e,9e,e0,57,5a,93,61,f4,b7,ef,b7,30,0d,01,dc,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,fa,e2,8e,71,6c,
5f,6c,b4,cd,44,cd,b9,a6,33,6c,cd,39,0a,85,f6,1a,7e,0c,f5,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,db,6d,2f,40,d8,
03,8a,99,b0,18,ed,a7,3f,8d,37,a4,1e,a9,3e,21,3b,49,f0,29,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,40,20,4b,e7,44,
b6,24,2d,31,77,e1,ba,b1,f8,68,02,c3,58,29,09,16,9e,6c,01,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,76,c4,39,3c,0f,
74,8a,85,83,6c,56,8b,a0,85,96,ab,f8,8c,fa,88,12,d7,4a,da,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,c2,57,46,5d,35,
27,18,4e,51,fa,6e,91,28,9e,14,cc,8b,24,f9,2a,58,e5,e2,43,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,05,6c,08,af,bc,
10,ec,57,b1,cd,45,5a,a8,c4,f8,b9,0a,55,07,8c,2a,98,6b,67,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,ec,90,73,59,0f,
05,10,6a,e3,0e,66,d5,eb,bc,2f,6b,bd,1b,1f,db,61,32,a7,39,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,4e,9c,bb,4f,a9,
aa,e1,89,fa,ea,66,7f,d4,3b,6b,70,9d,40,ec,b0,3f,21,b1,3d,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Hummingbird\Connectivity\11.00\InetD\inetd32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\sdpasvc.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-02-24 21:04:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 05:04:32

Pre-Run: 35,708,141,568 bytes free
Post-Run: 35,775,193,088 bytes free

349 --- E O F --- 2009-02-11 06:32:00
Attached Files
File Type: txt ark.txt (14.0 KB, 2 views)
File Type: zip Attach.zip (7.0 KB, 3 views)
File Type: txt ComboFix.txt (23.0 KB, 1 views)

Last edited by TheBruce1; 02-25-2009 at 04:59 AM.
Old 02-25-2009, 06:03 AM   #4 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Can't seem to get rid of "vundo" virus

Hello again

DO NOT attach logs to your posts unless you are advised to do so, copy/paste the logs into your replies.

---------

You did not install the recovery console, it can be useful if anything happens to go wrong, follow instructions below for installing the recovery console.

You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that it can be used to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!
Microsoft Windows XP Home Edition
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Combofix will then ask if you wish to continue scanning for malware, select No

============

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Java 2 Runtime Environment Standard Edition v1.3.1_15
Java Runtime Environment 1.1
Leave Java(TM) 6 Update 12 installed
Viewpoint Manager <--- Viewpoint is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

Additional Information Here


We also recommend you uninstall programs such as Uniblue Registry Booster; they can do more harm than good.

Read my colleague's blog on the dangers of such programs.
http://miekiemoes.blogspot.com/2008/...eaking_13.html

=============

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348790-can-t-seem-get-rid-vundo-virus.html

Collect::
c:\windows\system32\yjpq***l.dll
c:\windows\system32\sqtjxmxm.dll
c:\windows\system32\oqhdovnk.dll
c:\windows\system32\spkqtgcw.dll
c:\windows\system32\tcwfubdf.dll
c:\windows\system32\cxjwkvjj.dll
c:\windows\system32\celgjepv.dll
c:\windows\system32\reiqupnq.dll
c:\windows\system32\vmmwcnrg.dll
c:\windows\system32\hnglvqsv.dll
c:\windows\system32\ikcqcfue.dll
c:\windows\system32\kymdblec.dll
c:\windows\system32\wkkkskig.dll
c:\windows\system32\bqhxswxj.dll
c:\windows\system32\vjvbdhts.ini
c:\windows\system32\hfnynuvo.ini
c:\windows\system32\blpqeaqh.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44DDD7DB-C851-F5D8-43BBD1CB976AABCC}\{47326943-CE6C-E3D1-74FCCAE0772B4FAB}\{FA8F0E33-B888-6EFF-6240990870DDF055}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

DDS::
uDefault_Search_URL =
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

===============

Download ATF-Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=============

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

This animation will guide you through the process:

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

==============
Logs Required
C:\Combofix.txt
Kaspersky Scan Report


An update on how your system is behaving
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating

Last edited by TheBruce1; 02-25-2009 at 06:04 AM.
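The CFScript above empties AppInit_DLLs, collects the randomly named DLLs in system32, and nulls the locked CLSID keys because those are the Vundo persistence points visible in the ComboFix log, alongside the disabled Security Center monitoring and firewall entries. As an added example (not the forum's, ComboFix's or the moderator's code), the Python below reads log lines in ComboFix's format and flags exactly those indicators. The sample log fragment is constructed from entries posted above rather than the full log, and the letters-only-filename heuristic for orphan BHOs is this example's own assumption, not a ComboFix rule.

```python
"""Triage a ComboFix-style log for the Vundo persistence indicators
acted on in this thread.  Added example; not ComboFix's or the forum's code."""
import re
from typing import Dict, List

# Constructed sample in the shape ComboFix prints, modelled on entries from the
# log posted above.  It is a fragment assembled for this example, not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwzihy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

BHO-{1b611287-8860-49e9-a726-63750d2df782} - c:\windows\system32\pwzihy.dll
BHO-{D093750D-FF57-4184-9D95-29FE6650B9CB} - c:\windows\system32\iifcCsTN.dll
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
Notify-ljJDWPij - (no file)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,c3,f8,22,10,23,
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=\s*(?P<value>.*)$')
ORPHAN_BHO_RE = re.compile(r'^(?P<entry>BHO-\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.+)$')
BANNER_RE = re.compile(r'^[-(]{5,}')
# Heuristic for this example only: Vundo dropped its BHOs into system32 under
# short, letters-only names; a real triage tool would hash the file instead.
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{6,8}\.dll$')
HEX32_RE = re.compile(r'^[0-9a-f]{32}$')


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per indicator: rule name, where it was seen, detail."""
    findings: List[Dict[str, str]] = []
    key = ''          # registry key the following value lines belong to
    locked = False    # inside the LOCKED REGISTRY KEYS section
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if 'LOCKED REGISTRY KEYS' in line:
            locked = True
            continue
        if BANNER_RE.match(line):     # any other section banner ends it
            locked = False
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ORPHAN_BHO_RE.match(line)
        if m:
            path = m.group('path')
            base = path.rsplit('\\', 1)[-1]
            if '\\system32\\' in path.lower() and RANDOM_DLL_RE.match(base):
                findings.append({'rule': 'orphan-bho-random-dll',
                                 'where': m.group('entry'), 'detail': path})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group('name') if m.group('name') is not None else '@'
        value = m.group('value').strip()
        lkey = key.lower()
        # AppInit_DLLs is loaded into every process that maps user32.dll;
        # on a clean XP box it is empty.
        if lkey.endswith('\\currentversion\\windows') and name.lower() == 'appinit_dlls' \
                and value not in ('', '""'):
            findings.append({'rule': 'appinit-dll', 'where': key, 'detail': value})
        # Security Center told not to monitor the AV / firewall product.
        elif '\\security center\\monitoring\\' in lkey and name.lower() == 'disablemonitoring' \
                and value.lower() == 'dword:00000001':
            findings.append({'rule': 'security-center-monitoring-off',
                             'where': key, 'detail': key.rsplit('\\', 1)[-1]})
        # Windows Firewall standard profile switched off.
        elif lkey.endswith('\\firewallpolicy\\standardprofile') and name.lower() == 'enablefirewall' \
                and value.startswith('0'):
            findings.append({'rule': 'windows-firewall-off', 'where': key, 'detail': value})
        # Locked CLSID\InprocServer32 keys holding a 32-hex-named binary blob:
        # the Vundo configuration store seen in the log above.
        elif locked and lkey.endswith('inprocserver32*') and HEX32_RE.match(name) \
                and value.startswith('hex:'):
            findings.append({'rule': 'locked-clsid-hex-blob', 'where': key, 'detail': name})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:32} {f['detail']}")
```

Run it on a saved ComboFix.txt by passing the file's contents to `triage()`; each finding names the rule, the registry key or orphan entry it came from, and the offending value, which maps directly onto the Collect::, Registry:: and RegNull:: sections of a CFScript. The orphan-BHO rule deliberately ignores the HKLM-Run entry in the sample, since a legitimate-looking executable name is not by itself an indicator.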
Old 02-26-2009, 03:47 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 9
OS: xp sp 3


Re: Can't seem to get rid of "vundo" virus

I have pasted in my CF-RC.txt below and the new ComboFix.txt. I can't get Kaspersky scanner to complete. I start it and come back a few hours later to find my computer rebooted. I'll keep trying with Kaspersky and hopefully post it soon. I think I only have one obvious remaining issue with the system that I believe is related to the virus - when I send documents to my printer it prints intermittently; i.e., it prints a couple lines, waits 10s to 5 minutes, prints a couple more, and eventually makes its way through the whole print job.

thanks.




WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn




ComboFix 09-02-25.02 - John 2009-02-25 21:34:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.439 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFscript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\blpqeaqh.ini
c:\windows\system32\bqhxswxj.dll
c:\windows\system32\celgjepv.dll
c:\windows\system32\cxjwkvjj.dll
c:\windows\system32\hfnynuvo.ini
c:\windows\system32\hnglvqsv.dll
c:\windows\system32\ikcqcfue.dll
c:\windows\system32\kymdblec.dll
c:\windows\system32\oqhdovnk.dll
c:\windows\system32\reiqupnq.dll
c:\windows\system32\spkqtgcw.dll
c:\windows\system32\sqtjxmxm.dll
c:\windows\system32\tcwfubdf.dll
c:\windows\system32\vjvbdhts.ini
c:\windows\system32\vmmwcnrg.dll
c:\windows\system32\wkkkskig.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-24 22:37 . 2009-02-24 22:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-24 22:37 . 2009-02-25 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:13 . 2009-02-23 21:13 5,944 --a------ c:\windows\system32\yjpq***l.dll
2009-02-22 08:55 . 2009-02-24 20:57 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-22 08:55 . 2009-02-22 08:55 1,409 --a------ c:\windows\QTFont.for
2009-02-21 22:01 . 2009-02-21 22:01 250 --a------ c:\windows\gmer.ini
2009-02-21 08:59 . 2009-02-21 09:03 16,384 --a------ c:\windows\DCEBoot.exe
2009-02-19 21:35 . 2009-02-19 22:27 <DIR> d-------- c:\documents and settings\John\.housecall6.6
2009-02-19 21:33 . 2009-02-19 21:33 <DIR> d-------- c:\windows\Sun
2009-02-19 21:31 . 2009-02-19 21:30 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 21:31 . 2009-02-19 21:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 21:30 . 2009-02-19 21:30 <DIR> d-------- c:\program files\Java
2009-02-19 07:38 . 2009-02-19 07:39 <DIR> d-------- c:\program files\Windows Defender
2009-01-29 20:45 . 2008-11-26 17:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-29 20:45 . 2008-11-26 17:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-29 20:45 . 2008-11-26 17:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-28 09:44 . 2008-08-04 00:16 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:44 . 2008-08-04 00:16 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-28 09:44 . 2008-08-04 00:16 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-27 22:00 . 2007-08-22 10:16 46,456 -ra------ c:\windows\system32\exitwx.exe
2009-01-27 21:58 . 2009-01-27 21:59 <DIR> d-------- c:\program files\Trend Micro(TM) Internet Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 05:40 --------- d-----w c:\documents and settings\John\Application Data\Skype
2009-02-26 05:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 04:55 --------- d-----w c:\documents and settings\John\Application Data\skypePM
2009-02-19 05:09 --------- d-----w c:\documents and settings\John\Application Data\oovooToolbar
2009-02-18 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-16 00:09 --------- d-----w c:\program files\ooVoo
2009-02-08 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-28 17:44 --------- d-----w c:\program files\Trend Micro
2009-01-25 08:53 --------- d-----w c:\documents and settings\John\Application Data\RipIt4Me
2009-01-22 03:12 --------- d-----w c:\documents and settings\John\Application Data\ooVoo Details
2009-01-22 03:09 --------- d-----w c:\program files\oovooToolbar
2008-12-26 00:21 --------- d-----w c:\program files\Microsoft LifeCam
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-03-07 22:37 85,000 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 04:37 47,360 ----a-w c:\documents and settings\John\Application Data\pcouffin.sys
2005-12-16 16:48 37 ----a-w c:\documents and settings\John\getfile.dat
2004-12-30 21:02 565 ----a-w c:\documents and settings\John\DMOrganizer.dat
2004-12-27 16:04 284 ----a-w c:\documents and settings\John\Application Data\ViewerApp.dat
2008-08-26 10:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-24_21.02.35.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-02-26 04:54:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]
2008-12-11 11:08 1912280 --a------ c:\progra~1\OOVOOT~1\OOVOOT~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-07-13 95352]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\system32\msiexec.exe" [2008-04-13 78848]

c:\documents and settings\John\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-26 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk.disabled [2004-12-25 763]
Picture Package VCD Maker.lnk.disabled [2004-12-25 813]
ymetray.lnk.disabled [2007-07-23 1916]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"oovoo.exe"=c:\program files\ooVoo\oovoo.exe /minimized
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HumMeteringClient"=rundll32.exe "c:\program files\Hummingbird\Connectivity\11.00\Accessories\MeteringClient.dll",RegisterProduct
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"WinampAgent"=c:\program files\Winamp\winampa.exe
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\xstart.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-09-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-03-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\System32\sdpasvc.exe -service --> c:\windows\System32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\11.00\Accessories\ProxyEngine.exe [2005-10-27 120496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{709c13ad-4270-11d9-9cbd-000c6e8529dc}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35DFFE62-9F48-4236-9249-9EAB5C7123C9}]
"c:\program files\Hummingbird\Connectivity\11.00\Accessories\HumSettings.exe" INSTALL=ALL
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]

2009-02-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Hummingbird\Connectivity\11.00\Exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 21:40:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,4e,9c,bb,4f,a9,
aa,e1,89,fa,ea,66,7f,d4,3b,6b,70,9d,40,ec,b0,3f,21,b1,3d,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-25 21:44:21
ComboFix-quarantined-files.txt 2009-02-26 05:44:07
ComboFix2.txt 2009-02-25 05:04:50

Pre-Run: 53,849,260,032 bytes free
Post-Run: 53,832,912,896 bytes free

261 --- E O F --- 2009-02-25 06:01:44
02-27-2009, 04:11 AM   #6
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Can't seem to get rid of "vundo" virus

Hello again


Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
  • Click the "Browse" button and browse to this file in RED:

    c:\windows\system32\yjpq***l.dll

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Do the same with these files as well.

c:\windows\DCEBoot.exe
c:\windows\system32\exitwx.exe
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating
03-01-2009, 10:31 PM   #7
jsmd7921 (Registered User)
Join Date: Feb 2009
Posts: 9
OS: xp sp 3

Re: Can't seem to get rid of "vundo" virus

I am going to start Kaspersky again now... Here is the result from the first file you indicated:


File yjpq***l.dll received on 03.02.2009 06:22:31 (CET)
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.02 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.03.01 -
Authentium 5.1.0.4 2009.03.01 -
Avast 4.8.1335.0 2009.03.01 -
AVG 8.0.0.237 2009.03.01 -
BitDefender 7.2 2009.03.02 -
CAT-QuickHeal 10.00 2009.02.28 -
ClamAV 0.94.1 2009.03.02 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.03.02 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6379 2009.03.02 -
F-Prot 4.4.4.56 2009.03.01 -
F-Secure 8.0.14470.0 2009.03.01 -
Fortinet 3.117.0.0 2009.03.02 -
GData 19 2009.03.02 -
Ikarus T3.1.1.45.0 2009.03.02 -
K7AntiVirus 7.10.649 2009.02.27 -
Kaspersky 7.0.0.125 2009.03.02 -
McAfee 5540 2009.03.01 -
McAfee+Artemis 5540 2009.03.01 -
Microsoft 1.4306 2009.03.01 -
NOD32 3899 2009.03.02 -
Norman 6.00.06 2009.02.27 -
nProtect 2009.1.8.0 2009.03.02 -
Panda 10.0.0.10 2009.03.01 -
PCTools 4.4.2.0 2009.03.01 -
Prevx1 V2 2009.03.02 -
Rising 21.19.00.00 2009.03.02 -
SecureWeb-Gateway 6.7.6 2009.03.02 -
Sophos 4.39.0 2009.03.02 -
Sunbelt 3.2.1858.2 2009.02.28 -
Symantec 10 2009.03.02 -
TheHacker 6.3.2.6.268 2009.03.01 -
TrendMicro 8.700.0.1004 2009.03.02 -
VBA32 3.12.10.1 2009.03.01 -
ViRobot 2009.2.28.1629 2009.03.02 -
VirusBuster 4.5.11.0 2009.03.01 -
Additional information
File size: 5944 bytes
MD5...: ba18a20fb2c4a6192a73107511702a11
SHA1..: 9d0ef5697cce122c6d9a3aebbae5a84d9c845773
SHA256: 01096712eaf478dcb3b1afad1b02c54f7b78991035b1720f4ac916b0a8a50578
SHA512: a04753702da3a773d38b795481e0b00025f55993d31f1bb4da6c92642386b16c
bb0b5fe3b5cbbede48019db512c696b6ce820e3be17ac120480cf725a4e29ea2
ssdeep: 96:Soy1TUNX7Rpi/ZmQJMaWGl18ApOFH++DM4aR54ID88tvE1NEWcA:S3xUZRpi/
ZmcMaWE18SOFGl8K88tvGcA
PEiD..: -
TrID..: File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
PEInfo: -

Second file:


File DCEBoot.exe received on 03.02.2009 06:28:21 (CET)
Result: 1/39 (2.57%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.02 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.03.01 -
Authentium 5.1.0.4 2009.03.01 -
Avast 4.8.1335.0 2009.03.01 -
AVG 8.0.0.237 2009.03.01 -
BitDefender 7.2 2009.03.02 -
CAT-QuickHeal 10.00 2009.02.28 -
ClamAV 0.94.1 2009.03.02 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.03.02 -
eSafe 7.0.17.0 2009.02.26 Win32.Banker
eTrust-Vet 31.6.6379 2009.03.02 -
F-Prot 4.4.4.56 2009.03.01 -
F-Secure 8.0.14470.0 2009.03.01 -
Fortinet 3.117.0.0 2009.03.02 -
GData 19 2009.03.02 -
Ikarus T3.1.1.45.0 2009.03.02 -
K7AntiVirus 7.10.649 2009.02.27 -
Kaspersky 7.0.0.125 2009.03.02 -
McAfee 5540 2009.03.01 -
McAfee+Artemis 5540 2009.03.01 -
Microsoft 1.4306 2009.03.01 -
NOD32 3899 2009.03.02 -
Norman 6.00.06 2009.02.27 -
nProtect 2009.1.8.0 2009.03.02 -
Panda 10.0.0.10 2009.03.01 -
PCTools 4.4.2.0 2009.03.01 -
Prevx1 V2 2009.03.02 -
Rising 21.19.00.00 2009.03.02 -
SecureWeb-Gateway 6.7.6 2009.03.02 -
Sophos 4.39.0 2009.03.02 -
Sunbelt 3.2.1858.2 2009.02.28 -
Symantec 10 2009.03.02 -
TheHacker 6.3.2.6.268 2009.03.01 -
TrendMicro 8.700.0.1004 2009.03.02 -
VBA32 3.12.10.1 2009.03.01 -
ViRobot 2009.2.28.1629 2009.03.02 -
VirusBuster 4.5.11.0 2009.03.01 -
Additional information
File size: 16384 bytes
MD5...: af8c97d4c9de70a545b7886302b49384
SHA1..: e7480010a0c9003d3c67fe846611374e0380572a
SHA256: 459d24433b8960acf7413f861013940200c3481071cfbe79bbf049df1e85f98a
SHA512: 96191742c9b29083dd0c3a4a748caab0b7c58e119175f9eaa6c70a4cf516acbc
f8eb60007f038ee7491bf1abf4bfe8f91d739e4d1ba8eab3d046e74119fa0b58
ssdeep: 192:9YjU/gCH5T3h47EJyJgOA8cv7Yp6q6f6SOq7aOymYoC49f0inqJ/kEqzzIBN
t7fz:9KQryGMq17MmYoH9f07hqgBbfwHL5
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2c1b
timedatestamp.....: 0x486b3d7d (Wed Jul 02 08:34:05 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3270 0x3400 6.01 502909cefe76e2e1571427bc17d7db08
.data 0x5000 0x880 0x600 7.18 ab97fc35fc4954f0032226de0bcb291c
.reloc 0x6000 0x1c8 0x200 4.53 6efe11fc6944756ddeab30e519ecdd7a

( 1 imports )
> ntdll.dll: NtWriteFile, NtReadFile, NtCreateFile, NtQueryInformationFile, NtSetInformationFile, NtClose, ZwSetInformationFile, NtDeleteFile, NtOpenKey, NtQueryValueKey, NtSetValueKey, RtlInitUnicodeString, RtlCreateHeap, wcsncpy, memset, RtlDestroyHeap, RtlFreeHeap, RtlDosPathNameToNtPathName_U, RtlAllocateHeap, NtDisplayString, RtlTimeToTimeFields, RtlSystemTimeToLocalTime, NtQuerySystemTime, RtlAdjustPrivilege, memmove, NtTerminateProcess, _chkstk, DbgPrint, RtlAnsiCharToUnicodeChar, RtlUnhandledExceptionFilter, RtlUnwind

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=af8c97d4c9de70a545b7886302b49384
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=af8c97d4c9de70a545b7886302b49384

Third file:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.02 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.03.01 -
Authentium 5.1.0.4 2009.03.01 -
Avast 4.8.1335.0 2009.03.01 -
AVG 8.0.0.237 2009.03.01 -
BitDefender 7.2 2009.03.02 -
CAT-QuickHeal 10.00 2009.02.28 -
ClamAV 0.94.1 2009.03.02 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.03.02 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6379 2009.03.02 -
F-Prot 4.4.4.56 2009.03.01 -
F-Secure 8.0.14470.0 2009.03.01 -
Fortinet 3.117.0.0 2009.03.02 -
GData 19 2009.03.02 -
Ikarus T3.1.1.45.0 2009.03.02 -
K7AntiVirus 7.10.649 2009.02.27 -
Kaspersky 7.0.0.125 2009.03.02 -
McAfee 5540 2009.03.01 -
McAfee+Artemis 5540 2009.03.01 -
Microsoft 1.4306 2009.03.01 -
NOD32 3899 2009.03.02 -
Norman 6.00.06 2009.02.27 -
nProtect 2009.1.8.0 2009.03.02 -
Panda 10.0.0.10 2009.03.01 -
PCTools 4.4.2.0 2009.03.01 -
Prevx1 V2 2009.03.02 -
Rising 21.19.00.00 2009.03.02 -
SecureWeb-Gateway 6.7.6 2009.03.02 -
Sophos 4.39.0 2009.03.02 -
Sunbelt 3.2.1858.2 2009.02.28 -
Symantec 10 2009.03.02 -
TheHacker 6.3.2.6.268 2009.03.01 -
TrendMicro 8.700.0.1004 2009.03.02 -
VBA32 3.12.10.1 2009.03.01 -
ViRobot 2009.2.28.1629 2009.03.02 -
VirusBuster 4.5.11.0 2009.03.01 -
Additional information
File size: 46456 bytes
MD5...: 3f2663140ac0af4cc772e3fb0914e630
SHA1..: 1e4854afabbb56f08b64cc9847a6ca46bbd580d6
SHA256: 4416825da549a44392fba1d2101fc7f24c45fd58a556623fbae315be99a19361
SHA512: 956ef0887a85d1fcf983e206785c49a08fd4fae4e619596c4d8eaae579739298
229fd522b500f62a32008c9b1e9a7aba47b13206d67e18048e8d6e6583d548d0
ssdeep: 768:XwoCstikAUYMFpOnKGWqnCdCB9ocWfKADA8L+bd:XwoCXMrOnKACIBYKA08q
d
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1c6e
timedatestamp.....: 0x40a18876 (Wed May 12 02:14:14 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5a22 0x6000 6.41 821e958e286d3949f28c7250b86b0ab7
.rdata 0x7000 0xb56 0x1000 4.26 50f1b6aae03bf3cb489484e0b1809f0e
.data 0x8000 0x201c 0x1000 1.52 5683cd9f32fdaa383a77e214429db31e
.rsrc 0xb000 0x980 0x1000 1.81 c7490b6cd1e802751c9c52d52cc56374

( 3 imports )
> KERNEL32.dll: SetFileAttributesA, SetCurrentDirectoryA, ExitProcess, RemoveDirectoryA, DeleteFileA, Sleep, CompareStringW, CompareStringA, GetCurrentProcess, GetLastError, OpenMutexA, GetVersionExA, FindFirstFileA, FindNextFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, SetEnvironmentVariableA, GetCurrentDirectoryA, GetFullPathNameA, GetDriveTypeA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, TerminateProcess, HeapAlloc, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, WriteFile, GetTimeZoneInformation, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, SetStdHandle, GetStringTypeA, GetStringTypeW, FlushFileBuffers, CloseHandle
> USER32.dll: ExitWindowsEx
> ADVAPI32.dll: LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken

( 0 exports )
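The VirusTotal output above makes the point that an extension proves nothing about a file: TrID identified the *.dll as HTML, while DCEBoot.exe came back as a three-section i386 PE whose only imports are from ntdll.dll. The Python below is an added example, not code from the thread or from any of its participants, that performs the same container check offline: it recognises HTML from its leading markup, walks the MZ/PE headers to recover machine type, DLL flag and section table, and computes per-section Shannon entropy as in the report's ntrpy column. The build_pe helper, the sample file names and the sample bytes are constructed here purely to exercise the parser; they are not the files discussed in the thread.

```python
"""Added example (not from the thread): identify a file by its bytes, not its
extension, mirroring what the VirusTotal TrID/PEInfo output above reports."""
import math
import struct

IMAGE_FILE_DLL = 0x2000   # IMAGE_FILE_HEADER.Characteristics flag: the image is a DLL
MACHINE_I386 = 0x14C      # the machinetype value shown in the report
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform. Packed or encrypted
    sections sit near 7-8, plain x86 code around 6 (compare the report's ntrpy)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sniff(data: bytes) -> dict:
    """Describe the container from magic bytes and headers alone."""
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return {"type": "html"}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"type": "unknown"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"type": "mz-without-pe"}      # DOS stub only, or a damaged header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size         # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"type": "pe", "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "timestamp": stamp, "sections": sections}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises a PE image and the bytes disagree."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext not in PE_EXTENSIONS:
        return False
    info = sniff(data)
    if info["type"] != "pe":
        return True
    if ext == "dll" and not info["is_dll"]:   # a .dll without the DLL flag
        return True
    return ext == "exe" and info["is_dll"]   # a .exe that is really a library


def build_pe(sections, is_dll: bool) -> bytes:
    """Construct a minimal PE32 image (headers plus raw sections, not runnable) so the
    parser above can be exercised offline. Demonstration helper, not a real file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header follows DOS header
    opt_size = 0xE0                                           # PE32 optional header size
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", MACHINE_I386, len(sections), 0, 0, 0, opt_size, chars)
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (hdr_len + 0x1FF) & ~0x1FF                    # raw data on a 512-byte boundary
    sec_tbl, body, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        sec_tbl += (name.ljust(8, "\0").encode()
                    + struct.pack("<IIII", len(raw), vaddr, rawsize, raw_ptr) + bytes(16))
        body += raw.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += (len(raw) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + sec_tbl
    return image.ljust(first_raw, b"\0") + body


# Constructed samples (not the files from the thread): HTML under a .dll name, a plain
# two-section executable, and an executable-flagged image under a .dll name.
SAMPLES = {
    "suspect.dll": b"<!DOCTYPE html>\r\n<html><body>not a library</body></html>\r\n",
    "tool.exe": build_pe([(".text", bytes(range(256)) * 2), (".data", b"A" * 512)], is_dll=False),
    "helper.dll": build_pe([(".text", b"\x90" * 100)], is_dll=False),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        info = sniff(data)
        print(name, "MISMATCH" if extension_mismatch(name, data) else "ok", info["type"],
              [(s["name"], s["entropy"]) for s in info.get("sections", [])])
```

On a real system the same functions take the bytes of a file read from disk; a .dll that sniffs as HTML, or a section whose entropy is close to 8, is the kind of finding worth carrying to a second opinion rather than trusting a clean 0/39 detection count.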
03-02-2009, 03:40 AM   #8
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Can't seem to get rid of "vundo" virus

Let me know if you have any problems running the Kaspersky scan.
03-02-2009, 10:01 PM   #9
jsmd7921 (Registered User)
Join Date: Feb 2009
Posts: 9
OS: xp sp 3

Re: Can't seem to get rid of "vundo" virus

Kaspersky was able to finish scanning without a reboot when I checked it later (below). I left the Trend Micro antivirus on while it scanned this time - maybe that had something to do with it having errors before.

thanks TheBruce1
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 02, 2009 00:25:54
Records in database: 1860751
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 321438
Threat name: 7
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 07:56:59


File name / Threat name / Threats count
C:\Documents and Settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\11.tmp Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\12.tmp Infected: Trojan.Win32.Monder.bbwh 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\13.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D.tmp Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162036.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162037.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162038.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162039.dll Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\byXQHxus.dll Infected: Trojan.Win32.Monder.atxg 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\TZSVLJ.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hqaeqplb.dll.vir Infected: Trojan.Win32.Monder.bazz 1

The selected area was scanned.
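The Kaspersky report above lists 15 infected objects, but 14 of them sit under Trend Micro's quarantine folder or ComboFix's Qoobox\Quarantine store, which hold contained copies rather than running code; the only hit on a live path is divx5.exe, classed as adware. Sorting detections that way before acting on them is what turns a scan log into a to-do list. The Python below is an added example, not code from the thread or its participants: it parses report lines of the form shown above, separates quarantine copies from live files and tallies families. The sample text is copied from the report above; the quarantine path markers and the riskware/malware split are this example's own assumptions.

```python
"""Added example (not from the thread): triage a Kaspersky Online Scanner 7 report
by separating hits inside quarantine stores from hits on live paths."""
import re
from collections import Counter

# A hit under one of these paths is a contained copy, not a running infection
# (assumed markers: Trend Micro's quarantine folder and ComboFix's Qoobox store).
QUARANTINE_MARKERS = ("\\internet security\\quarantine\\", "\\qoobox\\quarantine\\")

# "<path> Infected: <threat name> <count>" as the scanner prints it
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Sample input: the detection lines from the report above, plus its header and footer
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\11.tmp Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\12.tmp Infected: Trojan.Win32.Monder.bbwh 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\13.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D.tmp Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162036.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162037.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162038.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0162039.dll Infected: Trojan.Win32.Monderb.ajop 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\byXQHxus.dll Infected: Trojan.Win32.Monder.atxg 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\TZSVLJ.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hqaeqplb.dll.vir Infected: Trojan.Win32.Monder.bazz 1

The selected area was scanned.
"""


def parse_line(line: str):
    """Return a hit dict for a detection line, or None for headers and footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, threat, count = m["path"], m["threat"], int(m["count"])
    lower = path.lower()
    quarantined = any(mark in lower for mark in QUARANTINE_MARKERS) or lower.endswith(".vir")
    # Kaspersky prefixes adware/riskware with "not-a-virus:"; everything else is malware
    category = "riskware" if threat.startswith("not-a-virus:") else "malware"
    # Family = threat name without the variant suffix, e.g. Trojan.Win32.Monderb
    family = threat.split(":")[-1].rsplit(".", 1)[0]
    return {"path": path, "threat": threat, "count": count,
            "quarantined": quarantined, "category": category, "family": family}


def triage(report_text: str) -> dict:
    """Split a report into live hits (need action) and quarantine copies (already contained)."""
    hits = [h for h in (parse_line(l) for l in report_text.splitlines()) if h]
    live = [h for h in hits if not h["quarantined"]]
    return {
        "total": len(hits),
        "live": live,
        "quarantined": len(hits) - len(live),
        "families": Counter(h["family"] for h in hits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} hits, {result['quarantined']} already in quarantine")
    for h in result["live"]:
        print("ACTION:", h["category"], h["threat"], h["path"])
    for family, n in result["families"].most_common():
        print(f"{n:3d}  {family}")
```

Run against the report above this yields one live item to act on and fourteen quarantine copies, which matches the shape of the clean-up that follows: the live file is deleted, and the quarantine stores are left for the tools that own them to empty.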
03-03-2009, 04:28 AM   #10
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Can't seem to get rid of "vundo" virus

Hello again

Code:
@echo off
rem Start with a fresh log of anything that could not be deleted
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Each path is quoted so the spaces in "Documents and Settings" survive;
rem there must be no stray space before the closing quote or the path will not match
for %%g in (
"C:\Documents and Settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe"
"c:\windows\system32\yjpq***l.dll"
"c:\windows\system32\exitwx.exe"
) do (
rem /a clears hidden/system/read-only attributes, /f forces, /q suppresses the prompt
del /a /f /q %%g >nul 2>&1
rem Anything still present after the delete is written to the log
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause

rem nircmd wait needs nircmd.exe on the PATH; it pauses 7 seconds before the script removes itself
nircmd wait 7000
del %0
Run DDS again and post the DDS.txt in your reply. Also, how is your system running now?
03-03-2009, 10:53 PM   #11
jsmd7921 (Registered User)
Join Date: Feb 2009
Posts: 9
OS: xp sp 3

Re: Can't seem to get rid of "vundo" virus

TheBruce1,

I wasn't sure what you wanted me to do with the code you attached in your last reply, so I didn't use it. Below is my new dds.txt. The system seems to be running as it did prior to the virus, although I am still skeptical since the onset of the intermittent printing issue seems to have coincided with the virus infection (although it may be entirely unrelated). I am curious also, have you seen any indications as to how my computer became infected (prone programs or just unlucky...)?

thanks.

DDS (Ver_09-02-01.01) - NTFSx86
Run by John at 21:40:35.62 on Tue 03/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.356 [GMT -8:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Hummingbird\Connectivity\11.00\InetD\inetd32.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [nForce Tray Options] sstray.exe /r
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /l*v c:\windows\temp\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
StartupFolder: c:\docume~1\john\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Picture Package Menu.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Picture Package VCD Maker.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\ymetray.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\hummingbird\connectivity\11.00\exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168730387296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-9-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-3-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\hummingbird\connectivity\11.00\hostexplorer\printservices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-1-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-1-28 677128]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\hummingbird\connectivity\11.00\accessories\ProxyEngine.exe [2005-10-27 120496]

=============== Created Last 30 ================

2009-02-25 21:32 <DIR> --d----- C:\ComboFix
2009-02-25 21:16 <DIR> a-dshr-- C:\cmdcons
2009-02-24 22:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-24 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-24 20:32 161,792 a------- c:\windows\SWREG.exe
2009-02-24 20:32 98,816 a------- c:\windows\sed.exe
2009-02-23 21:13 5,944 a------- c:\windows\system32\yjpq***l.dll
2009-02-22 08:55 1,409 a------- c:\windows\QTFont.for
2009-02-22 08:55 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-21 22:01 250 a------- c:\windows\gmer.ini
2009-02-21 08:59 16,384 a------- c:\windows\DCEBoot.exe
2009-02-19 21:35 <DIR> --d----- c:\documents and settings\john\.housecall6.6
2009-02-19 21:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-19 21:31 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2008-03-07 14:37 85,000 a------- c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT
2007-08-15 20:37 47,360 a------- c:\docume~1\john\applic~1\pcouffin.sys
2005-12-16 08:48 37 a------- c:\documents and settings\john\getfile.dat
2004-12-30 13:02 565 a------- c:\documents and settings\john\DMOrganizer.dat
2004-12-27 08:04 284 a------- c:\docume~1\john\applic~1\ViewerApp.dat
2008-08-26 02:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 21:42:15.06 ===============
Old 03-04-2009, 04:44 AM   #12 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP


Re: Can't seem to get rid of "vundo" virus

Hello again

Sorry about that.

========

Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

=========

I still see a reference to Norton on your system; please download and run the Norton Removal Tool.

=========

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Documents and Settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe 
c:\windows\system32\yjpq***l.dll
c:\windows\system32\exitwx.exe
c:\windows\temp\SND532unin.txt

Folder::
C:\Program Files\Java\jre1.6.0_07

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the C:\Combofix.txt in your reply for review.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating

Last edited by TheBruce1; 03-04-2009 at 04:49 AM.
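As an added example (not code from the thread, from DDS or from ComboFix): a small Python triage pass over DDS-style records of the shapes seen in the log above, encoding the kinds of entry the analyst then targeted in the CFScript (a service whose image DDS could not resolve, a random-looking recently created DLL in system32, orphaned TB/EB registrations, ActiveX installers for a JRE older than the newest one present). The rule set, the name heuristic and the sample excerpt are my own constructions, not part of any tool.

```python
"""Triage of DDS log records, added as an example; it is not part of the thread,
of DDS or of ComboFix. The regexes follow the record shapes visible in the DDS
log above; the rules are my own encoding of what the analyst acted on in the CFScript."""
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.*)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
                        r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: - (?P<url>\S+))?$")
NOFILE_RE = re.compile(r"^(?:TB|EB): \{[0-9A-Fa-f-]+\} - No File$")
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.I)
# The forum masked part of one file name with '*'; treat '*' as an unknown letter.
RANDOM_STEM_RE = re.compile(r"^[a-z*]{8}$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def random_looking(path):
    """Heuristic: an 8-letter lowercase stem with at most one vowel ('yjpq***l').
    Legitimate system32 names such as 'deploytk' or 'javacpl' fail this test."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem)) and sum(c in "aeiou" for c in stem) <= 1


def jre_version(url):
    """Version tuple from a jinstall-1_6_0_07-... URL, or None if not a JRE installer."""
    m = JINSTALL_RE.search(url or "")
    return tuple(int(x) for x in m.groups()) if m else None


def triage(log_text):
    """Return the DDS lines an analyst would look at first, tagged by rule."""
    findings, dpf, section = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=") and line.endswith("="):  # section banner
            section = line.strip("= ").lower()
        elif (m := SERVICE_RE.match(line)) and "[?]" in m["image"]:
            findings.append(Finding("service-image-unresolved", line))  # DDS could not resolve the binary
        elif section == "created last 30" and (m := CREATED_RE.match(line)):
            p = m["path"].lower()
            if p.startswith("c:\\windows\\system32\\") and m["size"] != "<DIR>" and random_looking(p):
                findings.append(Finding("recent-system32-random-name", line))
        elif NOFILE_RE.match(line):
            findings.append(Finding("browser-extension-no-file", line))  # orphaned TB/EB registration
        elif (m := DPF_RE.match(line)):
            dpf.append((line, m["url"], jre_version(m["url"])))
    newest = max((v for _, _, v in dpf if v), default=None)
    for line, url, v in dpf:
        if url is None:
            findings.append(Finding("dpf-no-source", line))  # ActiveX entry with no install source
        elif v and v < newest:
            findings.append(Finding("dpf-superseded-jre", line))  # older JRE installer than the newest present
    return findings


def cfscript_dds_section(findings):
    """CFScript's DDS:: section takes DDS lines verbatim (as in the analyst's script);
    only browser-entry findings belong there, file paths go under File:: instead."""
    dds_rules = {"browser-extension-no-file", "dpf-superseded-jre", "dpf-no-source"}
    lines = [f.line for f in findings if f.rule in dds_rules]
    return "DDS::\n" + "\n".join(lines) + "\n" if lines else ""


# Constructed excerpt in DDS format, following the record shapes of the log above.
SAMPLE_LOG = r"""
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R2 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-1-28 492888]

=============== Created Last 30 ================

2009-02-25 21:32 <DIR> --d----- C:\ComboFix
2009-02-23 21:13 5,944 a------- c:\windows\system32\yjpq***l.dll
2009-02-19 21:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-19 21:31 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 21:42:15.06 ===============
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:30} {f.line}")
    print(cfscript_dds_section(found))
```

The generated DDS:: block reproduces the TB/EB and DPF lines the analyst placed in the CFScript above; file-path findings are reported but deliberately left for a human to confirm before they go under File::.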
Old 03-05-2009, 09:55 PM   #13 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 9
OS: xp sp 3


Re: Can't seem to get rid of "vundo" virus

Here's my latest ComboFix.txt

thanks.

ComboFix 09-03-04.01 - John 2009-03-05 20:32:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.368 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFscript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe
c:\windows\system32\exitwx.exe
c:\windows\temp\SND532unin.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Desktop\DVD Burning Software\dvd wizard pro stuff\dvd download stuff\divx5.exe
c:\program files\Java\jre1.6.0_07
c:\program files\Java\jre1.6.0_07\bin\awt.dll
c:\program files\Java\jre1.6.0_07\bin\axbridge.dll
c:\program files\Java\jre1.6.0_07\bin\client\classes.jsa
c:\program files\Java\jre1.6.0_07\bin\client\jvm.dll
c:\program files\Java\jre1.6.0_07\bin\client\Xusage.txt
c:\program files\Java\jre1.6.0_07\bin\cmm.dll
c:\program files\Java\jre1.6.0_07\bin\dcpr.dll
c:\program files\Java\jre1.6.0_07\bin\deploy.dll
c:\program files\Java\jre1.6.0_07\bin\dt_shmem.dll
c:\program files\Java\jre1.6.0_07\bin\dt_socket.dll
c:\program files\Java\jre1.6.0_07\bin\fontmanager.dll
c:\program files\Java\jre1.6.0_07\bin\hpi.dll
c:\program files\Java\jre1.6.0_07\bin\hprof.dll
c:\program files\Java\jre1.6.0_07\bin\instrument.dll
c:\program files\Java\jre1.6.0_07\bin\ioser12.dll
c:\program files\Java\jre1.6.0_07\bin\j2pcsc.dll
c:\program files\Java\jre1.6.0_07\bin\j2pkcs11.dll
c:\program files\Java\jre1.6.0_07\bin\jaas_nt.dll
c:\program files\Java\jre1.6.0_07\bin\java-rmi.exe
c:\program files\Java\jre1.6.0_07\bin\java.dll
c:\program files\Java\jre1.6.0_07\bin\java.exe
c:\program files\Java\jre1.6.0_07\bin\java_crw_demo.dll
c:\program files\Java\jre1.6.0_07\bin\javacpl.cpl
c:\program files\Java\jre1.6.0_07\bin\javacpl.exe
c:\program files\Java\jre1.6.0_07\bin\javaw.exe
c:\program files\Java\jre1.6.0_07\bin\javaws.exe
c:\program files\Java\jre1.6.0_07\bin\jawt.dll
c:\program files\Java\jre1.6.0_07\bin\JdbcOdbc.dll
c:\program files\Java\jre1.6.0_07\bin\jdwp.dll
c:\program files\Java\jre1.6.0_07\bin\jli.dll
c:\program files\Java\jre1.6.0_07\bin\jpeg.dll
c:\program files\Java\jre1.6.0_07\bin\jpicom.dll
c:\program files\Java\jre1.6.0_07\bin\jpiexp.dll
c:\program files\Java\jre1.6.0_07\bin\jpinscp.dll
c:\program files\Java\jre1.6.0_07\bin\jpioji.dll
c:\program files\Java\jre1.6.0_07\bin\jpishare.dll
c:\program files\Java\jre1.6.0_07\bin\jsound.dll
c:\program files\Java\jre1.6.0_07\bin\jsoundds.dll
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Java\jre1.6.0_07\bin\jureg.exe
c:\program files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\Java\jre1.6.0_07\bin\keytool.exe
c:\program files\Java\jre1.6.0_07\bin\kinit.exe
c:\program files\Java\jre1.6.0_07\bin\klist.exe
c:\program files\Java\jre1.6.0_07\bin\ktab.exe
c:\program files\Java\jre1.6.0_07\bin\management.dll
c:\program files\Java\jre1.6.0_07\bin\mlib_image.dll
c:\program files\Java\jre1.6.0_07\bin\msvcr71.dll
c:\program files\Java\jre1.6.0_07\bin\net.dll
c:\program files\Java\jre1.6.0_07\bin\nio.dll
c:\program files\Java\jre1.6.0_07\bin\npjava11.dll
c:\program files\Java\jre1.6.0_07\bin\npjava12.dll
c:\program files\Java\jre1.6.0_07\bin\npjava13.dll
c:\program files\Java\jre1.6.0_07\bin\npjava14.dll
c:\program files\Java\jre1.6.0_07\bin\npjava32.dll
c:\program files\Java\jre1.6.0_07\bin\npjpi160_07.dll
c:\program files\Java\jre1.6.0_07\bin\npoji610.dll
c:\program files\Java\jre1.6.0_07\bin\npt.dll
c:\program files\Java\jre1.6.0_07\bin\orbd.exe
c:\program files\Java\jre1.6.0_07\bin\pack200.exe
c:\program files\Java\jre1.6.0_07\bin\policytool.exe
c:\program files\Java\jre1.6.0_07\bin\regutils.dll
c:\program files\Java\jre1.6.0_07\bin\rmi.dll
c:\program files\Java\jre1.6.0_07\bin\rmid.exe
c:\program files\Java\jre1.6.0_07\bin\rmiregistry.exe
c:\program files\Java\jre1.6.0_07\bin\servertool.exe
c:\program files\Java\jre1.6.0_07\bin\splashscreen.dll
c:\program files\Java\jre1.6.0_07\bin\ssv.dll
c:\program files\Java\jre1.6.0_07\bin\ssvagent.exe
c:\program files\Java\jre1.6.0_07\bin\sunmscapi.dll
c:\program files\Java\jre1.6.0_07\bin\tnameserv.exe
c:\program files\Java\jre1.6.0_07\bin\unpack.dll
c:\program files\Java\jre1.6.0_07\bin\unpack200.exe
c:\program files\Java\jre1.6.0_07\bin\verify.dll
c:\program files\Java\jre1.6.0_07\bin\w2k_lsa_auth.dll
c:\program files\Java\jre1.6.0_07\bin\wsdetect.dll
c:\program files\Java\jre1.6.0_07\bin\zip.dll
c:\program files\Java\jre1.6.0_07\COPYRIGHT
c:\program files\Java\jre1.6.0_07\lib\calendars.properties
c:\program files\Java\jre1.6.0_07\lib\classlist
c:\program files\Java\jre1.6.0_07\lib\cmm\CIEXYZ.pf
c:\program files\Java\jre1.6.0_07\lib\cmm\GRAY.pf
c:\program files\Java\jre1.6.0_07\lib\cmm\LINEAR_RGB.pf
c:\program files\Java\jre1.6.0_07\lib\cmm\sRGB.pf
c:\program files\Java\jre1.6.0_07\lib\content-types.properties
c:\program files\Java\jre1.6.0_07\lib\deploy.jar
c:\program files\Java\jre1.6.0_07\lib\deploy\ffjcext.zip
c:\program files\Java\jre1.6.0_07\lib\deploy\messages.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_de.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_es.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_fr.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_it.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_ja.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_ko.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_sv.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_zh_CN.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_zh_HK.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\messages_zh_TW.properties
c:\program files\Java\jre1.6.0_07\lib\deploy\splash.jpg
c:\program files\Java\jre1.6.0_07\lib\ext\dnsns.jar
c:\program files\Java\jre1.6.0_07\lib\ext\meta-index
c:\program files\Java\jre1.6.0_07\lib\ext\sunjce_provider.jar
c:\program files\Java\jre1.6.0_07\lib\ext\sunmscapi.jar
c:\program files\Java\jre1.6.0_07\lib\ext\sunpkcs11.jar
c:\program files\Java\jre1.6.0_07\lib\flavormap.properties
c:\program files\Java\jre1.6.0_07\lib\fontconfig.98.bfc
c:\program files\Java\jre1.6.0_07\lib\fontconfig.98.properties.src
c:\program files\Java\jre1.6.0_07\lib\fontconfig.bfc
c:\program files\Java\jre1.6.0_07\lib\fontconfig.properties.src
c:\program files\Java\jre1.6.0_07\lib\fonts\LucidaSansRegular.ttf
c:\program files\Java\jre1.6.0_07\lib\i386\jvm.cfg
c:\program files\Java\jre1.6.0_07\lib\im\indicim.jar
c:\program files\Java\jre1.6.0_07\lib\im\thaiim.jar
c:\program files\Java\jre1.6.0_07\lib\images\cursors\cursors.properties
c:\program files\Java\jre1.6.0_07\lib\images\cursors\invalid32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_CopyDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_CopyNoDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_LinkDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_LinkNoDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_MoveDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\images\cursors\win32_MoveNoDrop32x32.gif
c:\program files\Java\jre1.6.0_07\lib\javaws.jar
c:\program files\Java\jre1.6.0_07\lib\jce.jar
c:\program files\Java\jre1.6.0_07\lib\jsse.jar
c:\program files\Java\jre1.6.0_07\lib\jvm.hprof.txt
c:\program files\Java\jre1.6.0_07\lib\logging.properties
c:\program files\Java\jre1.6.0_07\lib\management-agent.jar
c:\program files\Java\jre1.6.0_07\lib\management\jmxremote.access
c:\program files\Java\jre1.6.0_07\lib\management\jmxremote.password.template
c:\program files\Java\jre1.6.0_07\lib\management\management.properties
c:\program files\Java\jre1.6.0_07\lib\management\snmp.acl.template
c:\program files\Java\jre1.6.0_07\lib\meta-index
c:\program files\Java\jre1.6.0_07\lib\net.properties
c:\program files\Java\jre1.6.0_07\lib\plugin.jar
c:\program files\Java\jre1.6.0_07\lib\psfont.properties.ja
c:\program files\Java\jre1.6.0_07\lib\psfontj2d.properties
c:\program files\Java\jre1.6.0_07\lib\resources.jar
c:\program files\Java\jre1.6.0_07\lib\rt.jar
c:\program files\Java\jre1.6.0_07\lib\security\cacerts
c:\program files\Java\jre1.6.0_07\lib\security\java.policy
c:\program files\Java\jre1.6.0_07\lib\security\java.security
c:\program files\Java\jre1.6.0_07\lib\security\javaws.policy
c:\program files\Java\jre1.6.0_07\lib\security\local_policy.jar
c:\program files\Java\jre1.6.0_07\lib\security\US_export_policy.jar
c:\program files\Java\jre1.6.0_07\lib\servicetag\jdk_header.png
c:\program files\Java\jre1.6.0_07\lib\sound.properties
c:\program files\Java\jre1.6.0_07\lib\tzmappings
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Abidjan
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Accra
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Addis_Ababa
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Algiers
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Asmara
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Bamako
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Bangui
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Banjul
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Bissau
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Blantyre
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Brazzaville
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Bujumbura
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Cairo
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Casablanca
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Ceuta
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Conakry
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Dakar
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Dar_es_Salaam
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Djibouti
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Douala
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\El_Aaiun
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Freetown
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Gaborone
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Harare
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Johannesburg
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Kampala
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Khartoum
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Kigali
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Kinshasa
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Lagos
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Libreville
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Lome
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Luanda
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Lubumbashi
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Lusaka
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Malabo
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Maputo
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Maseru
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Mbabane
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Mogadishu
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Monrovia
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Nairobi
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Ndjamena
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Niamey
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Nouakchott
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Ouagadougou
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Porto-Novo
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Sao_Tome
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Tripoli
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Tunis
c:\program files\Java\jre1.6.0_07\lib\zi\Africa\Windhoek
c:\program files\Java\jre1.6.0_07\lib\zi\America\Adak
c:\program files\Java\jre1.6.0_07\lib\zi\America\Anchorage
c:\program files\Java\jre1.6.0_07\lib\zi\America\Anguilla
c:\program files\Java\jre1.6.0_07\lib\zi\America\Antigua
c:\program files\Java\jre1.6.0_07\lib\zi\America\Araguaina
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Buenos_Aires
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Catamarca
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Cordoba
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Jujuy
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\La_Rioja
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Mendoza
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Rio_Gallegos
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\San_Juan
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\San_Luis
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Tucuman
c:\program files\Java\jre1.6.0_07\lib\zi\America\Argentina\Ushuaia
c:\program files\Java\jre1.6.0_07\lib\zi\America\Aruba
c:\program files\Java\jre1.6.0_07\lib\zi\America\Asuncion
c:\program files\Java\jre1.6.0_07\lib\zi\America\Atikokan
c:\program files\Java\jre1.6.0_07\lib\zi\America\Bahia
c:\program files\Java\jre1.6.0_07\lib\zi\America\Barbados
c:\program files\Java\jre1.6.0_07\lib\zi\America\Belem
c:\program files\Java\jre1.6.0_07\lib\zi\America\Belize
c:\program files\Java\jre1.6.0_07\lib\zi\America\Blanc-Sablon
c:\program files\Java\jre1.6.0_07\lib\zi\America\Boa_Vista
c:\program files\Java\jre1.6.0_07\lib\zi\America\Bogota
c:\program files\Java\jre1.6.0_07\lib\zi\America\Boise
c:\program files\Java\jre1.6.0_07\lib\zi\America\Cambridge_Bay
c:\program files\Java\jre1.6.0_07\lib\zi\America\Campo_Grande
c:\program files\Java\jre1.6.0_07\lib\zi\America\Cancun
c:\program files\Java\jre1.6.0_07\lib\zi\America\Caracas
c:\program files\Java\jre1.6.0_07\lib\zi\America\Cayenne
c:\program files\Java\jre1.6.0_07\lib\zi\America\Cayman
c:\program files\Java\jre1.6.0_07\lib\zi\America\Chicago
c:\program files\Java\jre1.6.0_07\lib\zi\America\Chihuahua
c:\program files\Java\jre1.6.0_07\lib\zi\America\Costa_Rica
c:\program files\Java\jre1.6.0_07\lib\zi\America\Cuiaba
c:\program files\Java\jre1.6.0_07\lib\zi\America\Curacao
c:\program files\Java\jre1.6.0_07\lib\zi\America\Danmarkshavn
c:\program files\Java\jre1.6.0_07\lib\zi\America\Dawson
c:\program files\Java\jre1.6.0_07\lib\zi\America\Dawson_Creek
c:\program files\Java\jre1.6.0_07\lib\zi\America\Denver
c:\program files\Java\jre1.6.0_07\lib\zi\America\Detroit
c:\program files\Java\jre1.6.0_07\lib\zi\America\Dominica
c:\program files\Java\jre1.6.0_07\lib\zi\America\Edmonton
c:\program files\Java\jre1.6.0_07\lib\zi\America\Eirunepe
c:\program files\Java\jre1.6.0_07\lib\zi\America\El_Salvador
c:\program files\Java\jre1.6.0_07\lib\zi\America\Fortaleza
c:\program files\Java\jre1.6.0_07\lib\zi\America\Glace_Bay
c:\program files\Java\jre1.6.0_07\lib\zi\America\Godthab
c:\program files\Java\jre1.6.0_07\lib\zi\America\Goose_Bay
c:\program files\Java\jre1.6.0_07\lib\zi\America\Grand_Turk
c:\program files\Java\jre1.6.0_07\lib\zi\America\Grenada
c:\program files\Java\jre1.6.0_07\lib\zi\America\Guadeloupe
c:\program files\Java\jre1.6.0_07\lib\zi\America\Guatemala
c:\program files\Java\jre1.6.0_07\lib\zi\America\Guayaquil
c:\program files\Java\jre1.6.0_07\lib\zi\America\Guyana
c:\program files\Java\jre1.6.0_07\lib\zi\America\Halifax
c:\program files\Java\jre1.6.0_07\lib\zi\America\Havana
c:\program files\Java\jre1.6.0_07\lib\zi\America\Hermosillo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Indianapolis
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Knox
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Marengo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Petersburg
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Tell_City
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Vevay
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Vincennes
c:\program files\Java\jre1.6.0_07\lib\zi\America\Indiana\Winamac
c:\program files\Java\jre1.6.0_07\lib\zi\America\Inuvik
c:\program files\Java\jre1.6.0_07\lib\zi\America\Iqaluit
c:\program files\Java\jre1.6.0_07\lib\zi\America\Jamaica
c:\program files\Java\jre1.6.0_07\lib\zi\America\Juneau
c:\program files\Java\jre1.6.0_07\lib\zi\America\Kentucky\Louisville
c:\program files\Java\jre1.6.0_07\lib\zi\America\Kentucky\Monticello
c:\program files\Java\jre1.6.0_07\lib\zi\America\La_Paz
c:\program files\Java\jre1.6.0_07\lib\zi\America\Lima
c:\program files\Java\jre1.6.0_07\lib\zi\America\Los_Angeles
c:\program files\Java\jre1.6.0_07\lib\zi\America\Maceio
c:\program files\Java\jre1.6.0_07\lib\zi\America\Managua
c:\program files\Java\jre1.6.0_07\lib\zi\America\Manaus
c:\program files\Java\jre1.6.0_07\lib\zi\America\Martinique
c:\program files\Java\jre1.6.0_07\lib\zi\America\Mazatlan
c:\program files\Java\jre1.6.0_07\lib\zi\America\Menominee
c:\program files\Java\jre1.6.0_07\lib\zi\America\Merida
c:\program files\Java\jre1.6.0_07\lib\zi\America\Mexico_City
c:\program files\Java\jre1.6.0_07\lib\zi\America\Miquelon
c:\program files\Java\jre1.6.0_07\lib\zi\America\Moncton
c:\program files\Java\jre1.6.0_07\lib\zi\America\Monterrey
c:\program files\Java\jre1.6.0_07\lib\zi\America\Montevideo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Montreal
c:\program files\Java\jre1.6.0_07\lib\zi\America\Montserrat
c:\program files\Java\jre1.6.0_07\lib\zi\America\Nassau
c:\program files\Java\jre1.6.0_07\lib\zi\America\New_York
c:\program files\Java\jre1.6.0_07\lib\zi\America\Nipigon
c:\program files\Java\jre1.6.0_07\lib\zi\America\Nome
c:\program files\Java\jre1.6.0_07\lib\zi\America\Noronha
c:\program files\Java\jre1.6.0_07\lib\zi\America\North_Dakota\Center
c:\program files\Java\jre1.6.0_07\lib\zi\America\North_Dakota\New_Salem
c:\program files\Java\jre1.6.0_07\lib\zi\America\Panama
c:\program files\Java\jre1.6.0_07\lib\zi\America\Pangnirtung
c:\program files\Java\jre1.6.0_07\lib\zi\America\Paramaribo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Phoenix
c:\program files\Java\jre1.6.0_07\lib\zi\America\Port-au-Prince
c:\program files\Java\jre1.6.0_07\lib\zi\America\Port_of_Spain
c:\program files\Java\jre1.6.0_07\lib\zi\America\Porto_Velho
c:\program files\Java\jre1.6.0_07\lib\zi\America\Puerto_Rico
c:\program files\Java\jre1.6.0_07\lib\zi\America\Rainy_River
c:\program files\Java\jre1.6.0_07\lib\zi\America\Rankin_Inlet
c:\program files\Java\jre1.6.0_07\lib\zi\America\Recife
c:\program files\Java\jre1.6.0_07\lib\zi\America\Regina
c:\program files\Java\jre1.6.0_07\lib\zi\America\Resolute
c:\program files\Java\jre1.6.0_07\lib\zi\America\Rio_Branco
c:\program files\Java\jre1.6.0_07\lib\zi\America\Santiago
c:\program files\Java\jre1.6.0_07\lib\zi\America\Santo_Domingo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Sao_Paulo
c:\program files\Java\jre1.6.0_07\lib\zi\America\Scoresbysund
c:\program files\Java\jre1.6.0_07\lib\zi\America\St_Johns
c:\program files\Java\jre1.6.0_07\lib\zi\America\St_Kitts
c:\program files\Java\jre1.6.0_07\lib\zi\America\St_Lucia
c:\program files\Java\jre1.6.0_07\lib\zi\America\St_Thomas
c:\program files\Java\jre1.6.0_07\lib\zi\America\St_Vincent
c:\program files\Java\jre1.6.0_07\lib\zi\America\Swift_Current
c:\program files\Java\jre1.6.0_07\lib\zi\America\Tegucigalpa
c:\program files\Java\jre1.6.0_07\lib\zi\America\Thule
c:\program files\Java\jre1.6.0_07\lib\zi\America\Thunder_Bay
c:\program files\Java\jre1.6.0_07\lib\zi\America\Tijuana
c:\program files\Java\jre1.6.0_07\lib\zi\America\Toronto
c:\program files\Java\jre1.6.0_07\lib\zi\America\Tortola
c:\program files\Java\jre1.6.0_07\lib\zi\America\Vancouver
c:\program files\Java\jre1.6.0_07\lib\zi\America\Whitehorse
c:\program files\Java\jre1.6.0_07\lib\zi\America\Winnipeg
c:\program files\Java\jre1.6.0_07\lib\zi\America\Yakutat
c:\program files\Java\jre1.6.0_07\lib\zi\America\Yellowknife
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Casey
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Davis
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\DumontDUrville
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Mawson
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\McMurdo
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Palmer
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Rothera
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Syowa
c:\program files\Java\jre1.6.0_07\lib\zi\Antarctica\Vostok
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Aden
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Almaty
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Amman
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Anadyr
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Aqtau
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Aqtobe
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Ashgabat
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Baghdad
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Bahrain
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Baku
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Bangkok
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Beirut
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Bishkek
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Brunei
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Choibalsan
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Chongqing
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Colombo
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Damascus
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Dhaka
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Dili
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Dubai
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Dushanbe
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Gaza
c:\program files\Java\jre1.6.0_07\lib\zi\Asia\Harbin
c:\windows\system32\exitwx.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-04 21:59 . 2009-03-04 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-25 22:05 . 2009-02-25 22:05 <DIR> d-------- c:\program files\Common Files\Java
2009-02-24 22:37 . 2009-02-24 22:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-24 22:37 . 2009-02-25 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:13 . 2009-02-23 21:13 5,944 --a------ c:\windows\system32\yjpq***l.dll
2009-02-22 08:55 . 2009-02-24 20:57 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-22 08:55 . 2009-02-22 08:55 1,409 --a------ c:\windows\QTFont.for
2009-02-21 22:01 . 2009-02-21 22:01 250 --a------ c:\windows\gmer.ini
2009-02-21 08:59 . 2009-02-21 09:03 16,384 --a------ c:\windows\DCEBoot.exe
2009-02-19 21:35 . 2009-02-19 22:27 <DIR> d-------- c:\documents and settings\John\.housecall6.6
2009-02-19 21:33 . 2009-02-19 21:33 <DIR> d-------- c:\windows\Sun
2009-02-19 21:31 . 2009-02-19 21:30 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 21:31 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 21:30 . 2009-03-05 20:39 <DIR> d-------- c:\program files\Java
2009-02-19 07:38 . 2009-02-19 07:39 <DIR> d-------- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 00:05 --------- d-----w c:\documents and settings\John\Application Data\skypePM
2009-03-05 15:46 --------- d-----w c:\documents and settings\John\Application Data\Skype
2009-02-26 05:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 05:09 --------- d-----w c:\documents and settings\John\Application Data\oovooToolbar
2009-02-18 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-16 00:09 --------- d-----w c:\program files\ooVoo
2009-02-08 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-28 17:44 --------- d-----w c:\program files\Trend Micro
2009-01-28 05:59 --------- d-----w c:\program files\Trend Micro(TM) Internet Security
2009-01-25 08:53 --------- d-----w c:\documents and settings\John\Application Data\RipIt4Me
2009-01-22 03:12 --------- d-----w c:\documents and settings\John\Application Data\ooVoo Details
2009-01-22 03:09 --------- d-----w c:\program files\oovooToolbar
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-03-07 22:37 85,000 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 04:37 47,360 ----a-w c:\documents and settings\John\Application Data\pcouffin.sys
2005-12-16 16:48 37 ----a-w c:\documents and settings\John\getfile.dat
2004-12-30 21:02 565 ----a-w c:\documents and settings\John\DMOrganizer.dat
2004-12-27 16:04 284 ----a-w c:\documents and settings\John\Application Data\ViewerApp.dat
2008-08-26 10:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-24_21.02.35.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2009-02-20 05:30:46 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-06-10 09:21:01 135,168 ----a-w c:\windows\system32\java.exe
- 2009-02-20 05:30:46 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-06-10 09:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
- 2009-02-20 05:30:46 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-06-10 10:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]
2008-12-11 11:08 1912280 --a------ c:\progra~1\OOVOOT~1\OOVOOT~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\system32\msiexec.exe" [2008-04-13 78848]

c:\documents and settings\John\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-26 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk.disabled [2004-12-25 763]
Picture Package VCD Maker.lnk.disabled [2004-12-25 813]
ymetray.lnk.disabled [2007-07-23 1916]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"oovoo.exe"=c:\program files\ooVoo\oovoo.exe /minimized
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HumMeteringClient"=rundll32.exe "c:\program files\Hummingbird\Connectivity\11.00\Accessories\MeteringClient.dll",RegisterProduct
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"WinampAgent"=c:\program files\Winamp\winampa.exe
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\xstart.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-09-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-03-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\System32\sdpasvc.exe -service --> c:\windows\System32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\11.00\Accessories\ProxyEngine.exe [2005-10-27 120496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{709c13ad-4270-11d9-9cbd-000c6e8529dc}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35DFFE62-9F48-4236-9249-9EAB5C7123C9}]
"c:\program files\Hummingbird\Connectivity\11.00\Accessories\HumSettings.exe" INSTALL=ALL
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]

2009-03-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Hummingbird\Connectivity\11.00\Exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 20:45:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,4e,9c,bb,4f,a9,
aa,e1,89,fa,ea,66,7f,d4,3b,6b,70,9d,40,ec,b0,3f,21,b1,3d,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-05 20:51:38
ComboFix-quarantined-files.txt 2009-03-06 04:51:32
ComboFix2.txt 2009-02-26 05:44:25
ComboFix3.txt 2009-02-25 05:04:50

Pre-Run: 53,533,614,080 bytes free
Post-Run: 53,591,552,000 bytes free

842 --- E O F --- 2009-03-06 00:50:59
Old 03-06-2009, 05:05 AM   #14 (permalink)
Moderator, Analyst, Security Team
TheBruce1
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Can't seem to get rid of "vundo" virus

Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

ooVoo
ooVoo Toolbar

http://www.threatexpert.com/files/oovooToolbar.dll.html
http://www.threatexpert.com/report.a...ae533aca2d86a4

==========

Open notepad and copy/paste the text in the quotebox below into it:

Code:
FileLook::
c:\windows\system32\yjpq***l.dll

Folder::
c:\program files\Viewpoint

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the C:\Combofix.txt in your reply for review.
__________________
Member of ASAP since 2007
Member of UNITE since 2008

Old 03-06-2009, 11:52 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 9
OS: xp sp 3


Re: Can't seem to get rid of "vundo" virus

Latest ComboFix.txt from the script you posted...

thanks.

ComboFix 09-03-04.01 - John 2009-03-06 22:36:15.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.423 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-04 21:59 . 2009-03-04 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-25 22:05 . 2009-02-25 22:05 <DIR> d-------- c:\program files\Common Files\Java
2009-02-24 22:37 . 2009-02-24 22:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-24 22:37 . 2009-02-25 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:13 . 2009-02-23 21:13 5,944 --a------ c:\windows\system32\yjpq***l.dll
2009-02-22 08:55 . 2009-02-24 20:57 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-22 08:55 . 2009-02-22 08:55 1,409 --a------ c:\windows\QTFont.for
2009-02-21 22:01 . 2009-02-21 22:01 250 --a------ c:\windows\gmer.ini
2009-02-21 08:59 . 2009-02-21 09:03 16,384 --a------ c:\windows\DCEBoot.exe
2009-02-19 21:35 . 2009-02-19 22:27 <DIR> d-------- c:\documents and settings\John\.housecall6.6
2009-02-19 21:33 . 2009-02-19 21:33 <DIR> d-------- c:\windows\Sun
2009-02-19 21:31 . 2009-02-19 21:30 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 21:31 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 21:30 . 2009-03-05 20:39 <DIR> d-------- c:\program files\Java
2009-02-19 07:38 . 2009-02-19 07:39 <DIR> d-------- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 06:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 06:32 --------- d-----w c:\program files\oovooToolbar
2009-03-07 06:32 --------- d-----w c:\program files\ooVoo
2009-03-07 00:08 --------- d-----w c:\documents and settings\John\Application Data\skypePM
2009-03-06 17:09 --------- d-----w c:\documents and settings\John\Application Data\Skype
2009-02-18 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-08 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-28 17:44 --------- d-----w c:\program files\Trend Micro
2009-01-28 05:59 --------- d-----w c:\program files\Trend Micro(TM) Internet Security
2009-01-25 08:53 --------- d-----w c:\documents and settings\John\Application Data\RipIt4Me
2009-01-22 03:12 --------- d-----w c:\documents and settings\John\Application Data\ooVoo Details
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-03-07 22:37 85,000 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 04:37 47,360 ----a-w c:\documents and settings\John\Application Data\pcouffin.sys
2005-12-16 16:48 37 ----a-w c:\documents and settings\John\getfile.dat
2004-12-30 21:02 565 ----a-w c:\documents and settings\John\DMOrganizer.dat
2004-12-27 16:04 284 ----a-w c:\documents and settings\John\Application Data\ViewerApp.dat
2008-08-26 10:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\yjpq***l.dll -- Invalid filepath or file no longer exist


((((((((((((((((((((((((((((( SnapShot@2009-02-24_21.02.35.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2009-02-20 05:30:46 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-06-10 09:21:01 135,168 ----a-w c:\windows\system32\java.exe
- 2009-02-20 05:30:46 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-06-10 09:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
- 2009-02-20 05:30:46 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-06-10 10:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\system32\msiexec.exe" [2008-04-13 78848]

c:\documents and settings\John\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-26 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk.disabled [2004-12-25 763]
Picture Package VCD Maker.lnk.disabled [2004-12-25 813]
ymetray.lnk.disabled [2007-07-23 1916]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"oovoo.exe"=c:\program files\ooVoo\oovoo.exe /minimized
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HumMeteringClient"=rundll32.exe "c:\program files\Hummingbird\Connectivity\11.00\Accessories\MeteringClient.dll",RegisterProduct
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"WinampAgent"=c:\program files\Winamp\winampa.exe
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\11.00\\Exceed\\xstart.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-09-22 97530]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2007-03-25 21632]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\Hummingbird\Connectivity\11.00\HostExplorer\PrintServices\PESRV.exe [2005-10-27 149152]
R2 SDPASVC;SDPAUMS server service;c:\windows\System32\sdpasvc.exe -service --> c:\windows\System32\sdpasvc.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2003-11-25 28445]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\11.00\Accessories\ProxyEngine.exe [2005-10-27 120496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{709c13ad-4270-11d9-9cbd-000c6e8529dc}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35DFFE62-9F48-4236-9249-9EAB5C7123C9}]
"c:\program files\Hummingbird\Connectivity\11.00\Accessories\HumSettings.exe" INSTALL=ALL
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]

2009-03-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Hummingbird\Connectivity\11.00\Exceed\humshmx.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\tzoxubli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 22:43:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-06 22:47:42
ComboFix-quarantined-files.txt 2009-03-07 06:47:35
ComboFix2.txt 2009-03-06 04:51:42
ComboFix3.txt 2009-02-26 05:44:25
ComboFix4.txt 2009-02-25 05:04:50

Pre-Run: 53,509,021,696 bytes free
Post-Run: 53,486,649,344 bytes free

297 --- E O F --- 2009-03-06 00:50:59
jsmd7921 is offline  
Old 03-08-2009, 05:20 AM   #16 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Can't seem to get rid of "vundo" virus

Hello again

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"=-
"443:UDP"=-
"37674:TCP"=-
"37674:UDP"=-
"37675:UDP"=-
Save the file as "Fix.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the Fix.reg file and choose yes to merge/add it to the registry. You may delete the file afterwards.

===========

If there are no further issues, continue below.

===========

Delete DDS from your desktop.

Click Start>Run and type or copy/paste the following command then hit enter to uninstall gmer.

%systemroot%\gmer_uninstall.cmd


You can keep ATF-Cleaner if you wish, otherwise delete from desktop.

============

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

==============

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In the "Settings" window, put a check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released on the second Tuesday of each month, what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.


For Internet Explorer users:
WOT for IE

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items

------------------------------------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. Note that if you use a company-provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading and extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is trying to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Secunia PSI is a programme that will alert you to vulnerabilities and outdated programs you have installed, such as Java, Flash Player and many more.

It can also alert you if you have not installed the latest patches from Microsoft.

==============================================

Also, please take a look at this well written article:

PC Safety and Security--What Do I Need?

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
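The registry fix in the post above removes the five GloballyOpenPorts values by name. As an added example, not code from the original post or from ComboFix, the Python below parses that section of a ComboFix log, flags entries a reviewer should look at, and writes the same kind of REGEDIT4 deletion file. One caveat a practitioner should know: ComboFix abbreviates SYSTEM\CurrentControlSet as "~" in the key names it prints, while a .reg file must spell out the full HKEY_LOCAL_MACHINE path, which is what the constant below does. The sample log is constructed: the five ooVoo lines mirror the log above, and the 139:TCP line is a made-up Windows-owned entry (the "@xpsp2res.dll,-NNNN" label style the XP firewall uses for its own rules) to show which entries the script leaves alone.

```python
"""Parse the XP firewall's GloballyOpenPorts entries as ComboFix prints them and
emit a REGEDIT4 file that deletes the ones left behind by third-party software."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Full registry key behind the "HKLM\~\services\..." shorthand in the log.
# ComboFix abbreviates SYSTEM\CurrentControlSet as "~"; regedit needs the real path.
GLOBALLY_OPEN_PORTS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
)

# Value layout used by the XP SP2/SP3 firewall:
#   "<port>:<proto>"= <port>:<proto>:<scope>:<Enabled|Disabled>:<display name>
ENTRY_RE = re.compile(
    r'^"(?P<name>\d+:(?:TCP|UDP))"=\s*'
    r"(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):"
    r"(?P<state>Enabled|Disabled):(?P<label>.*)$"
)

# Constructed sample log (assumption): ooVoo lines mirror the thread's log, the
# 139:TCP line is a made-up Windows-owned entry, the last key must be ignored.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

[some\\other\\key]
"ignored"= 1:TCP:*:Enabled:not in the ports section
"""


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    scope: str       # "*" = any remote address, "LocalSubNet", or an address list
    enabled: bool
    label: str       # display name; Windows' own rules use "@<dll>,-<id>" resource refs

    @property
    def value_name(self) -> str:
        return f"{self.port}:{self.proto}"


def parse_globally_open_ports(log_text: str) -> List[OpenPort]:
    """Extract the GloballyOpenPorts\\List entries from a ComboFix-style log."""
    entries: List[OpenPort] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("["):
            # A new key header: stay active only inside the ports list.
            in_section = line.rstrip("]").lower().endswith(r"globallyopenports\list")
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(OpenPort(int(m["port"]), m["proto"], m["scope"],
                                    m["state"] == "Enabled", m["label"].strip()))
    return entries


def review(entries: Iterable[OpenPort]) -> Dict[str, List[str]]:
    """Map value name -> reasons a reviewer should look at that entry."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.enabled:
            reasons.append("currently enabled")
        if e.scope == "*":
            reasons.append("any remote address")
        if e.port < 1024 and not e.label.startswith("@"):
            reasons.append("well-known port opened by a third-party program")
        if reasons:
            findings[e.value_name] = reasons
    return findings


def select_for_removal(entries: Iterable[OpenPort],
                       keep: Callable[[OpenPort], bool] = lambda e: e.label.startswith("@")
                       ) -> List[OpenPort]:
    """Everything not owned by Windows itself is a candidate for deletion."""
    return [e for e in entries if not keep(e)]


def build_deletion_reg(entries: Iterable[OpenPort]) -> str:
    """REGEDIT4 text that deletes each value ("name"=- is regedit's delete syntax)."""
    lines = ["REGEDIT4", "", f"[{GLOBALLY_OPEN_PORTS_KEY}]"]
    lines += [f'"{e.value_name}"=-' for e in entries]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = parse_globally_open_ports(SAMPLE_LOG)
    for name, why in review(found).items():
        print(f"{name}: {', '.join(why)}")
    print(build_deletion_reg(select_for_removal(found)))
```

Run it against a saved ComboFix log instead of SAMPLE_LOG and merge the generated file with regedit; the "Disabled" state on the ooVoo entries only means the rule is switched off, the stale values still sit in the policy until deleted.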
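The MVPS paragraph above explains the mechanism: a HOSTS entry that maps a name to 127.0.0.1 keeps the machine from ever reaching that site. The same mechanism cuts the other way, since an entry that maps a name to some other address silently redirects the machine. As an added example, not code from the original post or from the MVPS project, the Python below reads a HOSTS file and sorts its mappings into loopback/unspecified sinks (the blocklist case), redirects to real addresses (what you want to see before trusting the file), and malformed lines. The sample HOSTS content is constructed and the names in it are example domains.

```python
"""Audit a Windows HOSTS file: blocklist entries must point at a loopback or the
unspecified address; anything else is a redirect worth checking by hand."""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Constructed sample HOSTS content (assumption), not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.example.net             # blocklist-style entry
127.0.0.1       tracker.example.org stats.example.org
192.0.2.10      update.example.com          # constructed redirect to a real address
not-an-ip       broken.example
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (address, hostname) pairs, ignoring comments and blank lines.
    One line may carry several names after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify every mapping; redirects are the ones that change where a name goes."""
    sinks: List[str] = []
    redirects: List[Tuple[str, str]] = []
    malformed: List[Tuple[str, str]] = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            malformed.append((addr, name))
            continue
        # 127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable.
        if ip.is_loopback or ip.is_unspecified:
            sinks.append(name)
        else:
            redirects.append((addr, name))
    return {"sinks": sinks, "redirects": redirects, "malformed": malformed}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinks'])} blocked names")
    for addr, name in report["redirects"]:
        print(f"REDIRECT {name} -> {addr}")
    for addr, name in report["malformed"]:
        print(f"MALFORMED {addr!r} {name}")
```

On XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it with open(path).read() and pass the text to audit_hosts. An empty "redirects" list is what a clean machine with a blocklist installed should show.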
Old 03-10-2009, 12:10 AM   #17 (permalink)
Registered User
Join Date: Feb 2009
Posts: 9
OS: xp sp 3


Re: Can't seem to get rid of "vundo" virus

Thanks for all the help. Initially I almost took it to a local computer "repair" shop, which told me that when a computer is infected there is essentially nothing you can do but wipe the hard drive and reinstall the OS (complete data loss). He was particularly condescending when I told him I was going to try to remove it first, which made TSF all the more attractive. My system is running as well as ever and I have downloaded all of the additional security tools you recommended (I am somewhat surprised they do not seem to conflict). Thanks again.

JS.
jsmd7921 is offline  
Old 03-10-2009, 04:44 AM   #18 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Can't seem to get rid of "vundo" virus

We generally only recommend a format as a last resort; with certain types of infection a format would be the first option, but that applies to a small number of infections.

Glad to hear that your system is running as it should. Surf safely.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Copyright 2001 - 2009, Tech Support Forum