Post #1, Jul 22 2008, 05:33 PM
New Member | Group: Members | Posts: 14 | Joined: 21-July 08 | Member No.: 224,281
SteamWiz, I was unable to locate either of the two files you referenced from the HijackThis scan: (O4 - HKLM\..\Run: [a48535aa] rundll32.exe C:\WINDOWS\System32\jaytfvjn.dll)

[Deckard's System Scanner v20071014.68 log, run by Owner on 2008-07-22 15:05:57: main.txt and extra.txt]
Jul 22 2008, 05:44 PM - Post #2
New Member - Group: Members - Posts: 14 - Joined: 21-July 08 - Member No.: 224,281
As per instructions, I attempted to download and run Kaspersky Online Scanner.

The program opens and begins to install components, but each time it gets to KOS update (?) or KOS Definitions (?) it just kills my Firefox browser. BLAM! Everything disappears. I've recreated this event 3x; it happens in just about the same place each time. Eeeek! Please advise...?

Thank you,
David
Jul 22 2008, 06:19 PM - Post #3
Forum Addict - Group: HJT Team - Posts: 1,019 - Joined: 14-February 08 - Member No.: 190,186
Hi David

The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 6.0 or higher ...

You HAVE to use Internet Explorer

It's way past midnight here now, so I'll check your other logs tomorrow. You certainly have a lot of malware showing in the DSS log ...

steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
Jul 22 2008, 06:41 PM - Post #4
New Member - Group: Members - Posts: 14 - Joined: 21-July 08 - Member No.: 224,281
Hi Steam,

Thanks for the tip on IE for Kaspersky. - However - since I couldn't run it on Firefox, I simply by-passed that step and went directly to Malwarebytes Anti-Malware. - It found 46 instances of Vundo. - LOG FILE report is here below.

PLEASE NOTE the attached Screen Shot, of a few interesting notices that appeared on Restart:

MALWARE BYTES report:

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

4:27:13 PM 7/22/2008
mbam-log-7-22-2008 (16-27-12).txt

Scan type: Quick Scan
Objects scanned: 42367
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcsmf (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a48535aa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjpkppvf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jaytfvjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njvftyaj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cpaiowxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awcweayt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdaaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbbkvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgmialbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trlptbir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rihdzf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2TFYIPFO\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL489VS2\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Antivirus 2009\av2009.exe.tmp (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
Attached File(s)
Jul 23 2008, 12:32 PM - Post #5
New Member - Group: Members - Posts: 14 - Joined: 21-July 08 - Member No.: 224,281
Hi Steamwiz,

I hope you got some good rest last night! Please review the mbam log, and if you would be so kind, please let me know your opinion: Is my hard drive safe now?

Thank you!
David
Jul 23 2008, 03:44 PM - Post #6
Forum Addict - Group: HJT Team - Posts: 1,019 - Joined: 14-February 08 - Member No.: 190,186
Hi David

We're not done yet ... but well on the way

RE: LULnchr.exe the application C:\WINDOWS\system32\rqRJCSMf.dll is not a valid windows image ...

The C:\WINDOWS\system32\rqRJCSMf.dll was probably supposed to create the LULnchr.exe when run, but the rqRJCSMf.dll was corrupt ... this file was a vundo Trojan & has now been deleted ... so the problem is no more

The second screen shot is not related & is just a firefox popup alerting you to firefox updates ...

A lot of the files found by Malwarebytes' Anti-Malware required a reboot to remove; sometimes they are stubborn and don't go at the first attempt ... so please run Malwarebytes' Anti-Malware again & post the new log (it will be a lot smaller or even clean)

Then I need you to run another program :-

Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

- Why don't you want to use IE to run the KASPERSKY scan ? It is an excellent deep scan (may take several hours) & may find something the other scans have missed ...

steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
Jul 24 2008, 03:13 PM - Post #7
New Member - Group: Members - Posts: 14 - Joined: 21-July 08 - Member No.: 224,281
Wow, it's amazing. This goes on and on.

Steamwiz, I will now post 3 logs: 1) Combofix 2) Malwarebyte 3) Kaspersky

I ran these in reverse order today (Kaspersky first).
Kaspersky found eleven infected files - but did nothing to fix them.
Malwarebyte found 5 infected files - but did nothing to fix them. (apparently the inoculation/fix feature was disabled)
Combofix found ?? infected files - I'm not sure what was done.

Here are the logs, and I'm definitely standing by... THANK YOU.
David

*************************************************************

ComboFix 08-07-23.5 - Owner 2008-07-24 12:34:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\WINDOWS\system32\bchbis.dll
C:\WINDOWS\system32\bpsxyclu.ini
C:\WINDOWS\system32\iifccBrp.dll
C:\WINDOWS\system32\mdgwlwvm.ini
C:\WINDOWS\system32\mvqbgkrr.dll
C:\WINDOWS\system32\nsyxptfr.ini
C:\WINDOWS\system32\pahdmf.dll
C:\WINDOWS\system32\prBccfii.ini
C:\WINDOWS\system32\rqRJCSMf.dll
C:\WINDOWS\system32\rrmonv.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-24 06:53 . 2008-07-24 06:53 <DIR> d-------- C:\Program Files\Sun
2008-07-22 16:17 . 2008-07-22 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-22 16:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 16:16 . 2008-07-22 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 16:16 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Deckard
2008-07-22 14:59 . 2008-07-22 14:59 94,848 --------- C:\WINDOWS\system32\fvppkpjh.dll
2008-07-21 11:13 . 2008-07-21 11:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-09 12:38 . 2008-07-09 12:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-09 12:38 . 2008-07-09 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 13:52 --------- d-----w C:\Program Files\Java
2008-07-22 06:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-08 21:54 --------- d-----w C:\Program Files\Yahoo!
2008-07-08 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-27 19:29 --------- d-----w C:\Program Files\Picasa2
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-30 13:14:43 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-12 12:17:29 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-09-05 09:34:20 688128]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 03:01:00 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-08 10:02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a239cc2-501a-11db-8bd5-00c09f80d436}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{854e5cb7-f900-11dc-8d5d-00c09f80d436}]
\Shell\AutoRun\command - G:\PortableRoboForm.exe
\Shell\RoboForm2Go\command - G:\PortableRoboForm.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 00:27:09 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FFA9D7DF-C273-47A2-9CE6-8A9B150E4364}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 12:38:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-24 12:39:40
ComboFix-quarantined-files.txt 2008-07-24 19:39:33

Pre-Run: 24,709,156,864 bytes free
Post-Run: 24,826,130,432 bytes free

124 --- E O F --- 2008-07-13 23:52:43

*************************************************************

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

4:27:13 PM 7/22/2008
mbam-log-7-22-2008 (16-27-12).txt

Scan type: Quick Scan
Objects scanned: 42367
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcsmf (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a48535aa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjpkppvf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jaytfvjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njvftyaj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cpaiowxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awcweayt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdaaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbbkvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgmialbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trlptbir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rihdzf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2TFYIPFO\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL489VS2\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Antivirus 2009\av2009.exe.tmp (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

********************************************************************************************

KASPERSKY ONLINE SCANNER 7 REPORT
file:///C:/Documents%20and%20Settings/Owner/My%20Documents/kaspersky%20report.html
Thursday, July 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 24, 2008 13:51:41
Records in database: 1002876

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\

Scan statistics
Files scanned: 85178
Threat name: 9
Infected objects: 13
Suspicious objects: 1
Duration of the scan: 02:25:21

File name / Threat name / Threats count
C:\Documents and Settings\Owner\My Documents\Files\crossloopsetup.exe  Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h  1
C:\Documents and Settings\Owner\My Documents\Files\crossloopsetup.exe  Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b  1
C:\Eudora files\InBox_Archive_1998-2003.mbx  Suspicious: Exploit.HTML.Iframe.FileDownload  1
C:\Program Files\CrossLoop\VNCHooks.dll  Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b  1
C:\Program Files\CrossLoop\winvnc.exe  Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h  1
C:\Program Files\ESET\infected\5G3NJFDA.NQF  Infected: Trojan-Downloader.Win32.Small.ykf  1
C:\Program Files\ESET\infected\F3U3HZBA.NQF  Infected: Trojan-Downloader.Win32.Zlob.aky  1
C:\Program Files\ESET\infected\GCDIVSAA.NQF  Infected: Trojan.Win32.Diamin.ji  1
C:\Program Files\ESET\infected\JEN4ILBA.NQF  Infected: Trojan-Downloader.Win32.Zlob.aqc  1
C:\Program Files\ESET\infected\QA33FFDA.NQF  Infected: Trojan-Downloader.Win32.Zlob.aky  1
C:\Program Files\ESET\infected\STN55WDA.NQF  Infected: Trojan-Downloader.Win32.Zlob.aky  1
C:\what is this old files\sdsetup.exe  Infected: Trojan-Downloader.Win32.Delf.gcy  1
C:\WINDOWS\system32\mvqbgkrr.dll  Infected: Trojan.Win32.Monder.amg  1
C:\WINDOWS\system32\pahdmf.dll  Infected: Trojan.Win32.Monder.amg  1

The selected area was scanned.
Jul 24 2008, 03:31 PM