Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winfix/vundo Problem


  • This topic is locked This topic is locked
2 replies to this topic

#1 maliszewski

maliszewski

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:32 AM

Posted 26 October 2007 - 09:45 AM

Hi all,

My computer was infected with vundo and I have followed the preparation guidelines. I have also run combofix and also run vundofix. I am not see popups now, but everytime I run vundofix it keeps detecting this file: C:\Windows\system32\xxywxwt.dll Vundofix tells me to reboot in order to remove the file, but it keeps coming up.

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:45 AM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\autodown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4227 bytes


Here is my combofix log:

ComboFix 07-10-26.4 - HP_Owner 2007-10-26 10:25:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-26 09:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 09:46 83,008 --a------ C:\WINDOWS\system32\eirjmmfy.dll
2007-10-26 09:27 <DIR> d-------- C:\VundoFix Backups
2007-10-26 08:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-26 08:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 15:02 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-25 14:20 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-25 14:06 25,088 --a------ C:\WINDOWS\system32\shfolder.dll
2007-10-25 14:06 25,088 --a------ C:\WINDOWS\system32\dllcache\shfolder.dll
2007-10-25 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 09:36 84,544 --a------ C:\WINDOWS\system32\odwtlwqf.dll
2007-10-25 08:20 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-25 08:20 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-25 08:19 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-25 08:19 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-20 11:28 53,258 --a------ C:\WINDOWS\system32\kjdsrngo.exe
2007-10-20 06:42 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-20 06:42 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-20 06:42 45,056 --a------ C:\WINDOWS\system32\katzpftec.exe
2007-10-20 06:42 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-20 06:42 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\xx1
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-20 06:41 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-05 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-26 22:06 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 11:45 --------- d-----w C:\Program Files\Java
2007-10-25 18:19 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-10-25 18:19 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-10-25 18:18 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-10-25 18:18 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-10-25 18:18 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-10-25 18:18 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-10-25 18:18 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-10-25 18:18 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-10-25 18:05 --------- d-----w C:\Program Files\Common Files\scanner
2007-10-21 10:54 --------- d-----w C:\Program Files\Google
2007-10-21 00:44 --------- d-----w C:\Program Files\Oberon Media
2007-10-21 00:44 --------- d-----w C:\Program Files\MSN Games
2007-10-10 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-07 03:39 --------- d-----w C:\Program Files\PlayFirst
2007-10-06 02:35 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\PlayFirst
2007-09-30 12:23 --------- d-----w C:\Program Files\iTunes
2007-09-30 12:23 --------- d-----w C:\Program Files\iPod
2007-09-30 11:59 --------- d-----w C:\Program Files\Apple Software Update
2007-09-28 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-09-27 02:06 --------- d-----w C:\Program Files\Real
2007-09-27 02:06 --------- d-----w C:\Program Files\Common Files\Real
2007-09-27 02:05 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-09-23 18:20 --------- d-----w C:\Program Files\activePDF
2007-09-23 18:15 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-09-06 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-06 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-09-01 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ----a-w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ----a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ----a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ----a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ----a-w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-01-06 01:32 774 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2006-12-02 10:02 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-19 08:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" [2007-10-25 14:16]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2007-10-25 14:18]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-10-25 14:18]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-10-25 14:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=C:\WINDOWS\pss\APC UPS Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 00:12:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-21 01:13:38 C:\WINDOWS\Tasks\Disk Cleanup.job"
"2007-10-26 01:14:00 C:\WINDOWS\Tasks\eTrust EZ Antivirus.job"
- C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\CAV.exe
"2007-10-26 05:33:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 10:30:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 10:32:06
C:\ComboFix2.txt ... 2007-10-26 10:11
.
--- E O F ---

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:32 AM

Posted 04 November 2007 - 11:44 PM

Hello maliszewski,

I see you ran ComboFix twice and posted the log from the second run. :thumbsup:
Why did you run ComboFix twice? It is supposed to run only once and under supervision.

I need to see the first run of ComboFix.
It is here C:\ComboFix2.txt, so please post it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:32 AM

Posted 10 November 2007 - 05:03 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users