
Please Help!-virtumonde, Mljjk.exe


This topic is locked
11 replies to this topic

#1 mysilver81 (Members, 9 posts)

Posted 25 January 2008 - 03:44 PM

Please help. I have been working on my computer all week trying to figure out what's wrong, and now I have it, but still no luck extracting the problem.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:11 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hardrocopsv/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - http://hardrocopsv/installregterm.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\Software\..\Telephony: DomainName = hrhchicago.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hrhchicago.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

--
End of file - 5755 bytes
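The entries in the log above that the rest of this thread acts on are the F3 line (a win.ini load= autostart pointing at mljjk.exe) and the O16 lines (ActiveX controls downloaded from a URL, one of them from an internal host and one with no URL at all). The script below is an added example, not code from the original post, HijackThis or ComboFix: it parses HijackThis-style entries and flags exactly those two classes. The sample log is constructed from lines quoted above; the set of trusted DPF hosts is an assumption made for the illustration.

```python
"""Triage a HijackThis v2 log for the persistence entries seen in this thread.

Added example, not part of the original post or of HijackThis itself. The
sample log below is constructed from the lines quoted in the thread; the
trusted-host set is an assumption for the illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the first HijackThis log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hardrocopsv/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - http://hardrocopsv/installregterm.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "F3 - REG:win.ini: load=..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumption for the example: ActiveX download (O16/DPF) hosts we treat as expected.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "download.microsoft.com"}


def parse_hjt(text):
    """Return a list of (section, body) tuples for every 'Xn - ...' entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return findings as (section, reason, detail) tuples.

    Rules encode what the thread's helpers act on:
      * F3 win.ini load=/run= is a legacy autostart that is empty on a clean XP
        install, so any value there (here: mljjk.exe) is a persistence point.
      * O16 entries pull ActiveX code from a URL; anything not on a trusted host,
        or with no URL at all, is listed for review.
    """
    findings = []
    for section, body in entries:
        if section == "F3":
            m = re.search(r"\b(load|run)=(.+)$", body)
            if m and m.group(2).strip():
                findings.append((section, "win.ini autostart", m.group(2).strip()))
        elif section == "O16":
            # The URL, when present, follows the last " - " separator.
            url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
            host = urlparse(url).hostname if url else None
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((section, "ActiveX from untrusted or missing host", url or "(no URL)"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print("%s  %-40s %s" % finding)
```

Run against the constructed sample it reports three entries: the win.ini load= of mljjk.exe, the JInitiator control with no download URL, and the installregterm.exe control served from hardrocopsv; the Windows Genuine Advantage control on go.microsoft.com is left alone. A real triage would extend the rule set (O2 BHOs with no name, O4 entries pointing into system32 under random names) in the same shape.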


#2 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 25 January 2008 - 04:02 PM

Hello mysilver81,

Welcome to Bleeping Computer!

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 mysilver81 (Topic Starter, 9 posts)

Posted 28 January 2008 - 11:34 AM

Well, after running the ComboFix and HijackThis scanners it looks like the programs erased my problems. Please let me know what else I should do. Thanks!

COMBO FIX LOG

ComboFix 08-01-28.2 - dalvarez 2008-01-28 10:06:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -6:00]
Running from: C:\Documents and Settings\dalvarez\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xvthbijk.dll
C:\Program Files\Helper
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinFP.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\WINDOWS\system32\ahttvqsy.dll
C:\WINDOWS\system32\ahttvqsy.dllbox
C:\WINDOWS\system32\cgfdylsf.ini
C:\WINDOWS\system32\cxnceldq.ini
C:\WINDOWS\system32\dkoihhjq.dll
C:\WINDOWS\system32\dkoihhjq.dllbox
C:\WINDOWS\system32\ediwelro.dll
C:\WINDOWS\system32\fnkkmvru.ini
C:\WINDOWS\system32\gbonbtca.dllbox
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\lyexrmqg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\pcnbuxfx.dllbox
C:\WINDOWS\system32\peosjylc.dll
C:\WINDOWS\system32\qoppppp.dll
C:\WINDOWS\system32\qoxiemdf.dll
C:\WINDOWS\system32\sxvuyxdh.dll
C:\WINDOWS\system32\uebcwbuk.dll
C:\WINDOWS\system32\urvmkknf.dll
C:\WINDOWS\system32\vccwiphp.dll
C:\WINDOWS\system32\vfhyftvk.dll
C:\WINDOWS\system32\xvthbijk.dll
C:\WINDOWS\system32\xvthbijk.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-25 12:08 . 2008-01-25 12:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 10:57 . 2008-01-28 10:03 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-25 08:50 . 2008-01-25 11:14 <DIR> d-------- C:\Documents and Settings\dalvarez\Application Data\GetRightToGo
2008-01-25 08:44 . 2008-01-25 08:44 163,904 --a------ C:\WINDOWS\system32\pcnbuxfx.dll.vir
2008-01-24 15:50 . 2008-01-24 15:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-24 08:37 . 2008-01-25 08:39 1,882,697 ---hs---- C:\WINDOWS\system32\ohqkavsk.ini
2008-01-23 12:21 . 2008-01-28 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-22 13:37 . 2008-01-28 10:03 <DIR> d-------- C:\QUARANTINE
2008-01-22 13:27 . 2008-01-22 13:27 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-01-22 13:27 . 2008-01-22 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-22 13:27 . 2007-10-25 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-22 13:27 . 2007-10-25 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-01-22 13:26 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-22 13:26 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-22 13:26 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-22 13:26 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-22 13:26 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-22 13:24 . 2008-01-22 13:27 <DIR> d-------- C:\Program Files\McAfee
2008-01-22 13:24 . 2008-01-22 13:24 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-22 13:22 . 2008-01-22 13:22 <DIR> d-------- C:\WINDOWS\system32\Debug
2008-01-22 10:17 . 2008-01-22 10:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-22 10:17 . 2008-01-22 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 10:13 . 2008-01-22 10:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 17:07 . 2008-01-18 17:07 163,904 --a------ C:\WINDOWS\system32\gbonbtca.dll.vir
2008-01-18 17:03 . 2008-01-25 09:28 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-18 16:51 . 2008-01-18 16:52 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 13:49 . 2008-01-28 09:57 673 --a------ C:\WINDOWS\wininit.ini
2008-01-17 10:21 . 2008-01-17 10:21 40,448 --a------ C:\WINDOWS\system32\awtssrs.dll.vir
2008-01-15 10:42 . 2008-01-15 10:42 <DIR> d-------- C:\Program Files\QuickZip4
2008-01-09 11:39 . 2008-01-17 10:28 <DIR> d-------- C:\Program Files\iTunes
2008-01-09 11:39 . 2008-01-09 11:39 <DIR> d-------- C:\Program Files\iPod
2008-01-08 11:33 . 2008-01-08 11:33 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-01-08 11:30 . 2008-01-08 11:30 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2008-01-08 11:30 . 2008-01-08 11:30 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2008-01-02 08:47 . 2008-01-02 08:47 818,322 --a------ C:\Program Files\iDump_Setup.exe
2007-12-31 08:34 . 2007-04-08 00:00 262,144 --a------ C:\WINDOWS\system32\adfactry.dll
2007-12-31 08:34 . 2007-04-08 00:00 78,336 --a------ C:\WINDOWS\system32\sfxbe324.dll
2007-12-31 08:34 . 2007-04-08 00:00 77,824 --a------ C:\WINDOWS\system32\sfxbe322.dll
2007-12-31 08:34 . 2007-04-08 00:00 58,368 --a------ C:\WINDOWS\system32\sfxfe321.exe
2007-12-31 08:34 . 2007-04-08 00:00 53,760 --a------ C:\WINDOWS\system32\sfxfe32.exe
2007-12-31 08:34 . 2007-12-31 08:34 111 --ah----- C:\sys38318.bin
2007-12-31 08:34 . 2007-12-31 08:35 111 --ah----- C:\sys24035.bin
2007-12-31 08:33 . 2008-01-08 09:38 <DIR> d-------- C:\Program Files\FileStream
2007-12-31 08:33 . 2007-12-31 11:07 111 --ah----- C:\sys30824.bin
2007-12-31 08:32 . 2007-12-31 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-12-31 08:21 . 2007-12-31 08:23 <DIR> d-------- C:\Program Files\ExtractNow
2007-12-28 09:00 . 2007-12-28 09:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 15:19 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\SlimBrowser
2008-01-28 14:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-17 16:28 --------- d-----w C:\Program Files\QuickTime
2008-01-16 18:25 --------- d-----w C:\Program Files\CA
2008-01-08 15:39 --------- d-----w C:\Program Files\YouTubeRobot
2008-01-08 15:35 --------- d-----w C:\Program Files\Naevius YouTube Converter
2008-01-07 20:12 --------- d-----w C:\Program Files\SlimBrowser
2008-01-04 14:14 7,886,336 ----a-w C:\Program Files\setup.msi
2008-01-02 14:47 --------- d-----w C:\Program Files\iDump
2007-12-31 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-21 16:21 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\dBpoweramp
2007-12-21 16:08 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\AccurateRip
2007-07-24 14:02 17,944 ----a-w C:\Documents and Settings\dalvarez\Application Data\GDIPFONTCACHEV1.DAT
.
----a-w		 1,289,000 2008-01-22 15:34:11  C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
----a-w		 1,289,000 2008-01-22 20:22:47  C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w		 1,289,000 2008-01-22 20:22:48  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w			15,360 2008-01-25 15:28:04  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 07:18 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
C:\PROGRA~1\CA\ETRUST~1\realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-25 13:40]
R2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 10:29]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-02-27 08:57]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-02-27 08:57]
S3 94dc49ed-15c1-464d-8d59-f361ba9ba6e3;94dc49ed-15c1-464d-8d59-f361ba9ba6e3;D:\Player\cds300.dll []
S3 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2002-09-20 10:27]
S3 CA_LIC_SRVR;CA License Server;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe" [2002-09-20 10:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 23:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 10:13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-01-28 10:16:57 - machine was rebooted [Dalvarez]
ComboFix-quarantined-files.txt 2008-01-28 16:16:46
.
2008-01-09 22:55:01 --- E O F ---



HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hardrocopsv/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - http://hardrocopsv/installregterm.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\Software\..\Telephony: DomainName = hrhchicago.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hrhchicago.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

--
End of file - 6519 bytes

#4 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 28 January 2008 - 02:35 PM

Hello,

You're most welcome. Even though it's running well, there are still some nasties present, and other things to take care of.

Use Windows Search (Start > Search > For Files or Folders), to search for the following file:
sys38318.bin

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 1,289,000 2008-01-22 15:34:11 C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
----a-w 1,289,000 2008-01-22 20:22:47 C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w 1,289,000 2008-01-22 20:22:48 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 15,360 2008-01-25 15:28:04 C:\WINDOWS\system32\ctfmon .exe

File::
C:\WINDOWS\system32\pcnbuxfx.dll.vir
C:\WINDOWS\system32\ohqkavsk.ini
C:\WINDOWS\system32\gbonbtca.dll.vir
C:\WINDOWS\system32\awtssrs.dll.vir
C:\WINDOWS\system32\mljjk


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
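Two findings from the ComboFix log in post #3 drive the CFScript above. First, the "Reg Loading Points" section shows a second entry appended to the LSA "Authentication Packages" value (msv1_0 followed by C:\WINDOWS\system32\mljjk); lsass.exe loads every DLL listed there at boot, which is why it is a load point and why the File:: section targets mljjk. Second, the files the RenV:: section renames are lookalikes whose names carry one or more spaces before the extension ("ctfmon .exe", "wcescomm   .exe"), which display almost identically to the real binaries next to them. The script below is an added example, not ComboFix's or the forum helper's code: it extracts the non-default authentication packages from a log line and walks a directory tree for space-padded lookalike names. The registry line and file names are constructed from the log; the default-package list and the throwaway directory layout are assumptions of the example.

```python
"""Two persistence/evasion checks drawn from the ComboFix log in this thread.

Added example, not ComboFix's or the forum helper's code. The registry line
and the file names are constructed from the log in post #3; the default
package list and the directory layout are assumptions of the example.
"""
import os
import re
import tempfile

# Packages normally present in HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# "Authentication Packages" on Windows XP. Assumption for the example; a site
# with custom authentication software may legitimately add more.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Constructed from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_LSA_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjk"


def extra_auth_packages(line):
    """Return the packages in an 'Authentication Packages REG_MULTI_SZ ...' line
    that are not in DEFAULT_AUTH_PACKAGES. Each extra entry is a DLL that
    lsass.exe loads at boot, so any unexpected one is a load point to remove."""
    m = re.match(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", line.strip())
    if not m:
        raise ValueError("not an Authentication Packages line")
    # ComboFix lists the values space separated and unquoted, so split on
    # whitespace; a path containing spaces would need a different listing.
    return [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


# "ctfmon .exe", "wcescomm   .exe": a stem, one or more spaces, then the extension.
LOOKALIKE_RE = re.compile(r"^(?P<stem>\S.*?)(?P<pad> +)\.(?P<ext>exe|dll|sys)$", re.IGNORECASE)


def find_space_padded_lookalikes(root):
    """Walk `root` and return sorted (path, shadowed_name, real_file_present)
    tuples for files whose name has spaces before the extension.

    In Explorer and most listings such a name looks identical to the real
    binary it sits beside, which is the trick the RenV:: section undoes."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        present = {n.lower() for n in filenames}
        for name in filenames:
            m = LOOKALIKE_RE.match(name)
            if not m:
                continue
            shadowed = "%s.%s" % (m.group("stem"), m.group("ext"))
            hits.append((os.path.join(dirpath, name), shadowed, shadowed.lower() in present))
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway directory that mimics the file names from the log.
    The contents are dummy bytes; only the names matter for this check."""
    root = tempfile.mkdtemp(prefix="vundo_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    sync = os.path.join(root, "Program Files", "Microsoft ActiveSync")
    os.makedirs(sys32)
    os.makedirs(sync)
    for name in ("ctfmon.exe", "ctfmon .exe", "mljjk.dll"):
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(b"MZ")
    for name in ("wcescomm.exe", "wcescomm .exe", "wcescomm  .exe", "wcescomm   .exe"):
        with open(os.path.join(sync, name), "wb") as f:
            f.write(b"MZ")
    return root


if __name__ == "__main__":
    print("extra LSA packages:", extra_auth_packages(SAMPLE_LSA_LINE))
    for path, shadowed, real_present in find_space_padded_lookalikes(build_sample_tree()):
        print("lookalike %r shadows %r (real file present: %s)" % (path, shadowed, real_present))
```

On a live Windows machine the first check would read the value with the registry API instead of a log line, and the second would be pointed at C:\WINDOWS\system32 and C:\Program Files; the matching logic is the same. Hash any hit before it is renamed or deleted so it can still be looked up on VirusTotal afterwards, which is the step the helper asks for with sys38318.bin.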

#5 mysilver81 (Topic Starter, 9 posts)

Posted 28 January 2008 - 05:38 PM

Well, I scanned my computer for sys38318.bin and only two ComboFix.txt files came up, but no sys38318.bin. I don't know if this is a good thing or not. Let me know if I should skip this part and go to the copy/paste part with ComboFix.

#6 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 28 January 2008 - 05:53 PM

Hello,

Please go ahead and post the reports for me.

Thanks,
tea

#7 mysilver81 (Topic Starter, 9 posts)

Posted 29 January 2008 - 09:28 AM

Here we go--

ComboFix 08-01-28.2 - dalvarez 2008-01-29 8:11:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -6:00]
Running from: C:\Documents and Settings\dalvarez\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 12:02 . 2008-01-28 12:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-28 12:02 . 2008-01-28 12:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-25 12:08 . 2008-01-25 12:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 10:57 . 2008-01-28 10:03 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-25 08:50 . 2008-01-25 11:14 <DIR> d-------- C:\Documents and Settings\dalvarez\Application Data\GetRightToGo
2008-01-25 08:44 . 2008-01-25 08:44 163,904 --a------ C:\WINDOWS\system32\pcnbuxfx.dll.vir
2008-01-24 15:50 . 2008-01-24 15:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-24 08:37 . 2008-01-25 08:39 1,882,697 ---hs---- C:\WINDOWS\system32\ohqkavsk.ini
2008-01-23 12:21 . 2008-01-28 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-22 13:37 . 2008-01-28 10:03 <DIR> d-------- C:\QUARANTINE
2008-01-22 13:27 . 2008-01-22 13:27 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-01-22 13:27 . 2008-01-22 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-22 13:27 . 2007-10-25 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-22 13:27 . 2007-10-25 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-01-22 13:26 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-22 13:26 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-22 13:26 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-22 13:26 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-22 13:26 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-22 13:24 . 2008-01-22 13:27 <DIR> d-------- C:\Program Files\McAfee
2008-01-22 13:24 . 2008-01-22 13:24 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-22 13:22 . 2008-01-22 13:22 <DIR> d-------- C:\WINDOWS\system32\Debug
2008-01-22 10:17 . 2008-01-22 10:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-22 10:17 . 2008-01-22 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 10:13 . 2008-01-22 10:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 17:07 . 2008-01-18 17:07 163,904 --a------ C:\WINDOWS\system32\gbonbtca.dll.vir
2008-01-18 17:03 . 2008-01-25 09:28 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-18 16:51 . 2008-01-18 16:52 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 13:49 . 2008-01-28 09:57 673 --a------ C:\WINDOWS\wininit.ini
2008-01-17 10:21 . 2008-01-17 10:21 40,448 --a------ C:\WINDOWS\system32\awtssrs.dll.vir
2008-01-15 10:42 . 2008-01-15 10:42 <DIR> d-------- C:\Program Files\QuickZip4
2008-01-09 11:39 . 2008-01-17 10:28 <DIR> d-------- C:\Program Files\iTunes
2008-01-09 11:39 . 2008-01-09 11:39 <DIR> d-------- C:\Program Files\iPod
2008-01-08 11:33 . 2008-01-08 11:33 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-01-08 11:30 . 2008-01-08 11:30 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2008-01-08 11:30 . 2008-01-08 11:30 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2008-01-07 19:16 . 2008-01-07 19:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 15:58 . 2008-01-04 15:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 15:58 . 2008-01-04 15:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 15:56 . 2008-01-04 15:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 15:56 . 2008-01-04 15:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-02 08:47 . 2008-01-02 08:47 818,322 --a------ C:\Program Files\iDump_Setup.exe
2007-12-31 08:34 . 2007-04-08 00:00 262,144 --a------ C:\WINDOWS\system32\adfactry.dll
2007-12-31 08:34 . 2007-04-08 00:00 78,336 --a------ C:\WINDOWS\system32\sfxbe324.dll
2007-12-31 08:34 . 2007-04-08 00:00 77,824 --a------ C:\WINDOWS\system32\sfxbe322.dll
2007-12-31 08:34 . 2007-04-08 00:00 58,368 --a------ C:\WINDOWS\system32\sfxfe321.exe
2007-12-31 08:34 . 2007-04-08 00:00 53,760 --a------ C:\WINDOWS\system32\sfxfe32.exe
2007-12-31 08:34 . 2007-12-31 08:34 111 --ah----- C:\sys38318.bin
2007-12-31 08:34 . 2007-12-31 08:35 111 --ah----- C:\sys24035.bin
2007-12-31 08:33 . 2008-01-08 09:38 <DIR> d-------- C:\Program Files\FileStream
2007-12-31 08:33 . 2007-12-31 11:07 111 --ah----- C:\sys30824.bin
2007-12-31 08:32 . 2007-12-31 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-12-31 08:21 . 2007-12-31 08:23 <DIR> d-------- C:\Program Files\ExtractNow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 14:10 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\SlimBrowser
2008-01-28 19:26 --------- d-----w C:\Program Files\DivX
2008-01-28 17:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-17 16:28 --------- d-----w C:\Program Files\QuickTime
2008-01-16 18:25 --------- d-----w C:\Program Files\CA
2008-01-07 20:12 --------- d-----w C:\Program Files\SlimBrowser
2008-01-04 14:14 7,886,336 ----a-w C:\Program Files\setup.msi
2008-01-02 14:47 --------- d-----w C:\Program Files\iDump
2007-12-31 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-28 15:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-21 16:21 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\dBpoweramp
2007-12-21 16:08 --------- d-----w C:\Documents and Settings\dalvarez\Application Data\AccurateRip
2007-07-24 14:02 17,944 ----a-w C:\Documents and Settings\dalvarez\Application Data\GDIPFONTCACHEV1.DAT
.
<pre>
----a-w		 1,289,000 2008-01-22 15:34:11  C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
----a-w		 1,289,000 2008-01-22 20:22:47  C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w		 1,289,000 2008-01-22 20:22:48  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w			15,360 2008-01-25 15:28:04  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 07:18 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
C:\PROGRA~1\CA\ETRUST~1\realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-25 13:40]
R2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 10:29]
S2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-02-27 08:57]
S3 94dc49ed-15c1-464d-8d59-f361ba9ba6e3;94dc49ed-15c1-464d-8d59-f361ba9ba6e3;D:\Player\cds300.dll []
S3 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2002-09-20 10:27]
S3 CA_LIC_SRVR;CA License Server;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe" [2002-09-20 10:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 23:36:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 08:16:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-01-29 8:17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 14:17:47
ComboFix2.txt 2008-01-28 16:16:57
.
2008-01-09 22:55:01 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19, on 2008-01-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hardrocopsv/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - http://hardrocopsv/installregterm.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\Software\..\Telephony: DomainName = hrhchicago.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hrhchicago.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hrhchicago.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

--
End of file - 6316 bytes

#8 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:59 AM

Posted 30 January 2008 - 02:11 AM

Hello,

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 mysilver81

mysilver81
  • Topic Starter
  • Members
  • 9 posts
  • Local time:03:59 AM

Posted 30 January 2008 - 03:05 PM

And hopefully this did the trick, fingers crossed.

BitDefender Online Scanner

Scan report generated at: Wed, Jan 30, 2008 - 13:52:26

Scan path: A:\;C:\;D:\;

Statistics
Time: 02:39:59
Files: 152860
Folders: 4897
Boot Sectors: 2
Archives: 1478
Packed Files: 7549

Results
Identified Viruses: 7
Infected Files: 67
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 67

Engines Info
Virus Definitions: 978212
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Application Data\SecTaskMan\nfolkuhv.dll.q_8042A41_q
Infected with: Trojan.Vundo.DVC

C:\Documents and Settings\All Users\Application Data\SecTaskMan\nfolkuhv.dll.q_8042A41_q
Disinfection failed

C:\Documents and Settings\All Users\Application Data\SecTaskMan\nfolkuhv.dll.q_8042A41_q
Deleted

C:\Documents and Settings\All Users\Application Data\SecTaskMan\qgrjxaru.dll.q_8042A41_q
Infected with: Trojan.Vundo.DVC

C:\Documents and Settings\All Users\Application Data\SecTaskMan\qgrjxaru.dll.q_8042A41_q
Disinfection failed

C:\Documents and Settings\All Users\Application Data\SecTaskMan\qgrjxaru.dll.q_8042A41_q
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\ahttvqsy.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\ahttvqsy.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\dkoihhjq.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\dkoihhjq.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\ediwelro.dll.vir
Infected with: Trojan.Vundo.DVC

C:\QooBox\Quarantine\C\WINDOWS\system32\ediwelro.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\ediwelro.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\lyexrmqg.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\lyexrmqg.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\mljjk.dll.vir
Infected with: Trojan.Vundo.DWK

C:\QooBox\Quarantine\C\WINDOWS\system32\mljjk.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\peosjylc.dll.vir
Infected with: Trojan.Vundo.DVC

C:\QooBox\Quarantine\C\WINDOWS\system32\peosjylc.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\peosjylc.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\qoppppp.dll.vir
Infected with: Trojan.Vundo.DWU

C:\QooBox\Quarantine\C\WINDOWS\system32\qoppppp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\qoxiemdf.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\qoxiemdf.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\sxvuyxdh.dll.vir
Infected with: Trojan.Vundo.DVC

C:\QooBox\Quarantine\C\WINDOWS\system32\sxvuyxdh.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\sxvuyxdh.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\uebcwbuk.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\uebcwbuk.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\vccwiphp.dll.vir
Infected with: Trojan.Vundo.DVC

C:\QooBox\Quarantine\C\WINDOWS\system32\vccwiphp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\vccwiphp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\vfhyftvk.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\vfhyftvk.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\xvthbijk.dll.vir
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\xvthbijk.dll.vir
Deleted

C:\QooBox\Quarantine\catchme2008-01-28_101334.85.zip=>xvthbijk.dll
Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\catchme2008-01-28_101334.85.zip=>xvthbijk.dll
Deleted

C:\QooBox\Quarantine\catchme2008-01-28_101334.85.zip
Updated

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032558.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032558.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032558.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032630.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032630.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP442\A0032630.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP443\A0032643.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP443\A0032643.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP443\A0032643.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP444\A0032647.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP444\A0032647.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP444\A0032647.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP445\A0034829.exe
Infected with: Generic.Malware.Yd!.B23B8AEB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP445\A0034829.exe
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP445\A0034829.exe
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034928.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034928.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034928.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034929.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034929.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034983.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034983.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP446\A0034983.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0037300.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0037300.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0037300.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038299.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038299.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038299.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038310.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038310.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP449\A0038310.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038316.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038316.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038316.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038393.rbf
Infected with: Generic.Malware.Yd!.B23B8AEB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038393.rbf
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP450\A0038393.rbf
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP451\A0038432.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP451\A0038432.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP451\A0038432.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038470.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038470.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038470.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038486.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038486.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038486.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038505.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038505.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038505.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038515.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038515.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038515.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038523.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038523.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038523.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038539.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038539.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038539.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038560.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038560.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP452\A0038560.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP454\snapshot\MFEX-1.DAT
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP454\snapshot\MFEX-1.DAT
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP457\snapshot\MFEX-1.DAT
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP457\snapshot\MFEX-1.DAT
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP458\snapshot\MFEX-1.DAT
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP458\snapshot\MFEX-1.DAT
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP459\A0038623.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP459\A0038623.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP459\A0038623.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP464\A0039674.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP464\A0039674.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP464\A0039675.dll
Infected with: Trojan.Vundo.DWU

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP464\A0039675.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP465\A0040850.dll
Infected with: Trojan.Vundo.DXF

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP465\A0040850.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP465\A0040856.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP465\A0040856.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP469\A0041168.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP469\A0041168.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP469\A0041168.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP471\A0041213.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP471\A0041213.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP471\A0041213.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP472\A0041260.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP472\A0041260.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP472\A0041260.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP474\A0041308.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP474\A0041308.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP474\A0041308.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP475\A0041360.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP475\A0041360.ini
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP475\A0041360.ini
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041433.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041433.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041434.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041434.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041436.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041436.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041437.dll
Infected with: Trojan.Vundo.DWK

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041437.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041438.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041438.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041438.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041439.dll
Infected with: Trojan.Vundo.DWU

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041439.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041440.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041440.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041441.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041441.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041441.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041442.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041442.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041444.dll
Infected with: Trojan.Vundo.DVC

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041444.dll
Disinfection failed

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041444.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041445.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041445.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041455.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041455.dll
Deleted

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041459.dll
Infected with: Trojan.Vundo.DWB

C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041459.dll
Deleted

C:\WINDOWS\system32\awtssrs.dll.vir
Infected with: Trojan.Vundo.DWU

C:\WINDOWS\system32\awtssrs.dll.vir
Deleted

C:\WINDOWS\system32\gbonbtca.dll.vir
Infected with: Trojan.Vundo.DWB

C:\WINDOWS\system32\gbonbtca.dll.vir
Deleted

C:\WINDOWS\system32\pcnbuxfx.dll.vir
Infected with: Trojan.Vundo.DWB

C:\WINDOWS\system32\pcnbuxfx.dll.vir
Deleted
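
As an added example (not code from the thread or from any scanner vendor), a small Python parser for the scan-log layout quoted above, which pairs each path line with the status line that follows it. It separates hits cached in System Restore points (the _restore{GUID}\RPnnn copies, which a later restore would bring back) from quarantined .vir copies and live files, and flags any file that never reached Deleted; the sample log is constructed from the posted format, with the blank separator lines omitted.

```python
import re

# Constructed sample in the layout of the scan log quoted above: a path line followed
# by a status line ("Infected with: ...", "Disinfection failed" or "Deleted").
SAMPLE_LOG = r"""C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Infected with: Trojan.Vundo.DVC
C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Disinfection failed
C:\System Volume Information\_restore{E966EBB9-580A-47C4-8979-F392594CF951}\RP477\A0041435.dll
Deleted
C:\WINDOWS\system32\awtssrs.dll.vir
Infected with: Trojan.Vundo.DWU
C:\WINDOWS\system32\awtssrs.dll.vir
Deleted
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# System Restore caches copies under _restore{GUID}\RPnnn; a restore would bring them back.
RESTORE_RE = re.compile(r"\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)

def classify(path):
    # Restore-point cache, quarantined copy (.vir) or live system file.
    if RESTORE_RE.search(path):
        return "restore-point"
    return "quarantine" if path.lower().endswith(".vir") else "live"

def parse_scan_log(text):
    """One record per distinct file: location, detection, failed-clean flag, final outcome."""
    files, pending = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if PATH_RE.match(line):            # a path line opens a new (path, status) pair
            pending = line
        elif pending is not None:          # a status line with no path is malformed: skipped
            rec = files.setdefault(pending, {"location": classify(pending), "detection": None,
                                             "disinfect_failed": False, "outcome": None})
            if line.startswith("Infected with:"):
                rec["detection"] = line.split(":", 1)[1].strip()
            elif line == "Disinfection failed":
                rec["disinfect_failed"] = True   # in-place clean failed; scanner deletes next
            else:
                rec["outcome"] = line
            pending = None
    return files

def report(files):
    """Hit counts per location plus every file that never reached 'Deleted'."""
    counts = {}
    for rec in files.values():
        counts[rec["location"]] = counts.get(rec["location"], 0) + 1
    return counts, sorted(p for p, r in files.items() if r["outcome"] != "Deleted")
```

Anything left in the unresolved list after a run is what still needs attention; a non-empty restore-point count is the reason the helper below has the old restore points purged.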

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 January 2008 - 12:37 AM

Hello,

How is it running please?

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.

I'd like one more online scan, please:

Navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop. Close the Kaspersky On-line Scanner window. Please post the report in your reply. :thumbsup:

Thanks,
tea

Edited by teacup61, 31 January 2008 - 12:37 AM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#11 mysilver81

mysilver81
  • Topic Starter
  • Members
  • 9 posts

Posted 31 January 2008 - 12:02 PM

Well, you did it. Thanks!

I think my computer has never run so smoothly. Great job!

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 February 2008 - 08:18 PM

You're most welcome, and I'm so glad. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.