Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo


  • This topic is locked This topic is locked
15 replies to this topic

#1 maryba

maryba

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 24 February 2008 - 01:00 AM

I've got a Vundo infection. Antivir detects it in form of "ddccy.dll" in c:\Windows\system32 and says it's a form of "TR/Vundo/Gen".

Spybot, AdAware, and COMODO Firewall variously detect it as Virtumundo or not at all and none can remove it. Using HiJackThis to tell Windows to suppress ddccy.dll from starting on reboot doesn't work - though I think I see why.

Adaware and Antivir can no longer get virus-definition automatic updates. I've been able to manually update Adaware.

Actions occuring:
- the Antivir detection occurs anytime a new browser session (IE) starts up
- extra browser ad-based windows open occasionally
- Windows Explorer windows take a very long time to display folder/file names
- anytime Outlook Express is started, Windows Messenger is started - this didn't use to happen
- when running HiJackThis, AntiVir is detecting ddccy.dll/Vundo like crazy - every 2-3 seconds - throughout entire session
There's probably a few other things that also are happening since the infection occurred but can't think of them right now.

I did an AdAware scan and TAC files removal prior to running the HJT session that created the accompanying log. On reboot into Safe mode, AdAware showed no detections.

Any help would be greatly appreciated.

Mike

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 25 February 2008 - 09:44 PM

Hello maryba,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 27 February 2008 - 01:09 AM

Tea,

Shut off TeaTimer, ran combofix (very, very long, sorta scary). After combofix rebooted and displayed its log, I couldn't use computer. Only desktop was showing but no Windows Start button or toolbar (at bottom of screen). Was able to Ctrl-Alt-Del up a session of TaskManager but couldn't do anything else. So, did a warm reboot and everything restarted ok.

When I started a Windows Explorer session, AntiVir detected Vundo again (running in c:\windows\system32\ddccy.dll). However, when I ran a session of HiJackThis, there were no Vundo detects as there had continously been prior to running combofix.

Then, when I started a session of IE, Vundo was detected again, as has been usual since first infected.

Here's combofix's log followed by current HJT log:

ComboFix 08-02-25.3 - HP_Owner 2008-02-26 21:36:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.124 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\ddcccya.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\ws386.ini
D:\Autorun.inf
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://toolbar.google.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-15 03:12 . 2008-02-15 03:12 <DIR> d-------- C:\Program Files\COMODO
2008-02-15 03:12 . 2008-02-15 03:12 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Comodo
2008-02-15 03:12 . 2008-02-15 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-15 03:12 . 2008-02-15 03:12 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-15 03:12 . 2008-02-19 21:18 84,856 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-15 03:12 . 2008-02-15 03:12 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-10 20:04 . 2008-02-10 20:03 691,545 --a------ C:\WINDOWS\unins002.exe
2008-02-10 20:04 . 2008-02-10 20:04 3,448 --a------ C:\WINDOWS\unins002.dat
2008-01-28 06:19 . 2008-01-28 12:33 25,630 --ahs---- C:\WINDOWS\system32\ofsyjkjg.dllbox-x
2008-01-27 18:14 . 2008-01-27 18:14 333,312 --------- C:\WINDOWS\system32\ddccy.dll
2008-01-27 10:41 . 2008-01-27 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-27 10:39 . 2008-01-28 06:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 05:01 --------- d-----w C:\Program Files\RMP2
2008-02-11 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 02:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 04:20 --------- d-----w C:\Program Files\Trend Micro
2008-02-06 05:53 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Skype
2008-01-05 10:02 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\vlc
2008-01-05 09:55 --------- d-----w C:\Program Files\VideoLAN
2008-01-05 09:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-05 09:46 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\GRETECH
2008-01-05 09:45 --------- d-----w C:\Program Files\GRETECH
2008-01-02 09:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 09:27 --------- d-----w C:\Program Files\Google
2007-02-15 03:23 2,240,441 ----a-w C:\Program Files\v3.3 upgrade 2959ab438dfb.zip
2006-11-27 02:25 774,144 ----a-w C:\Program Files\xRngInterstitial.dll
2006-11-17 03:16 6 ----a-w C:\Documents and Settings\HP_Owner\ex.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019E78B4-FE13-43F4-BBAC-E44BE347991B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C23A48CA-809A-4BE3-9453-C30D6B3ED4B7}]
2008-01-27 18:14 333312 --------- C:\WINDOWS\system32\ddccy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:06 1667584]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [2008-01-02 12:00 1545216]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 18:18 68856]
"Wise-FTP Scheduler"="C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" [2004-05-12 10:47 542720]
"Sonic RecordNow!"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 19:43 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 03:21 50176 C:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 15:03 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-25 02:41 95960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-05-18 15:28 36972]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-07 15:20 98304]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2004-01-20 18:25 124056]
"jEdit Server"="C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe" [2004-08-07 13:36 28779]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 19:28 286720]
"IS CfgWiz"="c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [2004-01-20 18:25 124056]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-27 10:01 169984]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-04 19:53 176216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 16:45 71280]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:44 249896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-19 21:17 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 07:52 218232]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
RMP2.lnk - C:\Program Files\RMP2\RMP2.exe [2007-03-28 15:17:57 1073152]
WinMySQLadmin.lnk - C:\mysql\bin\winmysqladmin.exe [2006-06-27 09:14:45 936448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcceleRun.lnk - C:\Program Files\AcceleRun\accelerunagent.exe [2006-07-18 13:20:55 406528]
Giganews Accelerator.lnk - C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe [2007-10-08 10:56:50 757760]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 08:05:56 65588]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [2004-03-18 10:15:54 41042]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcccya]
ddcccya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ofsyjkjg]
ofsyjkjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"G:\\drives - from other computers\\fujitsu - original from Pentium II - 4gb\\WINDOWS NT (G)\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\mysql\\bin\\mysqld.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-05 18:46]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-05 18:46]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-19 21:18]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-15 03:12]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{188e81e4-9fb4-11d9-8924-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-27 05:10:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 23:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\system32\drivers

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"="\"1&1 EasyLogin\" HIDE"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-26 23:25:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 05:17:44







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:49 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C23A48CA-809A-4BE3-9453-C30D6B3ED4B7} - C:\WINDOWS\system32\ddccy.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [jEdit Server] "C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe" -Xms64M -Xmx192M -jar "C:\Program Files\jEdit\jedit.jar" -background -nogui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [1&1 EasyLogin] "C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: RMP2.lnk = C:\Program Files\RMP2\RMP2.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: AcceleRun.lnk = C:\Program Files\AcceleRun\accelerunagent.exe
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.mosaic.com
O15 - Trusted Zone: www.mosaicsalessolutions.com
O15 - Trusted IP range: 63.77.193.76
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: ofsyjkjg - ofsyjkjg.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.germaglow.com/i/t1.jpg

--
End of file - 13394 bytes



Tea, is there any hope?

Thanks in advance for your help.

Mike
====

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 27 February 2008 - 01:27 AM

Hello Mike,

Yes, there's hope. :blink: This stuff is just nasty. We'll get it. :thumbsup:

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddcccya.dll
C:\WINDOWS\system32\ofsyjkjg.dllbox-x

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019E78B4-FE13-43F4-BBAC-E44BE347991B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C23A48CA-809A-4BE3-9453-C30D6B3ED4B7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcccya]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ofsyjkjg]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 27 February 2008 - 04:36 AM

Tea,

No Vundo detects! See combofix and HJT logs and tell me I'm all well.

If by chance this might be your last communication back to me, then:
- thanks big time for the fix
- can you recommend a good, simple 2-way firewall? I had installed COMODO for its 2way but find that it a whole bunch more - asking permission for everything that's happening while it's still in learning process. While it's interesting and pretty informative/revealing, it mostly gets in the way. I should be ok enough with a good malware detector/blocker. Speaking of which, whould you have any recommendation for that?
- could you give me the URL for the ComboFix use instructions? I saw it on an interim dialog while executing CF, but didn't think to note the URL until after I'd hit the OK button.

If you don't have time or inclination to answer, I'll understand. But, thanks again for the removal guidance.


logs:

ComboFix 08-02-25.3 - HP_Owner 2008-02-27 2:17:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.402 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ddcccya.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ofsyjkjg.dllbox-x
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ofsyjkjg.dllbox-x

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-15 03:12 . 2008-02-15 03:12 <DIR> d-------- C:\Program Files\COMODO
2008-02-15 03:12 . 2008-02-15 03:12 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Comodo
2008-02-15 03:12 . 2008-02-15 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-15 03:12 . 2008-02-15 03:12 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-15 03:12 . 2008-02-19 21:18 84,856 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-15 03:12 . 2008-02-15 03:12 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-10 20:04 . 2008-02-10 20:03 691,545 --a------ C:\WINDOWS\unins002.exe
2008-02-10 20:04 . 2008-02-10 20:04 3,448 --a------ C:\WINDOWS\unins002.dat
2008-01-27 10:41 . 2008-01-27 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-27 10:39 . 2008-01-28 06:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 05:48 --------- d-----w C:\Program Files\RMP2
2008-02-11 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 02:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 04:20 --------- d-----w C:\Program Files\Trend Micro
2008-02-06 05:53 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Skype
2008-01-05 10:02 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\vlc
2008-01-05 09:55 --------- d-----w C:\Program Files\VideoLAN
2008-01-05 09:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-05 09:46 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\GRETECH
2008-01-05 09:45 --------- d-----w C:\Program Files\GRETECH
2008-01-02 09:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 09:27 --------- d-----w C:\Program Files\Google
2007-02-15 03:23 2,240,441 ----a-w C:\Program Files\v3.3 upgrade 2959ab438dfb.zip
2006-11-27 02:25 774,144 ----a-w C:\Program Files\xRngInterstitial.dll
2006-11-17 03:16 6 ----a-w C:\Documents and Settings\HP_Owner\ex.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C23A48CA-809A-4BE3-9453-C30D6B3ED4B7}]
C:\WINDOWS\system32\ddccy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:06 1667584]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [2008-01-02 12:00 1545216]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 18:18 68856]
"Wise-FTP Scheduler"="C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" [2004-05-12 10:47 542720]
"Sonic RecordNow!"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 19:43 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 03:21 50176 C:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 15:03 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-25 02:41 95960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-05-18 15:28 36972]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-07 15:20 98304]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2004-01-20 18:25 124056]
"jEdit Server"="C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe" [2004-08-07 13:36 28779]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 19:28 286720]
"IS CfgWiz"="c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [2004-01-20 18:25 124056]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-27 10:01 169984]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-04 19:53 176216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 16:45 71280]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:44 249896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-19 21:17 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 07:52 218232]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
RMP2.lnk - C:\Program Files\RMP2\RMP2.exe [2007-03-28 15:17:57 1073152]
WinMySQLadmin.lnk - C:\mysql\bin\winmysqladmin.exe [2006-06-27 09:14:45 936448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcceleRun.lnk - C:\Program Files\AcceleRun\accelerunagent.exe [2006-07-18 13:20:55 406528]
Giganews Accelerator.lnk - C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe [2007-10-08 10:56:50 757760]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 08:05:56 65588]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [2004-03-18 10:15:54 41042]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ofsyjkjg]
ofsyjkjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"G:\\drives - from other computers\\fujitsu - original from Pentium II - 4gb\\WINDOWS NT (G)\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\mysql\\bin\\mysqld.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-05 18:46]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-05 18:46]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-19 21:18]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-15 03:12]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{188e81e4-9fb4-11d9-8924-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-27 09:05:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 03:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"="\"1&1 EasyLogin\" HIDE"
.
Completion time: 2008-02-27 3:06:13
ComboFix-quarantined-files.txt 2008-02-27 09:06:04
ComboFix2.txt 2008-02-27 05:25:21









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:46 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [jEdit Server] "C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe" -Xms64M -Xmx192M -jar "C:\Program Files\jEdit\jedit.jar" -background -nogui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [1&1 EasyLogin] "C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: RMP2.lnk = C:\Program Files\RMP2\RMP2.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: AcceleRun.lnk = C:\Program Files\AcceleRun\accelerunagent.exe
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.mosaic.com
O15 - Trusted Zone: www.mosaicsalessolutions.com
O15 - Trusted IP range: 63.77.193.76
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

--
End of file - 13201 bytes





Mike
====

#6 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 27 February 2008 - 02:58 PM

Uhhh... Tea,

I just got an AntiVir detect of TR/Trash.gen (I think it was gen) from C:\System Volume Information folder.

It apparently wasn't in response to any application use. I was away from computer at time and only open windows were Excel, Outlook Express, IE, and Windows Explorer. Like maybe AntiVir was just going about a background scan?

I seem to remember getting earlier (prior to Vundo infection) occasional detects from stuff in System Volume Information because I remember not being able to access or even view folder contents.

Any resaon to be concerned?

Mike

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 27 February 2008 - 03:55 PM

Hi Mike,

Not to worry. Those aren't a threat, and we can fix it. :wacko:

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C23A48CA-809A-4BE3-9453-C30D6B3ED4B7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ofsyjkjg]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now to get to your questions. :blink:

Keep Comodo, especially if you don't use a router. Comodo is what I use, and after you "teach" it most of the places you go, it won't get in the way as much. :thumbsup:

ComboFix is not a general use tool. That's why I asked you to delete it. You can render your system totally useless if you aren't careful.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Hope this helps. Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 28 February 2008 - 12:43 AM

Hi tea,

Have done all your last set of steps. Will review and take to heart your recommendations. I must say, I've been standoffish about doing Windows updates since I've read and heard horror stories about some of the failures and complications that arise. But, I suppose now that I've had the good sense to follow your instructions and do a restorepoint, a Windows update doesn't have to be such a threat.

Is there any complications that arise from simultaneous running of multiple virus checkers/blockers and multiple firewalls? Thought I understood that there should only be one firewall running at a time. But I like having Windows firewall running because I can always see its log contents - and I haven't yet been able to view similar, all-inclusive detail in COMODO.

Also, I noted your comment about keeping Comodo, especially if no router. It happens that all my internet connection runs through a router. It's been a while since I looked at its documentation, but does it likely have a two-way firewall? That's all I'm primarily interested in.

I'll check out the links you've given me re the programs and the tutorial on firewalls so you don't have to spin your wheels any further.

My sincere thanks for your help.

Mike

p.s. Combofix is gone. Rest easy.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 28 February 2008 - 12:52 AM

Hi there Mike,

Yes, there are complications. When you run 2 AVs, or 2 Firewalls, they fight for resources and can actually cause system instability. In your specific case, since you run a router I think you'll be all right running Windows Firewall. I'd certainly be more emphatic if you weren't. :blink: Uninstall Comodo if that's what you're going to do. Please do look at the explanation for firewalls. I don't consider answering your questions spinning my wheels.....how else will you ever know? And will I have helped you by not answering them? Besides, I had to ask the same questions myself once upon a time. :thumbsup:

Best,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 28 February 2008 - 05:38 AM

tea,

Have any idea why I'm not able to ftp into some sites that I had been able to prior to the Vundo crises? Don't think I tried to do so until after doing fixes.

I can't WS-FTP into 2 sites but I can IE ftp into one of the two sites. I've tried both with COMODO off, COMODO and Windows firewall of - still get same results.

I appreciate this might be outside your realm but thought I should ask.

Mike

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 28 February 2008 - 10:24 AM

Hello,

Yes, definitely not my forte. Silly question, perhaps, but you use 1&1........? In your logs I see an entry for 1&1 and it says file missing. You can tell by the "[]". Might be something to do with that, if you haven't already looked into it. Heh, or it might not......I'm just not sure. If this isn't the problem, you can ask in one of the Windows forums here. You'll likely get more informed answers on the subject. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 28 February 2008 - 11:31 AM

Tea,

One of the sites is 1&1. I'll check out your recommendations.

Thanks,

Mike

#13 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 29 February 2008 - 01:26 AM

Tea,

FYI: FTP problem went away with uninstall of COMODO. I'll figure another 2-way firewall solution later.

Mike

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:31 AM

Posted 29 February 2008 - 11:32 PM

Hi Mike,

Thanks for letting me know. All the little bits and bobs help, and if I come upon this again I'll know to have them try what you did. :thumbsup:

Regards,
tea Posted Image
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 01 March 2008 - 04:20 AM

tea,

Glad to add.

Again, thanks a bunch.

Mike




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users