
Infected With Malware - Vundo - Trats!inf


This topic is locked
13 replies to this topic

#1 mreimpell

  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 28 February 2008 - 11:36 AM

I got a suggestion from Shaba to join this forum and upload a log from HijackThis. I have a computer with Norton antivirus that is INFECTED, and it seems I have done all I know to try to clean it. I'm detecting mmllmk and can't delete it because it's "in use". I have tried in safe mode with no success. I run Norton and detect viruses that are quarantined, and when I start Windows in normal mode they all come back again... Please help!

I'm attaching my hijackthis here... Thanks in advance!

I was told that the HijackThis version I had was an old one. I had version 2.0.2, which I think is the newest. Anyway, I uninstalled and downloaded it again. Here is the new log.

******************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:21 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [fcd9ef24] rundll32.exe "C:\WINDOWS\system32\tolycjxj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4386 bytes

Edited by mreimpell, 28 February 2008 - 01:48 PM.



#2 mreimpell
  • Topic Starter
  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 29 February 2008 - 12:49 PM

Every time I open IE the security level is at its minimum. I keep resetting it.
My windows definitions are up to date, windows firewall is on.
I have run:
Norton (many times). Definitions are up-to-date
Spybot (many times)
Panda
spysweeper
stinger
bitdefender
fixvundo from symantec (does not do ANYTHING)
Ad-ware 2007 (4 times)

I also downloaded Autoruns. The file that is driving me crazy is mllmk. Autoruns tells me that the dll is under:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

Grrrrr I have never seen one here!

The vptray of Norton is infected so, if I delete the infections it won't work! I keep uninstalling it and re-installing.

I really need to get this solved... do you guys think I should just format the computer? I have posted so many topics in so many forums and haven't got even ONE reply!!!

Here is my new log. If you guys do not know what can be done, would you please let me know so I just go ahead and format this monster? And please don't even think I'm disappointed... I'm just sooooo frustrated and tired.. I use my pc for work! ahhhhhhhh Thanks again!

******************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:35 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [fcd9ef24] rundll32.exe "C:\WINDOWS\system32\jahhqtxl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4430 bytes
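Both HijackThis logs above carry the same autostart pattern: an O4 value with an eight-hex-digit name that uses rundll32.exe to load a DLL with a random-looking eight-letter name from system32 (tolycjxj.dll in the first log, jahhqtxl.dll in the second), and Autoruns found the dropped DLL registered under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, a value that lsass.exe loads at boot, which is why the file is always "in use". The Python below is an added example, not code from this thread or from HijackThis, Autoruns or any other tool named here. It parses O4 lines in HijackThis format and flags that rundll32 pattern, and it compares an Authentication Packages list against the Windows XP default (msv1_0 only). The sample O4 lines are copied from the logs in this thread plus one constructed benign rundll32 entry for contrast; the sample registry value is constructed, patterned on the path Malwarebytes reports later in the thread; the live registry read only runs on Windows and is skipped elsewhere.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample input: four O4 lines copied from the HijackThis logs
# posted in this thread, plus one benign rundll32 entry made up for contrast.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe',
    r'O4 - HKLM\..\Run: [fcd9ef24] rundll32.exe "C:\WINDOWS\system32\tolycjxj.dll",b',
    r'O4 - HKLM\..\Run: [fcd9ef24] rundll32.exe "C:\WINDOWS\system32\jahhqtxl.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [NvCpl] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',  # constructed, benign
]

# Constructed REG_MULTI_SZ contents, patterned on the Authentication Packages
# value Malwarebytes reports later in this thread.
SAMPLE_AUTH_PACKAGES = ['msv1_0', r'c:\docume~1\guest\locals~1\temp\mllmk']

# Default contents of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages on Windows XP.
DEFAULT_XP_AUTH_PACKAGES = ['msv1_0']

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?(?:\s*,\s*(?P<export>[^\s,]*))?',
    re.IGNORECASE,
)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split a HijackThis O4 autostart line into hive, key, value name and command."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export_name) when the command launches rundll32, else None."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return m.group('path'), m.group('export') or ''


def flag_o4_line(line: str) -> List[str]:
    """Reasons an O4 entry looks like the Vundo-style rundll32 loader seen in this thread."""
    reasons: List[str] = []
    entry = parse_o4(line)
    if entry is None:
        return reasons
    target = rundll32_target(entry['cmd'])
    if target is None:
        return reasons
    path, export = target
    base = path.rsplit('\\', 1)[-1].lower()
    stem = base[:-4] if base.endswith('.dll') else base
    # Heuristic tuned to the names in this thread (tolycjxj.dll, jahhqtxl.dll):
    # eight lowercase letters, no digits. A real deployment needs an allowlist.
    if re.fullmatch(r'[a-z]{8}', stem):
        reasons.append(f'rundll32 loads random-looking DLL {base}')
    if len(export) == 1:
        reasons.append(f'single-letter export "{export}"')
    if re.fullmatch(r'[0-9a-f]{8}', entry['name'].lower()):
        reasons.append(f'value name "{entry["name"]}" is eight hex digits')
    return reasons


def scan_hjt(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious O4 line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        reasons = flag_o4_line(line)
        if reasons:
            findings[line] = reasons
    return findings


def unexpected_auth_packages(packages: List[str],
                             baseline: List[str] = DEFAULT_XP_AUTH_PACKAGES) -> List[str]:
    """Entries in the LSA Authentication Packages value that are not in the baseline."""
    known = {p.lower() for p in baseline}
    return [p for p in packages if p.lower() not in known]


def read_auth_packages_windows() -> Optional[List[str]]:
    """Read the live value on Windows; returns None elsewhere so the example runs offline."""
    if sys.platform != 'win32':
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r'SYSTEM\CurrentControlSet\Control\Lsa') as key:
        value, _kind = winreg.QueryValueEx(key, 'Authentication Packages')
    return list(value)


if __name__ == '__main__':
    for line, reasons in scan_hjt(SAMPLE_HJT_LINES).items():
        print(line)
        for r in reasons:
            print('   ->', r)
    live = read_auth_packages_windows()
    packages = live if live is not None else SAMPLE_AUTH_PACKAGES
    for extra in unexpected_auth_packages(packages):
        print('Unexpected LSA authentication package:', extra)
```

Run on the sample, the two fcd9ef24 lines are flagged on all three counts while vptray, ctfmon and the constructed NvCpl entry pass, and the constructed registry list yields the temp-folder path as the only non-default authentication package. The eight-letter heuristic is deliberately narrow: it matches the Vundo-era naming visible in this thread and will produce false positives on some legitimate DLLs, so on a real system it should be paired with an allowlist or a check against the file's publisher signature; the Authentication Packages comparison, by contrast, is a straight baseline diff and is the more reliable of the two checks.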

#3 ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:02:38 PM

Posted 29 February 2008 - 01:22 PM

Hello mreimpell,

Welcome to the Bleeping Computer Malware Removal Forum. Reply to this thread only by using Add Reply and do not start a New Topic, or your posts will be all over the forum and we won't be able to keep track of you.

Create a new folder in your C:\Program Files folder and name it HJT, then Cut HJT from where you currently have it installed and Paste it into the new folder... this is for backup purposes.


Run these programs in the order listed, please. I need to see the report for each program, and after you run the last program (Combofix) then post a new HJT log.

Download VundoFix to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.





Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.


Just a reminder that threads will be closed if no response in 3 days


#4 mreimpell
  • Topic Starter
  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 03 March 2008 - 08:56 AM

Hello HJT Team and thanks for your reply. I tried to reply before instead of posting a new topic and I got a message saying that only members of the HJT Team could reply? Or maybe I did something wrong... Oh well. Below you will find my logs...

****************************

VUNDOFIX.TXT:


VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 2:05:32 PM 2/29/2008

Listing files found while scanning....

C:\WINDOWS\system32\afkhxnwp.dll
C:\WINDOWS\system32\arejnnfc.dll
C:\WINDOWS\system32\ayquhuxg.dll
C:\WINDOWS\system32\bkkieioo.dll
C:\WINDOWS\system32\cbuwvtth.dll
C:\WINDOWS\system32\claevvon.dll
C:\WINDOWS\system32\dfovtptg.dll
C:\WINDOWS\system32\djtrafce.dll
C:\WINDOWS\system32\dtthatsm.ini
C:\WINDOWS\system32\dxsbbnxm.dll
C:\WINDOWS\system32\fgrcwpqa.dll
C:\WINDOWS\system32\fpyooaoj.dll
C:\WINDOWS\system32\fxeloxbx.dll
C:\WINDOWS\system32\fxxvvgic.dll
C:\WINDOWS\system32\hpanqhdw.dll
C:\WINDOWS\system32\jahhqtxl.dll
C:\WINDOWS\system32\jjcagkoe.dll
C:\WINDOWS\system32\kkovcunp.dll
C:\WINDOWS\system32\kqxytjbp.dll
C:\WINDOWS\system32\ktdvtxht.dll
C:\WINDOWS\system32\lxtqhhaj.ini
C:\WINDOWS\system32\mcogcsbv.dll
C:\WINDOWS\system32\mstahttd.dll
C:\WINDOWS\system32\nqqkpoxu.dll
C:\WINDOWS\system32\ooieikkb.ini
C:\WINDOWS\system32\ptoglcqi.dll
C:\WINDOWS\system32\qkgkbglo.dll
C:\WINDOWS\system32\qpmgbopt.dll
C:\WINDOWS\system32\sykspywi.dll
C:\WINDOWS\system32\thxtvdtk.ini
C:\WINDOWS\system32\tprtiatm.dll
C:\WINDOWS\system32\uimwdcvm.dll
C:\WINDOWS\system32\umkuglvn.dll
C:\WINDOWS\system32\vdfmoueg.dll
C:\WINDOWS\system32\vdohfwrb.dll
C:\WINDOWS\system32\vqpxqixq.dll
C:\WINDOWS\system32\wbwpxles.dll
C:\WINDOWS\system32\wkxamloj.dll
C:\WINDOWS\system32\xaqcnldt.dll
C:\WINDOWS\system32\xbxolexf.ini
C:\WINDOWS\system32\xcrlvdeb.dll
C:\WINDOWS\system32\xpcvmjqp.dll
C:\WINDOWS\system32\xslkwpej.dll
C:\WINDOWS\system32\yibqlqeo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\afkhxnwp.dll
C:\WINDOWS\system32\afkhxnwp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\arejnnfc.dll
C:\WINDOWS\system32\arejnnfc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayquhuxg.dll
C:\WINDOWS\system32\ayquhuxg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bkkieioo.dll
C:\WINDOWS\system32\bkkieioo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbuwvtth.dll
C:\WINDOWS\system32\cbuwvtth.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\claevvon.dll
C:\WINDOWS\system32\claevvon.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfovtptg.dll
C:\WINDOWS\system32\dfovtptg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\djtrafce.dll
C:\WINDOWS\system32\djtrafce.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dtthatsm.ini
C:\WINDOWS\system32\dtthatsm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dxsbbnxm.dll
C:\WINDOWS\system32\dxsbbnxm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgrcwpqa.dll
C:\WINDOWS\system32\fgrcwpqa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fpyooaoj.dll
C:\WINDOWS\system32\fpyooaoj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fxeloxbx.dll
C:\WINDOWS\system32\fxeloxbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fxxvvgic.dll
C:\WINDOWS\system32\fxxvvgic.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hpanqhdw.dll
C:\WINDOWS\system32\hpanqhdw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jahhqtxl.dll
C:\WINDOWS\system32\jahhqtxl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjcagkoe.dll
C:\WINDOWS\system32\jjcagkoe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kkovcunp.dll
C:\WINDOWS\system32\kkovcunp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kqxytjbp.dll
C:\WINDOWS\system32\kqxytjbp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ktdvtxht.dll
C:\WINDOWS\system32\ktdvtxht.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxtqhhaj.ini
C:\WINDOWS\system32\lxtqhhaj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mcogcsbv.dll
C:\WINDOWS\system32\mcogcsbv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mstahttd.dll
C:\WINDOWS\system32\mstahttd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqqkpoxu.dll
C:\WINDOWS\system32\nqqkpoxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ooieikkb.ini
C:\WINDOWS\system32\ooieikkb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptoglcqi.dll
C:\WINDOWS\system32\ptoglcqi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qkgkbglo.dll
C:\WINDOWS\system32\qkgkbglo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpmgbopt.dll
C:\WINDOWS\system32\qpmgbopt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sykspywi.dll
C:\WINDOWS\system32\sykspywi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\thxtvdtk.ini
C:\WINDOWS\system32\thxtvdtk.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tprtiatm.dll
C:\WINDOWS\system32\tprtiatm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uimwdcvm.dll
C:\WINDOWS\system32\uimwdcvm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\umkuglvn.dll
C:\WINDOWS\system32\umkuglvn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vdfmoueg.dll
C:\WINDOWS\system32\vdfmoueg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vdohfwrb.dll
C:\WINDOWS\system32\vdohfwrb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqpxqixq.dll
C:\WINDOWS\system32\vqpxqixq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wbwpxles.dll
C:\WINDOWS\system32\wbwpxles.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wkxamloj.dll
C:\WINDOWS\system32\wkxamloj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaqcnldt.dll
C:\WINDOWS\system32\xaqcnldt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbxolexf.ini
C:\WINDOWS\system32\xbxolexf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xcrlvdeb.dll
C:\WINDOWS\system32\xcrlvdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xpcvmjqp.dll
C:\WINDOWS\system32\xpcvmjqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xslkwpej.dll
C:\WINDOWS\system32\xslkwpej.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yibqlqeo.dll
C:\WINDOWS\system32\yibqlqeo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 2:32:11 PM 2/29/2008

Listing files found while scanning....

C:\WINDOWS\system32\nvlgukmu.ini
C:\WINDOWS\system32\umkuglvn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nvlgukmu.ini
C:\WINDOWS\system32\nvlgukmu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\umkuglvn.dll
C:\WINDOWS\system32\umkuglvn.dll Has been deleted!

Performing Repairs to the registry.
Done!

****************************************************

MALWAREBYTES ANTI-MALWARE

Malwarebytes' Anti-Malware 1.05
Database version: 442

Scan type: Quick Scan
Objects scanned: 45055
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\quemjrht.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\mllmk.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5adbfad2-e1f0-4b6a-a1eb-d6fac4459b69} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5adbfad2-e1f0-4b6a-a1eb-d6fac4459b69} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndshell3.bho (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndshell3.bho.1 (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\docume~1\guest\locals~1\temp\mllmk -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\quemjrht.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\thrjmeuq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\mllmk.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Guest\Local Settings\Temp\mllmk.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\kmllm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\kmllm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Install (Rogue.Multiple) -> Quarantined and deleted successfully.

*********************************************

COMBOFIX.TXT

ComboFix 08-03-01 - Owner 2008-03-03 8:35:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adhirpfg.ini
C:\WINDOWS\system32\alueiplh.ini
C:\WINDOWS\system32\aplwbbsc.ini
C:\WINDOWS\system32\aqwuviqw.ini
C:\WINDOWS\system32\awsmtevo.ini
C:\WINDOWS\system32\bhssekfy.ini
C:\WINDOWS\system32\ccyfyfsu.ini
C:\WINDOWS\system32\cfvlxqmt.ini
C:\WINDOWS\system32\ciqlsxpv.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dhbmdxym.ini
C:\WINDOWS\system32\djaickoc.ini
C:\WINDOWS\system32\dlqalfop.ini
C:\WINDOWS\system32\dpyfocdy.dll
C:\WINDOWS\system32\ecvylenk.ini
C:\WINDOWS\system32\ektbjalx.ini
C:\WINDOWS\system32\fagbuovh.ini
C:\WINDOWS\system32\fboarurw.ini
C:\WINDOWS\system32\freudowe.ini
C:\WINDOWS\system32\gbhybboo.ini
C:\WINDOWS\system32\gqpvmaib.dll
C:\WINDOWS\system32\gwmljqmd.dll
C:\WINDOWS\system32\halydpae.ini
C:\WINDOWS\system32\haybishw.ini
C:\WINDOWS\system32\hdqekury.ini
C:\WINDOWS\system32\hnldtfeq.ini
C:\WINDOWS\system32\hubnpsrq.dll
C:\WINDOWS\system32\idjxvneh.ini
C:\WINDOWS\system32\ihghcddc.ini
C:\WINDOWS\system32\jlyjvhed.ini
C:\WINDOWS\system32\jolmaxkw.ini
C:\WINDOWS\system32\jtwfuujs.ini
C:\WINDOWS\system32\jxukmnld.ini
C:\WINDOWS\system32\jylbqhol.ini
C:\WINDOWS\system32\kiplkhsm.ini
C:\WINDOWS\system32\klnegidw.dll
C:\WINDOWS\system32\kruxxjli.ini
C:\WINDOWS\system32\ktjptpia.ini
C:\WINDOWS\system32\kvttmsxq.ini
C:\WINDOWS\system32\lgqebaot.ini
C:\WINDOWS\system32\llaewacl.ini
C:\WINDOWS\system32\lpldoeai.ini
C:\WINDOWS\system32\lxddnlqq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkebjigp.dll
C:\WINDOWS\system32\muafmjuc.ini
C:\WINDOWS\system32\nhhcnhko.ini
C:\WINDOWS\system32\nkrujyot.ini
C:\WINDOWS\system32\nyiksuxe.ini
C:\WINDOWS\system32\oewatapn.ini
C:\WINDOWS\system32\ofcjdcxu.dll
C:\WINDOWS\system32\plxjphyu.ini
C:\WINDOWS\system32\pricdiuq.dll
C:\WINDOWS\system32\qgepfemk.dll
C:\WINDOWS\system32\qghagtjc.ini
C:\WINDOWS\system32\qoljhwpa.dll
C:\WINDOWS\system32\quidcirp.ini
C:\WINDOWS\system32\qxiqxpqv.ini
C:\WINDOWS\system32\rbpxuima.ini
C:\WINDOWS\system32\rhcwjogp.ini
C:\WINDOWS\system32\rjagtsjb.ini
C:\WINDOWS\system32\rogkoifq.ini
C:\WINDOWS\system32\rubnwqdv.ini
C:\WINDOWS\system32\ryvgpctc.ini
C:\WINDOWS\system32\sbthlyxt.dll
C:\WINDOWS\system32\scabowsw.ini
C:\WINDOWS\system32\ssklynbq.ini
C:\WINDOWS\system32\suertimp.ini
C:\WINDOWS\system32\tqrvuyiy.dll
C:\WINDOWS\system32\tsedmkud.ini
C:\WINDOWS\system32\tuwwiwrg.ini
C:\WINDOWS\system32\tvtjshol.dll
C:\WINDOWS\system32\ukwwtyft.ini
C:\WINDOWS\system32\uthesyjp.ini
C:\WINDOWS\system32\uubcfaat.ini
C:\WINDOWS\system32\vianlcww.ini
C:\WINDOWS\system32\vvkwlpxo.ini
C:\WINDOWS\system32\vwyaurpp.ini
C:\WINDOWS\system32\vxoyhcqn.ini
C:\WINDOWS\system32\wneodlrt.ini
C:\WINDOWS\system32\wrrbqwod.ini
C:\WINDOWS\system32\wuvmgner.ini
C:\WINDOWS\system32\xesxuruq.dll
C:\WINDOWS\system32\xqqefrew.ini
C:\WINDOWS\system32\xrwhhagq.ini
C:\WINDOWS\system32\xuuaqrjt.ini
C:\WINDOWS\system32\ykkvbejv.ini
C:\WINDOWS\system32\ymxsweap.ini
C:\WINDOWS\system32\ynkhhfgm.ini
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://au.download.windowsup§j
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 08:13 . 2008-03-03 08:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 14:05 . 2008-02-29 14:31 <DIR> d-------- C:\VundoFix Backups
2008-02-29 13:58 . 2008-02-29 13:59 <DIR> d-------- C:\Program Files\HJT
2008-02-29 08:34 . 2008-02-29 09:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-28 21:34 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 21:33 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vukwpmoommyh.sys
2008-02-28 21:19 . 2008-02-28 21:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 21:19 . 2008-02-28 21:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 21:19 . 2008-02-28 21:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 21:18 . 2008-02-28 22:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-28 19:33 . 2008-02-28 19:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 19:33 . 2008-02-28 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 19:32 . 2008-02-28 19:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:01 . 2008-02-28 18:03 <DIR> d-------- C:\temp
2008-02-28 13:37 . 2008-02-28 13:37 294 ---hs---- C:\WINDOWS\system32\jxjcylot.ini
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Program Files\Webroot
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-08 13:27 . 2008-02-08 13:26 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-08 13:27 . 2008-02-08 13:26 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-08 13:27 . 2008-02-08 13:26 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-08 13:26 . 2008-02-08 13:26 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-02-08 13:26 . 2008-02-08 13:27 <DIR> d-------- C:\Program Files\Symantec
2008-02-08 10:30 . 2008-02-08 10:30 <DIR> d-------- C:\Documents and Settings\KLAFAY~1~CO\LOCALS~1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 09:23 --------- d-----w C:\Program Files\LogMeIn
2008-02-15 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 14:03 --------- d-----w C:\Program Files\Plaxo
2008-02-06 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-05 19:58 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-01 23:55 --------- d-----w C:\Program Files\iTunes
2008-01-30 23:38 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2008-01-30 12:55 --------- d-----w C:\Program Files\RcvSystem
2008-01-30 12:55 --------- d-----w C:\Program Files\QuickTime
2008-01-26 17:29 --------- d-----w C:\Program Files\AIM
2008-01-25 21:04 --------- d-----w C:\Program Files\Winamp
2008-01-25 15:59 --------- d-----w C:\Program Files\Picasa2
2008-01-25 15:59 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-24 20:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-01-19 22:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-06 04:32 --------- d-----w C:\Documents and Settings\klafay@embarqmail.co\Application Data\Apple Computer
.
<pre>
----a-w		   307,200 2008-01-25 16:00:24  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			67,160 2008-01-25 21:17:52  C:\Program Files\AIM\aim .exe
----a-w			50,792 2008-01-25 16:00:06  C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware .exe
----a-w		   124,520 2008-01-25 21:17:49  C:\Program Files\Common Files\AOL\IPHSend\IPHSend .exe
----a-w		   135,168 2008-01-25 16:00:00  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w			49,152 2008-01-25 16:00:09  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   267,048 2008-01-25 21:17:52  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   196,608 2007-12-24 00:44:48  C:\Program Files\Logitech\Video\ManifestEngine .exe
----a-w			65,602 2008-01-25 16:31:09  C:\Program Files\Logitech\VideoCall\VideoCall .exe
----a-w			63,048 2008-01-25 21:17:52  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w		 1,694,208 2008-01-25 16:24:36  C:\Program Files\Messenger\msmsgs .exe
----a-w		   335,872 2008-01-25 16:00:00  C:\Program Files\Picasa2\PicasaMediaDetector .exe
----a-w		   183,367 2008-01-25 16:00:17  C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper .exe
----a-w		   286,720 2008-01-25 16:00:12  C:\Program Files\QuickTime\QTTask			 .exe
----a-w		   286,720 2008-01-25 16:00:08  C:\Program Files\QuickTime\QTTask			.exe
----a-w		   286,720 2008-01-24 20:21:00  C:\Program Files\QuickTime\QTTask		   .exe
----a-w		   286,720 2008-01-23 22:03:13  C:\Program Files\QuickTime\QTTask		  .exe
----a-w		   286,720 2008-01-23 20:18:14  C:\Program Files\QuickTime\QTTask		 .exe
----a-w		   286,720 2008-01-19 02:12:05  C:\Program Files\QuickTime\QTTask		.exe
----a-w		   286,720 2008-01-19 01:35:59  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   286,720 2008-01-17 23:07:59  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   286,720 2008-01-17 19:07:29  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   286,720 2008-01-17 18:58:44  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   286,720 2008-01-10 13:10:53  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   286,720 2008-01-09 17:00:54  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   286,720 2008-01-08 01:41:53  C:\Program Files\QuickTime\QTTask .exe
----a-w			26,112 2008-01-24 20:20:58  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w			77,824 2008-02-08 18:39:21  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray .exe
----a-w		   158,208 2008-02-28 16:29:06  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-03-03 13:09:39  C:\WINDOWS\system32\ctfmon .exe
----a-w		   221,184 2008-01-25 16:00:03  C:\WINDOWS\system32\LVCOMSX .EXE
----a-w		17,642,616 2008-01-13 18:42:48  C:\WINDOWS\system32\MRT .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-03 08:10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
pmnligg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-03-03 08:10 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd9ef24]
C:\WINDOWS\system32\taafcbuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-19 19:51 50792 C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-24 15:20 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\DOCUME~1\Guest\LOCALS~1\Temp\mllmk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2008-01-30 19:39 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-01-30 18:43 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-26 12:30 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 22:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 18:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-02-28 13:28 3054592 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 12:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2008-01-25 10:59 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-01-25 11:00 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoCall]
--a------ 2008-01-30 18:43 65602 C:\Program Files\Logitech\VideoCall\VideoCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aim6.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Logitech\\VideoCall\\VideoCall .exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9988:TCP"= 9988:TCP:BitComet 9988 TCP
"9988:UDP"= 9988:UDP:BitComet 9988 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:09:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 08:41:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-03 8:44:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 13:43:56
.
2008-02-29 13:25:44 --- E O F ---


**********************************************************
HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:49 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4512 bytes

**************************************

I really hope you will be able to help me out with this... it really looks like Chinese to me!!!!

Thanks in advance!

#5 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 03 March 2008 - 12:35 PM

Hello,

Thanks for all the logs, you posted them all correctly. :thumbsup: What we are up against is that the Vundo infection you have is the latest variant and includes the ability to infect files and programs on your system. If you look in the blue code box in your ComboFix log, all those files and programs have been infected by this nasty trojan.


Drag Combofix to the trash and use the same link to download a fresh copy to your desktop, then do this.

Open Notepad (this will only work in Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Killall::

Killall::

RenV::
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\AIM\aim .exe
C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware .exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend .exe
C:\Program Files\Digital Media Reader\shwiconem .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Logitech\Video\ManifestEngine .exe
C:\Program Files\Logitech\VideoCall\VideoCall .exe
C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Picasa2\PicasaMediaDetector .exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper .exe
C:\Program Files\QuickTime\QTTask			 .exe
C:\Program Files\QuickTime\QTTask			.exe
C:\Program Files\QuickTime\QTTask		   .exe
C:\Program Files\QuickTime\QTTask		  .exe
C:\Program Files\QuickTime\QTTask		 .exe
C:\Program Files\QuickTime\QTTask		.exe
C:\Program Files\QuickTime\QTTask	   .exe
C:\Program Files\QuickTime\QTTask	  .exe
C:\Program Files\QuickTime\QTTask	 .exe
C:\Program Files\QuickTime\QTTask	.exe
C:\Program Files\QuickTime\QTTask   .exe
C:\Program Files\QuickTime\QTTask  .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\WINDOWS\system32\MRT .exe

File::
C:\WINDOWS\system32\jxjcylot.ini


Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days
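The RenV:: list in the reply above is the tell-tale of this variant: every entry keeps a legitimate program name but carries spaces or tabs in front of ".exe" (QTTask alone appears thirteen times with different amounts of whitespace). The script below is an added example, not part of this thread and not ComboFix's own code, that flags such names in a list of paths; the sample paths are constructed here to mirror the log's pattern, and the function and variable names are this example's own.

```python
"""Added example (not part of the thread or of ComboFix): flag executables whose
file name carries whitespace in front of the extension, the pattern ComboFix
listed under RenV:: above ('QTTask .exe', 'LVCOMSX .EXE', 'aim .exe')."""
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# A run of spaces or tabs immediately before a .exe/.dll/.sys extension.
# The lazy stem must end in a non-blank character, so 'QTTask\t\t .exe'
# yields the intended name 'QTTask.exe'.
SPACED_NAME = re.compile(r"^(?P<stem>.*?\S)[ \t]+\.(?P<ext>exe|dll|sys)$", re.IGNORECASE)

# Constructed sample input mirroring the log's pattern (not a real listing);
# the second entry uses tabs, as several of the QTTask copies in the log do.
SAMPLE_PATHS = [
    r"C:\Program Files\QuickTime\QTTask .exe",
    "C:\\Program Files\\QuickTime\\QTTask\t\t .exe",
    r"C:\WINDOWS\system32\LVCOMSX .EXE",
    r"C:\WINDOWS\system32\ctfmon.exe",                 # clean: no whitespace before the dot
    r"C:\Program Files\AIM\aim .exe",
    r"C:\Program Files\Real\RealPlayer\RealPlay.exe",  # clean
]


def intended_name(file_name):
    """Return the name a spaced file impersonates, or None if the name is normal."""
    m = SPACED_NAME.match(file_name)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None


def find_spaced_executables(paths):
    """Return [(path, intended_name)] for each path whose file name has whitespace before its extension."""
    hits = []
    for p in paths:
        target = intended_name(PureWindowsPath(p).name)
        if target:
            hits.append((p, target))
    return hits


def count_by_target(hits):
    """How many spaced copies exist per impersonated name (the log above had 13 QTTask copies)."""
    return Counter(target for _, target in hits)


def scan_tree(root):
    """Walk a real directory tree and apply the same check to every file found."""
    paths = [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]
    return find_spaced_executables(paths)


if __name__ == "__main__":
    hits = find_spaced_executables(SAMPLE_PATHS)
    for path, target in hits:
        print(f"{path!r} looks like a renamed copy of {target}")
    print(dict(count_by_target(hits)))
```

Run against the constructed sample, the four spaced names are reported and the two clean ones are not; `scan_tree` applies the same check to a real folder such as the QuickTime directory, which is the quickest way to confirm after the ComboFix RenV:: pass that no spaced copies remain.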


#6 mreimpell

  • Topic Starter
  • Members
  • 45 posts

Posted 03 March 2008 - 01:26 PM

Below is the log of the new combofix and the corresponding HijackThis:

ComboFix 08-03-03.15 - Owner 2008-03-03 13:11:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.628 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\jxjcylot.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\afkhxnwp.dll.bad
C:\VundoFix Backups\arejnnfc.dll.bad
C:\VundoFix Backups\ayquhuxg.dll.bad
C:\VundoFix Backups\bkkieioo.dll.bad
C:\VundoFix Backups\cbuwvtth.dll.bad
C:\VundoFix Backups\claevvon.dll.bad
C:\VundoFix Backups\dfovtptg.dll.bad
C:\VundoFix Backups\djtrafce.dll.bad
C:\VundoFix Backups\dtthatsm.ini.bad
C:\VundoFix Backups\dxsbbnxm.dll.bad
C:\VundoFix Backups\fgrcwpqa.dll.bad
C:\VundoFix Backups\fpyooaoj.dll.bad
C:\VundoFix Backups\fxeloxbx.dll.bad
C:\VundoFix Backups\fxxvvgic.dll.bad
C:\VundoFix Backups\hpanqhdw.dll.bad
C:\VundoFix Backups\jahhqtxl.dll.bad
C:\VundoFix Backups\jjcagkoe.dll.bad
C:\VundoFix Backups\kkovcunp.dll.bad
C:\VundoFix Backups\kqxytjbp.dll.bad
C:\VundoFix Backups\ktdvtxht.dll.bad
C:\VundoFix Backups\lxtqhhaj.ini.bad
C:\VundoFix Backups\mcogcsbv.dll.bad
C:\VundoFix Backups\mstahttd.dll.bad
C:\VundoFix Backups\nqqkpoxu.dll.bad
C:\VundoFix Backups\nvlgukmu.ini.bad
C:\VundoFix Backups\ooieikkb.ini.bad
C:\VundoFix Backups\ptoglcqi.dll.bad
C:\VundoFix Backups\qkgkbglo.dll.bad
C:\VundoFix Backups\qpmgbopt.dll.bad
C:\VundoFix Backups\sykspywi.dll.bad
C:\VundoFix Backups\thxtvdtk.ini.bad
C:\VundoFix Backups\tprtiatm.dll.bad
C:\VundoFix Backups\uimwdcvm.dll.bad
C:\VundoFix Backups\umkuglvn.dll.bad
C:\VundoFix Backups\vdfmoueg.dll.bad
C:\VundoFix Backups\vdohfwrb.dll.bad
C:\VundoFix Backups\vqpxqixq.dll.bad
C:\VundoFix Backups\wbwpxles.dll.bad
C:\VundoFix Backups\wkxamloj.dll.bad
C:\VundoFix Backups\xaqcnldt.dll.bad
C:\VundoFix Backups\xbxolexf.ini.bad
C:\VundoFix Backups\xcrlvdeb.dll.bad
C:\VundoFix Backups\xpcvmjqp.dll.bad
C:\VundoFix Backups\xslkwpej.dll.bad
C:\VundoFix Backups\yibqlqeo.dll.bad
C:\WINDOWS\system32\jxjcylot.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 08:13 . 2008-03-03 08:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 13:58 . 2008-03-03 08:46 <DIR> d-------- C:\Program Files\HJT
2008-02-29 08:34 . 2008-02-29 09:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-28 21:34 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 21:33 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vukwpmoommyh.sys
2008-02-28 21:19 . 2008-02-28 21:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 21:19 . 2008-02-28 21:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 21:19 . 2008-02-28 21:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 21:18 . 2008-02-28 22:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-28 19:33 . 2008-02-28 19:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 19:33 . 2008-02-28 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 19:32 . 2008-02-28 19:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:01 . 2008-02-28 18:03 <DIR> d-------- C:\temp
2008-02-28 11:29 . 2008-02-28 11:29 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Program Files\Webroot
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-08 13:27 . 2008-02-08 13:26 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-08 13:27 . 2008-02-08 13:26 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-08 13:27 . 2008-02-08 13:26 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-08 13:26 . 2008-02-08 13:26 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-02-08 13:26 . 2008-02-08 13:27 <DIR> d-------- C:\Program Files\Symantec
2008-02-08 10:30 . 2008-02-08 10:30 <DIR> d-------- C:\Documents and Settings\KLAFAY~1~CO\LOCALS~1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 18:11 --------- d-----w C:\Program Files\QuickTime
2008-03-03 18:11 --------- d-----w C:\Program Files\Picasa2
2008-03-03 18:11 --------- d-----w C:\Program Files\iTunes
2008-03-03 18:11 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-03 18:11 --------- d-----w C:\Program Files\AIM
2008-03-03 09:23 --------- d-----w C:\Program Files\LogMeIn
2008-02-15 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 14:03 --------- d-----w C:\Program Files\Plaxo
2008-02-06 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-05 19:58 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-30 23:38 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2008-01-30 12:55 --------- d-----w C:\Program Files\RcvSystem
2008-01-25 21:04 --------- d-----w C:\Program Files\Winamp
2008-01-24 20:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-01-19 22:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-06 04:32 --------- d-----w C:\Documents and Settings\klafay@embarqmail.co\Application Data\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-03 08:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
pmnligg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-25 16:17 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-03-03 08:09 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd9ef24]
C:\WINDOWS\system32\taafcbuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-25 11:00 50792 C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-25 11:00 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2008-01-25 16:17 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-01-25 16:17 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2008-01-25 11:00 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-25 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-01-25 11:00 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2008-01-25 11:00 183367 C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-07 20:41 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-24 15:20 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 22:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 18:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-02-28 13:28 3054592 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 12:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2008-01-25 11:00 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoCall]
--a------ 2008-01-25 11:31 65602 C:\Program Files\Logitech\VideoCall\VideoCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2008-02-08 13:39 77824 C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aim6.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9988:TCP"= 9988:TCP:BitComet 9988 TCP
"9988:UDP"= 9988:UDP:BitComet 9988 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:09:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 13:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-03 13:19:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 18:19:10
.
2008-02-29 13:25:44 --- E O F ---

---------------------------------------------------

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:27 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4530 bytes

--------------

I'll keep my fingers crossed. Once again, thanks for your help.

#7 ken545

ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 03 March 2008 - 02:01 PM

Hello,

Things are looking better.

Open Notepad (this will only work in Notepad) and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\WINDOWS\system32\taafcbuu.dll

Folder::
C:\Program Files\QdrModule

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd9ef24]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days
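The CFScript format used above has three sections (File::, Folder::, Registry::), and a leading "-" on a bracketed key under Registry:: marks that key for deletion. The following is an added Python example, not ComboFix's own code and not part of the thread, that parses such a script into its planned actions and flags the formatting mistake the helper warns about (a space or blank line before File::). It models only the three sections shown here; the sample script is constructed from the one posted.

```python
"""Parse and sanity-check a ComboFix CFScript (added example, not ComboFix code).

Only the three section types shown in the thread are modelled:
  File::      one absolute file path per line
  Folder::    one absolute folder path per line
  Registry::  bracketed keys; a leading '-' inside the bracket means delete
"""
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the script posted in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\taafcbuu.dll

Folder::
C:\Program Files\QdrModule

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd9ef24]
"""

KNOWN_SECTIONS = {"File", "Folder", "Registry"}
HEADER_RE = re.compile(r"^(\w+)::\s*$")
# Drive letter, colon, backslash, then anything except characters NTFS forbids.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*\n]+$')
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\(.+)\]$")


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)   # (action, key) tuples
    problems: list = field(default_factory=list)   # human-readable format errors


def parse_cfscript(text: str) -> CFScript:
    """Return the actions a CFScript asks for, plus any format problems found."""
    script = CFScript()
    section = None
    lines = text.splitlines()

    # The helper's rule: nothing above File:: and no space before it, i.e. the
    # very first line must already be a section header starting in column 0.
    if not lines or not HEADER_RE.match(lines[0]):
        script.problems.append(
            "line 1: script must begin with a section header such as 'File::' "
            "(no blank line above it, no leading space)")

    for num, raw in enumerate(lines, start=1):
        line = raw.rstrip()
        if not line.strip():
            continue  # blank lines between entries are fine
        header = HEADER_RE.match(line.lstrip())
        if header:
            name = header.group(1)
            if line != line.lstrip():
                script.problems.append(
                    f"line {num}: '{name}::' is indented; headers must start in column 0")
            if name not in KNOWN_SECTIONS:
                script.problems.append(f"line {num}: unknown section '{name}::'")
                section = None
            else:
                section = name
            continue

        if section is None:
            script.problems.append(f"line {num}: {line!r} is outside any section")
        elif section in ("File", "Folder"):
            if WIN_PATH_RE.match(line):
                (script.files if section == "File" else script.folders).append(line)
            else:
                script.problems.append(
                    f"line {num}: {line!r} is not an absolute Windows path")
        else:  # Registry
            m = REG_KEY_RE.match(line)
            if m:
                action = "delete" if m.group(1) == "-" else "edit"
                script.registry.append((action, f"{m.group(2)}\\{m.group(3)}"))
            else:
                script.problems.append(
                    f"line {num}: {line!r} is not a bracketed [HKEY...] key; "
                    "only bracketed keys are modelled in this example")
    return script


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for path in plan.files:
        print("delete file  ", path)
    for path in plan.folders:
        print("delete folder", path)
    for action, key in plan.registry:
        print(f"{action:13s}", key)
    for problem in plan.problems:
        print("PROBLEM:", problem)
```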


#8 mreimpell

mreimpell
  • Topic Starter
  • Members
  • 45 posts

Posted 03 March 2008 - 02:17 PM

Ok, hopefully it will get better each time. Here are my new ComboFix and HijackThis logs:

ComboFix 08-03-03.15 - Owner 2008-03-03 14:12:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\taafcbuu.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 08:13 . 2008-03-03 08:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 13:58 . 2008-03-03 13:22 <DIR> d-------- C:\Program Files\HJT
2008-02-29 08:34 . 2008-02-29 09:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-28 21:34 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 21:33 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vukwpmoommyh.sys
2008-02-28 21:19 . 2008-02-28 21:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 21:19 . 2008-02-28 21:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 21:19 . 2008-02-28 21:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 21:18 . 2008-02-28 22:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-28 19:33 . 2008-02-28 19:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 19:33 . 2008-02-28 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 19:32 . 2008-02-28 19:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:01 . 2008-02-28 18:03 <DIR> d-------- C:\temp
2008-02-28 11:29 . 2008-02-28 11:29 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Program Files\Webroot
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-08 13:27 . 2008-02-08 13:26 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-08 13:27 . 2008-02-08 13:26 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-08 13:27 . 2008-02-08 13:26 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-08 13:26 . 2008-02-08 13:26 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-02-08 13:26 . 2008-02-08 13:27 <DIR> d-------- C:\Program Files\Symantec
2008-02-08 10:30 . 2008-02-08 10:30 <DIR> d-------- C:\Documents and Settings\KLAFAY~1~CO\LOCALS~1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 18:11 --------- d-----w C:\Program Files\QuickTime
2008-03-03 18:11 --------- d-----w C:\Program Files\Picasa2
2008-03-03 18:11 --------- d-----w C:\Program Files\iTunes
2008-03-03 18:11 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-03 18:11 --------- d-----w C:\Program Files\AIM
2008-03-03 13:09 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-03 09:23 --------- d-----w C:\Program Files\LogMeIn
2008-02-28 16:29 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-02-15 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 14:03 --------- d-----w C:\Program Files\Plaxo
2008-02-06 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-05 19:58 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 00:14 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-30 23:38 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2008-01-30 12:55 --------- d-----w C:\Program Files\RcvSystem
2008-01-25 21:04 --------- d-----w C:\Program Files\Winamp
2008-01-25 16:00 221,184 ----a-w C:\WINDOWS\system32\LVCOMSX.EXE
2008-01-24 20:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-01-23 19:56 4,213 ----a-w C:\WINDOWS\system32\hbvxmycu.dll
2008-01-23 19:53 4,213 ----a-w C:\WINDOWS\system32\tfusikgb.dll
2008-01-23 19:49 4,477 ----a-w C:\WINDOWS\system32\kwrbmfab.dll
2008-01-23 01:05 4,477 ----a-w C:\WINDOWS\system32\tojdlkqg.dll
2008-01-22 10:31 4,477 ----a-w C:\WINDOWS\system32\bdnaimbb.dll
2008-01-19 22:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-17 17:19 4,477 ----a-w C:\WINDOWS\system32\fhewlyvf.dll
2008-01-17 17:16 4,477 ----a-w C:\WINDOWS\system32\maliotcn.dll
2008-01-17 17:13 4,477 ----a-w C:\WINDOWS\system32\pulywscy.dll
2008-01-17 17:10 4,477 ----a-w C:\WINDOWS\system32\kiyeqact.dll
2008-01-17 17:04 4,477 ----a-w C:\WINDOWS\system32\ryglkoqs.dll
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-06 04:32 --------- d-----w C:\Documents and Settings\klafay@embarqmail.co\Application Data\Apple Computer
2007-12-29 13:00 4,477 ----a-w C:\WINDOWS\system32\vhodaggf.dll
2007-12-29 12:57 4,477 ----a-w C:\WINDOWS\system32\puyqwfsj.dll
2007-12-29 12:54 4,477 ----a-w C:\WINDOWS\system32\vbvyshfd.dll
2007-12-29 12:51 4,477 ----a-w C:\WINDOWS\system32\wxtvqgjl.dll
2007-12-28 12:59 4,477 ----a-w C:\WINDOWS\system32\sarmiras.dll
2007-12-28 12:56 4,477 ----a-w C:\WINDOWS\system32\emfmtdeh.dll
2007-12-28 12:53 4,477 ----a-w C:\WINDOWS\system32\gmyrkhmp.dll
2007-12-28 12:50 4,477 ----a-w C:\WINDOWS\system32\syinocxu.dll
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-03 08:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
pmnligg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-25 16:17 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-03-03 08:09 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-25 11:00 50792 C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-25 11:00 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2008-01-25 16:17 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-01-25 16:17 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2008-01-25 11:00 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-25 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-01-25 11:00 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2008-01-25 11:00 183367 C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-07 20:41 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-24 15:20 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 22:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 18:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-02-28 13:28 3054592 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 12:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2008-01-25 11:00 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoCall]
--a------ 2008-01-25 11:31 65602 C:\Program Files\Logitech\VideoCall\VideoCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2008-02-08 13:39 77824 C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aim6.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9988:TCP"= 9988:TCP:BitComet 9988 TCP
"9988:UDP"= 9988:UDP:BitComet 9988 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:09:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 14:13:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-03-03 14:13:52
ComboFix-quarantined-files.txt 2008-03-03 19:13:36
ComboFix2.txt 2008-03-03 18:19:14
.
2008-02-29 13:25:44 --- E O F ---


-------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:43 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4563 bytes

Thanks!

#9 ken545 (Malware Response Team, 1,685 posts)

Posted 03 March 2008 - 06:17 PM

Hello,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\



Open Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\WINDOWS\system32\hbvxmycu.dll
C:\WINDOWS\system32\tfusikgb.dll
C:\WINDOWS\system32\kwrbmfab.dll
C:\WINDOWS\system32\tojdlkqg.dll
C:\WINDOWS\system32\bdnaimbb.dll
C:\WINDOWS\system32\fhewlyvf.dll
C:\WINDOWS\system32\maliotcn.dll
C:\WINDOWS\system32\pulywscy.dll
C:\WINDOWS\system32\kiyeqact.dll
C:\WINDOWS\system32\ryglkoqs.dll
C:\WINDOWS\system32\vhodaggf.dll
C:\WINDOWS\system32\puyqwfsj.dll
C:\WINDOWS\system32\vbvyshfd.dll
C:\WINDOWS\system32\wxtvqgjl.dll
C:\WINDOWS\system32\sarmiras.dll
C:\WINDOWS\system32\emfmtdeh.dll
C:\WINDOWS\system32\gmyrkhmp.dll
C:\WINDOWS\system32\syinocxu.dll

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#10 mreimpell (Topic Starter, Members, 45 posts)

Posted 04 March 2008 - 08:26 AM

Below you will find my new ComboFix and HijackThis logs:

ComboFix 08-03-03.15 - Owner 2008-03-04 8:19:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.593 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\bdnaimbb.dll
C:\WINDOWS\system32\emfmtdeh.dll
C:\WINDOWS\system32\fhewlyvf.dll
C:\WINDOWS\system32\gmyrkhmp.dll
C:\WINDOWS\system32\hbvxmycu.dll
C:\WINDOWS\system32\kiyeqact.dll
C:\WINDOWS\system32\kwrbmfab.dll
C:\WINDOWS\system32\maliotcn.dll
C:\WINDOWS\system32\pulywscy.dll
C:\WINDOWS\system32\puyqwfsj.dll
C:\WINDOWS\system32\ryglkoqs.dll
C:\WINDOWS\system32\sarmiras.dll
C:\WINDOWS\system32\syinocxu.dll
C:\WINDOWS\system32\tfusikgb.dll
C:\WINDOWS\system32\tojdlkqg.dll
C:\WINDOWS\system32\vbvyshfd.dll
C:\WINDOWS\system32\vhodaggf.dll
C:\WINDOWS\system32\wxtvqgjl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bdnaimbb.dll
C:\WINDOWS\system32\emfmtdeh.dll
C:\WINDOWS\system32\fhewlyvf.dll
C:\WINDOWS\system32\gmyrkhmp.dll
C:\WINDOWS\system32\hbvxmycu.dll
C:\WINDOWS\system32\kiyeqact.dll
C:\WINDOWS\system32\kwrbmfab.dll
C:\WINDOWS\system32\maliotcn.dll
C:\WINDOWS\system32\pulywscy.dll
C:\WINDOWS\system32\puyqwfsj.dll
C:\WINDOWS\system32\ryglkoqs.dll
C:\WINDOWS\system32\sarmiras.dll
C:\WINDOWS\system32\syinocxu.dll
C:\WINDOWS\system32\tfusikgb.dll
C:\WINDOWS\system32\tojdlkqg.dll
C:\WINDOWS\system32\vbvyshfd.dll
C:\WINDOWS\system32\vhodaggf.dll
C:\WINDOWS\system32\wxtvqgjl.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 08:13 . 2008-03-03 08:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 08:12 . 2008-03-03 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 13:58 . 2008-03-04 08:15 <DIR> d-------- C:\Program Files\HJT
2008-02-29 08:34 . 2008-02-29 09:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-28 21:34 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 21:33 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vukwpmoommyh.sys
2008-02-28 21:19 . 2008-02-28 21:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 21:19 . 2008-02-28 21:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 21:19 . 2008-02-28 21:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 21:18 . 2008-02-28 22:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-28 19:33 . 2008-02-28 19:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 19:33 . 2008-02-28 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 19:32 . 2008-02-28 19:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:01 . 2008-02-28 18:03 <DIR> d-------- C:\temp
2008-02-28 11:29 . 2008-02-28 11:29 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Program Files\Webroot
2008-02-15 11:59 . 2008-02-15 11:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-08 13:27 . 2008-02-08 13:26 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-08 13:27 . 2008-02-08 13:26 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-08 13:27 . 2008-02-08 13:26 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-08 13:26 . 2008-02-08 13:26 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-02-08 13:26 . 2008-02-08 13:27 <DIR> d-------- C:\Program Files\Symantec
2008-02-08 10:30 . 2008-02-08 10:30 <DIR> d-------- C:\Documents and Settings\KLAFAY~1~CO\LOCALS~1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 13:13 --------- d-----w C:\Program Files\LogMeIn
2008-03-03 18:11 --------- d-----w C:\Program Files\QuickTime
2008-03-03 18:11 --------- d-----w C:\Program Files\Picasa2
2008-03-03 18:11 --------- d-----w C:\Program Files\iTunes
2008-03-03 18:11 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-03 18:11 --------- d-----w C:\Program Files\AIM
2008-03-03 13:09 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-02-28 16:29 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-02-15 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 14:03 --------- d-----w C:\Program Files\Plaxo
2008-02-06 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-05 19:58 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 00:14 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-30 23:38 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2008-01-30 12:55 --------- d-----w C:\Program Files\RcvSystem
2008-01-25 21:04 --------- d-----w C:\Program Files\Winamp
2008-01-25 16:00 221,184 ----a-w C:\WINDOWS\system32\LVCOMSX.EXE
2008-01-24 20:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-01-19 22:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-06 04:32 --------- d-----w C:\Documents and Settings\klafay@embarqmail.co\Application Data\Apple Computer
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-03 08:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-25 16:17 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-03-03 08:09 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-25 11:00 50792 C:\Program Files\Common Files\AOL\1145629970\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-25 11:00 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2008-01-25 16:17 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-01-25 16:17 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2008-01-25 11:00 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-25 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-01-25 11:00 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2008-01-25 11:00 183367 C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-07 20:41 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-24 15:20 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 22:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 18:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-02-28 13:28 3054592 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 12:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2008-01-25 11:00 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoCall]
--a------ 2008-01-25 11:31 65602 C:\Program Files\Logitech\VideoCall\VideoCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2008-02-08 13:39 77824 C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145629970\\ee\\aim6.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9988:TCP"= 9988:TCP:BitComet 9988 TCP
"9988:UDP"= 9988:UDP:BitComet 9988 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:09:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 08:22:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-03-04 8:22:44
ComboFix-quarantined-files.txt 2008-03-04 13:22:29
ComboFix2.txt 2008-03-03 19:13:53
ComboFix3.txt 2008-03-03 18:19:14
.
2008-03-03 20:05:24 --- E O F ---

---------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:45 AM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627198062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4357 bytes

Thanks!
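To check that a Fix Checked run removed exactly the entries ken545 asked for (the O2 and O20 lines above) and nothing else, here is an added example, not from the thread or from HijackThis, that parses two HijackThis logs by section code and diffs them. The sample logs are constructed from lines quoted in the two posts above, trimmed to a few entries each.

```python
"""Diff two HijackThis logs by entry, to confirm that a 'Fix Checked' run
removed the intended items and nothing else.

Added example for this thread; not part of HijackThis or ComboFix.  BEFORE
and AFTER are constructed from lines quoted in the thread."""
import re
from typing import Dict, List, Set, Tuple

# Entry lines look like "O2 - BHO: (no name) - AutorunsDisabled - (no file)":
# a section code (R0, R1, O2, O4, O9, O16, O20, O23 ...), " - ", then the entry.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


def parse_entries(log_text: str) -> Dict[str, Set[str]]:
    """Group the entry lines of a HijackThis log by section code.

    Header lines and the bare-path process list do not match ENTRY_RE and are
    skipped; repeated entries within a section collapse into the set."""
    entries: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added): entries present only in one log, as 'CODE - entry'."""
    b, a = parse_entries(before), parse_entries(after)
    codes = set(b) | set(a)
    removed = sorted(f"{c} - {e}" for c in codes for e in b.get(c, set()) - a.get(c, set()))
    added = sorted(f"{c} - {e}" for c in codes for e in a.get(c, set()) - b.get(c, set()))
    return removed, added


def check_fix(before: str, after: str, intended: List[str]) -> Dict[str, List[str]]:
    """Compare a before/after pair against the entries the helper asked to fix.

    fixed: intended and gone; still_present: intended but still in the log;
    unexpected: anything removed or added that the helper did not ask for."""
    removed, added = diff_logs(before, after)
    want = set(intended)
    return {
        "fixed": sorted(want & set(removed)),
        "still_present": sorted(want - set(removed)),
        "unexpected": sorted((set(removed) - want) | set(added)),
    }


# Constructed sample: a few lines of the 3 March log (before the fix) ...
BEFORE = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:43 PM, on 3/3/2008
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\HJT\\HiJackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://google.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: AutorunsDisabled - C:\\WINDOWS\\
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
"""
# ... and the matching lines of the 4 March log (after the fix).
AFTER = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:45 AM, on 3/4/2008
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://google.com
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
"""
# The two entries ken545 asked to have fixed.
INTENDED = [
    "O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    "O20 - Winlogon Notify: AutorunsDisabled - C:\\WINDOWS\\",
]

if __name__ == "__main__":
    for key, items in check_fix(BEFORE, AFTER, INTENDED).items():
        print(f"{key}: {items}")
```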

#11 ken545 (Malware Response Team, 1,685 posts)

Posted 04 March 2008 - 12:15 PM

Your log looks fine :thumbsup: Did you uninstall McAfee recently? It's still showing in your startup.

How are things running now??



#12 mreimpell (Topic Starter, Members, 45 posts)

Posted 04 March 2008 - 01:35 PM

Am I ok??? I'm ssoooooo haaappyyyyyy!!!!! Thanks, thanks, thanks!!! You deserve the best!

In regards to McAfee, this computer came with the trial version and it was uninstalled a while ago... I have Symantec, which I'm planning to uninstall and reinstall....

Is there anything you would suggest to prevent this from happening again????

#13 ken545 (Malware Response Team, 1,685 posts)

Posted 04 March 2008 - 06:31 PM

Hello,

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

If you saved the file correctly it should look like this: (screenshot not preserved)

Keep in mind if you install some of these programs: only ONE antivirus and only ONE firewall is recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.5: Check for Updates, Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster: It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard: It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
  • IE-Spyad: IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0.0.12: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Glad we could help

Safe Surfn
Ken


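The Regfix above removes two stale MSConfig startup entries left behind by an uninstalled McAfee. As an added PowerShell example (not part of ken545's instructions), the script below audits every entry under that same startupreg key and reports those whose executable no longer exists; it assumes the XP-era layout where each subkey stores its launch line in a `command` value, and it is run from an elevated prompt.

```powershell
# Added example, not from the thread: list MSConfig "startupreg" entries whose
# program is missing on disk (e.g. leftovers of an uninstalled antivirus) and
# offer to delete each one individually. Assumes each subkey has a 'command'
# value holding the launch line, as on Windows XP.
$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Handle a quoted path ("C:\Program Files\x\y.exe" args) or a bare first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-StaleStartupEntry {
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $cmd = (Get-ItemProperty -Path $key.PSPath).command
        if (-not $cmd) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $cmd))
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Name    = $key.PSChildName   # e.g. MCAgentExe in this thread
                Command = $cmd
                Missing = $exe
            }
        }
    }
}

# Report first, then remove each stale entry only after interactive confirmation.
$stale = @(Get-StaleStartupEntry)
$stale | Format-Table -AutoSize
foreach ($s in $stale) {
    Remove-Item -Path (Join-Path $base $s.Name) -Confirm
}
```

Entries whose command still resolves to an existing file are left alone, so a program that is merely disabled in msconfig is not touched.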

#14 ken545 (Malware Response Team, 1,685 posts, The Space Coast of Florida)

Posted 16 March 2008 - 08:57 AM

Since this issue is resolved this thread will now be closed. Thank you for using Bleeping Computer.
