Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.vundo-variant/f


  • This topic is locked This topic is locked
10 replies to this topic

#1 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:31 AM

Posted 10 April 2008 - 09:26 PM

Hey Guys,

Ran my periodical scans today and SAS identified the following files as being Vundo:
  • C:\System Volume Information\_Restore{856B109D-E1E8-4BA7-B781-DB73A9F1904F}\RP70\A0012927.dll
  • C:\System Volume Information\_Restore{856B109D-E1E8-4BA7-B781-DB73A9F1904F}\RP71\A0013408.dll
  • C:\TEMP\HP_WEBRELEASE\UTIL\CFGMGR32.DLL
  • C:\WINDOWS\ASSEMBLY\NATIVIMAGES1_V1.1.4322\SYSTEM.DRAWING.DESIGN\1.0.5000_B03F5F7F11D50A3A_62E0468F
    \SYSTEM.DRAWING.DESIGN.DLL
I did a HJT scan and didn't find any signs of Vundo in the O2 and O20 entries.
I also searched the BC File Data Base for CFGMGR32.DLL and SYSTEM.DRAWING.DESIGN.DLL, which listed them as being legitimate, but in a different location.
I had SAS Quarantine the items.
Are these false positives? I had just updated SAS prior to the scan and noticed that the update was for this particular Vundo Variant.

A Thousand Apologies for posting in the wrong forum prior... :thumbsup:

Here is the Kaspersky Report:

Thursday, April 10, 2008 7:30:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696397
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 61751
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:44:49

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\cert8.db Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\history.dat Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\key3.db Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\parent.lock Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Cody\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Application Data\Mozilla\Firefox\Profiles\3zw2ktjj.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Cody\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cody\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{856B109D-E1E8-4BA7-B781-DB73A9F1904F}\RP108\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TODD.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kbhookdll.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT0358d.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT055fc.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000005-00000000-00000006-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.

Here is the DSS Report:

Deckard's System Scanner v20071014.68
Run by Cody on 2008-04-10 22:11:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
80: 2008-04-11 02:11:36 UTC - RP109 - Deckard's System Scanner Restore Point
79: 2008-04-10 02:28:47 UTC - RP108 - System Checkpoint
78: 2008-04-08 20:35:31 UTC - RP107 - Software Distribution Service 3.0
77: 2008-04-06 22:40:17 UTC - RP106 - System Checkpoint
76: 2008-04-05 21:25:40 UTC - RP105 - System Checkpoint


-- First Restore Point --
1: 2008-01-12 13:14:45 UTC - RP30 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Cody.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:39 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Documents and Settings\Cody\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cody.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6967 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_812A1043&REV_A2\3&2411E6FE&0&20
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_812A1043&REV_A2\3&2411E6FE&0&20
Service:

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&15E2DB85&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&15E2DB85&0&0
Service: flpydisk


-- Files created between 2008-03-10 and 2008-04-10 -----------------------------

2008-04-10 18:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-10 18:28:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 16:35:44 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-27 20:25:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 20:25:07 0 d-------- C:\Fraps
2008-03-17 17:03:13 38771 -----n--- C:\WINDOWS\hpomdl03.dat
2008-03-17 17:03:13 29409 --a------ C:\WINDOWS\hpoins03.dat
2008-03-17 16:57:57 278528 --a------ C:\WINDOWS\system32\hpdjaio <Not Verified; HP; HP DeskJet>
2008-03-17 16:57:48 278528 --a------ C:\WINDOWS\system32\hpdj <Not Verified; HP; HP DeskJet>
2008-03-17 16:51:23 0 d-------- C:\temp
2008-03-16 09:03:10 102912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-03-16 09:03:10 209008 --a------ C:\WINDOWS\system32\kbhookdll.dll
2008-03-15 14:07:07 0 d-------- C:\Documents and Settings\Cody\Application Data\OpenOffice.org2
2008-03-15 14:05:21 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-03-15 10:22:57 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-04-10 19:34:14 0 d-------- C:\Documents and Settings\Cody\Application Data\U3
2008-04-10 16:48:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 16:35:54 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-23 10:48:16 0 d-------- C:\Program Files\a-squared Free
2008-03-17 17:16:01 0 d-------- C:\Program Files\HP
2008-03-15 14:05:11 0 d-------- C:\Program Files\Java
2008-02-24 18:06:25 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-17 23:38:51 0 d-------- C:\Program Files\MSXML 4.0
2008-02-16 17:51:52 0 d-------- C:\Program Files\Common Files
2008-02-16 17:51:52 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-16 17:50:00 0 d-------- C:\Program Files\Common Files\HP
2008-02-16 15:53:55 0 d-------- C:\Documents and Settings\Cody\Application Data\Intuit
2008-02-16 15:49:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 15:49:26 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-16 15:47:23 0 d-------- C:\Program Files\Common Files\Intuit
2008-02-16 15:42:26 0 d-------- C:\Program Files\TurboTax
2008-02-09 05:23:42 3440 --a------ C:\WINDOWS\unins000.dat
2008-02-09 05:15:46 691545 --a------ C:\WINDOWS\unins000.exe
2008-01-14 08:52:00 81920 --a------ C:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/05/2008 04:35 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/05/2008 04:35 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/19/2007 09:12 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 06:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 06:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/10/2005 05:06 AM]
"nwiz"="nwiz.exe" [12/10/2005 05:06 AM C:\WINDOWS\system32\nwiz.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/10/2005 05:21 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 03:50 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/10/2005 05:06 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 03:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 04:27 PM]
"DXDllRegExe"="dxdllreg.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [08/04/2003 05:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [08/09/2005 06:28 PM]

C:\Documents and Settings\Cody\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [8/17/2007 9:57:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 05:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 05:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f97e17d7-ad5e-11dc-9ad2-806d6172696f}]
AutoRun\command- D:\ASUSACPI.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8144 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-10 22:13:10 ------------

The "Extra DSS Report" is attached as instructed

Thanks!

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 20 April 2008 - 01:48 PM

Hi there,

Do you still need help with this? :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:31 AM

Posted 20 April 2008 - 03:23 PM

Hi Teacup61!

Well, i got that Vundo thing from SAS 10 days ago, but I haven't been having any issues with the PC. Thought I would check with you guys just in case.

I know the that the 2 files in the System Restore are of no concern, but I wasn't familiar with the other 2. Ironically, today I figured out that they must have come from .NET Framework. Turbo Tax program initiated that. Not sure why SAS pegged all 4 files as being Vundo though. :blink:

The only thing peculiar that happens once and a while is that the "Magnifying Cursor" (that's what I call it) has come on after start up. I guess it's for reading, but I've never used it before. I get it to go away by ending "point32.exe" in the Task Manager.

What do you think...am I clean? :thumbsup:

By-the-Bye...I thought that we had to remove the Donation Thing from our signatures...are we taking donations again?

Edited by DocSatan, 20 April 2008 - 03:24 PM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 21 April 2008 - 02:28 AM

Hi there,

What do you think...am I clean?

I have no idea. The log you originally posted is 12 days old now and it would be very wrong of me to make a diagnosis on a log that old. Do you know why? :thumbsup:

By-the-Bye...I thought that we had to remove the Donation Thing from our signatures...

That would be accurate for site donations. :blink:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:31 AM

Posted 21 April 2008 - 06:37 AM

Hello T-Cup!

The log you originally posted is 12 days old now and it would be very wrong of me to make a diagnosis on a log that old. Do you know why?


Umm....because things change in 12 days? :thumbsup: <--- Total Guess

I'm posting a new DSS Report, but I'm gonna skip Kaspersky (takes too long). Plus I'm pretty sure (with my very limited experience of such things) that I've accounted for those files as being not Bad. But then again I would be even more secure in this idea if you were to reinforce my accounting. :blink:

Old Deckard didn't give me a 2nd "Extra Report," hope that is not a problemo.

DECKARD'S SYSTEM SCANNER REPORT

Deckard's System Scanner v20071014.68
Run by Cody on 2008-04-21 07:22:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cody.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:48 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cody\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cody.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7062 bytes

-- Files created between 2008-03-21 and 2008-04-21 -----------------------------

2008-04-17 16:19:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-04-10 18:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-10 18:28:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 16:35:44 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-27 20:25:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 20:25:07 0 d-------- C:\Fraps


-- Find3M Report ---------------------------------------------------------------

2008-04-21 07:00:33 0 d-------- C:\Documents and Settings\Cody\Application Data\OpenOffice.org2
2008-04-19 00:46:15 0 d-------- C:\Documents and Settings\Cody\Application Data\U3
2008-04-19 00:34:19 0 d-------- C:\Program Files\a-squared Free
2008-04-17 17:18:48 0 d-------- C:\Program Files\Java
2008-04-17 14:26:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 16:35:54 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-23 10:40:59 29409 --a------ C:\WINDOWS\hpoins03.dat
2008-03-17 17:16:01 0 d-------- C:\Program Files\HP
2008-03-16 09:03:10 102912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-03-15 14:05:34 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-02-24 18:06:25 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 05:23:42 3440 --a------ C:\WINDOWS\unins000.dat
2008-02-09 05:15:46 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/05/2008 04:35 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/05/2008 04:35 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/19/2007 09:12 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 06:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 06:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/10/2005 05:06 AM]
"nwiz"="nwiz.exe" [12/10/2005 05:06 AM C:\WINDOWS\system32\nwiz.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/10/2005 05:21 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 03:50 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/10/2005 05:06 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 03:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 04:27 PM]
"DXDllRegExe"="dxdllreg.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [08/04/2003 05:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [08/09/2005 06:28 PM]

C:\Documents and Settings\Cody\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [8/17/2007 9:57:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 05:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 05:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f97e17d7-ad5e-11dc-9ad2-806d6172696f}]
AutoRun\command- D:\ASUSACPI.exe




-- End of Deckard's System Scanner: finished at 2008-04-21 07:23:14 ------------

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 21 April 2008 - 12:53 PM

Hi there,

Your total guess is right. :thumbsup: I have a user at another forum that in just 12 hours, the time it takes me to get a night of sleep and grab something to eat, has turned off system restore, run tools on his own, and heaven knows what else. Can you imagine what could have happened in 12 days? :blink:

One itsy bitsy thing about your log:
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
Read here:
http://www.castlecops.com/s798-CTHELPER_EXE.html

What do you think we should do about it? :wacko:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:31 AM

Posted 21 April 2008 - 03:44 PM

One itsy bitsy thing about your log:
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
What do you think we should do about it?


I'm gonna say.....Disable it!! :thumbsup:

I can use Spybot S&D to remove it from the Start-up, right? (I'm guessing yes)

So, can I remove the 4 files in question from the SAS quarantine? :blink:

Any idea why SAS labeled them as Vundo? :)

Thanks for your help T-Cup...you were fun to work with. :wacko:

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 21 April 2008 - 04:13 PM

Hi there,

Thanks. :thumbsup: I teach at other forums, so I tend to ask questions like that. :blink:

Disable it, yes! :wacko: Now....since the point of you being here is to learn HijackThis, how would HijackThis work to disable that entry? Do you know how HijackThis handles any 04?

Yes, you can get rid of the files in SAS quarantine. They are deleted when you do that, but empty your Recycle Bin and reboot afterwards to be sure. As to the why of being identified as Vundo, I really couldn't say without seeing the log itself.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:31 AM

Posted 22 April 2008 - 12:57 AM

I think that fixing O4's just removes the entry, but does not delete the file. Not sure if that's the same as being removed from the Start Up list. I was going to refresh my memory but I can no longer access my bookmarks because I have been removed from the HJT Training Program. :blink:

Wish they gave me a heads up, I would have thrown a PL up on the forum. :wacko:

Thanks for your help and guidance T-Cup!

Hope to be back in the HJT again some day. :thumbsup:

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 22 April 2008 - 01:09 AM

HHmmmm.......I'm sorry to hear it. I had no idea. :thumbsup:

You're welcome...........Best to you....

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:31 PM

Posted 26 April 2008 - 02:18 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users