Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Vundo.n Please Help ^.^


  • Please log in to reply
1 reply to this topic

#1 Demikun

Demikun

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 08 May 2008 - 11:17 AM

Hey all,

This is my first time posting so please be gentle. A couple of days ago my AVG found the following---Trojan horse Vundo.N and Trojan horse Generic 10.THQ. I have supplied my Hijackthis log below:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-08 11:22:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-08 16:22:44 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:36 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.walmartbenefits.com/MyBenefitsR...egistration.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\khfGxXom.dll
O2 - BHO: {e90b99ad-532b-226b-9f44-c560303a5162} - {2615a303-065c-44f9-b622-b235da99b09e} - C:\WINDOWS\system32\ogfodbhk.dll
O2 - BHO: (no name) - {3D911140-FE2F-42B9-A610-AC673D1166B2} - C:\WINDOWS\system32\jkkHYonK.dll
O2 - BHO: (no name) - {72EF51B3-8036-4865-AF8E-D6F1D5454D8F} - C:\WINDOWS\system32\vtUkhHXO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {C5BE3478-76C5-47B9-9AE5-8E64F5D21370} - C:\WINDOWS\system32\ssqnKbca.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [e40d0f9d] rundll32.exe "C:\WINDOWS\system32\nynyofpn.dll",b
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP5.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O20 - Winlogon Notify: khfGxXom - C:\WINDOWS\SYSTEM32\khfGxXom.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8828 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 d346bus - c:\windows\system32\drivers\d346bus.sys
R0 d346prt - c:\windows\system32\drivers\d346prt.sys
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 ANVOSDNT (ASUS Keyboard Filter Driver) - c:\windows\system32\drivers\anvosdnt.sys <Not Verified; ASUS; ASUS keyboard filter driver>
R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo BrantÚn); filedisk (based on original work by Bo BrantÚn)>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager« (32-bit)>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S0 ElbyVCD - c:\windows\system32\drivers\elbyvcd.sys (file missing)
S1 ANVIOCTL - c:\windows\system32\drivers\anvioctl.sys <Not Verified; ASUSTeK; ASUS VGA Driver for Windows 2000/XP>
S1 asuskbnt - c:\windows\system32\drivers\asuskbnt.sys (file missing)
S2 Aspi32 - c:\windows\system32\drivers\aspi32.sys (file missing)
S2 NAVAPEL - c:\program files\navnt\navapel.sys (file missing)
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 fsbl (F-Secure BlackLight Engine Driver) - c:\program files\f-secure internet security\anti-virus\fsbl5948.sys (file missing)
S3 NAVAP - c:\progra~1\navnt\navap.sys (file missing)
S3 NC100 (Network Everywhere Fast Ethernet Adapter(NC100 v2)) - c:\windows\system32\drivers\nc100a.sys <Not Verified; Network Everywhere; Network Everywhere Fast Ethernet Adapter(NC100 v2)>
S3 ossrv (Creative OS Services Driver) - c:\windows\system32\drivers\ctoss2k.sys (file missing)
S3 PciCon - d:\pcicon.sys (file missing)
S3 PSSdk21 - c:\windows\system32\drivers\hnpssdk.drv (file missing)
S3 WBHWDOCT (Winbond GPIO Driver1) - c:\windows\system32\drivers\wbhwdoct.sys (file missing)
S4 axwhisky - c:\windows\system32\drivers\axwhisky.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IOLO_SRV (iolo System Guard) - c:\program files\iolo\system mechanic professional 6\iolosgctrl.exe

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 YEDIEx - c:\windows\system32\yediex.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 09:56:56 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-11-13 09:07:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2003-03-06 19:48:32 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-09 02:16:52 151648 --a------ C:\WINDOWS\system32\xpsf2.exe
2008-05-08 21:47:57 106560 --a------ C:\WINDOWS\system32\tymyquyd.dll
2008-05-08 21:44:57 96832 -----n--- C:\WINDOWS\system32\vepfmubf.dll
2008-05-08 21:41:57 2112 --a------ C:\WINDOWS\system32\uaualvep.exe
2008-05-08 10:15:43 96832 --a------ C:\WINDOWS\system32\nynyofpn.dll
2008-05-08 10:12:43 2112 --a------ C:\WINDOWS\system32\ydnuvswc.exe
2008-05-08 10:12:09 0 d-------- C:\Program Files\Trend Micro
2008-05-08 10:09:43 106560 --a------ C:\WINDOWS\system32\ogfodbhk.dll
2008-05-08 10:05:33 2112 --a------ C:\WINDOWS\system32\usfstteh.exe
2008-05-07 12:22:35 2112 --a------ C:\WINDOWS\system32\wqgknhkh.exe
2008-05-07 12:19:35 108608 --a------ C:\WINDOWS\system32\svhimyxi.dll
2008-05-06 05:08:43 107584 --a------ C:\WINDOWS\system32\oaqbbvpb.dll
2008-05-05 22:34:59 96832 --a------ C:\WINDOWS\system32\ghlniyiv.dll
2008-05-05 22:28:58 1051123 --ahs---- C:\WINDOWS\system32\KnoYHkkj.ini2
2008-05-05 22:28:55 280064 --a------ C:\WINDOWS\system32\jkkHYonK.dll
2008-05-04 10:44:02 0 d-------- C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Application Data\Ahead
2008-05-03 01:26:18 519815 --ahs---- C:\WINDOWS\system32\OXHhkUtv.ini2
2008-05-01 18:05:20 368640 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-01 18:05:19 802816 --a------ C:\WINDOWS\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-01 18:05:19 258048 --a------ C:\WINDOWS\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-01 18:05:18 1757184 --a------ C:\WINDOWS\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-01 18:05:15 0 d-------- C:\Program Files\Nero
2008-04-29 01:45:49 39424 --a------ C:\WINDOWS\system32\efcawtSk.dll
2008-04-29 01:15:05 39424 --a------ C:\WINDOWS\system32\ddcaATjG.dll
2008-04-29 01:03:26 39424 --a------ C:\WINDOWS\system32\hgGyxUNE.dll
2008-04-29 00:58:42 39424 --a------ C:\WINDOWS\system32\nnnoPhET.dll
2008-04-28 21:59:52 0 d-------- C:\Program Files\Common Files\Nero
2008-04-28 21:53:18 531385 --ahs---- C:\WINDOWS\system32\acbKnqss.ini2
2008-04-28 21:48:08 39424 --a------ C:\WINDOWS\system32\khfGxXom.dll
2008-04-16 23:55:36 0 d-------- C:\Program Files\The Rosetta Stone


-- Find3M Report ---------------------------------------------------------------

2008-05-09 02:17:01 0 d-------- C:\Program Files\SpeeDefrag
2008-05-05 22:53:28 0 d-------- C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Application Data\AVG7
2008-05-04 10:31:56 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-04 02:04:17 0 d-------- C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Application Data\Azureus
2008-04-30 18:40:50 208994 --a------ C:\WINDOWS\system32\xpsf.exe
2008-04-29 02:29:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 23:21:37 0 d-a------ C:\Program Files\Common Files
2008-04-18 12:37:43 0 d-------- C:\Program Files\Azureus
2008-03-29 19:09:09 4 --a------ C:\WINDOWS\system32\56971D
2008-03-13 21:59:56 0 d-------- C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Application Data\Nero
2008-03-13 13:24:33 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-03-13 13:24:24 0 d-------- C:\Program Files\DVDVideoSoft
2008-03-09 01:50:42 0 d-------- C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Application Data\Adobe
2008-03-08 19:44:09 96 --a------ C:\AUTOEXEC.BAT
2008-03-08 19:43:58 0 d-------- C:\Program Files\DivX


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}]
04/28/2008 09:48 PM 39424 --a------ C:\WINDOWS\system32\khfGxXom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2615a303-065c-44f9-b622-b235da99b09e}]
05/08/2008 10:09 AM 106560 --a------ C:\WINDOWS\system32\ogfodbhk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D911140-FE2F-42B9-A610-AC673D1166B2}]
05/05/2008 10:28 PM 280064 --a------ C:\WINDOWS\system32\jkkHYonK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72EF51B3-8036-4865-AF8E-D6F1D5454D8F}]
C:\WINDOWS\system32\vtUkhHXO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BE3478-76C5-47B9-9AE5-8E64F5D21370}]
C:\WINDOWS\system32\ssqnKbca.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [03/21/2002 11:41 PM]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [08/20/2002 10:29 AM]
"ioloDelayModule"="C:\Program Files\iolo\System Mechanic Professional 6\delay.exe" [06/08/2005 02:31 PM]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe" [12/20/2006 06:47 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/16/2008 03:17 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [11/06/2006 02:31 PM]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" []
"e40d0f9d"="C:\WINDOWS\system32\nynyofpn.dll" [05/08/2008 10:15 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [12/20/2006 06:47 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe" [12/20/2006 06:47 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}"= C:\WINDOWS\system32\khfGxXom.dll [04/28/2008 09:48 PM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGxXom]
khfGxXom.dll 04/28/2008 09:48 PM 39424 C:\WINDOWS\system32\khfGxXom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkHYonK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 700 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 700 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp psc 700 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips FunCam Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Philips FunCam Monitor.lnk
backup=C:\WINDOWS\pss\Philips FunCam Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.JOJO-WB8V7BI8RF.001^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.JOJO-WB8V7BI8RF.001^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.JOJO-WB8V7BI8RF.001^Start Menu^Programs^Startup^Update Grokster.lnk]
path=C:\Documents and Settings\Owner.JOJO-WB8V7BI8RF.001\Start Menu\Programs\Startup\Update Grokster.lnk
backup=C:\WINDOWS\pss\Update Grokster.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\409a2.exe]
409a2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\anti_troj]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anvshell]
anvshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\auto__antiav__key]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e40d0f9d]
rundll32.exe "C:\WINDOWS\system32\ghlniyiv.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]
"C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
"C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\PROGRA~1\MICROS~4\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1133162381\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Task Agent]
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveNote]
livenote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POP]
C:\Program Files\POP\PopSrv146.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poyldufonurbo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlo]
D:\Installs\WorkFlow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YEDIEx"=2 (0x2)
"Schedule"=2 (0x2)
"RasMan"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fc9cc8-1ab8-11dc-8c98-00179a38e016}]
AutoRun\command- F:\DLair.exe




-- End of Deckard's System Scanner: finished at 2008-05-08 11:27:05 ------------




I hope this helps.

Edited by Demikun, 08 May 2008 - 11:30 AM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:40 AM

Posted 10 May 2008 - 05:15 PM

Hello Demikun and welcome to BC. Let's see what else we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users