Vundo Trojan - Sneaky Little Rrrrr.... Take 2


This topic is locked
22 replies to this topic

#1 The_Mighty_Phoenix

  • Members
  • 14 posts

Posted 22 July 2008 - 05:33 PM

As per request from SteamWiz, here are the log files titled MAIN.TXT and EXTRA.TXT from the program dss.exe (Deckard's System Scanner).

SteamWiz, I was unable to locate either of the two files you referenced from the HijackThis scan:
O4 - HKLM\..\Run: [a48535aa] rundll32.exe C:\WINDOWS\System32\jaytfvjn.dll


MAIN.TXT
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-22 15:05:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
60: 2008-07-22 22:06:08 UTC - RP496 - Deckard's System Scanner Restore Point
59: 2008-07-22 18:50:31 UTC - RP495 - System Checkpoint
58: 2008-07-21 02:47:53 UTC - RP494 - System Checkpoint
57: 2008-07-19 00:29:52 UTC - RP493 - Last known good configuration
56: 2008-07-19 00:29:15 UTC - RP492 - System Checkpoint


-- First Restore Point --
1: 2008-07-19 00:28:04 UTC - RP437 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 479 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:01 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {313907D9-4A98-43BD-BDD6-020BC0B5FB0C} - C:\WINDOWS\system32\rqRJCSMf.dll
O2 - BHO: {169a3674-20f8-3c08-1f74-35335cfc6dd3} - {3dd6cfc5-3353-47f1-80c3-8f024763a961} - C:\WINDOWS\system32\bchbis.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5E3813EF-24EC-4D5F-B33E-5B4AFFEC578E} - C:\WINDOWS\system32\iifccBrp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [a48535aa] rundll32.exe "C:\WINDOWS\system32\fvppkpjh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163311471359
O20 - Winlogon Notify: rqRJCSMf - C:\WINDOWS\SYSTEM32\rqRJCSMf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 7138 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080721-165418-617 O4 - HKLM\..\Run: [a48535aa] rundll32.exe "C:\WINDOWS\system32\jaytfvjn.dll",b

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech, Inc.; Logitech SetPoint™>

S2 LMIInfo (LogMeIn Kernel Information Provider) - c:\program files\logmein\x86\rainfo.sys (file missing)
S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint™>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_12F5103C&REV_05\4&16793A72&0&30F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_12F5103C&REV_05\4&16793A72&0&30F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4093ADC09F00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4093ADC09F00
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-07-21 15:56:19 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FFA9D7DF-C273-47A2-9CE6-8A9B150E4364}.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 14:59:48 94848 --a------ C:\WINDOWS\system32\fvppkpjh.dll
2008-07-22 14:59:44 116352 --a------ C:\WINDOWS\system32\bchbis.dll
2008-07-22 14:59:42 116352 --a------ C:\WINDOWS\system32\qgmialbr.dll
2008-07-21 14:57:06 116864 --a------ C:\WINDOWS\system32\rrmonv.dll
2008-07-21 14:57:04 116864 --a------ C:\WINDOWS\system32\cpaiowxv.dll
2008-07-21 14:57:01 92672 --a------ C:\WINDOWS\system32\jaytfvjn.dll
2008-07-21 11:13:14 0 d-------- C:\Program Files\Trend Micro
2008-07-20 14:58:14 116352 --a------ C:\WINDOWS\system32\rihdzf.dll
2008-07-20 14:58:12 116352 --a------ C:\WINDOWS\system32\trlptbir.dll
2008-07-19 10:38:44 116864 --a------ C:\WINDOWS\system32\pahdmf.dll
2008-07-19 10:38:43 116864 --a------ C:\WINDOWS\system32\mvqbgkrr.dll
2008-07-18 19:14:55 0 d-------- C:\Program Files\Antivirus 2009
2008-07-18 17:30:57 116864 --a------ C:\WINDOWS\system32\qbbkvd.dll
2008-07-18 17:30:54 116864 --a------ C:\WINDOWS\system32\awcweayt.dll
2008-07-18 17:27:52 397810 --ahs---- C:\WINDOWS\system32\prBccfii.ini2
2008-07-18 17:27:39 322816 --a------ C:\WINDOWS\system32\iifccBrp.dll
2008-07-18 17:22:31 33664 --a------ C:\WINDOWS\system32\fccdaaya.dll
2008-07-18 17:22:30 33664 --a------ C:\WINDOWS\system32\rqRJCSMf.dll
2008-07-09 12:38:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-09 12:38:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-03 18:32:54 0 dr-h----- C:\Documents and Settings\Owner\Recent


-- Find3M Report ---------------------------------------------------------------

2008-07-21 23:09:07 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-21 17:20:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-07-08 14:55:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-07-08 14:54:15 0 d-------- C:\Program Files\Yahoo!
2008-06-27 12:29:03 0 d-------- C:\Program Files\Picasa2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{313907D9-4A98-43BD-BDD6-020BC0B5FB0C}]
07/18/2008 05:22 PM 33664 --a------ C:\WINDOWS\system32\rqRJCSMf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3dd6cfc5-3353-47f1-80c3-8f024763a961}]
07/22/2008 02:59 PM 116352 --a------ C:\WINDOWS\system32\bchbis.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E3813EF-24EC-4D5F-B33E-5B4AFFEC578E}]
07/18/2008 05:27 PM 322816 --a------ C:\WINDOWS\system32\iifccBrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a48535aa"="C:\WINDOWS\system32\fvppkpjh.dll" [07/22/2008 02:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [3/30/2007 1:14:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/12/2007 12:17:29 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [9/5/2007 9:34:20 AM]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [7/25/2006 3:01:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [06/08/2005 10:02 AM 86016]
"{313907D9-4A98-43BD-BDD6-020BC0B5FB0C}"= C:\WINDOWS\system32\rqRJCSMf.dll [07/18/2008 05:22 PM 33664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCSMf]
rqRJCSMf.dll 07/18/2008 05:22 PM 33664 C:\WINDOWS\system32\rqRJCSMf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifccBrp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a239cc2-501a-11db-8bd5-00c09f80d436}]
AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{854e5cb7-f900-11dc-8d5d-00c09f80d436}]
AutoRun\command- G:\PortableRoboForm.exe
RoboForm2Go\command- G:\PortableRoboForm.exe

-- End of Deckard's System Scanner: finished at 2008-07-22 15:07:51 ------------

EXTRA.TXT
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.50GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 478.42 MiB / 184.5 MiB
Pagefile Memory (total/avail): 1121.07 MiB / 734.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.74 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 23.25 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST960822A - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: Eset NOD32 antivirus system 2.51 v2.51 (Eset)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe:*:Enabled:Dreamweaver"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe"="C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe:*:Disabled:MyIVO"
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"="C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=THEMEETINGGUY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\THEMEETINGGUY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=THEMEETINGGUY
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop 5.5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Advanced Email Verifier --> C:\PROGRA~1\G-LOCK~1\AEV5\\UNWISE.EXE C:\PROGRA~1\G-LOCK~1\AEV5\\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AskWeb --> "C:\Program Files\AW\1.0\unins000.exe"
AVI Splitter version 1.0 --> "C:\Program Files\AVISplitter\unins000.exe"
Business Contact Manager for Outlook 2003 --> MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant AC-Link Audio --> CIAunwdm.exe
CrossLoop 2.11 --> "C:\Program Files\CrossLoop\unins000.exe"
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
GraphicView 32 --> C:\PROGRA~1\GRAPHI~1\UNWISE.EXE C:\PROGRA~1\GRAPHI~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Karen's Replicator --> C:\Program Files\Karen's Power Tools\Replicator\uninst.exe
KhalSetup --> MsiExec.exe /I{C89C8D86-4423-4A58-AA40-DD259ACE07C1}
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Macromedia Dreamweaver 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
Macromedia Flash 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C93C363-414E-11D4-9756-00C04F8EEB39}\Setup.exe" UNINSTALL
Macromedia Generator 2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Macromedia\Generator 2\Uninst.isu" -c"C:\Program Files\Macromedia\Generator 2\bin\uninstall.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MPEG Splitter version 2.2 --> "C:\Program Files\MPEGSPLITTER\unins000.exe"
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Outlook Duplicates Remover 5.0 --> C:\PROGRA~1\OUTLOO~2\UNWISE.EXE C:\PROGRA~1\OUTLOO~2\INSTALL.LOG
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C\HXFSETUP.EXE -U -Ihpm30805.inf
Sonic CinePlayer DVD Pack --> MsiExec.exe /I{D4576E0D-2295-4B8E-B663-B68086B00EE5}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SyncBack --> "C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{70CEDB87-A750-498A-B168-36F66C4A2090}
VistaPrint Electronic Business Card --> MsiExec.exe /X{253FCC55-E03D-40D4-A407-3470BE4101C0}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type818 / Warning
Event Submitted/Written: 07/21/2008 05:02:50 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type813 / Warning
Event Submitted/Written: 07/21/2008 03:49:13 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type808 / Warning
Event Submitted/Written: 07/21/2008 03:44:30 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type806 / Error
Event Submitted/Written: 07/21/2008 02:36:23 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module iifccbrp.dll, version 0.0.0.0, fault address 0x00063293.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type800 / Warning
Event Submitted/Written: 07/21/2008 02:01:54 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type85892 / Error
Event Submitted/Written: 07/22/2008 10:09:29 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Event Record #/Type85891 / Warning
Event Submitted/Written: 07/22/2008 10:09:15 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F01BD036. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type85889 / Warning
Event Submitted/Written: 07/22/2008 10:08:36 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F01BD036. The following
error occurred:
%%10038.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type85876 / Error
Event Submitted/Written: 07/21/2008 09:07:31 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type85841 / Error
Event Submitted/Written: 07/21/2008 05:22:54 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

-- End of Deckard's System Scanner: finished at 2008-07-22 15:07:51 ------------


#2 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 22 July 2008 - 05:44 PM

As per instructions, I attempted to Download and Run Kaspersky Online Scanner.
The program opens and begins to install components.. but each time it gets to KOS update (?) or KOS Definitions (?) it just kills my Firefox browser. BLAM! Everything disappears. I've recreated this event 3x; happens in just about the same place each time. Eeeek! Please advise...?
Thank you,
David

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 22 July 2008 - 06:19 PM

Hi David

The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 6.0 or higher ... You HAVE to use Internet Explorer :thumbsup:

It's way past midnight here now, so I'll check your other logs tomorrow. You certainly have a lot of malware showing in the DSS log ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#4 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 22 July 2008 - 06:41 PM

Hi Steam,

Thanks for the tip on IE for Kaspersky. - However - since I couldn't run it on Firefox, I simply by-passed that step and went directly to Malwarebytes Anti-Malware. - It found 46 instances of Vundo. - LOG FILE report is here below.
PLEASE NOTE the attached Screen Shot, of a few interesting notices that appeared on Restart:

MALWARE BYTES report:

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

4:27:13 PM 7/22/2008
mbam-log-7-22-2008 (16-27-12).txt

Scan type: Quick Scan
Objects scanned: 42367
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcsmf (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a48535aa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjpkppvf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jaytfvjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njvftyaj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cpaiowxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awcweayt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdaaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbbkvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgmialbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trlptbir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rihdzf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2TFYIPFO\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL489VS2\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Antivirus 2009\av2009.exe.tmp (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

Attached Files



#5 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 23 July 2008 - 12:32 PM

Hi Steamwiz,

I hope you got some good rest last night!

Please review the mbam log, and if you would be so kind, please let me know your opinion: Is my hard drive safe now?

Thank you!

David

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 23 July 2008 - 03:44 PM

Hi David

We're not done yet ... but well on the way :thumbsup:

RE: LULnchr.exe the application C:\WINDOWS\system32\rqRJCSMf.dll is not a valid windows image ...

The C:\WINDOWS\system32\rqRJCSMf.dll was probably supposed to create the LULnchr.exe when run, but the rqRJCSMf.dll was corrupt ... this file was a vundo Trojan & has now been deleted ... so the problem is no more :)

The second screen shot is not related & is just a Firefox popup alerting you to Firefox updates ...

A lot of the files found by Malwarebytes' Anti-Malware required a reboot to remove, sometimes they are stubborn and don't go at the first attempt ... so please run Malwarebytes' Anti-Malware again & post the new log ( it will be a lot smaller or even clean)

Then I need you to run another program :-

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

-
Why don't you want to use IE to run the KASPERSKY scan ? It is an excellent deep scan (may take several hours) & may find something the other scans have missed ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#7 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 24 July 2008 - 03:13 PM

Wow it's amazing. This goes on and on.

Steamwiz, I will now post 3 logs:
1) Combofix
2) Malwarebyte
3) Kaspersky

I ran these in reverse order today (Kaspersky first)
Kaspersky found eleven infected files - but did nothing to fix them.
Malwarebyte found 5 infected files - but did nothing to fix them. (apparently the inoculation/fix feature was disabled)
Combofix found ?? infected files - I'm not sure what was done.

Here are the logs, and I'm definitely standing by... THANK YOU.

David

*************************************************************
ComboFix 08-07-23.5 - Owner 2008-07-24 12:34:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\WINDOWS\system32\bchbis.dll
C:\WINDOWS\system32\bpsxyclu.ini
C:\WINDOWS\system32\iifccBrp.dll
C:\WINDOWS\system32\mdgwlwvm.ini
C:\WINDOWS\system32\mvqbgkrr.dll
C:\WINDOWS\system32\nsyxptfr.ini
C:\WINDOWS\system32\pahdmf.dll
C:\WINDOWS\system32\prBccfii.ini
C:\WINDOWS\system32\rqRJCSMf.dll
C:\WINDOWS\system32\rrmonv.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 06:53 . 2008-07-24 06:53 <DIR> d-------- C:\Program Files\Sun
2008-07-22 16:17 . 2008-07-22 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-22 16:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 16:16 . 2008-07-22 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 16:16 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Deckard
2008-07-22 14:59 . 2008-07-22 14:59 94,848 --------- C:\WINDOWS\system32\fvppkpjh.dll
2008-07-21 11:13 . 2008-07-21 11:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-09 12:38 . 2008-07-09 12:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-09 12:38 . 2008-07-09 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 13:52 --------- d-----w C:\Program Files\Java
2008-07-22 06:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-08 21:54 --------- d-----w C:\Program Files\Yahoo!
2008-07-08 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-27 19:29 --------- d-----w C:\Program Files\Picasa2
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-30 13:14:43 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-12 12:17:29 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-09-05 09:34:20 688128]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 03:01:00 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-08 10:02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a239cc2-501a-11db-8bd5-00c09f80d436}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{854e5cb7-f900-11dc-8d5d-00c09f80d436}]
\Shell\AutoRun\command - G:\PortableRoboForm.exe
\Shell\RoboForm2Go\command - G:\PortableRoboForm.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 00:27:09 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FFA9D7DF-C273-47A2-9CE6-8A9B150E4364}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 12:38:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-24 12:39:40
ComboFix-quarantined-files.txt 2008-07-24 19:39:33

Pre-Run: 24,709,156,864 bytes free
Post-Run: 24,826,130,432 bytes free

124 --- E O F --- 2008-07-13 23:52:43
*************************************************************
Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

4:27:13 PM 7/22/2008
mbam-log-7-22-2008 (16-27-12).txt

Scan type: Quick Scan
Objects scanned: 42367
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dd6cfc5-3353-47f1-80c3-8f024763a961} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e3813ef-24ec-4d5f-b33e-5b4affec578e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcsmf (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a48535aa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifccbrp -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjpkppvf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jaytfvjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njvftyaj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cpaiowxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awcweayt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdaaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbbkvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgmialbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trlptbir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rihdzf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2TFYIPFO\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL489VS2\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Antivirus 2009\av2009.exe.tmp (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
********************************************************************************************
KASPERSKY ONLINE SCANNER 7 REPORT

file:///C:/Documents%20and%20Settings/Owner/My%20Documents/kaspersky%20report.html

Thursday, July 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 24, 2008 13:51:41
Records in database: 1002876
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 85178
Threat name 9
Infected objects 13
Suspicious objects 1
Duration of the scan 02:25:21

File name Threat name Threats count
C:\Documents and Settings\Owner\My Documents\Files\crossloopsetup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Documents and Settings\Owner\My Documents\Files\crossloopsetup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Eudora files\InBox_Archive_1998-2003.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Program Files\ESET\infected\5G3NJFDA.NQF Infected: Trojan-Downloader.Win32.Small.ykf 1
C:\Program Files\ESET\infected\F3U3HZBA.NQF Infected: Trojan-Downloader.Win32.Zlob.aky 1
C:\Program Files\ESET\infected\GCDIVSAA.NQF Infected: Trojan.Win32.Diamin.ji 1
C:\Program Files\ESET\infected\JEN4ILBA.NQF Infected: Trojan-Downloader.Win32.Zlob.aqc 1
C:\Program Files\ESET\infected\QA33FFDA.NQF Infected: Trojan-Downloader.Win32.Zlob.aky 1
C:\Program Files\ESET\infected\STN55WDA.NQF Infected: Trojan-Downloader.Win32.Zlob.aky 1
C:\what is this old files\sdsetup.exe Infected: Trojan-Downloader.Win32.Delf.gcy 1
C:\WINDOWS\system32\mvqbgkrr.dll Infected: Trojan.Win32.Monder.amg 1
C:\WINDOWS\system32\pahdmf.dll Infected: Trojan.Win32.Monder.amg 1
The selected area was scanned.

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 24 July 2008 - 03:31 PM

Hi

I'm just looking through your logs now ...

You've posted the old Malwarebytes' Anti-Malware log ... same one as before ...

4:27:13 PM 7/22/2008
mbam-log-7-22-2008 (16-27-12).txt

Please post the new one :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 24 July 2008 - 07:19 PM

Hi Steam,
I don't know why it gave it the same name. Modified date on my machine is 07/24.
Also, I ran the Full Scan.. it did NOT auto-open a .txt file this time... and as I said, there was no option to fix or repair anything.
I will try again.... thank you!
David

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 25 July 2008 - 02:58 PM

Hi David

Don't worry we'll get to the bottom of it :thumbsup:

It isn't the date which has been changed on the log, it's exactly the same log. If you are seeing a log dated 07/24, then that is the log I want you to post, people often post the wrong log by mistake, it happens a lot :)

Even though Malwarebytes' didn't show you a log, it should have saved it anyway.

Run the Malwarebytes Anti-Malware from the icon on your desktop, select the Logs tab & see if you can see the new log ?

I don't know why you were not given the option to repair/remove any malware, but if I can see the log, we can always remove anything found with another program or manually.

These files shown in your first Malwarebytes log (& some registry keys/values) were scheduled to be removed on a reboot ... did you reboot after running Malwarebytes the first time ?

Because those files were not removed at the time ...

C:\WINDOWS\system32\bchbis.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifccBrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prBccfii.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fvppkpjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRJCSMf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrmonv.dll (Trojan.Vundo) -> Delete on reboot.

However they were removed later by Combofix

Kaspersky found eleven infected files - but did nothing to fix them.


Kaspersky doesn't fix anything, it just alerts us to possible malware ...

There are just 2 "baddies" in the Kaspersky log ..

C:\WINDOWS\system32\mvqbgkrr.dll Infected: Trojan.Win32.Monder.amg 1
C:\WINDOWS\system32\pahdmf.dll Infected: Trojan.Win32.Monder.amg 1

Both of these were deleted by Combofix ...

Everything else is in quarantine or I suspect a "false positive"

I take it YOU installed this program & know what it is ?

C:\Program Files\CrossLoop

-
This :-

C:\what is this old files\sdsetup.exe Infected: Trojan-Downloader.Win32.Delf.gcy 1

is probably the Spyware Doctor setup file ...

Looking at where it is, you don't know what it is, so you have 2 choices ... delete it or have it scanned first if you intend to run it. Let me know if you want to scan it & I'll tell you how/where you can do this ...

-
This may be another "false positive"

C:\Eudora files\InBox_Archive_1998-2003.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

But it looks old, & I doubt you need it now ... to save time you could just delete it.

-
Please run this on-line scan :-

http://www.bitdefender.com/scan8/ie.html

Scan the whole computer & let it Disinfect/delete all it finds ...

copy & paste its report here please.

steam

Edited by steamwiz, 25 July 2008 - 03:01 PM.
to correct bold tags

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#11 The_Mighty_Phoenix

The_Mighty_Phoenix
  • Topic Starter

  • Members
  • 14 posts

Posted 28 July 2008 - 11:13 AM

Hi Steam,

I am just returned from 3 days away.

Last night, I ran MalWare Bytes again - This time, it behaved as expected; found two instances of Vundo, gave me the option to Remove them (I did) and auto-generated a Log File. (Posted here, below)

I must leave for a meeting now.. so will not have a chance to run the new Scan you just suggested. - I will run the new scan when I return tonight.

In the meantime, I hope this new Malware Log File proves edifying.. and as always, WOW AMAZING THANK YOU!!!!
You Rock Hard and I don't know what I can do to properly acknowledge you... I'm open to suggestions! :-)

David

*****************MALWARE LOG FILE**********************

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

7:26:04 PM 7/27/2008
mbam-log-7-27-2008 (19-25-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 120051
Time elapsed: 52 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{04132E25-9E51-4F1E-BBEA-F7BE182076D0}\RP493\A0055188.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{04132E25-9E51-4F1E-BBEA-F7BE182076D0}\RP493\A0055208.dll (Trojan.Vundo) -> No action taken.

#12 steamwiz

Posted 28 July 2008 - 03:17 PM

Hi David

The 2 instances of Trojan.Vundo found by Malwarebytes were in System Restore points; they can't do any harm from there (unless you perform a System Restore), and the last thing we shall do is purge System Restore to make sure nothing else is hiding in there :thumbsup: ... so it would not matter whether you have Malwarebytes delete those or not.

The Malwarebytes log is essentially clean :)

Please look at all the points I raised in my last post and give me an answer where you can... I look forward to seeing your bitdefender scan log :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

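Added example (not from the thread or from Malwarebytes): the point steamwiz makes about the two hits is that a file sitting in a System Restore snapshot is an inert copy until that restore point is applied, so it belongs in a different bucket from a detection in a live location. The script below parses the per-item sections of a Malwarebytes 1.x log in the format shown above, tags each detection with the restore point it lives in (if any), and lists which restore points would need purging. The sample log is constructed: the two lines are taken from the log posted above, and the third (hypothetical_example.dll) is invented so that the "live" branch is exercised; it is not a real detection from this machine.

```python
import re
from typing import Dict, List, Optional

# One detection line from the per-item sections of a Malwarebytes 1.x log:
#   <path> (<threat name>) -> <action taken>.
_DETECTION = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# System Restore keeps snapshots under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\
# A file in there is a parked copy until that restore point is applied.
_RESTORE_POINT = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)

# Constructed sample: the two detections from the posted log plus one hypothetical
# detection outside System Restore (hypothetical_example.dll is invented).
SAMPLE_LOG = r"""
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{04132E25-9E51-4F1E-BBEA-F7BE182076D0}\RP493\A0055188.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{04132E25-9E51-4F1E-BBEA-F7BE182076D0}\RP493\A0055208.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hypothetical_example.dll (Trojan.Vundo) -> No action taken.
"""


def restore_point_of(path: str) -> Optional[int]:
    """Return the restore-point number (RP<n>) if `path` is inside a System Restore
    snapshot, else None."""
    m = _RESTORE_POINT.match(path)
    return int(m.group("rp")) if m else None


def parse_mbam_log(text: str) -> List[Dict[str, object]]:
    """Parse every detection in the per-item sections of an MBAM 1.x log."""
    items: List[Dict[str, object]] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # e.g. "Files Infected:" opens a section
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = _DETECTION.match(line)
        if not m:
            continue
        rp = restore_point_of(m.group("path"))
        items.append({
            "section": section,
            "path": m.group("path"),
            "threat": m.group("threat"),
            "action": m.group("action"),
            "restore_point": rp,     # int, or None when the file is outside System Restore
            "live": rp is None,      # True = could actually be loaded; needs real cleanup
        })
    return items


def summarize(items: List[Dict[str, object]]) -> Dict[str, int]:
    """Count live detections versus copies parked in restore points."""
    live = sum(1 for i in items if i["live"])
    return {"live": live, "restore_point": len(items) - live}


def restore_points_to_purge(items: List[Dict[str, object]]) -> List[int]:
    """Sorted restore points that hold flagged files (the ones a purge would clear)."""
    return sorted({i["restore_point"] for i in items if i["restore_point"] is not None})


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for item in found:
        where = f"RP{item['restore_point']}" if not item["live"] else "LIVE"
        print(f"{where:8} {item['threat']:14} {item['path']}")
    print(summarize(found), "purge:", restore_points_to_purge(found))
```

On the posted log this reports two restore-point copies (both in RP493) and nothing live, which is why steamwiz calls it "essentially clean"; the restore point itself is what the later purge step deals with.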

#13 The_Mighty_Phoenix (Topic Starter)

Posted 28 July 2008 - 09:40 PM

Hi Steamwiz,

On a few points from above:
The Eudora log is from a file that I hope to keep and use some day, so I am loath to delete the entire file.
I attempted to search the WordPad version of that file for the infected file you found, but it could not find it.
Please advise on that.

Yes, I installed CrossLoop. However, I am happy to delete it, as I am not using it at all.

I ran BitDefender; it says my machine is still infected. The log files are attached.

Wow man this is a crazy scene. (As they say in California! :-) )

Thanks, hope you have a good night, and as always, I await your further wisdom.

David

Attached Files



#14 The_Mighty_Phoenix (Topic Starter)

Posted 28 July 2008 - 11:49 PM

Posting a new ComboFix Log File also.

Onward!

David

*********COMBOFIX LOG FILE 072608************

ComboFix 08-07-23.5 - Owner 2008-07-28 21:18:45.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 15:25 . 2008-07-28 15:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-28 15:25 . 2008-07-28 16:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-24 15:34 . 2008-07-24 15:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 15:34 . 2008-07-24 15:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-24 06:53 . 2008-07-24 06:53 <DIR> d-------- C:\Program Files\Sun
2008-07-22 16:17 . 2008-07-22 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-22 16:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 16:16 . 2008-07-22 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 16:16 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 16:16 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Deckard
2008-07-22 14:59 . 2008-07-22 14:59 94,848 --------- C:\WINDOWS\system32\fvppkpjh.dll
2008-07-21 11:13 . 2008-07-21 11:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-09 12:38 . 2008-07-09 12:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-09 12:38 . 2008-07-09 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 15:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-24 13:52 --------- d-----w C:\Program Files\Java
2008-07-08 21:54 --------- d-----w C:\Program Files\Yahoo!
2008-07-08 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-27 19:29 --------- d-----w C:\Program Files\Picasa2
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-24_12.39.18.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-28 22:27:11 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-07-28 22:27:12 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-07-28 22:27:12 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-07-28 22:27:15 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 22:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-07-28 22:27:17 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-07-28 22:27:12 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
+ 2008-01-09 22:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
- 2008-07-22 23:34:07 61,660 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-28 22:20:20 61,660 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-22 23:34:07 401,652 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-28 22:20:20 401,652 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-28 22:16:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-30 13:14:43 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-12 12:17:29 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-09-05 09:34:20 688128]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 03:01:00 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-08 10:02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a239cc2-501a-11db-8bd5-00c09f80d436}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{854e5cb7-f900-11dc-8d5d-00c09f80d436}]
\Shell\AutoRun\command - G:\PortableRoboForm.exe
\Shell\RoboForm2Go\command - G:\PortableRoboForm.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-28 05:23:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FFA9D7DF-C273-47A2-9CE6-8A9B150E4364}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 21:22:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-28 21:23:59
ComboFix-quarantined-files.txt 2008-07-29 04:23:54
ComboFix2.txt 2008-07-24 19:39:41

Pre-Run: 24,679,915,520 bytes free
Post-Run: 24,718,254,080 bytes free

131 --- E O F --- 2008-07-13 23:52:43

#15 steamwiz

Posted 30 July 2008 - 03:02 PM

Hi David

Sorry about the late reply. My internet connection was as good as down yesterday (out of my control); I couldn't even open a web page. But it's back OK again today :thumbsup:

On a few points from above:
The Eudora log is from a file that I hope to keep and use some day, so I am loath to delete the entire file.
I attempted to search the WordPad version of that file for the infected file you found, but it could not find it.
Please advise on that.


It looks like the BitDefender Online Scan has removed the threat posed by the Eudora file :)

BitDefender has removed a lot of infected files :)

All the logs are looking a lot better, but now I need you to re-run some of the scans, so that we can see just what malware is left ...

First...

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\fvppkpjh.dll


Save this as "CFScript.txt"

Then drag the CFScript.txt onto ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

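Added example (not steamwiz's method and not part of ComboFix): the two things this post does by hand are (1) pick out C:\WINDOWS\system32\fvppkpjh.dll from the "Files Created" section of the ComboFix log, and (2) write a CFScript.txt whose first line is exactly File:: with nothing above or in front of it. The script below does both over an excerpt of the log posted above. Assumptions to be clear about: the column layout is taken from that one log, not from a ComboFix specification; the "eight random lowercase letters, directly in system32" rule is a heuristic for the naming pattern this thread is chasing (fvppkpjh.dll, and jaytfvjn.dll earlier), not a signature, and anything it flags still needs a human look; the missing-archive-bit and hidden-attribute reasons are extra signals read from the attribute column; and the byte-order-mark check is a conservative addition so that File:: really is the first thing in the file.

```python
import re
from typing import Dict, List

# One entry in the "Files Created from ... to ..." section of a ComboFix log, in the
# layout seen in the log posted above (assumed layout, not a documented format):
#   <created> . <modified> <size | <DIR>> <attrs> <path>
_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[A-Za-z-]{9})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Heuristic, not a signature: the DLL names chased in this thread are eight random
# lowercase letters placed directly in system32 (fvppkpjh.dll).
_RANDOM_SYS32_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)

# Sample excerpted from the ComboFix log posted above: four real entries and the
# surrounding section headers, nothing invented.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-24 15:34 . 2008-07-24 15:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 16:16 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Deckard
2008-07-22 14:59 . 2008-07-22 14:59 94,848 --------- C:\WINDOWS\system32\fvppkpjh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
"""


def parse_files_created(log: str) -> List[Dict[str, object]]:
    """Return the entries of the 'Files Created' section as dicts."""
    entries: List[Dict[str, object]] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("((((("):   # next section header ends ours
            break
        if not in_section:
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        attrs = m.group("attrs")
        is_dir = m.group("size") == "<DIR>"
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "path": m.group("path"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m.group("size").replace(",", "")),
            "archive": "a" in attrs,   # attribute letters as they appear in the log column
            "hidden": "h" in attrs,
        })
    return entries


def flag_suspicious(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map suspicious file paths to the reasons they were flagged (heuristic)."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if e["is_dir"]:
            continue
        path = str(e["path"])
        reasons: List[str] = []
        if _RANDOM_SYS32_DLL.match(path):
            reasons.append("eight-random-letter DLL directly in system32")
            if not e["archive"]:
                reasons.append("archive bit clear on a newly created file")
            if e["hidden"]:
                reasons.append("hidden attribute set")
        if reasons:
            flagged[path] = reasons
    return flagged


def build_cfscript(paths: List[str]) -> str:
    """CFScript.txt text: 'File::' on the very first line, one absolute path per line,
    CRLF endings, no byte-order mark and no leading whitespace."""
    return "File::\r\n" + "".join(p + "\r\n" for p in paths)


def validate_cfscript(text: str) -> List[str]:
    """Check the formatting rules given in the post above; an empty list means OK."""
    problems: List[str] = []
    if text.startswith("\ufeff"):
        problems.append("text begins with a byte-order mark, so 'File::' is not the first bytes")
        text = text[1:]
    lines = text.splitlines()
    if not lines or lines[0] != "File::":
        problems.append("first line must be exactly 'File::' (no blank line above, no leading space)")
    for n, line in enumerate(lines[1:], start=2):
        if line and not re.match(r"^[A-Za-z]:\\", line):
            problems.append(f"line {n}: not an absolute drive path: {line!r}")
    return problems


if __name__ == "__main__":
    hits = flag_suspicious(parse_files_created(SAMPLE_COMBOFIX))
    for p, why in hits.items():
        print(p, "->", "; ".join(why))
    script = build_cfscript(list(hits))
    print(validate_cfscript(script) or "CFScript.txt is well formed")
    print(script, end="")
```

On the excerpt this flags only fvppkpjh.dll (created 2008-07-22 14:59, no archive bit) and emits a two-line CFScript.txt identical to the one in the post. The validator exists because the usual way this step goes wrong is invisible in Notepad: a blank first line, a leading space, or an editor that writes a BOM.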



