
Vundo Infection


  • This topic is locked
14 replies to this topic

#1 frozenbutt

frozenbutt

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 02 August 2008 - 10:39 PM

Well I buggered it up now :-) I had this Vundo thing last winter and was able to get rid of it but I can't find the sheets that I had before that gave me the instructions. I have it on 2 computers now and of course it is my fault but I got caught with my pants down thinking everything was ok and installed something on my daughter's computer and now she has it too. I am running bitdefender on mine and noticed today that it was gone from the task bar. When I started it again it popped up right away with the vundo crap. I tried SAS and it didn't find anything. I tried MAM and it found it all. Deleted most and asked for a reboot to get rid of the rest. I did that but it came right back. Tried safe mode with the same results. Ran combofix and made things worse as it screwed up my bitdefender and I had to fix that.

I have the usual jumble-of-letters .dll files, 6 or 8 letters long, in the windows\system32 folder. 2 dll files and 1 ini file keep coming back.

So I thought maybe I better stop while I can still get online and ask for help...

As per instructions here is the dss log first.

Deckard's System Scanner v20071014.68
Run by prc on 2008-08-02 23:23:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-08-03 03:23:24 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-08-03 03:07:09 UTC - RP2 - Last known good configuration
1: 2008-08-03 03:06:58 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as prc.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24, on 2008-08-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
F:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TrippLite\PowerAlert\engine\pa.exe
F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\DS Clock\dsclock.exe
F:\PROGRA~1\MI3AA1~1\rapimgr.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\Documents and Settings\prc\Start Menu\Programs\Startup\UltraMon.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
F:\WINDOWS\explorer.exe
C:\AV\dss.exe
C:\AV\HJT\prc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {b7ca37a3-dce7-1169-1ab4-8c37e2850597} - {7950582e-73c8-4ba1-9611-7ecd3a73ac7b} - F:\WINDOWS\system32\pfpjla.dll
O2 - BHO: (no name) - {90B37118-33A1-4E9C-8A95-31FC2B13C6B2} - F:\WINDOWS\system32\wvUNExVO.dll (file missing)
O2 - BHO: (no name) - {912DEA58-2F29-4DEF-98D7-0BE98B5ECD21} - F:\WINDOWS\system32\jvcwxgke.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LanTalk.NET] F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PALogView] F:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BMff179419] Rundll32.exe "F:\WINDOWS\system32\jkyfupfw.dll",s
O4 - HKLM\..\Run: [20e01e4f] rundll32.exe "F:\WINDOWS\system32\ppcttgrv.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DS Clock] "F:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [WeatherEye] F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [AnyDVD] F:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeCommander.lnk = F:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: NuonSoft Wallpaper Cycler.lnk = F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
O4 - Startup: Shortcut to loader.exe.lnk = F:\Program Files\Trillian\loader.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UltraMon.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: PalTalk.lnk = F:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: pfpjla.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBrpnOf - F:\WINDOWS\SYSTEM32\geBrpnOf.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Folder Size (FolderSize) - Brio - F:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MagicTuneEngine - Unknown owner - F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PowerAlert Agent - Unknown owner - F:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9987 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BootScreen - f:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
R1 NCPro - f:\windows\system32\drivers\mtictwl.sys
R2 UltraMonUtility (UltraMon Utility Driver) - f:\program files\common files\realtime soft\ultramonmirrordrv\x32\ultramonutility.sys <Not Verified; Realtime Soft; UltraMon>
R3 AL101 (Airlink101 802.11g PCI Driver) - f:\windows\system32\drivers\al101.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11 Wireless Adapters>
R3 BDSelfPr - f:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>
R3 pcouffin (VSO Software pcouffin) - f:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 UltraMonMirror - f:\windows\system32\drivers\ultramonmirror.sys <Not Verified; Realtime Soft; UltraMon>
R3 vsbus (Virtual Serial Bus Enumerator) - f:\windows\system32\drivers\vsb.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Bus>

S3 MagicTune - f:\windows\system32\drivers\mtictwl.sys
S3 MBAMCatchMe - f:\windows\system32\drivers\mbamcatchme.sys (file missing)
S3 usbbus (LGE CDMA Composite USB Device) - f:\windows\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
S3 UsbDiag (LGE CDMA USB Serial Port) - f:\windows\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
S3 USBModem (LGE CDMA USB Modem) - f:\windows\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>
S3 vserial (ELTIMA Virtual Serial Ports Driver) - f:\windows\system32\drivers\vserial.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Ports>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FolderSize (Folder Size) - "f:\program files\foldersize\foldersizesvc.exe" <Not Verified; Brio; Folder Size for Windows>
R2 Logitech Easy Synchronization - f:\program files\logitech\easy synchronization\servicestub.exe
R2 Nero BackItUp Scheduler 3 - f:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - f:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
R2 PowerAlert Agent - f:\program files\tripplite\poweralert\engine/pa.exe -service

S2 MagicTuneEngine - f:\program files\magictune premium\magictuneengine.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_81EC1043&REV_02\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_81EC1043&REV_02\3&11583659&0&FB
Service:


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 23:22:53 81984 --a------ F:\WINDOWS\system32\bdod.bin
2008-08-02 23:12:49 100864 --a------ F:\WINDOWS\system32\pfpjla.dll
2008-08-02 22:49:56 25600 --a------ F:\WINDOWS\system32\geBrpnOf.dll
2008-08-02 22:44:52 68096 --a------ F:\WINDOWS\zip.exe
2008-08-02 22:44:52 49152 --a------ F:\WINDOWS\VFind.exe
2008-08-02 22:44:52 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-02 22:44:52 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-02 22:44:52 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-02 22:44:52 98816 --a------ F:\WINDOWS\sed.exe
2008-08-02 22:44:52 80412 --a------ F:\WINDOWS\grep.exe
2008-08-02 22:44:52 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-31 14:18:11 0 d-------- F:\Program Files\SEC
2008-07-31 08:24:26 0 --a------ F:\WINDOWS\nsreg.dat
2008-07-31 08:24:20 0 d-------- F:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-31 08:15:00 13312 --a------ F:\WINDOWS\system32\drivers\MTictwl.sys
2008-07-31 08:14:40 0 d-------- F:\Program Files\MagicTune Premium
2008-07-20 21:07:57 356352 --a------ F:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-07-20 21:07:40 0 d-------- F:\Program Files\Common Files\DeskShare Shared
2008-07-20 21:07:35 0 d-------- F:\Program Files\Deskshare
2008-07-17 23:15:10 0 d-------- F:\Program Files\Westtek
2008-07-16 23:20:29 162816 --a------ F:\WINDOWS\system32\fmod.dll <Not Verified; Firelight Technologies Pty, Ltd; FMOD>
2008-07-16 23:13:47 90112 --a------ F:\WINDOWS\RSetupCE.exe
2008-07-16 23:13:43 0 d-------- F:\Program Files\Resco
2008-07-09 23:21:56 0 d-------- F:\Documents and Settings\prc\Application Data\Duality Software


-- Find3M Report ---------------------------------------------------------------

2008-08-02 23:19:42 0 d-------- F:\Program Files\Mozilla Firefox 3 Beta 5
2008-08-02 23:03:29 0 d-------- F:\Program Files\Mozilla Thunderbird
2008-08-02 22:59:33 0 d-------- F:\Program Files\FreeCommander
2008-08-02 22:51:09 0 d-------- F:\Program Files\Trillian
2008-08-02 22:49:54 0 d-------- F:\Program Files\Common Files\Akamai
2008-08-02 22:45:55 0 d-------- F:\Program Files\Common Files
2008-08-02 22:04:53 0 d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 21:46:28 0 d-------- F:\Documents and Settings\prc\Application Data\Metacafe
2008-07-31 14:18:09 0 d--h----- F:\Program Files\InstallShield Installation Information
2008-07-31 07:34:22 0 d-------- F:\Program Files\Quicken
2008-07-27 21:36:50 0 d-------- F:\Documents and Settings\prc\Application Data\uTorrent
2008-07-24 21:36:08 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-19 21:06:37 0 d-------- F:\Program Files\eMule
2008-07-10 14:08:58 0 d-------- F:\Program Files\Java
2008-07-09 23:21:56 0 d-------- F:\Program Files\DS Clock
2008-07-01 19:36:40 0 d-------- F:\Program Files\Common Files\Logishrd
2008-07-01 19:35:21 0 d-------- F:\Documents and Settings\prc\Application Data\InstallShield
2008-06-27 16:04:42 0 d-------- F:\Program Files\MP3 Splitter & Joiner
2008-06-18 19:47:21 0 d-------- F:\Program Files\Metacafe
2008-06-18 19:14:13 0 d-------- F:\Program Files\Conduits Pocket Player
2008-06-18 18:43:35 0 d-------- F:\Program Files\My Mobile
2008-06-18 06:48:47 0 d-------- F:\Documents and Settings\prc\Application Data\Vso
2008-06-18 06:48:45 668 --a------ F:\Documents and Settings\prc\Application Data\vso_ts_preview.xml
2008-06-17 19:30:22 34 --a------ F:\Documents and Settings\prc\Application Data\pcouffin.log
2008-06-17 19:30:17 47360 --a------ F:\Documents and Settings\prc\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-17 19:30:17 1144 --a------ F:\Documents and Settings\prc\Application Data\pcouffin.inf
2008-06-17 19:30:17 7887 --a------ F:\Documents and Settings\prc\Application Data\pcouffin.cat
2008-06-17 19:30:08 0 d-------- F:\Program Files\VSO
2008-06-17 16:44:20 0 d-------- F:\Program Files\SUPERAntiSpyware
2008-06-17 16:44:20 0 d-------- F:\Documents and Settings\prc\Application Data\SUPERAntiSpyware.com
2008-06-17 16:43:40 0 d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 21:03:54 0 d-------- F:\Program Files\MagicISO
2008-06-15 14:34:35 0 d-------- F:\Program Files\TrippLite
2008-06-15 14:34:14 0 d-------- F:\Program Files\Common Files\InstallShield
2008-06-09 17:28:20 0 d-------- F:\Program Files\Microsoft Streets & Trips
2008-06-09 17:27:39 0 d-------- F:\Program Files\Microsoft Location Finder
2008-06-02 08:53:54 0 d-------- F:\Program Files\Better File Rename
2008-05-22 12:07:37 2528 --a------ F:\Documents and Settings\prc\Application Data\$_hpcst$.hpc
2008-05-18 18:45:27 2560 --a------ F:\WINDOWS\_MSRSTRT.EXE
2008-05-18 07:49:10 21640 --a------ F:\WINDOWS\system32\emptyregdb.dat
2008-05-18 03:39:26 62 --ahs---- F:\Documents and Settings\prc\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-08-02 23:24:37 ------------

Thanks in advance for helping. Worst damn thing is the files that I think caused the problem show clean when scanned with bitdefender, SAS and MAM????

Let me know what is needed next and I will do it asap


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:49 PM

Posted 03 August 2008 - 02:24 AM

Hello frozenbutt

Please print out these instructions or copy and paste this fix into Notepad for future reference.

Open HijackThis again, select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: {b7ca37a3-dce7-1169-1ab4-8c37e2850597} - {7950582e-73c8-4ba1-9611-7ecd3a73ac7b} - F:\WINDOWS\system32\pfpjla.dll
O2 - BHO: (no name) - {90B37118-33A1-4E9C-8A95-31FC2B13C6B2} - F:\WINDOWS\system32\wvUNExVO.dll (file missing)
O2 - BHO: (no name) - {912DEA58-2F29-4DEF-98D7-0BE98B5ECD21} - F:\WINDOWS\system32\jvcwxgke.dll (file missing)
O4 - HKLM\..\Run: [BMff179419] Rundll32.exe "F:\WINDOWS\system32\jkyfupfw.dll",s
O4 - HKLM\..\Run: [20e01e4f] rundll32.exe "F:\WINDOWS\system32\ppcttgrv.dll",b
O20 - AppInit_DLLs: pfpjla.dll
O20 - Winlogon Notify: geBrpnOf - F:\WINDOWS\SYSTEM32\geBrpnOf.dll

Close all other open windows and click on Fix checked, then exit HijackThis.


Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please rescan with HijackThis and post the new log and the MalwareBytes results.
ourwilly
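The seven entries ourwilly picked out of the HijackThis log follow a few recognisable patterns: a BHO whose "name" is a bare GUID, BHOs whose file is already gone, Run values that call rundll32 on a system32 DLL with a one-letter entry point, an AppInit_DLLs value, and a Winlogon Notify package that belongs to no known product. The script below is an added example, not code from this thread or from HijackThis, that encodes those patterns so the same screening can be repeated on the second machine's log. The `Finding` class, the regexes and the heuristics are my own; the `KNOWN_NOTIFY` allowlist is an assumption, and the sample lines are taken from the log posted above with a few benign entries kept for contrast.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code posted in this thread: it encodes the judgement a
malware-removal helper applies by hand when reading an HJT log.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section the entry came from, e.g. "O2"
    subject: str  # file name the finding is about
    reason: str   # why a helper would review or fix the entry
    line: str     # the original log line, so it can go straight into a fix list


# Constructed allowlist of Winlogon Notify packages from known products.
# An assumption for this example, not an authoritative list.
KNOWN_NOTIFY = {"!saswinlogon"}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - HK\S*\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<entry>\S+)', re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = " (file missing)"


def _basename(win_path: str) -> str:
    """Last component of a Windows path (os.path will not split backslashes on Linux)."""
    return win_path.rstrip().rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HJT log line."""
    line = line.strip()
    found: list[Finding] = []
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if GUID_RE.match(name):
            # Legitimate BHOs carry a product name; a bare GUID as the name is
            # the pattern the Vundo entries in the log above show.
            found.append(Finding("O2", _basename(path), "BHO registered under a GUID instead of a product name", line))
        if path.endswith(MISSING):
            found.append(Finding("O2", _basename(path[: -len(MISSING)]), "BHO points at a file that no longer exists", line))
        return found
    m = RUN_RE.match(line)
    if m:
        r = RUNDLL_RE.match(m.group("cmd"))
        if r and len(r.group("entry")) == 1:
            # Real rundll32 autostarts name a descriptive export (NvStartup);
            # a one-letter entry point on a random DLL name does not.
            found.append(Finding("O4", _basename(r.group("dll")), "rundll32 autostart with a one-letter entry point", line))
        return found
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that loads user32.dll,
        # so any value here deserves review.
        for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
            found.append(Finding("O20", dll, "DLL injected system-wide via AppInit_DLLs", line))
        return found
    m = NOTIFY_RE.match(line)
    if m and m.group("name").lower() not in KNOWN_NOTIFY:
        found.append(Finding("O20", _basename(m.group("path")), "Winlogon Notify package outside the allowlist", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole HJT log."""
    return [f for ln in text.splitlines() for f in triage_line(ln)]


def lines_to_fix(text: str) -> list[str]:
    """Distinct flagged lines in log order: the list a helper would post."""
    return list(dict.fromkeys(f.line for f in triage_log(text)))


# Sample lines drawn from the HijackThis log posted above, with benign entries
# (Java BHO, NVIDIA autostart, CTFMON, SUPERAntiSpyware) kept for contrast.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {b7ca37a3-dce7-1169-1ab4-8c37e2850597} - {7950582e-73c8-4ba1-9611-7ecd3a73ac7b} - F:\WINDOWS\system32\pfpjla.dll
O2 - BHO: (no name) - {90B37118-33A1-4E9C-8A95-31FC2B13C6B2} - F:\WINDOWS\system32\wvUNExVO.dll (file missing)
O2 - BHO: (no name) - {912DEA58-2F29-4DEF-98D7-0BE98B5ECD21} - F:\WINDOWS\system32\jvcwxgke.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMff179419] Rundll32.exe "F:\WINDOWS\system32\jkyfupfw.dll",s
O4 - HKLM\..\Run: [20e01e4f] rundll32.exe "F:\WINDOWS\system32\ppcttgrv.dll",b
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: pfpjla.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBrpnOf - F:\WINDOWS\SYSTEM32\geBrpnOf.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT):
        print(f"{f.section:<4}{f.subject:<14}{f.reason}")
    print("\nEntries to check in HijackThis:\n" + "\n".join(lines_to_fix(SAMPLE_HJT)))
```

Run on the sample, `lines_to_fix` returns exactly the seven lines listed in the post above and nothing else; the NVIDIA and Java entries survive because they name a product and a descriptive export. The heuristics are deliberately structural rather than name-based, since the random DLL names change on every reinfection while the registration patterns do not.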

#3 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 03 August 2008 - 09:48 AM

MAM log

Malwarebytes' Anti-Malware 1.24
Database version: 1019
Windows 5.1.2600 Service Pack 2

10:34:46 2008-08-03
mbam-log-8-3-2008 (10-34-46).txt

Scan type: Full Scan (F:\|)
Objects scanned: 82051
Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
F:\WINDOWS\system32\cbXpQIYQ.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\geBrpnOf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4928bec-8a76-4436-b7e4-17df3891ade4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a4928bec-8a76-4436-b7e4-17df3891ade4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ba98aa71-a42d-4a06-b991-75cb1b28352e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrpnof (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ba98aa71-a42d-4a06-b991-75cb1b28352e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20e01e4f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmff179419 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: f:\windows\system32\cbxpqiyq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\cbxpqiyq -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\cbXpQIYQ.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\QYIQpXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\QYIQpXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\geBrpnOf.dll (Trojan.Vundo) -> Delete on reboot.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\CP2RAN0D\2oxu[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\CP2RAN0D\kb671231[1] (Trojan.Vundo) -> Delete on reboot.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\ENRRZSWV\CAWT8DWF (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\ENRRZSWV\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\GHKZWQH7\CAC36B6P (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Documents and Settings\prc\Local Settings\Temporary Internet Files\Content.IE5\WIMP355L\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{EB27691C-699F-4255-99CA-0A52C01A6FF6}\RP2\A0000070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{EB27691C-699F-4255-99CA-0A52C01A6FF6}\RP3\A0000084.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\fjhvmqqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\cbixbrbw.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\hjdgko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\lyyftcfe.dll (Trojan.Vundo) -> Delete on reboot.
F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
F:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\BMff179419.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\BMff179419.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


HJT log after reboot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40, on 2008-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\DS Clock\dsclock.exe
F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
F:\PROGRA~1\MI3AA1~1\rapimgr.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\MagicTune Premium\GammaTray.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\SEC\Natural Color Pro\NCProTray.exe
F:\Program Files\Paltalk Messenger\paltalk.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Metacafe\MetacafeAgent.exe
F:\Program Files\FreeCommander\FreeCommander.exe
F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
F:\Program Files\Trillian\trillian.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\Documents and Settings\prc\Start Menu\Programs\Startup\UltraMon.exe
F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
F:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TrippLite\PowerAlert\engine\pa.exe
F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\MagicTune Premium\MagicTune.exe
C:\AV\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
O2 - BHO: {dc8d2229-b5d6-a55a-bae4-c080b692fcd6} - {6dcf296b-080c-4eab-a55a-6d5b9222d8cd} - F:\WINDOWS\system32\hjdgko.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LanTalk.NET] F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PALogView] F:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DS Clock] "F:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [WeatherEye] F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [AnyDVD] F:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeCommander.lnk = F:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: NuonSoft Wallpaper Cycler.lnk = F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
O4 - Startup: Shortcut to loader.exe.lnk = F:\Program Files\Trillian\loader.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UltraMon.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: PalTalk.lnk = F:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: hjdgko.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJYpMed - F:\WINDOWS\SYSTEM32\mlJYpMed.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Folder Size (FolderSize) - Brio - F:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MagicTuneEngine - Unknown owner - F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PowerAlert Agent - Unknown owner - F:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 10074 bytes

and like fleas it's back. I have bdod.bin, 2 .dll files, an ini file and a txt file that all showed up.

sigh

#4 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 03 August 2008 - 10:52 AM

Hello frozenbutt

Please go to: http://virusscan.jotti.org/
At the top, select the Browse button, then navigate to this file and submit it to be scanned:
F:\WINDOWS\SYSTEM32\mlJYpMed.dll
Please copy & paste the results back to me.

Open HijackThis again, select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: {dc8d2229-b5d6-a55a-bae4-c080b692fcd6} - {6dcf296b-080c-4eab-a55a-6d5b9222d8cd} - F:\WINDOWS\system32\hjdgko.dll (file missing)
O20 - AppInit_DLLs: hjdgko.dll
O20 - Winlogon Notify: mlJYpMed - F:\WINDOWS\SYSTEM32\mlJYpMed.dll

Close all other open windows and click on Fix checked, then exit HijackThis.


Please visit this webpage for download links and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the following reports:

the C:\ComboFix.txt,
a new HijackThis log,
and the Jotti results.
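A defender-side triage of the kind of entries ourwilly singles out above, as an added example that is not part of this thread and not code from HijackThis or ComboFix. It parses the O2/O20 load points (BHO, AppInit_DLLs, Winlogon Notify) from a HijackThis log, using lines copied from frozenbutt's log earlier in the thread as constructed input, and scores each DLL on the signals visible there: not on a known-good list, a random-looking 6-8 letter name (the "jumble of letters" frozenbutt described), a dangling "(file missing)" registration, and the same DLL hooked in more than one load point. It also pairs a .dll with an .ini/.ini2 whose name is the DLL name spelled backwards, the pattern seen in the ComboFix "Other Deletions" later in the thread (ljJATjGv.dll next to vGjTAJjl.ini). The known-good list and the random-name heuristic are assumptions for illustration, not part of any tool; a real triage would check publisher signatures rather than names.

```python
"""Triage helpers for HijackThis / ComboFix output from a suspected Vundo infection.

Added example for this thread; not code from BleepingComputer, HijackThis or
ComboFix. The sample log lines are copied from the thread; the known-good list
and the name heuristic are assumptions for illustration.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Load points Vundo used on this machine: BHO (O2), AppInit_DLLs and
# Winlogon Notify (both O20). Code registered there runs in every IE
# process or at every logon, so an unknown DLL there deserves a look.
HIGH_RISK_PREFIXES = ("O2 - BHO:", "O20 - AppInit_DLLs:", "O20 - Winlogon Notify:")

# Assumption: DLLs that legitimately sat in those load points on this system.
KNOWN_GOOD = {"ssv.dll", "saswinlo.dll", "lbtwlgn.dll", "mcpstub.dll"}

# Last backslash/space-free token ending in .dll, e.g. "hjdgko.dll" from a full path.
DLL_RE = re.compile(r"([^\\\s]+\.dll)", re.IGNORECASE)

# Constructed input: O2/O3/O20 lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: {dc8d2229-b5d6-a55a-bae4-c080b692fcd6} - {6dcf296b-080c-4eab-a55a-6d5b9222d8cd} - F:\WINDOWS\system32\hjdgko.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O20 - AppInit_DLLs: hjdgko.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJYpMed - F:\WINDOWS\SYSTEM32\mlJYpMed.dll
"""

# Constructed input: the "Other Deletions" paths from the ComboFix log in this thread.
SAMPLE_DELETIONS = [
    r"F:\WINDOWS\system32\ljJATjGv.dll",
    r"F:\WINDOWS\system32\mlJYpMed.dll",
    r"F:\WINDOWS\system32\vGjTAJjl.ini",
    r"F:\WINDOWS\system32\vGjTAJjl.ini2",
    r"F:\WINDOWS\buddy.ini",
]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption) for the 'jumble of letters' names: 6-8 letters that
    either change case mid-word or contain almost no vowels."""
    if not re.fullmatch(r"[A-Za-z]{6,8}", stem):
        return False
    body = stem[1:]
    mixed_case = any(c.isupper() for c in body) and any(c.islower() for c in body)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return mixed_case or vowel_ratio <= 0.2


def flag_hjt_entries(log_text: str):
    """Return (dll_name_lower, score, reasons) for every O2/O20 entry that earned
    at least one reason; entries with no reasons (known-good DLLs) are omitted."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(HIGH_RISK_PREFIXES):
            continue
        names = DLL_RE.findall(line)
        if names:
            entries.append((line, names[-1]))

    hooked = Counter(name.lower() for _, name in entries)
    results = []
    for line, name in entries:
        key = name.lower()
        reasons = []
        if key not in KNOWN_GOOD:
            reasons.append("not on the known-good list")
        if looks_random(name.rsplit(".", 1)[0]):
            reasons.append("random-looking name")
        if "(file missing)" in line:
            reasons.append("registration left behind after the file was removed")
        if hooked[key] > 1:
            reasons.append(f"same DLL hooked in {hooked[key]} load points")
        if reasons:
            results.append((key, len(reasons), reasons))
    return results


def find_reversed_pairs(paths):
    """Pair each .dll with an .ini/.ini2 in the same folder whose stem is the
    DLL stem spelled backwards (ljJATjGv.dll <-> vGjTAJjl.ini)."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)
    pairs = []
    for items in by_dir.values():
        dlls = {w.stem.lower(): w for w in items if w.suffix.lower() == ".dll"}
        for w in items:
            if w.suffix.lower() in (".ini", ".ini2") and w.stem.lower()[::-1] in dlls:
                pairs.append((dlls[w.stem.lower()[::-1]].name, w.name))
    return sorted(pairs)


if __name__ == "__main__":
    for dll, score, reasons in sorted(flag_hjt_entries(SAMPLE_HJT), key=lambda r: -r[1]):
        print(f"{score}  {dll}: {'; '.join(reasons)}")
    for dll, ini in find_reversed_pairs(SAMPLE_DELETIONS):
        print(f"reversed-name pair: {dll} <-> {ini}")
```

Run against the sample, the three entries ourwilly asked to have fixed come out on top (hjdgko.dll scores highest because it is both a dangling BHO and an AppInit_DLLs entry), while ssv.dll and SASWINLO.dll produce nothing. The reversed-name check is what a second look at a ComboFix "Files Created" or "Other Deletions" section should catch: an .ini that mirrors a DLL name is not a configuration file anyone wrote.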

#5 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts

Posted 03 August 2008 - 01:46 PM

OK, here are the Jotti results.

Scanner results
Scan taken on 03 Aug 2008 18:18:32 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Vundo.U
BitDefender Found Trojan.Vundo.EWZ
ClamAV Found Trojan.Vundo-6020
CPsecure Found nothing
Dr.Web Found Trojan.Virtumod.based.21
F-Prot Antivirus Found W32/Virtumonde.AB.gen!Eldorado
F-Secure Anti-Virus Found Trojan.Win32.Monderc.gen
Fortinet Found nothing
Ikarus Found Trojan.Win32.Monderc
Kaspersky Anti-Virus Found Trojan.Win32.Monderc.gen
NOD32 Found nothing
Norman Virus Control Found Vundo.gen192
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Monderc.gen

Then I ran HJT and fixed what you said to fix. Then I ran ComboFix, and here is the log for that.

ComboFix 08-08-01.05 - prc 2008-08-03 14:26:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1460 [GMT -4:00]
Running from: F:\Documents and Settings\prc\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\ljJATjGv.dll
F:\WINDOWS\system32\mlJYpMed.dll
F:\WINDOWS\system32\vGjTAJjl.ini
F:\WINDOWS\system32\vGjTAJjl.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 12:51 . 2008-08-03 14:33 81,984 --a------ F:\WINDOWS\system32\bdod.bin
2008-08-02 23:22 . 2008-08-02 23:22 <DIR> d-------- F:\Deckard
2008-08-02 22:04 . 2008-07-30 20:07 38,472 --a------ F:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 14:18 . 2008-07-31 14:18 <DIR> d-------- F:\Program Files\SEC
2008-07-31 14:18 . 2003-02-24 16:20 827,392 -ra------ F:\WINDOWS\system32\Flash.ocx
2008-07-31 08:24 . 2008-07-31 08:24 0 --a------ F:\WINDOWS\nsreg.dat
2008-07-31 08:15 . 2006-08-28 17:12 13,312 --a------ F:\WINDOWS\system32\drivers\MTictwl.sys
2008-07-31 08:14 . 2008-07-31 08:15 <DIR> d-------- F:\Program Files\MagicTune Premium
2008-07-21 08:11 . 2008-07-21 08:11 24,392 --a------ F:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-20 21:07 . 2008-07-20 21:07 <DIR> d-------- F:\Program Files\Deskshare
2008-07-20 21:07 . 2008-07-20 21:07 <DIR> d-------- F:\Program Files\Common Files\DeskShare Shared
2008-07-20 21:07 . 2008-07-20 21:07 356,352 --a------ F:\WINDOWS\eSellerateEngine.dll
2008-07-20 21:07 . 2004-12-07 10:11 258,352 --a------ F:\WINDOWS\system32\Unicows.dll
2008-07-20 21:07 . 2004-03-09 00:00 224,016 --a------ F:\WINDOWS\system32\TABCTL32.OCX
2008-07-18 07:14 . 2008-07-18 07:14 99,648 --a------ F:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-17 23:15 . 2008-07-17 23:15 <DIR> d-------- F:\Program Files\Westtek
2008-07-16 23:20 . 2008-07-17 15:36 162,816 --a------ F:\WINDOWS\system32\fmod.dll
2008-07-16 23:13 . 2008-07-16 23:13 <DIR> d-------- F:\Program Files\Resco
2008-07-16 23:13 . 2007-10-10 19:38 90,112 --a------ F:\WINDOWS\RSetupCE.exe
2008-07-09 23:21 . 2008-07-09 23:21 <DIR> d-------- F:\Documents and Settings\prc\Application Data\Duality Software
2008-07-09 18:20 . 2008-07-09 18:20 886 --a------ F:\WINDOWS\buddy.ini
2008-07-09 18:20 . 2008-07-09 18:20 496 --a------ F:\plugins.ini
2008-07-09 18:20 . 2008-07-09 18:20 134 --a------ F:\WINDOWS\toolkit.ini
2008-07-09 18:20 . 2008-07-09 18:20 50 --a------ F:\Cordonata.ini
2008-07-09 18:16 . 2008-07-09 18:20 894 --a------ F:\WINDOWS\trillian.ini
2008-07-09 18:16 . 2008-07-09 18:20 384 --a------ F:\WINDOWS\talk.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 18:32 --------- d-----w F:\Program Files\Trillian
2008-08-03 18:32 --------- d-----w F:\Program Files\FreeCommander
2008-08-03 18:32 --------- d-----w F:\Program Files\Common Files\Akamai
2008-08-03 18:16 --------- d-----w F:\Program Files\Mozilla Firefox 3 Beta 5
2008-08-03 18:15 --------- d-----w F:\Documents and Settings\prc\Application Data\Metacafe
2008-08-03 14:26 --------- d-----w F:\Program Files\Mozilla Thunderbird
2008-08-03 02:04 --------- d-----w F:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 23:25 78,240 ----a-w F:\WINDOWS\system32\drivers\FILEM701.SYS
2008-07-31 18:18 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-07-31 11:34 --------- d-----w F:\Program Files\Quicken
2008-07-31 00:07 17,144 ----a-w F:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 01:36 --------- d-----w F:\Documents and Settings\prc\Application Data\uTorrent
2008-07-28 01:22 --------- d-----w F:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-25 01:36 --------- d-----w F:\Program Files\Microsoft ActiveSync
2008-07-25 00:07 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 07:00 --------- d-----w F:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 01:06 --------- d-----w F:\Program Files\eMule
2008-07-10 18:08 --------- d-----w F:\Program Files\Java
2008-07-10 03:21 --------- d-----w F:\Program Files\DS Clock
2008-07-01 23:43 --------- d-----w F:\Documents and Settings\All Users\Application Data\LogiShrd
2008-07-01 23:36 0 ---ha-w F:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-07-01 23:36 --------- d-----w F:\Program Files\Common Files\Logishrd
2008-07-01 23:35 --------- d-----w F:\Documents and Settings\prc\Application Data\InstallShield
2008-06-27 20:04 --------- d-----w F:\Program Files\MP3 Splitter & Joiner
2008-06-20 17:36 245,248 ----a-w F:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w F:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w F:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w F:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 23:47 --------- d-----w F:\Program Files\Metacafe
2008-06-18 23:47 --------- d-----w F:\Documents and Settings\All Users\Application Data\Metacafe
2008-06-18 23:14 --------- d-----w F:\Program Files\Conduits Pocket Player
2008-06-18 22:43 --------- d-----w F:\Program Files\My Mobile
2008-06-18 10:48 --------- d-----w F:\Documents and Settings\prc\Application Data\Vso
2008-06-18 00:50 --------- d-----w F:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-17 23:30 47,360 ----a-w F:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-17 23:30 47,360 ----a-w F:\Documents and Settings\prc\Application Data\pcouffin.sys
2008-06-17 23:30 --------- d-----w F:\Program Files\VSO
2008-06-17 20:44 --------- d-----w F:\Program Files\SUPERAntiSpyware
2008-06-17 20:44 --------- d-----w F:\Documents and Settings\prc\Application Data\SUPERAntiSpyware.com
2008-06-17 20:43 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 01:03 --------- d-----w F:\Program Files\MagicISO
2008-06-15 18:34 --------- d-----w F:\Program Files\TrippLite
2008-06-15 18:34 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-06-13 13:10 272,128 ------w F:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 21:28 --------- d-----w F:\Program Files\Microsoft Streets & Trips
2008-06-09 21:27 --------- d-----w F:\Program Files\Microsoft Location Finder
2008-05-31 11:13 127,034 ------r F:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-05-28 22:26 128,840 ----a-w F:\WINDOWS\system32\Metacafe.scr
2008-05-18 22:45 2,560 ----a-w F:\WINDOWS\_MSRSTRT.EXE
2008-05-07 04:55 1,288,192 ----a-w F:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="F:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"DS Clock"="F:\Program Files\DS Clock\dsclock.exe" [2008-06-20 21:49 577606]
"WeatherEye"="F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 14:45 4501912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
"LanTalk.NET"="F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe" [2007-02-08 19:51 274944]
"PALogView"="F:\Program Files\TrippLite\PowerAlert\console\logview.exe" [2005-06-01 18:22 172032]
"PAStatus"="F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe" [2005-06-01 18:21 299008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 F:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 19:56 15360]

F:\Documents and Settings\prc\Start Menu\Programs\Startup\
FreeCommander.lnk - F:\Program Files\UltraMon\UltraMonShortcuts.exe [2008-01-14 19:24:18 227840]
Metacafe.lnk - F:\Program Files\Metacafe\MetacafeAgent.exe [2008-05-28 18:26:27 145736]
NuonSoft Wallpaper Cycler.lnk - F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe [2008-05-18 10:35:19 2195456]
Shortcut to loader.exe.lnk - F:\Program Files\Trillian\loader.exe [2008-05-18 15:39:43 100864]
Stardock ObjectDock.lnk - F:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-05-18 18:50:50 2860792]
UltraMon.exe [2008-01-15 02:42:02 694040]
Yahoo! Widgets.lnk - F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 18:34:48 3746856]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 22:37:20 561213]
Logitech Desktop Messenger.lnk - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-31 07:15:32 67128]
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-01 19:36:25 805392]
Metacafe.lnk - F:\Program Files\Metacafe\MetacafeAgent.exe [2008-05-28 18:26:27 145736]
NCProTray.lnk - F:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-07-31 14:18:16 49220]
PalTalk.lnk - F:\Program Files\Paltalk Messenger\paltalk.exe [2008-05-08 18:17:29 10452992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "F:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 12:00 69632]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "F:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="F:\\Program Files\\LogonScreenChanger\\Data\\31logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 f:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 F:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=F:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2008-07-21 08:15 89024 F:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\CEZEO software\\LanTalk NET\\LanTalk.exe"=
"F:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"F:\Program Files\Microsoft ActiveSync\rapimgr.exe"= F:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"F:\Program Files\Microsoft ActiveSync\wcescomm.exe"= F:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"F:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= F:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Akamai;Akamai;F:\WINDOWS\System32\svchost.exe [2004-08-03 19:56]
R2 PowerAlert Agent;PowerAlert Agent;F:\Program Files\TrippLite\PowerAlert\engine/pa.exe [2007-01-25 19:17]
R2 UltraMonUtility;UltraMon Utility Driver;F:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 20:22]
R3 AL101;Airlink101 802.11g PCI Driver;F:\WINDOWS\system32\DRIVERS\AL101.sys [2006-05-04 04:02]
R3 UltraMonMirror;UltraMonMirror;F:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 20:23]
S3 MBAMCatchMe;MBAMCatchMe;F:\WINDOWS\system32\drivers\mbamcatchme.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8259661-4550-11dd-b55f-0018021fea9b}]
\Shell\AutoRun\command - E:\.pspware\PSPWareLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E555}]
I:\Software\Utilities\DVD\SlySoft\AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe -M
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-20e01e4f - F:\WINDOWS\system32\beqfbmad.dll
MSConfigStartUp-BMff179419 - F:\WINDOWS\system32\krwmhovq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - F:\Documents and Settings\prc\Application Data\Mozilla\Firefox\Profiles\o24kbbt0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://sympatico.msn.ca/
FF -: plugin - F:\Program Files\Mozilla Firefox 3 Beta 5\plugins\np32dsw.dll
FF -: plugin - F:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - F:\Program Files\Mozilla Firefox 3 Beta 5\plugins\NPOFF12.DLL
FF -: plugin - F:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF -: plugin - F:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 14:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="F:/Program Files/Common Files/Akamai/rswin_3333.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="F:/Program Files/Common Files/Akamai/rswin_3333.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]
"ImagePath"="F:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service"
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
F:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\Program Files\TrippLite\PowerAlert\engine\pa.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\system32\wscntfy.exe
F:\PROGRA~1\MI3AA1~1\rapimgr.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
F:\Program Files\FreeCommander\FreeCommander.exe
F:\Program Files\Trillian\trillian.exe
F:\Documents and Settings\prc\Start Menu\Programs\Startup\UltraMon.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
F:\Program Files\MagicTune Premium\MagicTune.exe
F:\WINDOWS\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2008-08-03 14:36:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 18:35:49
ComboFix2.txt 2008-08-03 02:55:05

Pre-Run: 33,755,570,176 bytes free
Post-Run: 33,771,753,472 bytes free

242 --- E O F --- 2008-07-23 07:00:50

Then I ran HJT again with a log, and here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39, on 2008-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
F:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TrippLite\PowerAlert\engine\pa.exe
F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\DS Clock\dsclock.exe
F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
F:\PROGRA~1\MI3AA1~1\rapimgr.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\SEC\Natural Color Pro\NCProTray.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Metacafe\MetacafeAgent.exe
F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
F:\Program Files\FreeCommander\FreeCommander.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\Program Files\Trillian\trillian.exe
F:\Documents and Settings\prc\Start Menu\Programs\Startup\UltraMon.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\MagicTune Premium\MagicTune.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\AV\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LanTalk.NET] F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [PALogView] F:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DS Clock] "F:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [WeatherEye] F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeCommander.lnk = F:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: NuonSoft Wallpaper Cycler.lnk = F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
O4 - Startup: Shortcut to loader.exe.lnk = F:\Program Files\Trillian\loader.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UltraMon.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: PalTalk.lnk = F:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Folder Size (FolderSize) - Brio - F:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MagicTuneEngine - Unknown owner - F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PowerAlert Agent - Unknown owner - F:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9538 bytes

The bdod.bin file that I mentioned before is still there but I found that it is part of bitdefender. A file that keeps track of updates.

#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 03 August 2008 - 03:34 PM

Hello frozenbutt

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All. Click the Empty Selected button.

If you use Firefox browser - Click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you use Opera browser - Click Opera at the top and choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.


Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system. This will take a while, so be patient and let it run.

When the scan has completed, click Save Report As a Text File.
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste that information in your next post along with a new HijackThis log.

#7 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 03 August 2008 - 09:08 PM

Ok I ran the cleaner and it deleted about 25meg of junk.

ran the online scan and there was nothing in the log as it found no malware at all.

hjt log as follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05, on 2008-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
F:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TrippLite\PowerAlert\engine\pa.exe
F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\DS Clock\dsclock.exe
F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
F:\PROGRA~1\MI3AA1~1\rapimgr.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\SEC\Natural Color Pro\NCProTray.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Metacafe\MetacafeAgent.exe
F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
F:\Program Files\FreeCommander\FreeCommander.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\Program Files\Trillian\trillian.exe
F:\Documents and Settings\prc\Start Menu\Programs\Startup\UltraMon.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\MagicTune Premium\MagicTune.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
F:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\AV\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LanTalk.NET] F:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [PALogView] F:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] F:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DS Clock] "F:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [WeatherEye] F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeCommander.lnk = F:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: NuonSoft Wallpaper Cycler.lnk = F:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler.exe
O4 - Startup: Shortcut to loader.exe.lnk = F:\Program Files\Trillian\loader.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UltraMon.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: PalTalk.lnk = F:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Folder Size (FolderSize) - Brio - F:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - F:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MagicTuneEngine - Unknown owner - F:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PowerAlert Agent - Unknown owner - F:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - F:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - F:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9660 bytes
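
The HijackThis logs posted in this thread are read by hand, entry by entry. As an added example (not code from the thread or from HijackThis itself), the following Python script parses the O-lines of a log in the 2.0.2 format shown above into structured records and attaches a few triage hints a reviewer would otherwise apply by eye: a startup target HijackThis could not resolve (`= ?`), a startup command given as a bare filename with no directory (such as the `UltraMon.exe` and `KHALMNPR.EXE` entries above, which the reviewer then has to locate on disk), a service with no publisher ("Unknown owner"), and a DLL in `system32` whose name is 6 to 8 random-looking letters, which is the pattern the topic starter described in the first post. The sample log lines are constructed, and the DLL name `xkqwvtla.dll` is a made-up placeholder, not a real indicator. The hints are hints only: every one of them also fires on legitimate software, as the entries in this thread show.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.0.2 format. The xkqwvtla.dll line is an
# invented placeholder that stands in for a random-letter DLL in system32.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Startup: UltraMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Startup: Metacafe.lnk = F:\Program Files\Metacafe\MetacafeAgent.exe
O20 - Winlogon Notify: xkqwvtla - F:\WINDOWS\system32\xkqwvtla.dll
O23 - Service: PowerAlert Agent - Unknown owner - F:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class HjtEntry:
    code: str          # section code, e.g. "O4", "O23"
    section: str       # text before the first ": ", e.g. "Startup", "Service"
    name: str          # [RunName], shortcut name, or service display name
    target: str        # file or command the entry points to ("?" if unresolved)
    company: str = ""  # publisher column of O23 lines, when present
    flags: list = field(default_factory=list)


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A target that is just "name.exe" / "name.dll" with no directory at all.
BARE_FILE_RE = re.compile(r"^[\w.-]+\.(exe|dll)$", re.IGNORECASE)
# Heuristic from the first post: a DLL in system32 named with 6-8 letters only.
SYSTEM32_SHORT_DLL_RE = re.compile(r"\\system32\\([a-z]{6,8})\.dll\b", re.IGNORECASE)


def parse_line(line):
    """Turn one HijackThis entry line into an HjtEntry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    section, _, rest = body.partition(": ")
    if not rest:                      # R1/F-style lines carry no "Section: " prefix
        section, rest = "", body
    company = ""
    if rest.startswith("["):          # O4 Run entries: [Name] command
        name, _, target = rest[1:].partition("] ")
    elif " = " in rest:               # shortcut entries: Name.lnk = path
        name, _, target = rest.partition(" = ")
    elif " - " in rest:               # O2/O9/O20/O23: Name - (CLSID|Company) - path
        parts = rest.split(" - ")
        name, target = parts[0], parts[-1]
        if code == "O23" and len(parts) >= 3:
            company = parts[1]
    else:                             # bare filename, e.g. "Startup: UltraMon.exe"
        name = target = rest
    return HjtEntry(code, section, name.strip(), target.strip(), company.strip())


def triage(entry):
    """Attach review hints to an entry; these are prompts for a human, not verdicts."""
    flags = []
    if entry.target == "?":
        flags.append("unresolved-target")
    elif BARE_FILE_RE.match(entry.target):
        flags.append("bare-filename")
    if SYSTEM32_SHORT_DLL_RE.search(entry.target):
        flags.append("random-looking-system32-dll")
    if entry.code == "O23" and entry.company.lower() == "unknown owner":
        flags.append("unknown-owner")
    entry.flags = flags
    return entry


def review(log_text):
    """Parse every entry line and return only those with at least one triage flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.code:<4} {e.name:<40} {', '.join(e.flags):<30} {e.target}")
```

Run against the constructed sample it reports five entries: the two bare-filename Run/Startup items, the unresolved `Bluetooth.lnk`, the placeholder `system32` DLL and the "Unknown owner" service. Feeding it a real log from this thread gives the same kind of shortlist that ourwilly works through by hand before asking for the next scan.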

#8 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 04 August 2008 - 10:46 AM

Hello frozenbutt

How is this system running now..?

#9 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 04 August 2008 - 11:02 AM

Seems to be fine now. Combofix seems to reset a lot of stuff, especially if you are not running IE. Firefox is working much better and no weird files showing up in the system32 folder. The only thing that is odd now is on a reboot if I move my mouse down to the task bar area I get the hourglass and can't access the start button or any of the task icons. This lasts for up to 1/2 hour and I can't figure what is hogging the explorer.

It has been a learning experience and I thank everyone that helped out. With the info on how to fix mine I was able to fix my daughter's computer also which had the same damn thing.

My only question now is why my bitdefender didn't catch this in the first place and is there something else out there that I should be running to protect myself? I did try SAS but it turned my computer into a boat anchor so that was out. Is the real time protection that is available from MAM worth it? Does it work?

Thanks again

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 05 August 2008 - 10:28 AM

Hello frozenbutt

May I ask does this system have the same issues when running in safe-mode, and does this repeat on other user accounts.

Right-click the Taskbar and select Toolbars and uncheck QuickLaunch

Please now look into disabling items to find the cause of this problem, download and run StartUp Inspector.
This program will help you to decide what programs you disable from running at startup.
The Readme.txt file included has instructions on how to use it

Your question regarding MBAM, I'm afraid I can't help you with as I've not used this tool.

Please let me know how you get on

#11 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 05 August 2008 - 01:47 PM

No problem with safe mode and I only have one account on this machine other than the admin account which is just for backup.

I checked the startup with that program and there is nothing surprising there. I also installed their startup monitor to watch for anything trying to change or add to the startup folder.

I will watch and see what happens and use the task manager to see if I can see a resource hog when this happens.

Still looking for something to safeguard against this happening again.

Thanks

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 05 August 2008 - 04:23 PM

Hello frozenbutt

So the Admin account has no problems, then please keep an eye on Task Manager.

May I ask what type of protection are you after..?.

I'm just a little concerned about the way this user account is loading with the hourglass issue unresolved. Installing and launching a new program may not help matters. Have you gone through and disabled any entries with StartUp Inspector at all? It may help in finding the cause of the problem when rebooting.

Overall the less you have to load, the quicker your system should start, so either disabling or even uninstalling any unwanted software may benefit. Such as Logitech Desktop Messenger, which displays popup messages from Logitech about new products and product updates; I'd like to suggest completely removing Logitech Desktop Manager using Add or Remove Programs.

Edited by ourwilly, 05 August 2008 - 04:24 PM.


#13 frozenbutt

frozenbutt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 05 August 2008 - 04:42 PM

Protection against Vundo and the like. I was very disappointed that bitdefender didn't catch it and was disabled by this malware. It took me a few days I am sure before I noticed that bitdefender was not in the task bar. The same thing happened on my daughter's computer and she was running Kaspersky. Both I had always thought were highly rated. Maybe I am expecting the right kind of software to protect against the wrong type of threat. After I was infected both antivirus packages did find it but neither could remove it at all.

So I guess I am looking for something more geared for malware/spyware than your standard viruses.

I'll get rid of the logitech crap and then I'll start testing on the others to see if I can single out the culprit.

#14 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 06 August 2008 - 11:29 AM

Hello frozenbutt

Your daughter is using Kaspersky, which is one of the best anti-virus products available. I recommend the best method would be to avoid using peer to peer software altogether, as these are susceptible to various forms of malware. Please uninstall all Peer 2 peer software using Add or Remove programs and then Right-Click on and delete the Peer to Peer folders from your system.

Install SpywareBlaster
This prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.

Are you using a Hosts file? If not, download and unzip this Hosts File into a new folder http://www.mvps.org/winhelp2002/hosts.zip
Once unzipped Double Click on the File to install.

Also take a look at Free WinPatrol.

Any software product that is corrupt, please uninstall and then reinstall again. If you replace BitDefender, please ensure it is fully removed before installing another anti-virus.

For Free Anti-Virus protection choose one of these

Avira
AVG Anti-Virus
Avast

If you are using the Windows Firewall, please replace it as soon as possible. Please choose to install one of these good free firewalls below to fully protect your system; any one of these will give you full control over everything that requests Internet access, a feature not available in the default Windows Firewall.

ZoneAlarm
Kerio Personal Firewall
OutPost Firewall Free

#15 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 21 August 2008 - 02:28 PM

This Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
