Infected With "vundo"


17 replies to this topic

#1 billf6330

Posted 05 August 2008 - 08:20 AM

I am running Symantec Corporate AntiVirus and this trojan slipped through. I keep getting pop up notification boxes that say "Symantec A/V Realtime Protection found "Vundo" in location:
C:\WINDOWS\SYSTEM32\yakdck.dll. Clean: failed, Quarantine: failed, Access: denied. I have searched for fixes and have run Symantec's "FixVundo" removal tool - it shows that it removed 3 files but when it closes - the notification box pops up again with the same info as before about the infection. Also ran "VundoFix" with the same results. Here are the DSS log and Kaspersky logs for your consideration in the attachments.



I am at my wits end with this as it also keeps popping up windows advertising AntiVirus 2009 "Free Scan" and generally halting the computer from functioning as well as frequent connection attempts showing up in boxes displayed on the screen.

Thanks for any and all help you guys (and girls) can provide.



#2 rookie147

Posted 05 August 2008 - 01:44 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.

#3 billf6330 (Topic Starter)

Posted 05 August 2008 - 10:24 PM

Thank you Charles for your assistance. Here is the ComboFix log and the new HijackThis log. Should these be attachments or just posted in the body of the message? I will try to do this right next time.

ComboFix Log
ComboFix 08-08-04.01 - Bill Fritzsche 2008-08-05 21:47:16.1 - NTFSx86
Running from: C:\Documents and Settings\Bill Fritzsche\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Faye Fritzsche\Application Data\macromedia\Flash Player\#SharedObjects\W4STAUD6\interclick.com
C:\Documents and Settings\Faye Fritzsche\Application Data\macromedia\Flash Player\#SharedObjects\W4STAUD6\interclick.com\ud.sol
C:\Documents and Settings\Faye Fritzsche\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Faye Fritzsche\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\BulletProofSoft.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\SYSTEM32\arnvvtby.ini
C:\WINDOWS\SYSTEM32\bbtdijqk.ini
C:\WINDOWS\system32\bonvvmiq.ini
C:\WINDOWS\system32\bqdwbriu.dll
C:\WINDOWS\system32\crdjlk.dll
C:\WINDOWS\SYSTEM32\dcnmfchh.ini
C:\WINDOWS\system32\dtomndfd.dll
C:\WINDOWS\SYSTEM32\fhnwrcdk.ini
C:\WINDOWS\system32\fmkhnrmi.ini
C:\WINDOWS\SYSTEM32\FNmlmUvw.ini
C:\WINDOWS\SYSTEM32\FNmlmUvw.ini2
C:\WINDOWS\system32\fsynqolv.dll
C:\WINDOWS\system32\itavyf.dll
C:\WINDOWS\system32\itqflwtx.ini
C:\WINDOWS\SYSTEM32\kkaaisiu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mjcwjaop.ini
C:\WINDOWS\SYSTEM32\mmllm.tmp2
C:\WINDOWS\system32\mrdlowxq.dll
C:\WINDOWS\system32\nmdekc.dll
C:\WINDOWS\system32\ojopjhbf.ini
C:\WINDOWS\SYSTEM32\omiwagbr.ini
C:\WINDOWS\system32\opnlijHx.dll
C:\WINDOWS\system32\pgjhbklm.ini
C:\WINDOWS\system32\pxrdyyhq.ini
C:\WINDOWS\system32\qumdkxig.ini
C:\WINDOWS\system32\skdhraag.ini
C:\WINDOWS\SYSTEM32\trjlhcpx.ini
C:\WINDOWS\system32\uqhfnuxl.ini
C:\WINDOWS\SYSTEM32\vlsxuklt.ini
C:\WINDOWS\system32\wqknguyv.dll
C:\WINDOWS\system32\wucmmnwh.ini
C:\WINDOWS\system32\wvUmlmNF.dll
C:\WINDOWS\system32\xfbtfv.dll
C:\WINDOWS\system32\xldfaxsi.ini
C:\WINDOWS\system32\yhdabr.dll
C:\WINDOWS\system32\yklbewst.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 09:31 . 2008-08-05 09:31 99,712 --a------ C:\WINDOWS\SYSTEM32\tsweblky.dll
2008-08-05 08:44 . 2008-08-05 08:44 <DIR> d-------- C:\Deckard
2008-08-04 09:30 . 2008-08-04 09:30 130,432 --a------ C:\WINDOWS\SYSTEM32\svvffyyy.dll
2008-08-04 09:30 . 2008-08-04 09:30 130,432 --a------ C:\WINDOWS\SYSTEM32\qpdijo.dll
2008-08-03 22:30 . 2008-08-03 22:30 130,432 --a------ C:\WINDOWS\SYSTEM32\qvoqjucl.dll
2008-08-03 22:30 . 2008-08-03 22:30 130,432 --a------ C:\WINDOWS\SYSTEM32\ponmsd.dll
2008-08-03 10:07 . 2008-08-03 10:08 98,688 --a------ C:\WINDOWS\SYSTEM32\tlkuxslv.dll
2008-08-03 10:05 . 2008-08-03 10:05 130,432 --a------ C:\WINDOWS\SYSTEM32\bxvfcy.dll
2008-08-03 10:04 . 2008-08-03 10:05 130,432 --a------ C:\WINDOWS\SYSTEM32\rcbwplbd.dll
2008-08-02 10:21 . 2008-08-02 10:21 <DIR> d-------- C:\Documents and Settings\Bill Fritzsche\Application Data\Uniblue
2008-08-02 10:04 . 2008-08-02 10:04 98,688 --a------ C:\WINDOWS\SYSTEM32\ybtvvnra.dll
2008-08-01 10:03 . 2008-08-01 10:03 129,920 --a------ C:\WINDOWS\SYSTEM32\yakdck.dll
2008-07-31 10:23 . 2008-08-05 20:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-07-31 09:18 . 2008-07-31 09:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 09:17 . 2008-07-31 09:17 <DIR> d-------- C:\Program Files\McAfee
2008-07-30 11:03 . 2008-07-30 11:03 99,456 --a------ C:\WINDOWS\SYSTEM32\lxunfhqu.dll
2008-07-30 10:02 . 2008-07-30 10:02 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2008-07-30 10:01 . 2008-08-02 08:27 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-07-24 09:23 . 2008-07-24 09:23 95,360 --a------ C:\WINDOWS\SYSTEM32\kqjidtbb.dll
2008-07-23 11:14 . 2008-07-23 19:29 <DIR> d-------- C:\Program Files\RegCure
2008-07-23 10:01 . 2008-07-23 10:02 111,948,408 --a------ C:\SYM_REGISTRY_BACKUP.old
2008-07-23 10:01 . 2008-07-24 08:30 111,788,332 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-07-22 08:04 . 2008-07-22 08:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 10:24 . 2008-07-19 10:24 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 10:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-19 09:47 . 2008-07-19 09:47 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-18 02:37 . 2008-07-18 02:37 33,152 --a------ C:\WINDOWS\SYSTEM32\jkkICRJy.dll.vir
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 09:11 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-07-07 09:11 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2008-07-07 09:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-07-07 09:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 13:55 --------- d-----w C:\Documents and Settings\Bill Fritzsche\Application Data\MailWasherPro
2008-08-05 02:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 16:55 15,960 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\wklnhst.dat
2008-08-02 12:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-02 12:37 --------- d-----w C:\Program Files\ewido anti-malware
2008-07-31 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-26 14:58 --------- d-----w C:\Program Files\Greetings Workshop
2008-07-24 05:16 --------- d-----w C:\Program Files\XoftSpySE
2008-07-22 12:07 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 09:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-22 09:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 13:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 13:58 --------- d-----w C:\Program Files\MailWasher
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-21 16:52 6,104 ----a-w C:\Documents and Settings\Faye Fritzsche\Application Data\wklnhst.dat
2005-08-10 20:03 83,928 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2005-07-26 17:34 83,928 -c--a-w C:\Documents and Settings\Faye Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2004-08-16 00:07 126,976 ----a-w C:\Documents and Settings\Bill Fritzsche\(null)5CE4E679.DLL
2004-04-29 16:51 9,143,000 -c--a-w C:\Program Files\AdbeRdr60_enu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 06:28 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.VP40"= vp4vfw.dll
"vidc.VP50"= vp5vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 02:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 22:32 53248 C:\Program Files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-03-19 13:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ThreatFire"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Documents and Settings\\Bill Fritzsche\\Desktop\\Downloads\\PUDL22\\PUDL22.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2004-11-22 10:15]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
S2 0241561217596788mcinstcleanup;McAfee Application Installer Cleanup (0241561217596788);C:\WINDOWS\TEMP\024156~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-19 06:39]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []
S3 ParetoLogic Mail Filter;ParetoLogic Mail Filter;C:\Program Files\ParetoLogic\Spam Controls\FilterService.exe [2008-03-12 16:00]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-05 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]

2008-08-05 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2008-08-06 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-06 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]

2008-08-05 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bill Fritzsche\Application Data\Mozilla\Firefox\Profiles\zg9cipr5.Bill\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://us.f541.mail.yahoo.com/ym/login?.rand=2qlfs9p882ev4


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:41:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-05 22:55:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 02:55:01

Pre-Run: 51,242,405,888 bytes free
Post-Run: 51,300,798,464 bytes free

224 --- E O F --- 2008-07-11 13:33:17

HijackThis Log 8-5-08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:10 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f541.mail.yahoo.com/ym/login?.rand=8i7pl8dl75010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f541.mail.yahoo.com/ym/login?.rand=8i7pl8dl75010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kodakgallery.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177462023484
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0241561217596788) (0241561217596788mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024156~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ParetoLogic Mail Filter - ParetoLogic - C:\Program Files\ParetoLogic\Spam Controls\FilterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/pim...lue/shd_r_1.gif

--
End of file - 8550 bytes

Thanks again for your help in resolving this.
Bill
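The ComboFix "Files Created" section in the post above is the most useful part of the log for understanding why the Symantec alert keeps coming back: every day or so a new DLL with a short, random, all-lowercase name (yakdck.dll, ybtvvnra.dll, qvoqjucl.dll, svvffyyy.dll, tsweblky.dll, ...) is written straight into SYSTEM32, several of them with exactly the same size (130,432 bytes), and their created and modified timestamps are identical, which is what a freshly dropped file looks like as opposed to a file copied out of an installer or CAB (compare mouhid.sys, created 2008-07-07 but last modified in 2001). The script below is an added example written for this page; it is not code from the thread, from ComboFix or from any vendor tool. It parses lines in the shape of that section and flags entries that trip both heuristics, then groups the hits by size and lists the distinct drop days. The heuristics (6 to 8 lowercase letters plus .dll, file directly under SYSTEM32, modified within five minutes of creation) are this editor's assumptions, and the sample lines are copied from the log above into a constructed string so the script runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of ComboFix's "Files Created from ... to ..."
# section. The entries are copied from the log posted in the thread above; the
# driver and directory lines are included to show that they are NOT flagged.
SAMPLE_LOG = r"""
2008-08-05 09:31 . 2008-08-05 09:31 99,712 --a------ C:\WINDOWS\SYSTEM32\tsweblky.dll
2008-08-05 08:44 . 2008-08-05 08:44 <DIR> d-------- C:\Deckard
2008-08-04 09:30 . 2008-08-04 09:30 130,432 --a------ C:\WINDOWS\SYSTEM32\svvffyyy.dll
2008-08-04 09:30 . 2008-08-04 09:30 130,432 --a------ C:\WINDOWS\SYSTEM32\qpdijo.dll
2008-08-03 22:30 . 2008-08-03 22:30 130,432 --a------ C:\WINDOWS\SYSTEM32\qvoqjucl.dll
2008-08-01 10:03 . 2008-08-01 10:03 129,920 --a------ C:\WINDOWS\SYSTEM32\yakdck.dll
2008-07-30 10:02 . 2008-07-30 10:02 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2008-07-19 10:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-07 09:11 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
"""

# One "Files Created" line: created . modified size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)
# Assumed heuristic: a Vundo-style dropper writes a DLL straight into SYSTEM32
# under a short, random, all-lowercase name (no vendor prefix, no digits).
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)
FRESH_WRITE_SECONDS = 300   # assumed tolerance between created and modified


def parse_combofix_created(text):
    """Parse 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1],
        })
    return entries


def suspicious_dll_reasons(entry):
    """Return the heuristics an entry trips; an empty list means 'looks benign'."""
    reasons = []
    if entry["size"] is None:
        return reasons                      # directories are out of scope
    if not SYSTEM32_RE.match(entry["path"]):
        return reasons                      # only files dropped directly into SYSTEM32
    if RANDOM_NAME_RE.match(entry["name"].lower()):
        reasons.append("random-looking lowercase DLL name")
    # A freshly written file has modified within moments of created. A file
    # installed from a package or CAB keeps its older modified time.
    age = abs((entry["modified"] - entry["created"]).total_seconds())
    if age <= FRESH_WRITE_SECONDS:
        reasons.append("modified within minutes of creation (written fresh, not copied)")
    return reasons if len(reasons) == 2 else []   # require both, to keep noise down


def triage(text):
    """Flag suspicious DLLs, cluster them by size, and list the distinct drop days."""
    entries = parse_combofix_created(text)
    flagged = [e for e in entries if suspicious_dll_reasons(e)]
    size_clusters = defaultdict(list)
    for e in flagged:
        size_clusters[e["size"]].append(e["name"])
    # A new DLL on each of several days means the dropper is still active, which
    # is what "removed 3 files" followed by a fresh alert looks like on disk.
    drop_days = sorted({e["created"].date().isoformat() for e in flagged})
    return {
        "flagged": sorted(e["name"] for e in flagged),
        "size_clusters": {k: sorted(v) for k, v in size_clusters.items() if len(v) > 1},
        "drop_days": drop_days,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name in report["flagged"]:
        print("suspicious:", name)
    print("size clusters:", report["size_clusters"])
    print("drop days:", report["drop_days"])
```

Run it against a full ComboFix log by pasting the "Files Created" section into SAMPLE_LOG or reading the file; lines from other sections do not match the pattern and are ignored. The two heuristics are deliberately required together: plenty of legitimate system DLLs have short lowercase names, and plenty of legitimate files are freshly written, but a short random-named DLL that was freshly written directly into SYSTEM32, in a cluster of identical sizes, is the signature this thread is chasing. Anything flagged still has to be confirmed (hash lookup, signature check, or what process has it loaded) before it is removed.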

#4 billf6330 (Topic Starter)

Posted 05 August 2008 - 11:45 PM

Charles, after running ComboFix and posting the logs of that and Hijack This, I noticed that my Symantec AntiVirus is disabled. A restart did not re-instate it. I can NOT activate my "Real Time Protection". Is this normal? Should I re-install it? I don't feel comfortable without some kind of a "safety net".

Thanks for any response.

#5 rookie147

Posted 06 August 2008 - 03:42 AM

Hi again,

Charles, after running ComboFix and posting the logs of that and Hijack This, I noticed that my Symantec AntiVirus is disabled. A restart did not re-instate it. I can NOT activate my "Real Time Protection". Is this normal? Should I re-install it? I don't feel comfortable without some kind of a "safety net".

Yes, please try reinstalling it, that should sort the problem out for you.

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log. It's fine to include it in the post and not attach it.
Thanks,
Charles


#6 billf6330 (Topic Starter)

Posted 06 August 2008 - 08:13 AM

Hi Charles, I found my Windows Re-installation disc for XP Home Edition but it only includes Service Pack 1a. I am pretty sure that I am running Service Pack 2. Will this disc be OK to use? I don't want to start this process without some guidance as I just don't feel real comfortable doing some of the things that are required. Thanks for your response.

Bill

#7 rookie147

Posted 06 August 2008 - 03:57 PM

If you don't want to use the CD there is a link on the Microsoft page to do it without inserting the CD at all.


#8 billf6330 (Topic Starter)

Posted 06 August 2008 - 08:57 PM

Sorry Charles for the delay in responding. I had trouble re-installing my A/V so I installed AVG. Then tried my Reinstallation CD which did nothing at all. In order to try the Microsoft method, I will have to stop at a store tomorrow and get some floppy discs to boot to. So, I guess I am in a "hold" status until I can accomplish that. So far, though, computer seems to be running fine with NO pop-ups or delays.
I will post back tomorrow after I have accomplished the download from Microsoft. Thanks for your patience and help.

#9 billf6330 (Topic Starter)

Posted 06 August 2008 - 09:08 PM

I just retried the CD and it worked but it warned that the version on the CD (Service Pack 1) was older than what was on the computer (Service Pack 2) and I could lose my settings so I decided I will get the floppies and proceed with the alternate method from Microsoft. Thanks again.

Bill

#10 billf6330 (Topic Starter)

Posted 07 August 2008 - 10:29 AM

Hello Charles,

I have downloaded the Windows Recovery Console Disks and will attempt the restart this evening when I return from work. Hopefully, I can proceed with the "cleaning" process. Thanks again for your help.

Bill

#11 rookie147

Posted 07 August 2008 - 03:33 PM

Good job Bill, let me know how it goes.


#12 billf6330 (Topic Starter)

Posted 07 August 2008 - 06:42 PM

OK Charles, here are the logs you requested. I have updated the HijackThis program to the 2.0.2 version now.

ComboFix Log 8-7-08:
ComboFix 08-08-04.01 - Bill Fritzsche 2008-08-07 18:49:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -4:00]
Running from: C:\Documents and Settings\Bill Fritzsche\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill Fritzsche\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 23:38 . 2008-08-07 18:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-06 21:36 . 2008-08-07 09:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-08-06 21:36 . 2008-08-06 21:36 <DIR> d-------- C:\Program Files\AVG
2008-08-06 21:36 . 2008-08-06 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-06 21:36 . 2008-08-06 21:36 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-08-06 21:36 . 2008-08-06 21:36 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-08-06 21:36 . 2008-08-06 21:36 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-05 08:44 . 2008-08-05 08:44 <DIR> d-------- C:\Deckard
2008-08-02 10:21 . 2008-08-02 10:21 <DIR> d-------- C:\Documents and Settings\Bill Fritzsche\Application Data\Uniblue
2008-08-01 10:03 . 2008-08-01 10:03 129,920 --a------ C:\WINDOWS\SYSTEM32\yakdck.dll
2008-07-31 10:23 . 2008-08-07 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-07-31 09:18 . 2008-07-31 09:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 09:17 . 2008-07-31 09:17 <DIR> d-------- C:\Program Files\McAfee
2008-07-30 10:02 . 2008-07-30 10:02 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2008-07-30 10:01 . 2008-08-02 08:27 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-07-23 11:14 . 2008-07-23 19:29 <DIR> d-------- C:\Program Files\RegCure
2008-07-23 10:01 . 2008-08-06 20:50 115,570,740 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-07-23 10:01 . 2008-07-24 08:30 111,788,332 --a------ C:\SYM_REGISTRY_BACKUP.old
2008-07-22 08:04 . 2008-07-22 08:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 10:24 . 2008-07-19 10:24 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 10:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-19 09:47 . 2008-07-19 09:47 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 09:11 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-07-07 09:11 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2008-07-07 09:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-07-07 09:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 15:50 --------- d-----w C:\Documents and Settings\Bill Fritzsche\Application Data\MailWasherPro
2008-08-07 15:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-07 14:08 8,726 ----a-w C:\Documents and Settings\Faye Fritzsche\Application Data\wklnhst.dat
2008-08-07 08:37 --------- d-----w C:\Program Files\DAP
2008-08-07 03:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 01:24 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-06 15:24 --------- d-----w C:\Program Files\a2 free
2008-08-03 16:55 15,960 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\wklnhst.dat
2008-08-02 12:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-31 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-26 14:58 --------- d-----w C:\Program Files\Greetings Workshop
2008-07-24 05:16 --------- d-----w C:\Program Files\XoftSpySE
2008-07-22 12:07 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 09:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 13:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-17 13:58 --------- d-----w C:\Program Files\MailWasher
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2005-08-10 20:03 83,928 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2005-07-26 17:34 83,928 -c--a-w C:\Documents and Settings\Faye Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2004-08-16 00:07 126,976 ----a-w C:\Documents and Settings\Bill Fritzsche\(null)5CE4E679.DLL
2004-04-29 16:51 9,143,000 -c--a-w C:\Program Files\AdbeRdr60_enu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 06:28 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-06 21:36 1232152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.VP40"= vp4vfw.dll
"vidc.VP50"= vp5vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 02:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 22:32 53248 C:\Program Files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-03-19 13:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ThreatFire"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Documents and Settings\\Bill Fritzsche\\Desktop\\Downloads\\PUDL22\\PUDL22.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-07 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]

2008-08-07 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2008-08-07 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-07 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-07 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]

2008-08-05 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bill Fritzsche\Application Data\Mozilla\Firefox\Profiles\zg9cipr5.Bill\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://us.f541.mail.yahoo.com/ym/login?.rand=2qlfs9p882ev4


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 18:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-07 19:00:03
ComboFix-quarantined-files.txt 2008-08-07 22:59:55
ComboFix2.txt 2008-08-06 02:55:08

Pre-Run: 50,319,998,976 bytes free
Post-Run: 50,317,115,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

177 --- E O F --- 2008-07-11 13:33:17


HijackThis Log 8-7-08:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:54 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f541.mail.yahoo.com/ym/login?.rand=8i7pl8dl75010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f541.mail.yahoo.com/ym/login?.rand=8i7pl8dl75010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kodakgallery.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177462023484
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: McAfee Application Installer Cleanup (0241561217596788) (0241561217596788mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024156~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ParetoLogic Mail Filter - ParetoLogic - C:\Program Files\ParetoLogic\Spam Controls\FilterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/pim...lue/shd_r_1.gif

--
End of file - 9324 bytes

Again, thanks for your help and I have been learning a lot more about the computer through this exercise.

Bill

#13 rookie147

Posted 08 August 2008 - 03:03 PM

Good evening Bill!
It looks like we're starting to take a good chunk out of the malware, so good work :thumbsup:
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.


Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK
Go back to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.


Then I'd like you to run another Kaspersky scan like you did in your first post, then copy and paste its contents into your next reply along with a new ComboFix log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
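
The fix list above follows a few recurring HijackThis triage rules: an O3 or O9 entry that ends in (no file) and an O23 service marked (file missing) are dead registry references, an R0/R1 line with nothing after the = is an empty Internet Explorer setting left behind by a hijacker or by an earlier cleanup, and an O6 entry means an Internet Explorer policy restriction is present. The Python script below, added here as an example and not part of this thread or of Trend Micro's HijackThis, applies those rules to a set of lines copied from the log posted above. It generalises the list slightly: it also flags the orphaned O9 button and the O23 service whose file is missing, and it lists AppInit_DLLs entries for review rather than removal, since that key loads a DLL into every process that links user32.dll. The `removed_products` parameter is an assumption for illustration (DAP is treated as uninstalled, which is why its context-menu entries are flagged).

```python
"""Triage a HijackThis v2 log the way the fix list above does.

Added example: not from this thread and not part of Trend Micro's HijackThis.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f541.mail.yahoo.com/ym/login?.rand=8i7pl8dl75010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O9 - Extra button: (no name) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: McAfee Application Installer Cleanup (0241561217596788) (0241561217596788mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024156~1.EXE (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section code, e.g. "R0", "O3", "O23"
    body: str      # everything after the "Rn - " / "On - " prefix
    raw: str       # the original line, for the report


@dataclass(frozen=True)
class Finding:
    entry: Entry
    action: str    # "fix" = safe to tick in HijackThis; "review" = look before touching
    reason: str


# Every HijackThis entry line starts with a section code, a space-dash-space, then the body.
_LINE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return the entry lines of a HijackThis log as Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = _LINE.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line))
    return entries


def triage(entries, removed_products=("DAP",)):
    """Apply the fix rules used in the thread. removed_products is an assumed
    list of product folder names the user has uninstalled (illustrative)."""
    findings = []
    for e in entries:
        b = e.body
        if b.endswith("(no file)") or b.endswith("(file missing)"):
            findings.append(Finding(e, "fix", "registry entry points at a file that no longer exists"))
        elif e.section in ("R0", "R1") and b.rstrip().endswith("="):
            findings.append(Finding(e, "fix", "empty IE setting left behind by a hijacker or an earlier cleanup"))
        elif e.section == "O6":
            findings.append(Finding(e, "fix", "IE policy restriction present; home users rarely set this themselves"))
        elif e.section == "O8" and any(("\\" + p + "\\") in b for p in removed_products):
            findings.append(Finding(e, "fix", "context-menu entry belongs to a product that has been removed"))
        elif e.section == "O20":
            findings.append(Finding(e, "review", "AppInit_DLLs loads this DLL into every user32 process; confirm the vendor"))
    return findings


def report(text, removed_products=("DAP",)):
    """Return one printable line pair per finding."""
    return [f"[{f.action:6}] {f.entry.section:<3} {f.reason}\n         {f.entry.raw}"
            for f in triage(parse_hjt(text), removed_products)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The decision is made from the shape of the entry (a dead path, an empty value, a policy key), not from the product name, which is also why a random-named DLL such as the one still sitting in SYSTEM32 in this thread needs a file check rather than a rule like these.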


#14 billf6330

Posted 08 August 2008 - 08:37 PM

Hi Charles, here are the logs you requested:

Kaspersky Scan:
Friday, August 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 22:21:37
Records in database: 1070513


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
B:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 73541
Threat name 6
Infected objects 13
Suspicious objects 0
Duration of the scan 01:45:53

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08840000.VBN Infected: not-a-virus:Downloader.Win32.VistaAntivirus.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08840001.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B4C0000.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E1C0000.VBN Infected: Trojan.Win32.Monder.axp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E1C0002.VBN Infected: Trojan.Win32.Monder.axp 1

C:\Documents and Settings\Bill Fritzsche\.housecall6.6\Quarantine\A0014280.exe.bac_a02168 Infected: Trojan-Downloader.Win32.Zlob.bv 1

C:\Documents and Settings\Bill Fritzsche\.housecall6.6\Quarantine\vcodec_ver3.166.exe.bac_a02168 Infected: Trojan-Downloader.Win32.Zlob.bv 1

C:\Documents and Settings\Bill Fritzsche\Desktop\Saved Mail\DAP_v8.5.5.5_Build_292_Premium.rar Infected: Trojan-Spy.Win32.Banker.fzf 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bqdwbriu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cdz 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yhdabr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cdz 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000007.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cdz 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000018.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cdz 1

C:\WINDOWS\SYSTEM32\yakdck.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

ComboFix Scan 8-8:

ComboFix 08-08-04.01 - Bill Fritzsche 2008-08-08 21:19:47.3 - NTFSx86
Running from: C:\Documents and Settings\Bill Fritzsche\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-07 19:34 . 2008-08-07 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 23:38 . 2008-08-08 05:28 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-06 21:36 . 2008-08-08 01:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-08-06 21:36 . 2008-08-06 21:36 <DIR> d-------- C:\Program Files\AVG
2008-08-06 21:36 . 2008-08-06 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-06 21:36 . 2008-08-06 21:36 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-08-06 21:36 . 2008-08-06 21:36 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-08-06 21:36 . 2008-08-06 21:36 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-05 08:44 . 2008-08-05 08:44 <DIR> d-------- C:\Deckard
2008-08-02 10:21 . 2008-08-02 10:21 <DIR> d-------- C:\Documents and Settings\Bill Fritzsche\Application Data\Uniblue
2008-08-01 10:03 . 2008-08-01 10:03 129,920 --a------ C:\WINDOWS\SYSTEM32\yakdck.dll
2008-07-31 10:23 . 2008-08-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-07-31 09:18 . 2008-07-31 09:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 09:17 . 2008-07-31 09:17 <DIR> d-------- C:\Program Files\McAfee
2008-07-30 10:02 . 2008-07-30 10:02 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2008-07-30 10:01 . 2008-08-02 08:27 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-07-23 11:14 . 2008-07-23 19:29 <DIR> d-------- C:\Program Files\RegCure
2008-07-23 10:01 . 2008-08-06 20:50 115,570,740 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-07-23 10:01 . 2008-07-24 08:30 111,788,332 --a------ C:\SYM_REGISTRY_BACKUP.old
2008-07-22 08:04 . 2008-07-22 08:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 10:24 . 2008-07-19 10:24 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 10:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-19 09:47 . 2008-07-19 09:47 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-14 20:19 . 2008-07-14 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 12:19 --------- d-----w C:\Documents and Settings\Bill Fritzsche\Application Data\MailWasherPro
2008-08-08 00:03 --------- d-----w C:\Program Files\Java
2008-08-07 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 14:08 8,726 ----a-w C:\Documents and Settings\Faye Fritzsche\Application Data\wklnhst.dat
2008-08-07 08:37 --------- d-----w C:\Program Files\DAP
2008-08-07 03:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 01:24 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-06 15:24 --------- d-----w C:\Program Files\a2 free
2008-08-03 16:55 15,960 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\wklnhst.dat
2008-08-02 12:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-31 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-26 14:58 --------- d-----w C:\Program Files\Greetings Workshop
2008-07-24 05:16 --------- d-----w C:\Program Files\XoftSpySE
2008-07-22 12:07 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 09:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 13:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-17 13:58 --------- d-----w C:\Program Files\MailWasher
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2005-08-10 20:03 83,928 -c--a-w C:\Documents and Settings\Bill Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2005-07-26 17:34 83,928 -c--a-w C:\Documents and Settings\Faye Fritzsche\Application Data\GDIPFONTCACHEV1.DAT
2004-08-16 00:07 126,976 ----a-w C:\Documents and Settings\Bill Fritzsche\(null)5CE4E679.DLL
2004-04-29 16:51 9,143,000 -c--a-w C:\Program Files\AdbeRdr60_enu.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-07_18.59.11.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 06:28 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-06 21:36 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.VP40"= vp4vfw.dll
"vidc.VP50"= vp5vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 02:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 22:32 53248 C:\Program Files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-03-19 13:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ThreatFire"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Documents and Settings\\Bill Fritzsche\\Desktop\\Downloads\\PUDL22\\PUDL22.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-06 21:36]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-06 21:36]
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-19 06:39]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-08 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]

2008-08-08 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2008-08-08 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-07 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-08 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]

2008-08-05 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-07-16 15:17]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bill Fritzsche\Application Data\Mozilla\Firefox\Profiles\zg9cipr5.Bill\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://us.f541.mail.yahoo.com/ym/login?.rand=2qlfs9p882ev4


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 21:26:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-08 21:29:26
ComboFix-quarantined-files.txt 2008-08-09 01:29:22
ComboFix2.txt 2008-08-07 23:00:04
ComboFix3.txt 2008-08-06 02:55:08

Pre-Run: 49,027,436,544 bytes free
Post-Run: 49,070,669,824 bytes free

180 --- E O F --- 2008-07-11 13:33:17

Thanks again for your help - I know this is time consuming and I appreciate your efforts to get me "clean".

Bill

#15 rookie147
Posted 10 August 2008 - 03:11 PM

Please find and delete this file:

C:\WINDOWS\SYSTEM32\yakdck.dll

Let me know if you have any problems doing so.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start | All Programs | Accessories | System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Then please let me know how things are running for you now.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
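A triage pass over the kind of log posted above, added here as an example; it is not ComboFix's code and not part of either post. The sample lines are copied from the ComboFix log above, the regular expressions follow the line shapes visible there, and the flagging rules (empty file stamp, path under a user-writable folder, firewall exception outside Program Files or Windows, a scheduled task that launches rundll32.exe, a non-empty AppInit_DLLs value) are the editor's own heuristics, so a hit means "inspect this first", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r'''
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-06 21:36 1232152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Bill Fritzsche\\Desktop\\Downloads\\PUDL22\\PUDL22.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []

2008-08-08 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]
2008-08-07 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
'''


@dataclass
class Entry:
    kind: str   # run | appinit | firewall | service | task
    name: str
    path: str
    stamp: str  # text inside the trailing [...]; empty when ComboFix found no file


# Line shapes as ComboFix prints them (see the log above).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*)\]$')
APPINIT_RE = re.compile(r'^"appinit_dlls"=(?P<val>.*)$', re.IGNORECASE)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
SVC_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$')
TARGET_RE = re.compile(r'^- (?P<path>.+?) \[(?P<stamp>[^\]]*)\]$')


def parse(log: str) -> List[Entry]:
    """Extract autostart-style entries from a ComboFix log fragment."""
    entries: List[Entry] = []
    section = ""   # last registry key header seen, lowercased
    job = None     # scheduled task waiting for its "- target [stamp]" line
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HK"):
            section = line.lower()
            continue
        if job and (m := TARGET_RE.match(line)):
            entries.append(Entry("task", job, m["path"], m["stamp"]))
            job = None
            continue
        if m := TASK_RE.match(line):
            job = m["job"].rsplit("\\", 1)[-1]
        elif m := APPINIT_RE.match(line):
            if m["val"]:
                entries.append(Entry("appinit", "AppInit_DLLs", m["val"], ""))
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], m["stamp"]))
        elif "firewallpolicy" in section and (m := FW_RE.match(line)):
            path = m["path"].replace("\\\\", "\\")  # undo exported-registry escaping
            entries.append(Entry("firewall", path.rsplit("\\", 1)[-1], path, ""))
        elif m := SVC_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"], m["stamp"]))
    return entries


USER_WRITABLE = ("\\documents and settings\\", "\\downloads\\", "\\temp\\", "\\application data\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Editor's heuristics for which entries to inspect first; returns (name, reason) pairs."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.kind in ("run", "service", "task") and not e.stamp:
            findings.append((e.name, "file absent at scan time: orphaned entry or hidden file"))
        if any(marker in p for marker in USER_WRITABLE):
            findings.append((e.name, "runs from a user-writable location"))
        if e.kind == "firewall" and not p.startswith(TRUSTED_ROOTS):
            findings.append((e.name, "firewall exception for a program outside Program Files/Windows"))
        if e.kind == "task" and p.endswith("\\rundll32.exe"):
            findings.append((e.name, "task runs rundll32.exe; the payload is in the command line, which this log omits"))
        if e.kind == "appinit":
            findings.append((e.name, "AppInit_DLLs set: DLL loads into every process that maps user32.dll; confirm the vendor"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse(SAMPLE_LOG)):
        print(f"{name:32} {reason}")
```

On the lines taken from the log above it flags MTK (the empty `[]` means ComboFix found no mtk.sys on disk), PUDL22.exe (runs from the Downloads folder and has its own firewall exception), ParetoLogic Registration.job (the target is rundll32.exe, so the DLL it loads is not visible in this log format) and AppInit_DLLs (here AVG's avgrsstx.dll, which is the vendor's own file but still worth confirming, since anything in that value is injected into every GUI process). Nothing in the sample is reported as malicious; the list is an order of inspection.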