
Infected With Vundo, Mbam Not Removing All Of It


This topic is locked
3 replies to this topic

#1 skyehigh92

  • Members
  • 9 posts

Posted 08 August 2008 - 10:10 AM

Hey all,

I was told by Quiteman7 that I could turn here to address this problem. My situation is this: MBAM finds Vundo infections and then says it will remove some of them on reboot, but once it reboots I see no sign that MBAM is taking action. When I start up again the infections are still there. It seems to be getting worse! For some reason now I can't access some of my most accessed sites like Facebook (not sure if it's related); however, I can access some other sites. (LOG BELOW)

Deckard's System Scanner v20071014.68
Run by Skye White on 2008-08-08 10:46:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
8: 2008-08-08 14:16:01 UTC - RP1111 - Deckard's System Scanner Restore Point
7: 2008-08-08 05:07:30 UTC - RP1110 - Last known good configuration
6: 2008-08-07 02:33:08 UTC - RP1109 - Last known good configuration
5: 2008-08-06 01:58:06 UTC - RP1108 - Last known good configuration
4: 2008-08-05 05:12:23 UTC - RP1107 - Last known good configuration


-- First Restore Point --
1: 2008-08-04 23:19:42 UTC - RP1104 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.14 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-08 10:50:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Documents and Settings\Skye White\My Documents\Downloads\WFlip050\WinFlip.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Skye White\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://newgrounds.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: (no name) - {1179B463-8BF2-4B91-A7ED-5C5E537D3F4B} - C:\WINDOWS\system32\rqRIccYP.dll
O3 - Toolbar: (no name) - {FB3486FF-2A37-4536-B847-D999BA4E7776} - (no file)
O4 - HKLM\..\Run: [BM43c4c870] Rundll32.exe "C:\WINDOWS\system32\cultiepv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yodm3D] C:\Documents and Settings\Skye White\My Documents\Downloads\yodm3d14\Yodm3D.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AIM 6.lnk = C:\Program Files\AIM6\aim6.exe
O4 - Startup: ESET NOD32 Antivirus.lnk = C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
O4 - Startup: Stardock ObjectDock.lnk = ?
O4 - Startup: WinFlip.lnk = C:\Documents and Settings\Skye White\My Documents\Downloads\WFlip050\WinFlip.exe
O4 - Startup: Yodm3D.lnk = C:\Documents and Settings\Skye White\My Documents\Downloads\yodm3d14\Yodm3D.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: Skype.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXXXXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - Trusted Zone: https://geocities.com (HKCU)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...8180.5005555556
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} () - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BC8A0CC-5DB1-4C8A-92C6-3247BDA8D3A2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\system32\VundoFixSVC.exe


--
End of file - 9422 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\Icons\Buuf\Buuf.icl,56
.cmd - cmdfile - DefaultIcon - C:\WINDOWS\Icons\Buuf\Buuf.icl,57
.ini - inifile - DefaultIcon - C:\WINDOWS\Icons\Buuf\Buuf.icl,55
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - C:\WINDOWS\Icons\Vista Icon Set\Splinter Vista.icl,27


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys <Not Verified; VERITAS Software, Inc.; >
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys <Not Verified; VERITAS Software, Inc.; >
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys <Not Verified; VERITAS Software, Inc.; >
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>

S2 windrvNT - c:\windows\system32\windrvnt.sys (file missing)
S3 adxapie - c:\docume~1\skyewh~1\locals~1\temp\adxapie.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys (file missing)
S3 SS1022 (Siemens SpeedStream Wireless USB Driver) - c:\windows\system32\drivers\ssusbn51.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe"
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 10:37:24 866286 --ahs---- C:\WINDOWS\system32\PYccIRqr.ini2
2008-08-08 07:10:00 96256 --a------ C:\WINDOWS\system32\hdoriwao.dll
2008-08-08 07:07:02 80896 -----n--- C:\WINDOWS\system32\mvwvoees.dll
2008-08-08 07:05:24 2048 --a------ C:\WINDOWS\system32\kgrlwfpn.exe
2008-08-08 01:09:30 91136 --a------ C:\WINDOWS\system32\cultiepv.dll
2008-08-07 19:54:42 80384 --a------ C:\WINDOWS\system32\ipdsnfkr.dll
2008-08-07 19:51:42 2048 --a------ C:\WINDOWS\system32\agxjcqci.exe
2008-08-06 19:48:19 2048 --a------ C:\WINDOWS\system32\jbhkytyv.exe
2008-08-05 00:33:54 2048 --a------ C:\WINDOWS\system32\facgoxik.exe
2008-08-05 00:15:57 0 dr-h----- C:\Documents and Settings\Skye White\Recent
2008-08-04 21:42:08 0 d-------- C:\Documents and Settings\Skye White\Application Data\Malwarebytes
2008-08-04 21:41:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 21:41:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 14:57:06 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-08-02 16:02:43 246272 -----n--- C:\WINDOWS\system32\rqRIccYP.dll
2008-08-02 15:22:51 0 d-------- C:\VundoFix Backups
2008-08-01 20:43:39 102400 --a------ C:\WINDOWS\system32\pzbguo.dll
2008-08-01 18:44:49 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-01 13:32:50 0 d-------- C:\d6835
2008-07-20 19:37:21 0 d-------- C:\Program Files\iPod
2008-07-20 19:37:09 0 d-------- C:\Program Files\iTunes
2008-07-20 19:36:02 0 d-------- C:\Program Files\Bonjour
2008-07-20 19:29:50 0 d-------- C:\Program Files\Apple Software Update
2008-07-20 19:28:06 0 d-------- C:\Program Files\Common Files\Apple
2008-07-20 19:05:12 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-20 19:04:21 0 d-------- C:\Program Files\Common Files\Skype
2008-07-20 16:06:56 0 d-------- C:\Program Files\Portal
2008-07-20 15:39:09 0 --a------ C:\Documents and Settings\Skye White\jagex_runescape_preferences.dat
2008-07-13 21:19:04 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 22:43:18 0 d-------- C:\Program Files\PUSH Entertainment
2008-07-12 13:16:35 0 d-------- C:\Program Files\UselessCreations


-- Find3M Report ---------------------------------------------------------------

2008-08-08 10:38:26 0 d-------- C:\Documents and Settings\Skye White\Application Data\Skype
2008-08-08 10:22:26 31059 --a------ C:\WINDOWS\system32\tablet.dat
2008-08-08 00:41:30 0 d-------- C:\Program Files\LogMeIn
2008-08-07 23:29:28 0 d-------- C:\Documents and Settings\Skye White\Application Data\U3
2008-08-07 22:18:11 0 d-------- C:\Documents and Settings\Skye White\Application Data\skypePM
2008-08-03 15:08:57 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 19:57:33 0 d-------- C:\Program Files\Java
2008-07-20 19:35:14 0 d-------- C:\Program Files\QuickTime
2008-07-20 19:28:06 0 d-------- C:\Program Files\Common Files
2008-07-20 14:12:04 0 d-------- C:\Documents and Settings\Skye White\Application Data\BitTorrent
2008-07-13 20:59:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-06 18:22:36 0 d-------- C:\Program Files\Game Optimizer Pro
2008-07-06 17:21:12 34 --a------ C:\WINDOWS\system32\09wutili.sys
2008-07-06 17:20:37 0 d-------- C:\Program Files\WinUtilities
2008-07-05 11:35:39 0 d-------- C:\Program Files\CCleaner
2008-07-05 02:28:43 0 d-------- C:\Program Files\Google
2008-07-05 02:21:19 0 d-------- C:\Program Files\Screenblast
2008-07-05 02:15:50 0 d-------- C:\Program Files\LimeWire
2008-07-05 02:13:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 01:57:33 0 d-------- C:\Program Files\AAA Real Recorder
2008-07-05 00:35:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-04 22:20:35 0 d-------- C:\Program Files\AIM
2008-07-04 22:20:09 0 d-------- C:\Documents and Settings\Skye White\Application Data\Aim
2008-07-04 18:53:35 0 d-------- C:\Program Files\Ripple Screensaver
2008-06-17 19:12:43 0 d-------- C:\Documents and Settings\Skye White\Application Data\Mozilla
2008-06-17 15:08:20 0 d-------- C:\Program Files\Common Files\Stardock
2008-06-17 14:26:22 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-12 22:40:17 0 d-------- C:\Program Files\Logitech
2008-06-12 22:40:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 15:26:30 0 d-------- C:\Program Files\RndLabs


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1179B463-8BF2-4B91-A7ED-5C5E537D3F4B}]
08/02/2008 04:02 PM 246272 --------- C:\WINDOWS\system32\rqRIccYP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM43c4c870"="C:\WINDOWS\system32\cultiepv.dll" [08/08/2008 01:09 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [01/08/2008 02:31 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
"Yodm3D"="C:\Documents and Settings\Skye White\My Documents\Downloads\yodm3d14\Yodm3D.exe" [07/12/2008 05:12 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Skye White\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
AIM 6.lnk - C:\Program Files\AIM6\aim6.exe [1/3/2008 12:15:06 PM]
ESET NOD32 Antivirus.lnk - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [7/1/2008 9:01:04 AM]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [6/17/2008 3:08:22 PM]
WinFlip.lnk - C:\Documents and Settings\Skye White\My Documents\Downloads\WFlip050\WinFlip.exe [5/21/2008 5:22:18 PM]
Yodm3D.lnk - C:\Documents and Settings\Skye White\My Documents\Downloads\yodm3d14\Yodm3D.exe [6/26/2007 7:26:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [8/22/2007 12:34:11 PM]
Skype.lnk - C:\WINDOWS\Installer\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.ico [7/20/2008 7:04:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/24/2007 11:38 AM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\rqRIccYP

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msliksurserv.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"
"TrueTransparency"="F:\Skye's Downloads\truetransparency-crystalxp.net-en-5139\TrueTransparency\TrueTransparency.exe"
"wekewfjo983mkefdd"=C:\DOCUME~1\SKYEWH~1\LOCALS~1\Temp\winlogan.exe
"Jnskdfmf9eldfd"=C:\DOCUME~1\SKYEWH~1\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"wekewfjo983mkefdd"=C:\DOCUME~1\SKYEWH~1\LOCALS~1\Temp\winlogan.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3794dc7a-b30f-11dc-89eb-0040ca3db7f5}]
autorun\command- G:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8855 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-08 10:51:44 ------------
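A helper reading the log above is looking for one thing: file names that recur across the sections that matter for persistence. As an added illustration, not part of the original post and not code from DSS, HijackThis or MBAM, here is a small Python triage script that takes a handful of lines copied from the posted log and correlates three sections: autorun entries (O2/O3/O4/O20/O21/O23), files created under system32 in the last month, and the LSA "Authentication Packages" value in the registry dump. The 8-letter-name heuristic, the short `KNOWN_SYSTEM32` allowlist and the section names are assumptions chosen for this example, not a detection rule from any tool.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the DSS log posted above, in the
# three shapes the triage below looks at (HijackThis-style autorun entries,
# "Files created" entries, and the LSA "Authentication Packages" value).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1179B463-8BF2-4B91-A7ED-5C5E537D3F4B} - C:\WINDOWS\system32\rqRIccYP.dll
O4 - HKLM\..\Run: [BM43c4c870] Rundll32.exe "C:\WINDOWS\system32\cultiepv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
2008-08-08 07:10:00 96256 --a------ C:\WINDOWS\system32\hdoriwao.dll
2008-08-08 07:05:24 2048 --a------ C:\WINDOWS\system32\kgrlwfpn.exe
2008-08-02 16:02:43 246272 -----n--- C:\WINDOWS\system32\rqRIccYP.dll
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\rqRIccYP
"""

# Hypothetical, deliberately short allowlist of legitimate system32 binaries;
# a real one would be far longer, or replaced by hash / signature lookups.
KNOWN_SYSTEM32 = {"ctfmon", "smss", "winlogon", "services", "lsass",
                  "svchost", "spoolsv", "rundll32", "explorer", "narrator"}

# A file directly under system32. The extension is optional because the LSA
# "Authentication Packages" value names the DLL without it.
SYS32_FILE = re.compile(
    r"[A-Za-z]:\\WINDOWS\\system32\\([A-Za-z0-9_]+)(?:\.(?:dll|exe))?(?=[\s\",)]|$)",
    re.IGNORECASE,
)
DATE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def looks_random(stem: str) -> bool:
    """Vundo-era heuristic: an 8-letter, purely alphabetic file name that is
    not a known Windows binary. Crude, and only used to prioritise review."""
    return len(stem) == 8 and stem.isalpha() and stem.lower() not in KNOWN_SYSTEM32


def classify(line: str):
    """Which section of the log a line came from, or None if not of interest."""
    if line.startswith(("O2 ", "O3 ", "O4 ", "O20 ", "O21 ", "O23 ")):
        return "autorun"       # loaded at logon / boot via browser, Run key or service
    if DATE_LINE.match(line):
        return "recent"        # "Files created" section: new in the last 30 days
    if "Authentication Packages" in line:
        return "lsa"           # loaded into lsass.exe at boot
    return None


def triage(log_text: str):
    """Return [(stem, {sections}), ...] for suspicious system32 names,
    ordered so that names seen in the most sections come first."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = classify(line)
        if kind is None:
            continue
        for match in SYS32_FILE.finditer(line):
            stem = match.group(1)
            if looks_random(stem):
                hits[stem.lower()].add(kind)
    return sorted(hits.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for stem, sections in triage(SAMPLE_LOG):
        print(f"{stem:<12} {', '.join(sorted(sections))}")
```

On the sample, rqRIccYP is the only name that appears in all three sections, and cultiepv, hdoriwao and kgrlwfpn each appear in one. A DLL registered as an LSA authentication package is loaded into lsass.exe at every boot, which is why a hit in that section is ranked above an ordinary Run key entry; the ordering only says where to look first, and the names it surfaces still have to be confirmed against the full log rather than treated as a verdict.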



#2 skyehigh92

  • Topic Starter
  • Members
  • 9 posts

Posted 08 August 2008 - 09:11 PM

HELP PLEASE!

#3 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 11 August 2008 - 04:06 PM

Hi skyehigh92

You do seem to have a few problems there.

Step 1
DSS is showing that you may have a few file association problems.
DSS has a built in tool to help correct this.

Make sure DSS.exe is on your Desktop
Click Start... Run,
Then copy/paste the following command into the 'run' box and press OK.
"%userprofile%\desktop\dss.exe" /daft
Press OK to the disclaimer(s) and then click Scan
Place checkmarks in all the boxes that appear and click Fix
Then close Deckard's System Scanner.

Step 2
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console, if it's not already installed on your machine.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply.

In your next reply, please submit:
ComboFix.txt
and a new HJT log

Thanks.



#4 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 15 August 2008 - 06:46 PM

Due to the lack of feedback, this Topic will now be closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
