
Infected With Trojan.Vundo / Adware.Vundo Variant/Rel


  • This topic is locked
10 replies to this topic

#1 cintha_goh

  • Members
  • 6 posts

Posted 15 August 2008 - 11:46 AM

Hi all at BleepingComputer,

I have recently been infected with several nasty viruses, worms and trojans from my school computers. I have since reformatted my notebook along with my external hard disk (HDD).

But when I did a virus scan with AVG, I found several infections, whereupon I immediately googled possible solutions for getting rid of these pesky troubles.

According to the SUPERAntiSpyware thorough scan, I have been infected with Adware.Tracking Cookie and Adware.Vundo Variant/Rel. I have tried to delete it several times, but SAS refuses to delete it.

Then I found this website offering great solutions, so I immediately downloaded Malwarebytes' Anti-Malware, whose quick scan showed that the vendors were Trojan.Vundo, Trojan.Agent and Malware.Trace.

I also saved the logfile of the Trend Micro scan.

My operating system is Windows XP; it was downgraded from Windows Vista Business. I currently have AVG 7.5, Avast! Home Edition 4.0, SAS and Malwarebytes' Anti-Malware.

I am really quite new and ignorant of these viruses and programs, but I am doing whatever I can on my part to save my notebook, and I hope that you guys might be able to save it too. It is at present only 3 days old, and I have already received all these nasty viruses!

So I copied and pasted the HijackThis log below, and then I also copied and pasted the log from after I clicked Remove Selected during the Malwarebytes' scan.

Am I being paranoid or do I have more viruses?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:34 AM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\PSUtility\TrayManager.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5b2afc98-28bc-f31a-db14-25781aa2d13f} - {f31d2aa1-8752-41bd-a13f-cb8289cfa2b5} - C:\WINDOWS\system32\durykx.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PSUtility] C:\Program Files\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\Win56.exe] C:\Windows\system32\Win56.exe
O4 - HKLM\..\Run: [\Win57.exe] C:\Windows\system32\Win57.exe
O4 - HKLM\..\Run: [\Win58.exe] C:\Windows\system32\Win58.exe
O4 - HKLM\..\Run: [\Win59.exe] C:\Windows\system32\Win59.exe
O4 - HKLM\..\Run: [\Win5A.exe] C:\Windows\system32\Win5A.exe
O4 - HKLM\..\Run: [903ec070] rundll32.exe "C:\WINDOWS\system32\kiyswrjo.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [\Win56.exe] C:\Windows\system32\Win56.exe
O4 - HKCU\..\Run: [\Win57.exe] C:\Windows\system32\Win57.exe
O4 - HKCU\..\Run: [\Win58.exe] C:\Windows\system32\Win58.exe
O4 - HKCU\..\Run: [\Win59.exe] C:\Windows\system32\Win59.exe
O4 - HKCU\..\Run: [\Win5A.exe] C:\Windows\system32\Win5A.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218788215500
O20 - AppInit_DLLs: durykx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: PSUTY - C:\WINDOWS\SYSTEM32\PSUWNP.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech IBT Service (LvIBTSvr) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: O2Flash Memory Service (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 8590 bytes
(Log file after clicking on "remove selected")
Malwarebytes' Anti-Malware 1.24
Database version: 1054
Windows 5.1.2600 Service Pack 3

12:40:57 AM 8/16/2008
mbam-log-8-16-2008 (00-40-57).txt

Scan type: Quick Scan
Objects scanned: 40682
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kiyswrjo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\durykx.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f31d2aa1-8752-41bd-a13f-cb8289cfa2b5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f31d2aa1-8752-41bd-a13f-cb8289cfa2b5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\903ec070 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win56.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win57.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win58.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win59.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win5a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win56.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win57.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win58.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win59.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\win5a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\durykx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kiyswrjo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ojrwsyik.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcfdoicu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


I truly appreciate the help that you guys are offering me, because the people around me have adopted the attitude that getting infected with viruses is just a sooner-or-later thing, so they do not bother and advise me to do the same. But I cannot bear to abandon my new laptop to such nasty viruses!!


Sincerely,
Jacintha

Edited by cintha_goh, 15 August 2008 - 11:50 AM.
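The HijackThis and MBAM logs above show the persistence points of this Vundo variant: an O2 BHO registered under a bare GUID, an O20 AppInit_DLLs entry for the same DLL, an O4 Run value with a random hex name that launches a DLL through rundll32, and a set of `\Win5x.exe` Run values. The following Python script is an added triage example written for this page, not code from the post or from HijackThis, MBAM or ComboFix; its heuristics are assumptions, and it re-parses a constructed subset of the logged lines and cross-checks them against the MBAM "Files Infected" list.

```python
import re

# Constructed sample: a subset of the O2/O4/O20 lines from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5b2afc98-28bc-f31a-db14-25781aa2d13f} - {f31d2aa1-8752-41bd-a13f-cb8289cfa2b5} - C:\WINDOWS\system32\durykx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\Win56.exe] C:\Windows\system32\Win56.exe
O4 - HKLM\..\Run: [903ec070] rundll32.exe "C:\WINDOWS\system32\kiyswrjo.dll",b
O4 - HKCU\..\Run: [\Win56.exe] C:\Windows\system32\Win56.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - AppInit_DLLs: durykx.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
"""

# Constructed sample: the paths from the MBAM "Files Infected" section above.
SAMPLE_MBAM_FILES = [
    r"C:\WINDOWS\system32\durykx.dll",
    r"C:\WINDOWS\system32\kiyswrjo.dll",
    r"C:\WINDOWS\system32\ojrwsyik.ini",
    r"C:\WINDOWS\system32\dcfdoicu.dll",
]

# Heuristics (assumptions of this example, not the tools' own logic).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)


def basename(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_of(cmd):
    """(module path, rundll32 export or None) for the image a Run value loads."""
    r = RUNDLL_RE.match(cmd.strip())
    if r:
        return r["dll"], r["export"]
    # Plain launch: the image is the command up to the first " /switch".
    return cmd.split(" /", 1)[0].strip().strip('"'), None


def triage(hjt_text, mbam_files):
    """Return (section, image, reason) for each HijackThis entry worth a second look."""
    known_bad = {basename(p) for p in mbam_files}
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            reasons = []
            if GUID_RE.match(m["name"]):
                reasons.append("BHO registered with a bare GUID instead of a class name")
            if basename(m["path"]) in known_bad:
                reasons.append("module listed in MBAM 'Files Infected'")
            if reasons:
                findings.append(("O2", m["path"], "; ".join(reasons)))
        elif m := O4_RE.match(line):
            reasons = []
            image, export = image_of(m["cmd"])
            if m["value"].startswith("\\"):
                reasons.append("Run value name begins with a backslash")
            if HEX_VALUE_RE.match(m["value"]):
                reasons.append("Run value name is eight random-looking hex digits")
            if export is not None and len(export) == 1:
                reasons.append("rundll32 launch of a DLL via a single-letter export")
            if basename(image) in known_bad:
                reasons.append("module listed in MBAM 'Files Infected'")
            if reasons:
                findings.append(("O4 " + m["hive"], image, "; ".join(reasons)))
        elif m := O20_RE.match(line):
            if m["kind"] == "AppInit_DLLs":
                # Any AppInit_DLLs value is worth review: it is loaded into every process that maps user32.dll.
                reasons = ["AppInit_DLLs entry is present"]
                if basename(m["rest"]) in known_bad:
                    reasons.append("module listed in MBAM 'Files Infected'")
                findings.append(("O20 AppInit_DLLs", m["rest"], "; ".join(reasons)))
            else:
                path = m["rest"].split(" - ", 1)[-1]
                if basename(path) in known_bad:
                    findings.append(("O20 Winlogon Notify", path, "module listed in MBAM 'Files Infected'"))
    return findings


if __name__ == "__main__":
    for section, image, reason in triage(SAMPLE_HJT, SAMPLE_MBAM_FILES):
        print(f"{section:20} {image}\n    {reason}")
```

The legitimate entries in the sample (Java, AVG, SUPERAntiSpyware, the avgwlntf Winlogon Notify) produce no finding, while the five Vundo-related entries do.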



#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 17 August 2008 - 04:50 PM

Hello Jacintha and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear Now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 cintha_goh

  • Topic Starter
  • Members
  • 6 posts

Posted 18 August 2008 - 06:48 AM

Hi,

This is the ComboFix log file below.

Once again, thanks for all the help.

Sincerely,
Jacintha

ComboFix 08-08-17.03 - Jacintha 2008-08-18 19:37:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2674 [GMT 8:00]
Running from: C:\Documents and Settings\Jacintha\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jacintha\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jacintha\UserData
C:\Documents and Settings\Jacintha\UserData\GJK3M567\Tdy58[1].xml
C:\Documents and Settings\Jacintha\UserData\index.dat
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\WHjmoqss.ini
C:\WINDOWS\system32\WHjmoqss.ini2
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-17 16:34 . 2008-08-17 16:36 <DIR> d-------- C:\Documents and Settings\Jacintha\Application Data\CyberLink
2008-08-17 16:21 . 2008-08-17 16:21 <DIR> d-------- C:\Program Files\Total Video Converter
2008-08-17 16:15 . 2008-08-17 16:15 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-08-17 16:15 . 2008-08-17 16:15 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-08-17 16:15 . 2008-08-17 16:15 <DIR> d-------- C:\Program Files\Media Player Classic
2008-08-17 16:15 . 2004-09-23 18:57 6,676,480 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-17 16:15 . 2004-09-23 18:57 747,008 --a------ C:\WINDOWS\system32\Indeo4.qtx
2008-08-17 16:15 . 2002-12-20 12:40 675,328 --a------ C:\WINDOWS\system32\ir50_32.qtx
2008-08-17 16:15 . 2004-09-23 18:57 430,592 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-08-17 16:15 . 2004-10-27 13:01 360,504 --a------ C:\WINDOWS\system32\QTPlugin.ocx
2008-08-17 16:15 . 2004-09-23 18:57 323,072 --a------ C:\WINDOWS\system32\QuickTime.cpl
2008-08-17 16:15 . 2004-01-12 17:57 86,016 --a------ C:\WINDOWS\system32\QuickTime.ax
2008-08-17 16:15 . 2004-09-23 18:57 70,144 --a------ C:\WINDOWS\system32\QuickTimeCheck.ocx
2008-08-17 15:31 . 2008-08-17 15:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-17 15:30 . 2008-08-17 15:30 <DIR> d-------- C:\Program Files\Real
2008-08-17 15:29 . 2008-08-17 15:31 <DIR> d-------- C:\Program Files\Common Files\Real
2008-08-17 00:09 . 2008-08-17 00:10 <DIR> d-------- C:\Program Files\Matroska Pack
2008-08-16 22:57 . 2008-08-16 22:57 <DIR> d-------- C:\Documents and Settings\Jacintha\Application Data\Media Player Classic
2008-08-16 19:19 . 2008-08-16 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
2008-08-16 19:19 . 2008-08-16 19:19 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-08-16 19:19 . 2008-08-16 19:19 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-08-16 19:19 . 2008-08-16 19:19 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-08-16 19:19 . 2008-08-16 19:19 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-08-16 19:19 . 2008-08-17 15:40 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-08-16 19:19 . 2008-08-17 15:40 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-08-16 14:41 . 2008-08-16 14:41 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-16 00:26 . 2008-08-16 00:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 00:02 . 2008-08-16 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 00:02 . 2008-08-16 00:02 <DIR> d-------- C:\Documents and Settings\Jacintha\Application Data\Malwarebytes
2008-08-16 00:02 . 2008-08-16 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 00:02 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 00:02 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 23:18 . 2008-08-15 23:18 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-08-15 23:18 . 2008-08-15 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-08-15 23:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-15 23:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-15 23:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-15 22:21 . 2008-08-15 22:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-15 22:21 . 2008-08-15 22:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 22:21 . 2008-08-15 22:21 <DIR> d-------- C:\Documents and Settings\Jacintha\Application Data\SUPERAntiSpyware.com
2008-08-15 22:21 . 2008-08-15 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-15 21:43 . 2008-08-15 21:43 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-15 20:58 . 2008-08-18 10:46 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-15 20:40 . 2008-08-15 20:40 <DIR> d-------- C:\Documents and Settings\Jacintha\Contacts
2008-08-15 20:37 . 2008-08-15 20:39 <DIR> d-------- C:\Program Files\Windows Live
2008-08-15 20:37 . 2008-08-15 20:39 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-15 20:36 . 2008-08-15 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-15 20:20 . 2008-08-15 20:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-15 17:10 . 2008-04-14 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-15 16:52 . 2008-08-15 16:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-08-15 16:52 . 2008-08-18 10:10 <DIR> d-------- C:\Documents and Settings\Jacintha\Application Data\AVG7
2008-08-15 16:52 . 2008-08-15 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-15 16:52 . 2008-08-15 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-08-15 16:52 . 2008-08-15 16:52 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-08-15 16:38 . 2008-08-15 16:42 <DIR> d-------- C:\I386
2008-08-15 16:32 . 2008-08-15 16:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-15 16:25 . 2008-06-13 19:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-15 16:25 . 2008-06-13 19:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-15 16:20 . 2008-08-15 16:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-15 16:20 . 2005-02-25 11:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-15 16:18 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-08-15 16:18 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-15 16:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-15 16:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-15 16:18 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-15 15:34 . 2008-08-15 15:34 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-08-15 15:21 . 2008-08-15 15:21 <DIR> d-------- C:\Program Files\Toshiba
2008-08-15 15:21 . 2007-01-12 21:41 113,792 --a------ C:\WINDOWS\system32\drivers\tosrfbd.sys
2008-08-15 15:21 . 2007-01-24 14:57 73,728 --a------ C:\WINDOWS\system32\drivers\Tosrfhid.sys
2008-08-15 15:21 . 2005-08-01 16:45 64,896 --a------ C:\WINDOWS\system32\drivers\tosrfcom.sys
2008-08-15 15:21 . 2007-01-22 10:43 53,376 --a------ C:\WINDOWS\system32\drivers\TosRfSnd.sys
2008-08-15 15:21 . 2006-10-10 19:33 41,600 --a------ C:\WINDOWS\system32\drivers\tosporte.sys
2008-08-15 15:21 . 2007-01-12 21:16 40,576 --a------ C:\WINDOWS\system32\drivers\tosrfusb.sys
2008-08-15 15:21 . 2006-11-20 17:55 36,480 --a------ C:\WINDOWS\system32\drivers\tosrfbnp.sys
2008-08-15 15:21 . 2005-01-06 13:42 18,612 --a------ C:\WINDOWS\system32\drivers\tosrfnds.sys
2008-08-15 14:39 . 2008-08-15 14:39 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-15 14:39 . 2007-02-27 02:33 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-08-15 14:39 . 2008-08-15 14:39 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Program Files\Realtek
2008-08-15 14:21 . 2007-02-15 13:31 2,756,608 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-08-15 14:21 . 2007-04-02 02:30 2,204,672 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-08-15 14:21 . 2007-02-15 13:30 679,936 --a------ C:\WINDOWS\system32\NETw4c32.dll
2008-08-15 14:14 . 2008-08-15 14:14 <DIR> d-------- C:\Program Files\AuthenTec
2008-08-15 14:09 . 2008-08-15 14:09 <DIR> d-------- C:\WINDOWS\system32\SDA
2008-08-15 14:09 . 2008-08-15 14:09 <DIR> d-------- C:\Program Files\O2Micro
2008-08-15 14:09 . 2006-10-03 12:23 36,640 --a------ C:\WINDOWS\system32\drivers\o2media.sys
2008-08-15 14:09 . 2007-05-11 16:56 35,456 --a------ C:\WINDOWS\system32\drivers\o2sd.sys
2008-08-15 14:09 . 2008-08-15 14:08 7,168 --a------ C:\WINDOWS\system32\drivers\FJGSDisk.sys
2008-08-15 14:06 . 2008-08-15 14:06 <DIR> d-------- C:\WINDOWS\Options
2008-08-15 14:06 . 2008-08-15 14:06 <DIR> d-------- C:\Program Files\ltmoh
2008-08-15 14:05 . 2008-08-15 14:05 <DIR> d-------- C:\Program Files\Synaptics
2008-08-15 14:05 . 2007-06-15 11:00 209,184 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-08-15 14:05 . 2007-06-15 11:07 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-08-15 14:05 . 2007-06-15 11:06 163,840 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-08-15 14:05 . 2007-06-15 11:14 147,456 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-08-15 14:05 . 2007-06-15 11:51 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2008-08-15 14:04 . 2008-08-15 14:04 <DIR> d-------- C:\Program Files\Softex
2008-08-15 14:04 . 2006-06-10 16:38 2,179,072 --a------ C:\WINDOWS\system32\mfc71d.dll
2008-08-15 14:04 . 2006-06-10 16:38 2,174,464 --a------ C:\WINDOWS\system32\mfc71ud.dll
2008-08-15 14:04 . 2006-06-10 16:38 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2008-08-15 14:04 . 2006-06-10 16:38 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-08-15 14:04 . 2006-06-10 17:02 65,536 --a------ C:\WINDOWS\system32\scurecpl.cpl
2008-08-15 14:03 . 2008-08-15 14:03 <DIR> d-------- C:\Program Files\Fingerprint Sensor
2008-08-15 14:01 . 2006-03-07 22:44 40,960 --a------ C:\WINDOWS\system32\ct32.dll
2008-08-15 13:59 . 2007-02-07 04:58 1,939,360 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys
2008-08-15 13:59 . 2007-02-07 04:58 527,136 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2008-08-15 13:59 . 2003-02-21 05:42 348,160 --a------ C:\WINDOWS\system\msvcr71.dll
2008-08-15 13:59 . 2007-02-07 04:55 264,992 --a------ C:\WINDOWS\system32\lvcodec2.dll
2008-08-15 13:59 . 2007-02-07 04:58 215,840 --a------ C:\WINDOWS\system32\LVUI2.dll
2008-08-15 13:59 . 2007-02-07 04:55 129,824 --a------ C:\WINDOWS\system32\lvci1052.dll
2008-08-15 13:59 . 2007-02-07 03:20 50,127 --a------ C:\WINDOWS\system32\lvcoinst.ini
2008-08-15 13:59 . 2007-02-07 03:22 13,398 --a------ C:\WINDOWS\system32\Repository.reg
2008-08-15 13:58 . 2008-08-15 13:58 <DIR> d-------- C:\Program Files\SXGA Video
2008-08-15 13:58 . 2008-08-15 13:58 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-08-15 13:58 . 2007-02-07 04:57 66,848 --a------ C:\WINDOWS\system32\drivers\lvselsus.sys
2008-08-15 13:58 . 2007-02-07 04:59 22,560 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys
2008-08-15 13:57 . 2008-08-15 15:51 <DIR> d-------- C:\Program Files\Fujitsu
2008-08-15 12:02 . 2008-08-15 12:02 0 --a------ C:\WINDOWS\tosOBEX.INI
2008-08-15 10:14 . 2008-08-15 10:14 <DIR> d-------- C:\Program Files\Intel
2008-08-15 09:47 . 2008-08-15 09:47 <DIR> d-------- C:\Program Files\Marvell
2008-08-15 09:31 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-15 09:04 . 2007-04-04 22:19 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-15 09:03 . 2008-08-15 20:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-15 09:03 . 2008-08-15 09:03 <DIR> d-------- C:\Program Files\DIFX
2008-08-15 09:02 . 2008-08-15 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCDr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 09:51 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="C:\Program Files\Fingerprint Sensor\ATSwpNav -run" [X]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32 132760]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-03-15 17:12 90112]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-04-02 23:29 252704]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-06-10 17:24 1966080]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-15 11:23 888832]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-05-18 15:57 188416]
"PSUtility"="C:\Program Files\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 11:57 118784]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-27 02:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-27 02:33 131072]
"LoadFUJ02E3"="C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 15:38 80688]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-08-16 14:42 579584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-17 15:29 185896]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 89541 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 01:05 16125440 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-08-15 16:56 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-12-05 11:14:28 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-06-10 17:02 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-08-15 16:52 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
2006-06-02 17:04 32768 C:\WINDOWS\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=durykx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-10-03 12:23]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2007-05-11 16:56]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 22:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 22:37]
S2 LvIBTSvr;Logitech IBT Service;C:\Program Files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe [2007-04-02 23:29]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jacintha\Application Data\Mozilla\Firefox\Profiles\vq9qwor6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com.sg


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 19:40:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2008-08-18 19:42:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 11:42:45

Pre-Run: 194,644,385,792 bytes free
Post-Run: 194,752,122,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

272 --- E O F --- 2008-08-16 06:41:50

#4 cintha_goh

cintha_goh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 18 August 2008 - 07:16 AM

Hi again..

After running the Combo Fix file, does this also mean that it has recovered important files on my notebook too?

Because I noticed that my desktop has the IE shortcut again. But I cannot seem to get my Avast! back on my system tray after I stopped the on-access protection. Does this also mean that my avast! is not working?


Sincerely,
Jacintha

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:10 PM

Posted 18 August 2008 - 09:51 AM

Hello Jacintha,

Don't worry about Avast! just yet, we'll get that sorted out once your system is clean again :thumbsup:

Could you upload some files please ?
Can you zip all .dll.vir files in the folder C:\Qoobox using WinZip (or a similar program) to Qoobox.zip and upload the zipped file to :

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How?
1. In the first window (Link to topic where this file was requested:) copy and paste this link:
http://www.bleepingcomputer.com/forums/t/163437/infected-with-trojanvundo-adware-vundo-varientrel/
2. In the second window (Browse to the file you want to submit:) browse to the Qoobox.zip file
3. Click the Send file button :)
Then, let's check a bit deeper:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:
http://www.bleepingcomputer.com/forums/t/163437/infected-with-trojanvundo-adware-vundo-varientrel/
Suspect::[9]
C:\WINDOWS\system32\sysprs7.tgz
C:\WINDOWS\system32\sysprs7.dll
C:\WINDOWS\system32\clauth2.dll
C:\WINDOWS\system32\clauth1.dll
C:\WINDOWS\system32\lsprst7.tgz
C:\WINDOWS\system32\ssprs.tgz
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file called CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
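The CFScript above clears AppInit_DLLs and quarantines a set of files; the reason a helper reacts to that registry value is visible in the "Reg Loading Points" section of the log earlier in the thread. The following is an added example (editor-supplied, not code from the thread, from Thunder, or from ComboFix) that parses that REGEDIT4-style section and reports what a reviewer checks first: a non-empty AppInit_DLLs value, and Run entries that ComboFix tagged [X]. The sample log text is constructed to mirror the shape of the posted log; that [X] is ComboFix's marker for a file it could not find at the listed path is an assumption of this example.

```python
"""Added example: review the 'Reg Loading Points' section of a ComboFix log.

Editor-supplied code, not part of the thread or of ComboFix. It parses the
REGEDIT4-style block ComboFix prints and reports a non-empty AppInit_DLLs
value (Windows loads that DLL into every process that links user32.dll,
which is why clearing it appears in the CFScript) and Run entries tagged
[X], which (assumption) marks a file ComboFix could not locate.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the shape of the log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="C:\Program Files\Fingerprint Sensor\ATSwpNav -run" [X]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-27 02:34 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=durykx.dll
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')

Entry = Tuple[str, str, str]  # (value name, data, trailing metadata such as "[X]")


def _split_value(rest: str) -> Tuple[str, str]:
    """Split the text after '=' into (data, metadata).

    ComboFix quotes file paths and appends '[date time size]' or '[X]';
    AppInit_DLLs is printed unquoted with no metadata.
    """
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:                      # unterminated quote: take what is there
            return rest.strip('"'), ""
        return rest[1:end], rest[end + 1:].strip()
    data, sep, meta = rest.partition(" [")
    return data.strip(), (sep.strip() + meta) if sep else ""


def parse_loading_points(text: str) -> Dict[str, List[Entry]]:
    """Map each registry key header to the entries listed beneath it."""
    entries: Dict[str, List[Entry]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            entries.setdefault(key, [])
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and key is not None:
            data, meta = _split_value(entry_match.group("rest"))
            entries[key].append((entry_match.group("name"), data, meta))
    return entries


def review(text: str) -> List[str]:
    """Return human-readable findings a helper would want to check."""
    findings: List[str] = []
    for key, items in parse_loading_points(text).items():
        for name, data, meta in items:
            if name.lower() == "appinit_dlls" and data:
                findings.append(
                    f"AppInit_DLLs under {key} is set to {data!r}: "
                    "it is loaded into every process that links user32.dll; "
                    "identify the file before trusting it")
            elif meta == "[X]":
                findings.append(
                    f"Run entry {name!r} under {key} is tagged [X]: "
                    f"ComboFix did not find a file at {data!r}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample, `review` returns two findings: the [X]-tagged ATSwpNav entry and the AppInit_DLLs value; after the CFScript's `"AppInit_DLLs"=""` has been applied, only the [X] entry remains, which is the kind of difference a helper looks for between the first log and the one produced after the script.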

#6 cintha_goh

cintha_goh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 18 August 2008 - 08:47 PM

Hi,

I have sent the 2 .dll.vir files via WinZip and the ComboFix log.


Sincerely.
Jacintha

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:10 PM

Posted 19 August 2008 - 04:36 AM

Hello Jacintha,

Your log looks fine now. :thumbsup:

One thing though : running 2 antivirus applications at the same time is not a good idea !
Please, make a choice, and remove one of them through Control Panel > Software.
Then reboot your PC.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select your Platform (Windows version) and check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Are you still having problems ?

Greetings,
Thunder

#8 cintha_goh

cintha_goh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 19 August 2008 - 08:42 AM

Hi,

Thanks for all your help. I feel relieved now that my laptop has been assured of no virus lurking within.. Bleeping Computer is practically my angel!!

However, I would like to ask you about another problem that I am currently facing..

My laptop has been downgraded from Windows Vista Business to Windows XP Professional Edition SP3. Then due to some viruses, it was re-formatted, and then downgraded to Windows XP again. But my language bar has disappeared, and I am unable to install it back again.

There is always a prompt for me to insert the Windows XP Professional Edition SP3 CD into my CD drive. However, I do not have the CD in my possession. Is there any other way around this problem, because I really need to install the language bar badly. I need to use Japanese, Korean and Chinese for my school-related work.

Sincerely,
Jacintha

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:10 PM

Posted 19 August 2008 - 09:16 AM

Hello Jacintha,

I guess you tried right-clicking on the taskbar, looking in the list of Toolbars, checking the Language bar and exiting again?

To install additional languages legally, you do need the installation disk :thumbsup:

Greetings,
Thunder

Edited by Thunder, 19 August 2008 - 09:18 AM.


#10 cintha_goh

cintha_goh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 19 August 2008 - 07:44 PM

Hi Thunder,

Hmmm... I guess I have no choice but to get the installation CD then.

THANKS A LOT FOR ALL YOUR HELP!!


Sincerely,
Jacintha

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:10 PM

Posted 20 August 2008 - 04:45 AM

Glad we could help, Jacintha :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



