
Infected - Posted Log Files



#1 brainfroze (Members)

Posted 23 August 2008 - 04:15 AM

Hi,
This is my first time in the forum. I was reading through a previous post by someone who had the exact problem that I'm having, and he was given some programs to run and told to post the log files. He never did post his files and the thread was closed, so I don't know if his problem was solved. However, I followed the instructions he was given and am going to post the two files he was told to post.

I know the forum says not to post files until asked, but I hope you'll forgive me. Most of what I've read while researching my problem has requested these files, so I followed the instructions carefully and have the log files from ComboFix and Malwarebytes. Please help. I've run SmitFraudFix, VundoFix, VirtumundoBeGone, SUPERAntiSpyware Free Edition (several times), and others and can't get rid of this thing. Right now about the only major problem I'm having that's showing, other than a pop-up here and there, is the icon saying that Automatic Updates are turned off. They're not, though.

I really appreciate any help you guys can provide. I will post back promptly with any of your requests. Thanks again.

ComboFix 08-08-21.02 - Chris 2008-08-23 4:47:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.456 [GMT -4:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Chris\Application Data\macromedia\Flash Player\#SharedObjects\GNV8KF8A\interclick.com
C:\Documents and Settings\Chris\Application Data\macromedia\Flash Player\#SharedObjects\GNV8KF8A\interclick.com\ud.sol
C:\Documents and Settings\Chris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Chris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Chris\Cookies\chris@edge.ru4[1].txt
C:\Documents and Settings\Chris\Cookies\chris@ehg.fedex[2].txt
C:\Documents and Settings\Chris\Cookies\chris@insightexpressai[1].txt
C:\Documents and Settings\Chris\Cookies\chris@lxk235.lexmark[2].txt
C:\Documents and Settings\Chris\Cookies\chris@lxk235.lexmark[3].txt
C:\Documents and Settings\Chris\Cookies\chris@specificclick[2].txt
C:\Documents and Settings\Chris\Cookies\chris@vendorweb.citibank[3].txt
C:\Documents and Settings\Chris\Cookies\chris@www35.vzw[1].txt
C:\Documents and Settings\Chris\Cookies\chris@www35.vzw[2].txt
C:\Documents and Settings\Chris\Cookies\chris@www35.vzw[3].txt
C:\Documents and Settings\Chris\Cookies\chris@www35.vzw[4].txt
C:\Documents and Settings\Chris\Desktop\Error Cleaner.url
C:\Documents and Settings\Chris\Desktop\Privacy Protector.url
C:\Documents and Settings\Chris\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Chris\Favorites\Error Cleaner.url
C:\Documents and Settings\Chris\Favorites\Privacy Protector.url
C:\Documents and Settings\Chris\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\{4882D~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gkynvjov.ini
C:\WINDOWS\system32\jtwrst.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pytxriqs.dll
C:\WINDOWS\system32\rhhpwyke.dll
C:\WINDOWS\system32\vojvnykg.dll
C:\WINDOWS\system32\wwehvr.dll
C:\WINDOWS\system32\yGhkkUtv.ini
C:\WINDOWS\system32\yGhkkUtv.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 04:13 . 2008-08-23 04:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 04:13 . 2008-08-23 04:13 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-08-23 04:13 . 2008-08-23 04:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 04:13 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 04:13 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 03:52 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-23 03:52 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-23 03:52 . 2008-08-21 23:41 87,552 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-23 03:52 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-23 03:52 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-23 03:52 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-23 03:52 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-23 03:52 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-23 03:52 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-23 03:30 . 2008-08-23 03:30 <DIR> d-------- C:\_OTMoveIt
2008-08-23 01:26 . 2008-08-23 01:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-23 01:25 . 2008-08-23 02:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-23 01:25 . 2008-08-23 01:25 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-08-23 00:13 . 2008-08-23 00:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-22 23:57 . 2008-08-22 23:57 <DIR> d-------- C:\VundoFix Backups
2008-08-22 04:42 . 2008-08-22 04:42 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-22 04:12 . 2008-08-22 23:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-20 20:57 . 2008-08-20 20:57 <DIR> d-------- C:\Program Files\Lexmark 4200 Series
2008-08-20 20:41 . 2003-04-11 06:56 983,107 --a------ C:\WINDOWS\system32\LXBMGF.DLL
2008-08-20 20:40 . 2008-08-20 20:40 <DIR> d-------- C:\Lxk4200
2008-08-19 04:51 . 2008-08-19 04:51 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-19 04:51 . 2008-08-19 04:51 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-19 04:51 . 2008-08-19 04:51 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-19 04:50 . 2008-08-23 01:14 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-17 03:24 . 2008-08-19 04:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-15 01:43 . 2004-08-04 08:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-08-15 01:34 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
2008-08-14 03:49 . 2008-08-14 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-11 04:18 . 2008-08-11 04:18 <DIR> d-------- C:\Program Files\LimeWire
2008-08-09 03:58 . 2008-08-23 01:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 07:54 1,532 ----a-w C:\WINDOWS\system32\tmp.reg
2008-08-23 05:44 41,454 ----a-w C:\Documents and Settings\Chris\Application Data\wklnhst.dat
2008-08-23 04:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 08:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-21 01:17 --------- d-----w C:\Documents and Settings\Chris\Application Data\AdobeUM
2008-08-20 09:31 --------- d-----w C:\Program Files\Notebook Maximizer
2008-08-10 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 07:58 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-21 09:49 --------- d-----w C:\Program Files\MSBuild
2008-07-21 09:44 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-19 11:39 --------- d-----w C:\Program Files\Java
2008-07-19 11:29 --------- d-----w C:\Program Files\AVG
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 07:19 --------- d-----w C:\Program Files\Pinnacle
2008-07-13 08:30 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-07-11 05:54 --------- d-----w C:\Documents and Settings\Chris\Application Data\mjusbsp
2008-07-09 08:26 --------- d-----w C:\Documents and Settings\Chris\Application Data\PDF reDirect
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 10:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-25 10:31 --------- d-----w C:\Documents and Settings\Chris\Application Data\Download Manager
2008-06-25 09:25 --------- d-----w C:\Program Files\Elaborate Bytes
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-29 06:26 410,976 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-05-16 04:57 81,920 ----a-w C:\Documents and Settings\Chris\Application Data\ezpinst.exe
2008-05-16 04:57 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
2006-11-17 09:52 2,459 -c-ha-w C:\Documents and Settings\Chris\hpothb07.dat
2005-10-03 03:33 80 -csh--r C:\WINDOWS\system32\42A52D0657.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wwehvr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-10-22 04:05 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-10-22 04:06 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-10-22 04:06 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 05:04 57344 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 19:37 151552 c:\TOSHIBA\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2004-03-02 16:45 135168 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2004-02-20 18:00 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2003-12-02 17:15 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2004-06-01 23:43 278528 C:\WINDOWS\system32\TPSMain.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"PCLEUSBTip"=C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-19 04:51]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-19 04:50]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-19 04:50]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-19 04:51]
S3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2007-09-05 15:26]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
S3 mamovec;mamovec;C:\WINDOWS\system32\Drivers\mamovec.sys [2005-06-15 12:00]
S3 mamovem;mamovem;C:\WINDOWS\system32\Drivers\mamovem.sys [2005-06-15 12:00]
S3 mamoveu;mamoveu;C:\WINDOWS\system32\DRIVERS\mamoveu.sys [2007-01-09 06:32]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-08-17 23:44]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\qvdh2qxs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.msn.com
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPJPI150_14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_14\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 04:50:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 4:52:09
ComboFix-quarantined-files.txt 2008-08-23 08:52:02

Pre-Run: 27,065,847,808 bytes free
Post-Run: 27,044,372,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

274 --- E O F --- 2008-08-14 07:07:07
Here is the one from Malwarebytes:


Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

04:31:47 2008-08-23
mbam-log-08-23-2008 (04-31-47).txt

Scan type: Quick Scan
Objects scanned: 52066
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rbwfjjjc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUkkhGy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\utnugc.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{df1893c9-015e-4d66-a42a-2e42f1478737} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{df1893c9-015e-4d66-a42a-2e42f1478737} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rafbsvnx.btqk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtukkhgy -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukkhgy -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vtUkkhGy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yGhkkUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yGhkkUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rbwfjjjc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cjjjfwbr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utnugc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\chjebcep.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

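The ComboFix log above shows `AppInit_DLLs` pointing at `wwehvr.dll` and the firewall's standard profile set to `EnableFirewall = 0`, and the Malwarebytes log shows the same Vundo component registered under the LSA `Authentication Packages` and `Notification Packages` values, which lsass.exe loads at boot. Those are exactly the load points a responder checks first, because a clean Windows XP machine has a fixed, short list of values there. The script below is an added example and is not code from the original post, from ComboFix or from Malwarebytes: it parses a ComboFix-style "Reg Loading Points" listing and flags any value in those locations that is not in the XP SP2 default set. The `BASELINES` table is an assumed baseline (confirm it against a known-clean machine of the same build), and `SAMPLE_LOG` is a constructed sample modelled on the two logs in this post.

```python
"""
Added triage example: flag persistence entries in a ComboFix-style
"Reg Loading Points" listing that differ from the Windows XP SP2 defaults.
Not part of the original post, ComboFix or Malwarebytes.
"""
import re

# Assumed clean Windows XP SP2 values for the load points the log exposes.
# Verify this baseline against a known-clean machine of the same build
# before relying on it; anything outside these sets deserves a look.
BASELINES = {
    "AppInit_DLLs": set(),  # injected into every user32 process; empty when clean
    "SecurityProviders": {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"},
    "Authentication Packages": {"msv1_0"},  # loaded by lsass.exe at boot
    "Notification Packages": {"scecli"},    # also loaded by lsass.exe at boot
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")

def _split_value(line):
    """Return (name, data) for '"name"=data' or 'name <REG_TYPE> data' lines."""
    if "=" in line:
        name, _, data = line.partition("=")
        return name.strip().strip('"'), data
    for name in BASELINES:  # ComboFix prints some values without an '='
        if line.lower().startswith(name.lower()):
            data = line[len(name):]
            return name, re.sub(r"^\s*REG_\w+", "", data)  # drop a REG_MULTI_SZ tag
    return None, None

def _tokens(data):
    """Split 'a.dll, b.dll' or 'a.dll b.dll' into a lower-cased set of names."""
    parts = re.split(r"[,\s]+", data.strip().strip('"'))
    return {t.strip().lower() for t in parts if t.strip()}

def triage(log_text):
    """Return [(registry_key, value_name, finding), ...] in log order."""
    findings = []
    current_key = "(no key)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        name, data = _split_value(line)
        if name is None:
            continue
        if name in BASELINES:
            baseline = {b.lower() for b in BASELINES[name]}
            extra = sorted(_tokens(data) - baseline)
            if extra:
                findings.append((current_key, name, "non-default entries: " + ", ".join(extra)))
        elif name == "EnableFirewall" and data.strip().startswith("0"):
            findings.append((current_key, name, "Windows Firewall is disabled for this profile"))
    return findings

# Constructed sample modelled on the post's ComboFix output plus the two LSA
# values Malwarebytes reported; the LSA lines follow ComboFix's own layout.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wwehvr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders    msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ    msv1_0 c:\windows\system32\vtukkhgy
Notification Packages    REG_MULTI_SZ    scecli c:\windows\system32\vtukkhgy

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for key, name, finding in triage(SAMPLE_LOG):
        print(f"[{key}] {name}: {finding}")
```

Run against the sample it reports the `AppInit_DLLs` entry, the two LSA packages and the disabled firewall, and stays silent on the `SecurityProviders` line, which matches the XP default. The LSA hits are the important ones: a DLL listed there is loaded by lsass.exe as SYSTEM on every boot, so it survives a reboot after the on-disk copy is removed unless the registry value is cleaned as well, which is why Malwarebytes marks those items "Delete on reboot".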
#2 ken545 (Malware Response Team)

Posted 07 September 2008 - 02:33 PM

Hello

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof, and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, please post a new HJT log, as your system may have changed since your original post.


Just a reminder that threads will be closed if no response in 3 days
