Vundo Removal



#1 JBoogie


Posted 27 September 2008 - 11:48 PM

I tried several spyware and virus scanners. Not able to remove the Vundo trojan. It sometimes stops explorer.exe from starting, so when I start the computer the icons and task bar are missing. I am unable to start Windows Updates. I get several pop-ups for fake virus scanners.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:14 AM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Adp\MSDE\MSSQL$ADPDB\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMcf95eec1] Rundll32.exe "C:\WINDOWS\system32\ccdvauup.dll",s
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\SSEMBL~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to startup.lnk = C:\startup.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll eklkjr.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 3321 bytes
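As an added example (not from the thread or from any of the tools it mentions), here is a small Python triage pass over HijackThis entries in the format of the log above. It flags the three launch points that the later Malwarebytes and ComboFix output confirm as Vundo: the AppInit_DLLs entry, the Run key that hands a DLL to rundll32, and the look-alike rundll.exe; the sample lines are copied from the log above, while the allowlist and the look-alike set are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis v2 entries copied from the log posted in
# this thread, trimmed to the lines that matter for the triage below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMcf95eec1] Rundll32.exe "C:\WINDOWS\system32\ccdvauup.dll",s
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\SSEMBL~1\rundll.exe" -vt yazb
O4 - Startup: Shortcut to startup.lnk = C:\startup.bat
O20 - AppInit_DLLs: ,avgrsstx.dll eklkjr.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumed lists (not HijackThis's own): AppInit DLLs of products known to be
# installed on this machine, and file names that imitate a Windows tool (rundll32.exe).
KNOWN_APPINIT = {"avgrsstx.dll"}
LOOKALIKE_EXES = {"rundll.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .* = (?P<target>.*)$")
ROOT_SCRIPT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:bat|cmd|vbs|js)$", re.I)


@dataclass
class Finding:
    line: str    # the HijackThis entry that triggered the finding
    detail: str  # why it deserves a look


def first_exe(cmd: str) -> str:
    """Lower-cased basename of the program a Run command launches, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower() if m else ""


def triage(log_text: str) -> list[Finding]:
    """Apply Vundo-style heuristics to each entry and return the items to review."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is mapped into every process that loads user32.dll, which is
            # how eklkjr.dll kept reappearing; anything not allowlisted is suspect.
            for dll in filter(None, re.split(r"[,\s]+", body.split(":", 1)[1])):
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(Finding(raw, f"unknown AppInit_DLLs entry {dll}"))
        elif code == "O4":
            run = RUN_RE.match(body)
            if run:
                cmd, exe = run.group("cmd"), first_exe(run.group("cmd"))
                hit = RUNDLL32_RE.search(cmd)
                if hit:  # Run key that only hands a DLL to rundll32 (ccdvauup.dll above)
                    findings.append(Finding(raw, f"rundll32 loads {hit.group('dll')} via export {hit.group('export')}"))
                elif exe in LOOKALIKE_EXES:  # rundll.exe is not a Windows binary
                    findings.append(Finding(raw, f"lookalike binary {exe} in Run key"))
            else:
                st = STARTUP_RE.match(body)
                if st and ROOT_SCRIPT_RE.match(st.group("target")):
                    findings.append(Finding(raw, f"startup shortcut runs a script at the drive root: {st.group('target')}"))
    return findings
```

Run against SAMPLE_LOG it returns four findings and leaves the AVG tray, AVG service and start-page entries alone; the findings are review items, not verdicts, which is why the thread still goes on to a scanner for confirmation.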


#2 steamwiz


Posted 28 September 2008 - 02:31 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 JBoogie


Posted 28 September 2008 - 08:44 PM

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

9/28/2008 12:03:48 PM
mbam-log-2008-09-28 (12-03-48).txt

Scan type: Quick Scan
Objects scanned: 49729
Time elapsed: 17 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBuTnNF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\eklkjr.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a127272-7d66-4d00-b148-d002676471ab} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0a127272-7d66-4d00-b148-d002676471ab} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1e532c5b-635e-4a10-a163-161083cb2272} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e532c5b-635e-4a10-a163-161083cb2272} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebutnnf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebutnnf -> Delete on reboot.

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geBuTnNF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\FNnTuBeg.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\FNnTuBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eklkjr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mmrkqmut.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tumqkrmm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\piowpuxh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxupwoip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\upyyjvgl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgvjyypu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vwfkyqtw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtqykfwv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmwibjtt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ttjbiwmw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\saqjoihv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmzbwj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iuwtkxyt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\tempzor (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule23.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\ozadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\startup.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcf95eec1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcf95eec1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Will post Combo log soon...

#4 JBoogie


Posted 28 September 2008 - 09:42 PM

ComboFix Log:

ComboFix 08-09-27.06 - CindyB 2008-09-28 22:32:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.299 [GMT -4:00]
Running from: C:\Documents and Settings\CindyB\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\CindyB\Cookies\cindyb@a.chryslerllc[2].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@aggregateknowledge[2].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@interclick[2].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@my.clearchannelradio[1].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@track.bestbuy[1].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@turn[2].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@www.beaches[2].txt
C:\Documents and Settings\CindyB\Cookies\cindyb@www35.vzw[1].txt
C:\Program Files\ssembl~1
C:\Program Files\ssembl~1\?ssembly\
C:\WINDOWS\system32\cdrmxacb.ini
C:\WINDOWS\system32\gdxkmtys.ini
C:\WINDOWS\system32\sstem~1

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-28 22:26 . 2008-09-28 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-28 11:37 . 2008-09-28 11:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-28 11:37 . 2008-09-28 11:37 <DIR> d-------- C:\Documents and Settings\CindyB\Application Data\Malwarebytes
2008-09-28 11:37 . 2008-09-28 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-28 11:37 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 11:37 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-27 20:45 . 2008-09-27 22:56 <DIR> d-------- C:\Documents and Settings\CindyB\.housecall6.6
2008-09-27 20:30 . 2008-09-27 20:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 10:26 . 2008-09-24 10:27 <DIR> d-------- C:\Documents and Settings\CindyB\Application Data\U3
2008-09-24 07:07 . 2008-09-28 21:47 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-09-23 22:59 . 2008-09-23 22:59 <DIR> d-------- C:\VundoFix Backups
2008-09-23 22:31 . 2008-09-23 22:33 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-23 22:17 . 2008-09-23 22:17 <DIR> d-------- C:\Dial-a-fix-v0.60.0.24
2008-09-23 20:04 . 2008-09-23 20:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 20:04 . 2008-09-23 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 11:45 . 2008-09-22 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-22 11:40 . 2008-09-22 11:40 <DIR> d-------- C:\Program Files\AVG
2008-09-22 08:15 . 2008-09-22 08:40 414 ---hs---- C:\WINDOWS\system32\drbipkty.ini
2008-09-20 15:42 . 2008-09-20 15:42 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-20 15:42 . 2008-09-22 08:20 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-20 15:31 . 2008-09-20 15:31 <DIR> d-------- C:\Program Files\OINAnalytics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 17:20 --------- d-----w C:\Program Files\QuickTime
2008-09-22 16:58 --------- d-----w C:\Program Files\eSoftware
2008-09-22 16:16 --------- d-----w C:\Program Files\iTunes
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2006-01-17 16:00 28,672 ------w C:\Documents and Settings\CindyB\atwbxdet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
2008-09-11 15:48 229376 --a------ C:\Program Files\OINAnalytics\OINAnalytics.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 C:\WINDOWS\StartupMonitor.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 06:30 258048 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eklkjr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jlga]
C:\WINDOWS\system32\s?stem\?hkntfs.exe [?]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Documents and Settings\\CindyB\\Desktop\\WS_FTP32.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-08-18 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-08-18 2432]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-07-29 16384]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-04-10 4096]
R2 MSSQL$ADPDB;MSSQL$ADPDB;C:\Adp\MSDE\MSSQL$ADPDB\Binn\sqlservr.exe [2002-12-17 7520337]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 13904]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [ ]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS [ ]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-08-18 12288]
S3 SQLAgent$ADPDB;SQLAgent$ADPDB;C:\Adp\MSDE\MSSQL$ADPDB\Binn\sqlagent.EXE [2002-12-17 311872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0128e3b0-88b9-11dd-9e86-000e35f37f12}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{915e4cd1-dd5b-11db-9b6e-000e35f37f12}]
\Shell\AutoRun\command - E:\DTE_Privacy_launcher.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{A945974F-078F-2875-FF4A-7BA2E3CB19C0} - C:\WINDOWS\system32\vlvev.dll
HKCU-Run-Uahe - C:\PROGRA~1\SSEMBL~1\rundll.exe
ShellExecuteHooks-{28D0EF2B-41FF-4E45-AB90-398BC0428896} - (no file)
MSConfigStartUp-BMcf95eec1 - C:\WINDOWS\system32\pflucepi.dll
MSConfigStartUp-HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 22:36:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-28 22:38:36
ComboFix-quarantined-files.txt 2008-09-29 02:38:21

Pre-Run: 13,770,178,560 bytes free
Post-Run: 13,806,465,024 bytes free

134 --- E O F --- 2008-03-19 21:25:33

#5 steamwiz


Posted 29 September 2008 - 03:38 PM

Hi

Please post a new HijackThis log :thumbsup:

How's the computer running now?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#6 JBoogie


Posted 01 October 2008 - 09:52 PM

Computer has been working great!! Steamwiz, thanks for all your help.

#7 steamwiz


Posted 02 October 2008 - 12:00 PM

Hi

That's great to hear :thumbsup:

But there is still a little more to do; I would like to see a new HijackThis log please...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.