Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Vundo Trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 baca85

baca85

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:29 AM

Posted 14 December 2008 - 11:12 PM

Hi guys I am having problems removing vundo trojan I thought i had got rid of it but if obv has a hidden file somewhere that keeps regenerating it. Any help would be great thanks



Logfile of random's system information tool 1.04 (written by random/random)
Run by Brendan at 2008-12-15 04:05:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 61 GB (51%) free of 120 GB
Total RAM: 1023 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:06:22, on 15/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\BizAutomator\Automator.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Flock\flock\flock.exe
C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\twhirl\twhirl.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brendan\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Brendan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Automator] C:\Program Files\BizAutomator\Automator.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [rahawedanu] Rundll32.exe "C:\WINDOWS\system32\buzozati.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll werbmv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c95bec62dd16a9) (gupdate1c95bec62dd16a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9863 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
C:\WINDOWS\tasks\xnjuvstf.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}]
Google Gears Helper - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll [2008-11-29 1667072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-08-06 279944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-11-03 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-11-03 86016]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-01 16208384]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2006-03-18 184320]
"Automator"=C:\Program Files\BizAutomator\Automator.exe [2003-04-23 1035776]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-23 136600]
"COMODO SafeSurf"=C:\Program Files\COMODO\SafeSurf\cssurf.exe [2008-11-08 278264]
"COMODO Internet Security"=C:\Program Files\Comodo\COMODO Internet Security\cfp.exe [2008-11-19 1796856]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"BOC-427"=C:\PROGRA~1\Comodo\CBOClean\BOC427.exe [2008-07-14 351480]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2008-08-01 1103216]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2008-07-21 2752512]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-08-12 21741864]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-08-06 50472]
"Google Update"=C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 133104]
"RemoveIT Pro v7Ent"=C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe [2008-12-11 2195456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\Brendan\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll werbmv.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\xampp\apache\bin\apache.exe"="C:\xampp\apache\bin\apache.exe:*:Enabled:Apache HTTP Server"
"C:\xampp\mysql\bin\mysqld.exe"="C:\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld"
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe"="C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe:*:Enabled:artpschd"
"C:\Documents and Settings\Brendan\Local Settings\Temp\ElectronicArts_Patcher_000.exe"="C:\Documents and Settings\Brendan\Local Settings\Temp\ElectronicArts_Patcher_000.exe:*:Enabled:Command and Conquer™ 3 Kane's Wrath Launcher"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Enabled:Football Manager 2008"
"C:\Program Files\EA Games\Red Alert 3 Beta\RetailExe\1.3\ra3game.dat"="C:\Program Files\EA Games\Red Alert 3 Beta\RetailExe\1.3\ra3game.dat:*:Enabled:Command & Conquer™ Red Alert 3™"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll"="C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Brendan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\autoset.exe


======List of files/folders created in the last 1 months======

2008-12-15 04:05:26 ----D---- C:\rsit
2008-12-15 02:23:37 ----D---- C:\32788R22FWJFW
2008-12-15 02:23:00 ----D---- C:\32788R22FWJFW.0.tmp
2008-12-13 18:50:31 ----A---- C:\VundoFix.txt
2008-12-13 18:50:06 ----D---- C:\VundoFix Backups
2008-12-13 17:31:40 ----A---- C:\WINDOWS\lfmfq.txt
2008-12-11 23:57:57 ----D---- C:\Program Files\Google
2008-12-11 16:11:05 ----D---- C:\Program Files\Trend Micro
2008-12-11 16:05:50 ----A---- C:\esuIn.txt
2008-12-11 15:56:14 ----D---- C:\Documents and Settings\Brendan\Application Data\Malwarebytes
2008-12-11 15:53:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-11 15:53:50 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-11 15:34:28 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-11 13:27:11 ----D---- C:\Program Files\twhirl
2008-12-11 03:55:40 ----D---- C:\Program Files\InCode Solutions
2008-12-11 01:52:14 ----A---- C:\WINDOWS\UNBOC.EXE
2008-12-11 01:52:13 ----A---- C:\WINDOWS\CMDLIC.DLL
2008-12-11 01:52:07 ----D---- C:\Documents and Settings\All Users\Application Data\BOC427
2008-12-11 01:52:03 ----A---- C:\WINDOWS\BOC427.INI
2008-12-10 23:18:26 ----A---- C:\WINDOWS\system32\werbmv.dll
2008-12-10 23:17:05 ----A---- C:\WINDOWS\system32\8fdf9fca-.txt
2008-12-10 23:02:14 ----A---- C:\WINDOWS\system32\nnnNfcBq.dll
2008-12-10 22:58:25 ----A---- C:\ftsuih.exe
2008-12-09 20:29:15 ----D---- C:\Program Files\Full Tilt Poker
2008-12-03 13:27:34 ----D---- C:\Program Files\Market Samurai
2008-11-29 20:24:00 ----D---- C:\Program Files\iPod
2008-11-29 20:23:56 ----D---- C:\Program Files\iTunes
2008-11-29 20:23:56 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 20:21:18 ----D---- C:\Program Files\QuickTime
2008-11-26 00:49:16 ----D---- C:\Documents and Settings\Brendan\Application Data\Subversion
2008-11-25 02:03:34 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-11-23 11:56:35 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-23 11:56:35 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-23 11:56:35 ----A---- C:\WINDOWS\system32\java.exe
2008-11-23 11:56:35 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-20 20:41:25 ----D---- C:\xampp
2008-11-20 20:25:24 ----D---- C:\Program Files\glassfish-v3-prelude
2008-11-20 20:23:25 ----D---- C:\Program Files\glassfish-v2ur2
2008-11-20 20:17:42 ----D---- C:\Program Files\NetBeans 6.5

======List of files/folders modified in the last 1 months======

2008-12-15 04:06:20 ----D---- C:\Documents and Settings\Brendan\Application Data\Skype
2008-12-15 04:05:18 ----D---- C:\WINDOWS\Prefetch
2008-12-15 02:24:52 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-15 02:24:14 ----SHD---- C:\System Volume Information
2008-12-15 02:24:14 ----D---- C:\WINDOWS\system32\Restore
2008-12-15 01:54:38 ----D---- C:\WINDOWS\Temp
2008-12-15 00:09:06 ----D---- C:\Documents and Settings\Brendan\Application Data\skypePM
2008-12-14 22:03:19 ----D---- C:\Program Files\PokerStars
2008-12-14 13:01:41 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-14 12:19:01 ----D---- C:\Documents and Settings\Brendan\Application Data\OpenOffice.org2
2008-12-13 23:56:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 17:36:50 ----D---- C:\WINDOWS\system32
2008-12-13 17:32:37 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 17:31:40 ----D---- C:\WINDOWS
2008-12-12 00:04:00 ----D---- C:\Program Files\Mozilla Firefox
2008-12-11 23:59:36 ----SHD---- C:\WINDOWS\Installer
2008-12-11 23:59:04 ----SD---- C:\WINDOWS\Tasks
2008-12-11 23:57:57 ----RD---- C:\Program Files
2008-12-11 23:46:34 ----D---- C:\Documents and Settings\Brendan\Application Data\FileZilla
2008-12-11 17:47:53 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-11 17:27:35 ----D---- C:\Program Files\Adobe
2008-12-11 01:52:00 ----D---- C:\Program Files\Comodo
2008-12-10 23:02:13 ----D---- C:\Program Files\Flock
2008-12-05 12:24:42 ----D---- C:\Documents and Settings\Brendan\Application Data\Mozilla
2008-11-29 20:23:59 ----D---- C:\Program Files\Common Files\Apple
2008-11-25 02:03:34 ----D---- C:\Program Files\Common Files
2008-11-23 11:56:12 ----D---- C:\Program Files\Java
2008-11-20 23:43:30 ----D---- C:\Documents and Settings\Brendan\Application Data\MySQL
2008-11-20 19:48:12 ----D---- C:\Program Files\PHP
2008-11-19 16:39:38 ----D---- C:\Program Files\Viral Toolbar Builder
2008-11-19 08:12:45 ----A---- C:\WINDOWS\system32\guard32.dll
2008-11-18 16:50:36 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2008-11-19 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2008-11-19 31504]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-03-18 26844]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-07-26 20747]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 BOCDRIVE;BOClean Kernel Monitor.; \??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-06 4284928]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-11-03 3994624]
R3 RT61;Linksys Wireless-G PCI Adapter Driver(RT61); C:\WINDOWS\system32\DRIVERS\RT61.sys [2005-10-27 356096]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
R4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]
S3 EverestDriver;Lavalys EVEREST Kernel Driver; \??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt []
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 iMSPQMn;iMSPQMn; \??\C:\DOCUME~1\Brendan\LOCALS~1\Temp\iMSPQMn.sys []
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ssm_bus.sys [2005-08-30 58320]
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys [2005-08-30 8336]
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys [2005-08-30 94000]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BOCore;BOCore; C:\Program Files\Comodo\CBOClean\BOCORE.exe [2008-07-14 73464]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe [2008-11-19 618232]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-23 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-11-03 159810]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S2 gupdate1c95bec62dd16a9;Google Update Service (gupdate1c95bec62dd16a9); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-12-11 133104]
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2005-07-04 53307]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-09-29 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:29 PM

Posted 21 December 2008 - 05:26 PM

Hi baca85,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have done anything since previous post. Or you have run any other tools. Also tell me how is the current condition of your computer.

  • First remove C:\rsit\info.txt then run RSIT again and copy and paste the content of both logs (log.txt and info.txt.)


You might want to save this page on your favorites, so you can find it again when you return.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:29 PM

Posted 02 January 2009 - 06:14 AM

This thread will now be closed due to lack of activity.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users