
Trojan.Goldun.I infected Vista with Norton Internet Security


6 replies to this topic

#1 sprayoncrayon
  • Members
  • 5 posts

Posted 31 December 2008 - 04:40 PM

Hi, I have a computer running Windows Vista with Norton Internet Security. On a routine scan, Symantec reported infection by the goldun trojan/virus but was unable to remove it. I have my infected computer running in safe mode and disconnected from the internet and am posting from a second uninfected computer. I have HJT logs, as well as the files generated by DDS. I know there will need to be registry values changed but don't know which ones. Any help would be appreciated.
Thanks,
Duncan



DDS (Version 1.1.0) - NTFSx86 MINIMAL
Run by User at 13:53:03.79 on 31/12/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2045.1701 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
L:\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [BitTorrent DNA] "c:\users\user\program files\dna\btdna.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\9gzpd46r.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\user\program files\dna\plugins\npbtdna.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

============= SERVICES / DRIVERS ===============

S1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081220.001\IDSvix86.sys [2008-12-20 270384]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;"c:\program files\leapfrog\leapfrog connect\CommandService.exe" [2008-11-25 991232]
S2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-11-5 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2007-5-28 23888]
S3 DMSKSSRh;DMSKSSRh;\??\c:\users\user\appdata\local\temp\DMSKSSRh.sys [2008-9-14 31744]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-19 99376]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\SYMNDISV.SYS [2008-6-13 41008]

=============== Created Last 30 ================

2008-12-30 01:35 <DIR> --d----- C:\hjt
2008-12-26 23:07 52,736 a------- c:\windows\ipuninst.exe
2008-12-26 15:56 <DIR> --d----- c:\programdata\Google
2008-12-26 15:46 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-26 15:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-26 15:41 <DIR> --d----- c:\programdata\Leapfrog
2008-12-26 15:41 <DIR> --d----- c:\progra~2\Leapfrog
2008-12-26 15:40 <DIR> --d----- c:\program files\LeapFrog
2008-12-26 15:14 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-12-26 15:14 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-12-26 15:14 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-12-26 15:13 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-12-26 15:13 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-12-26 15:13 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-12-26 15:13 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-12-26 15:13 479,752 a------- c:\windows\system32\XAudio2_0.dll
2008-12-26 15:13 238,088 a------- c:\windows\system32\xactengine3_0.dll
2008-12-26 15:13 25,608 a------- c:\windows\system32\X3DAudio1_3.dll
2008-12-26 15:13 1,420,824 a------- c:\windows\system32\D3DCompiler_37.dll
2008-12-26 15:13 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-26 15:13 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2008-12-26 15:10 <DIR> --d----- c:\windows\system32\xlive
2008-12-26 12:23 <DIR> --d----- c:\users\user\appdata\roaming\SPORE
2008-12-26 12:21 1,116 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-25 23:23 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-21 23:42 <DIR> --d----- c:\programdata\CyberLink
2008-12-20 20:19 3,636 a------- c:\windows\system32\drivers\nvphy.bin
2008-12-11 03:02 2,048 a------- c:\windows\system32\tzres.dll
2008-12-10 12:25 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-10 12:25 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-10 12:25 94,720 a------- c:\windows\system32\logagent.exe
2008-12-10 11:02 827,392 a------- c:\windows\system32\wininet.dll
2008-12-10 10:37 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-10 10:35 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-10 10:35 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-10 10:33 2,927,104 a------- c:\windows\explorer.exe
2008-12-01 19:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-01 19:42 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-01 19:39 <DIR> --d----- c:\programdata\Logitech
2008-12-01 19:37 <DIR> --d----- c:\programdata\LogiShrd

==================== Find3M ====================

2008-12-24 23:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-24 23:12 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-20 20:19 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-20 20:19 51,200 a------- c:\windows\inf\infpub.dat
2008-12-20 20:19 86,016 a------- c:\windows\inf\infstor.dat
2008-12-02 21:42 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-11-25 09:36 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-23 15:51 174 a--sh--- c:\program files\desktop.ini
2008-11-23 15:35 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-23 12:29 101,888 a------- c:\windows\system32\ifxcardm.dll
2008-11-23 12:29 82,432 a------- c:\windows\system32\axaltocm.dll
2008-11-06 23:47 269,312 a------- c:\windows\system32\es.dll
2008-11-06 03:22 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2008-11-06 03:22 272,896 a------- c:\windows\system32\polstore.dll
2008-11-06 03:22 61,440 a------- c:\windows\system32\winipsec.dll
2008-11-06 03:22 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2008-11-06 03:22 2,560 a------- c:\windows\apppatch\AcRes.dll
2008-11-06 03:21 1,695,744 a------- c:\windows\system32\gameux.dll
2008-11-06 03:19 428,544 a------- c:\windows\system32\EncDec.dll
2008-11-06 03:19 293,376 a------- c:\windows\system32\psisdecd.dll
2008-11-06 03:16 303,616 a------- c:\windows\system32\wmpeffects.dll
2008-11-06 03:16 2,032,640 a------- c:\windows\system32\win32k.sys
2008-11-06 03:10 6,656 a------- c:\windows\system32\kbd106n.dll
2008-11-06 03:10 988,216 a------- c:\windows\system32\winload.exe
2008-11-06 03:10 927,288 a------- c:\windows\system32\winresume.exe
2008-11-06 03:10 378,368 a------- c:\windows\system32\srcore.dll
2008-11-06 03:10 318,464 a------- c:\windows\system32\rstrui.exe
2008-11-06 03:10 40,960 a------- c:\windows\system32\srclient.dll
2008-11-06 03:10 14,848 a------- c:\windows\system32\srdelayed.exe
2008-11-06 03:10 615,992 a------- c:\windows\system32\ci.dll
2008-11-06 03:10 46,592 a------- c:\windows\system32\setbcdlocale.dll
2008-11-06 03:10 19,000 a------- c:\windows\system32\kd1394.dll
2008-11-06 03:08 288,768 a------- c:\windows\system32\drivers\srv.sys
2008-11-06 03:08 443,392 a------- c:\windows\system32\win32spl.dll
2008-11-06 03:08 37,888 a------- c:\windows\system32\printcom.dll
2008-11-06 03:07 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2008-11-06 03:07 14,848 a------- c:\windows\system32\wshrm.dll
2008-11-06 03:06 84,480 a------- c:\windows\system32\INETRES.dll
2008-11-06 03:06 738,304 a------- c:\windows\system32\inetcomm.dll
2008-11-06 03:05 1,314,816 a------- c:\windows\system32\quartz.dll
2008-11-06 03:04 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-11-06 03:04 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-11-05 21:19 319,456 a------- c:\windows\DIFxAPI.dll
2008-11-05 19:57 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-05 19:57 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-05 19:57 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-31 20:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 20:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 20:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 20:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 20:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-21 20:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-20 22:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-16 13:55 83,456 a------- c:\windows\system32\wudriver.dll
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:53:16.44 ===============


#2 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 10 January 2009 - 08:34 PM

Welcome to BC :thumbsup:

Sorry for the delay

I need fresh logs and only the DDS log. Thanks
Microsoft MVP Consumer Security--2007-2010

#3 sprayoncrayon
  • Topic Starter
  • Members
  • 5 posts

Posted 11 January 2009 - 02:12 AM

Latest DDS log, still in safe mode for Vista.
I attached the latest ATTACH log file, just in case it would be helpful.

Thanks for looking,



DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by User at 0:10:45.23 on 11/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2045.1677 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
R:\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [BitTorrent DNA] "c:\users\user\program files\dna\btdna.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\9gzpd46r.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\user\program files\dna\plugins\npbtdna.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

============= SERVICES / DRIVERS ===============

S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081220.001\IDSvix86.sys [2008-12-20 270384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-28 23888]
S3 DMSKSSRh;DMSKSSRh;c:\users\user\appdata\local\temp\DMSKSSRh.sys [2008-2-3 31744]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-19 99376]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-6-13 41008]
S4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-11-5 149352]

=============== Created Last 30 ================

2009-01-02 21:20 <DIR> --d----- c:\program files\Laser Center
2009-01-01 22:30 <DIR> --d----- c:\program files\common files\EZB Systems
2009-01-01 22:30 <DIR> --d----- c:\program files\UltraISO
2009-01-01 19:56 505,104 a----r-- c:\windows\system32\msxml.dll
2009-01-01 19:56 115,016 a----r-- c:\windows\system32\MSINET.OCX
2009-01-01 19:56 140,488 a----r-- c:\windows\system32\comdlg32.ocx
2009-01-01 19:56 89,360 a----r-- c:\windows\system32\VB5DB.DLL
2009-01-01 19:56 69,632 a----r-- c:\windows\system32\xmltok.dll
2009-01-01 19:56 36,864 a----r-- c:\windows\system32\xmlparse.dll
2009-01-01 19:56 35,840 a----r-- c:\windows\system32\comdlg32.oca
2009-01-01 19:56 29,184 a----r-- c:\windows\system32\MSINET.oca
2009-01-01 19:56 28,432 a----r-- c:\windows\system32\msxmlr.dll
2009-01-01 19:56 26,096 a----r-- c:\windows\system32\xmlinst.exe
2009-01-01 19:56 24,576 a----r-- c:\windows\system32\msxml3a.dll
2009-01-01 18:53 278,984 a------- c:\windows\system32\drivers\atksgt.sys
2009-01-01 18:53 25,416 a------- c:\windows\system32\drivers\lirsgt.sys
2008-12-30 01:35 <DIR> --d----- C:\hjt
2008-12-26 23:07 52,736 a------- c:\windows\ipuninst.exe
2008-12-26 15:56 <DIR> --d----- c:\programdata\Google
2008-12-26 15:46 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-26 15:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-26 15:41 <DIR> --d----- c:\programdata\Leapfrog
2008-12-26 15:41 <DIR> --d----- c:\progra~2\Leapfrog
2008-12-26 15:40 <DIR> --d----- c:\program files\LeapFrog
2008-12-26 15:14 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-12-26 15:14 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-12-26 15:14 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-12-26 15:13 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-12-26 15:13 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-12-26 15:13 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-12-26 15:13 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-12-26 15:13 479,752 a------- c:\windows\system32\XAudio2_0.dll
2008-12-26 15:13 238,088 a------- c:\windows\system32\xactengine3_0.dll
2008-12-26 15:13 25,608 a------- c:\windows\system32\X3DAudio1_3.dll
2008-12-26 15:13 1,420,824 a------- c:\windows\system32\D3DCompiler_37.dll
2008-12-26 15:13 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-26 15:13 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2008-12-26 15:10 <DIR> --d----- c:\windows\system32\xlive
2008-12-26 12:23 <DIR> --d----- c:\users\user\appdata\roaming\SPORE
2008-12-26 12:21 1,116 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-25 23:23 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-21 23:42 <DIR> --d----- c:\programdata\CyberLink
2008-12-20 20:19 3,636 a------- c:\windows\system32\drivers\nvphy.bin

==================== Find3M ====================

2008-12-24 23:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-24 23:12 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-20 20:19 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-20 20:19 51,200 a------- c:\windows\inf\infpub.dat
2008-12-20 20:19 86,016 a------- c:\windows\inf\infstor.dat
2008-12-02 21:42 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-01 19:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-01 19:42 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-11-25 09:36 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-23 15:51 174 a--sh--- c:\program files\desktop.ini
2008-11-23 15:35 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-23 12:29 101,888 a------- c:\windows\system32\ifxcardm.dll
2008-11-23 12:29 82,432 a------- c:\windows\system32\axaltocm.dll
2008-11-06 23:47 269,312 a------- c:\windows\system32\es.dll
2008-11-06 03:22 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2008-11-06 03:22 272,896 a------- c:\windows\system32\polstore.dll
2008-11-06 03:22 61,440 a------- c:\windows\system32\winipsec.dll
2008-11-06 03:22 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2008-11-06 03:22 2,560 a------- c:\windows\apppatch\AcRes.dll
2008-11-06 03:21 1,695,744 a------- c:\windows\system32\gameux.dll
2008-11-06 03:19 428,544 a------- c:\windows\system32\EncDec.dll
2008-11-06 03:19 293,376 a------- c:\windows\system32\psisdecd.dll
2008-11-06 03:16 303,616 a------- c:\windows\system32\wmpeffects.dll
2008-11-06 03:16 2,032,640 a------- c:\windows\system32\win32k.sys
2008-11-06 03:10 6,656 a------- c:\windows\system32\kbd106n.dll
2008-11-06 03:10 988,216 a------- c:\windows\system32\winload.exe
2008-11-06 03:10 927,288 a------- c:\windows\system32\winresume.exe
2008-11-06 03:10 378,368 a------- c:\windows\system32\srcore.dll
2008-11-06 03:10 318,464 a------- c:\windows\system32\rstrui.exe
2008-11-06 03:10 40,960 a------- c:\windows\system32\srclient.dll
2008-11-06 03:10 14,848 a------- c:\windows\system32\srdelayed.exe
2008-11-06 03:10 615,992 a------- c:\windows\system32\ci.dll
2008-11-06 03:10 46,592 a------- c:\windows\system32\setbcdlocale.dll
2008-11-06 03:10 19,000 a------- c:\windows\system32\kd1394.dll
2008-11-06 03:08 443,392 a------- c:\windows\system32\win32spl.dll
2008-11-06 03:08 37,888 a------- c:\windows\system32\printcom.dll
2008-11-06 03:07 14,848 a------- c:\windows\system32\wshrm.dll
2008-11-06 03:06 84,480 a------- c:\windows\system32\INETRES.dll
2008-11-06 03:06 738,304 a------- c:\windows\system32\inetcomm.dll
2008-11-06 03:05 1,314,816 a------- c:\windows\system32\quartz.dll
2008-11-06 03:04 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-11-06 03:04 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-11-05 21:19 319,456 a------- c:\windows\DIFxAPI.dll
2008-10-31 20:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 20:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 20:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 20:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 20:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 20:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 18:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-28 23:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 20:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 18:22 2,048 a------- c:\windows\system32\tzres.dll
2008-10-20 22:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-20 22:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-16 13:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-15 21:47 827,392 a------- c:\windows\system32\wininet.dll
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 0:10:57.04 ===============


#4 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 11 January 2009 - 08:27 PM

Navigate to the following folder: c:\program files\alcohol soft\alcohol 120 and double-click on the uninstaller. Let me know if it fails.


Remove the following from Add/Remove Programs.
Java™ SE Runtime Environment 6 Update 1


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Let me know how things are running. Are you receiving any popups or slowdowns? Let me know otherwise. Thanks
Microsoft MVP Consumer Security--2007-2010
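The helper's advice in this post (look for out-of-date Java, then ask how the machine behaves) and the DDS logs posted earlier in the thread go together: the log already carries most of what is needed for a first triage. The following is an added example, written for this page and not code from BleepingComputer, the DDS tool or the posters. It parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections and flags what a helper scans for by eye: orphaned BHOs, autorun entries with no full path, kernel drivers loaded from user-writable directories, and a JRE older than the 6u11 recommended above. The line formats are inferred from the logs in this thread, and the sample input is a hand-picked excerpt of them; the section names, regexes and the `Finding` type are this example's own.

```python
"""Triage the autorun and driver sections of a DDS log.

Added example for this thread, not code from BleepingComputer or from the
DDS tool. DDS line formats are inferred from the logs posted above.
"""
import re
from dataclasses import dataclass

# Sample input: a handful of lines excerpted from the DDS logs posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart

============= SERVICES / DRIVERS ===============

S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081220.001\IDSvix86.sys [2008-12-20 270384]
S3 DMSKSSRh;DMSKSSRh;c:\users\user\appdata\local\temp\DMSKSSRh.sys [2008-2-3 31744]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-28 23888]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")  # "===== Section name ====="
BHO_RE = re.compile(r"^BHO: (?P<desc>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DRIVER_RE = re.compile(r"^S\d (?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.*?)(?: \[[^\]]*\])?$")
JRE_RE = re.compile(r"\\jre1\.(?P<major>\d+)\.\d+_(?P<update>\d+)\\", re.IGNORECASE)
# Directories an ordinary user can write to; a kernel driver there deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(?:users|appdata|temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "review" (act on it) or "info" (clean-up)
    entry: str     # the DDS line that triggered it
    reason: str


def split_sections(text: str) -> dict:
    """Group non-blank lines under the '=== name ===' heading that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text: str, min_jre_update: int = 11) -> list:
    """Return findings for one DDS log; min_jre_update is the Java 6uNN baseline."""
    findings = []
    sections = split_sections(text)

    for line in sections.get("Pseudo HJT Report", []):
        bho = BHO_RE.match(line)
        if bho:
            if bho.group("path").strip().lower() == "no file":
                findings.append(Finding("info", line, "orphaned BHO: CLSID registered but its DLL is gone"))
            jre = JRE_RE.search(bho.group("path"))
            if jre and (int(jre.group("major")), int(jre.group("update"))) < (6, min_jre_update):
                findings.append(Finding("review", line,
                    f"JRE 1.{jre.group('major')} update {int(jre.group('update'))} "
                    f"is older than the recommended 6u{min_jre_update}"))
            continue
        run = RUN_RE.match(line)
        if run:
            cmd = run.group("cmd").strip()
            if not cmd:
                findings.append(Finding("info", line, "autorun entry with an empty command"))
            elif "\\" not in cmd and "%" not in cmd:
                findings.append(Finding("review", line, "autorun names a bare executable, resolved via the search path"))

    for line in sections.get("SERVICES / DRIVERS", []):
        drv = DRIVER_RE.match(line)
        if drv and USER_WRITABLE_RE.search(drv.group("path")):
            findings.append(Finding("review", line, "kernel driver loaded from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

On the excerpt this yields five findings: the two "info" items (the "No File" BHO and the nameless empty mRun) are clean-up, while the three "review" items (the jre1.6.0_01 path, the bare RtHDVCpl.exe autorun, and the driver under appdata\local\temp) are the lines a helper would ask about first. A flag is a prompt to look, not a verdict: a legitimate vendor can ship a driver from a temp directory during installation, which is why the reason text says where the file is rather than what it is.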

#5 sprayoncrayon
  • Topic Starter
  • Members
  • 5 posts

Posted 13 January 2009 - 09:49 PM

Thanks for your response. I had no trouble deleting Alcohol 120%, although I'm sure there's some registry information on the computer somewhere. However, when I went to uninstall Java Runtime environment from the control panel, I was told the uninstall couldn't be completed because the Windows Installer Service could not be accessed. Is this because I am in safe mode?
Thanks,
Duncan

#6 sprayoncrayon
  • Topic Starter
  • Members
  • 5 posts

Posted 16 January 2009 - 12:36 AM

Another question. I read on another post that the program haxfix would be useful for finding goldun and haxdoor trojans, so I was able to download it on this winXP computer (runs fine) but when I take it to the infected Vista computer, it comes up with a message reading "Unregistered Version". Why won't it run properly in Vista?

#7 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 16 January 2009 - 03:39 PM

You have to be in Normal mode for Windows Installer to work.


I don't believe it works on Vista. I wouldn't run tools like that unless you're trained to use them.
Microsoft MVP Consumer Security--2007-2010