Bleeping Virumonde Virus

  • This topic is locked
29 replies to this topic

#1 13Z50P
  • Members
  • 21 posts

Posted 02 January 2009 - 09:34 PM

I have locked down my computer for 2 weeks trying to fix it and nothing works. I think the program that runs in the memory is the a-hole.

HP Pavillion a350n
Windows XP SP3
Firefox
Zone Alarm
Ad-Aware
Symantec AV
SuperAntiSpyware
Everything running latest versions/ definitions...

I have turned off System Restore; rebooted in safe-mode; run all 4 programs multiple times and rebooted; still can't kill it!

I went to the "Am I infected forum" and went through the entire Malwarebytes routine - to no avail; and was referred to this forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/191251/nothing-works-to-get-rid-of-bleeping-virtumonde-virus/ ~ OB

Now when I reboot, I get the following error:

RUNDLL - "Error loading C:\WINDOWS\system32\vofuyage.dll (or kogonubo.dll)
The specified module could not be found"

When I shut down, the following program is always running - ShellIconHiddenWindow

Here is latest DDS Log:

[The keylogger is old and legit - gotta monitor the kids! Everything else is game]

SOMEONE PLEASE HELP A DESPERATE SOLDIER OUT!

Attached Files


Edited by Orange Blossom, 02 January 2009 - 10:03 PM.



#2 Farbar
    Just Curious
  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 08 January 2009 - 12:35 PM

Hi 13Z50P,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I'm not a computer genius as you asked in the thread. But I'm going to assist you with your problem and what I need from you is patience.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me what the current condition of your computer is.

  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt

    Note 1: If you have difficulty finding the log, the logs are in this folder: C:\rsit

    Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

#3 13Z50P
  • Topic Starter
  • Members
  • 21 posts

Posted 08 January 2009 - 06:33 PM

Greetings, thanks for your attention.

I haven't done anything to my computer since I ran the DDS tool - just like I was told.

Using Zone Alarm, my computer has been on lock-down ever since.

Everything going back to my first posting holds true.

Attached is the log you requested...

Attached Files

  • Attached File  log.txt   43.1KB   19 downloads


#4 Farbar
    Just Curious
  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 08 January 2009 - 08:21 PM

Your computer is still infected. Besides taking care of the initial errors you have asked assistance for, we are going to make a full security check. So what we are going to do is much more than what you asked. I hope you agree with that.

Please make sure you do the steps in the order they are written. If you face any problem in doing one of them don't proceed to the next before asking and solving the problem.

Please copy and paste the logs to your reply instead of attaching.
  • Open notepad (start-all programs-accessories-notepad). Copy and paste the text in the code box into the notepad.

    @ECHO OFF
    REM Clear the hidden/read-only/system attributes first, otherwise del refuses to remove the job file
    attrib -h -r -s C:\WINDOWS\tasks\axpgerhk.job
    del /q C:\WINDOWS\tasks\axpgerhk.job
    REM Remove this batch file itself (%~f0 expands to the script's own full path, whatever folder it runs from)
    del "%~f0"
    • Select save in:desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click Save and close the Notepad.
    • Double-click remove.bat on the desktop.
  • Tell me if the following image was put on the desktop with your consent. If so, it is in a temporary folder and it is going to be removed when we empty the temporary folders:

    clip_image002.jpg

  • I see that you have BearShare installed. If it is the free version, it includes spyware. The paid version is spyware free. More information here: http://www.bleepingcomputer.com/uninstall/117/BearShare.html

    To uninstall the program click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by highlighting the following entry/entries and selecting Remove:

    BearShare
    MediaBar


    Remove also the following folder(s):

    C:\Program Files\BearShare
    C:\Program Files\BearShare Applications

  • Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program if you are not using it.
    If you decided to uninstall it click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Also remove the following folder: C:\Program Files\Viewpoint

  • Now we are going to take care of those startup and shutdown errors. Please open HiJackThis (if you don't know how, go to Start -> Run and type in the run box: owner.exe and press Enter) and choose Do a system scan only. Check the boxes next to ONLY the entries listed below (if present):


    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-19\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\system32\gubohagi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\system32\kogonubo.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: eyzxho.dll c:\windows\system32\raferafo.dll
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Note 1: The startup entry pointing at ALCMTR.EXE is a "Spyware" entry related to Realtek, used silently to monitor one's actions. It is not a sinister one and you can remove the startup entry without affecting the function of the Realtek software. We have just removed the startup entry but not the file itself. Notice that you should not remove the file itself because it is needed for the subsequent updating of the software.

    Note 2: The following entry is a legit program related to MusicMatch Jukebox. It is not needed to run at startup, and when it is running it causes the shutdown error you mention. You can always run Jukebox manually if you want to. That is the reason we removed it:

    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

  • We need to repair a security-related registry item altered by the malware. Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    REGEDIT4
    
    ; Both values are REG_MULTI_SZ; REGEDIT4 writes them as hex(7): NUL-separated ANSI bytes
    ; 6d,73,76,31,5f,30,00,00 is "msv1_0", the stock NTLM authentication package
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    ; 73,63,65,63,6C,69,00,00 is "scecli", the stock notification package
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • Reboot your computer.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please run RSIT, set the list of Files/Folders created to 2 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).
Please copy/paste in your next reply:
  • The log of MBAM.
  • The RSIT log.
  • Any comment or feedback about how it went.
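The HijackThis entries fixed above share a handful of structural tells: Run entries under the LOCAL SERVICE and NETWORK SERVICE hives, a populated AppInit_DLLs, an Active Desktop component pointing into a Temp folder, and 8-lowercase-letter DLL names in system32. As an added example (not code from this thread or from any of the tools it mentions), the Python below runs those checks over HijackThis-style log lines. The rule names, the KNOWN_GOOD_DLLS baseline and SAMPLE_LOG are this example's own constructions; the sample is assembled from entries that appear in this thread's logs.

```python
# Added example, not from the original post: triage HijackThis-style log lines
# for the Vundo persistence patterns fixed in the thread. Rule names,
# KNOWN_GOOD_DLLS and SAMPLE_LOG are constructions of this example.
from __future__ import annotations
import re
from dataclasses import dataclass

# Service-account hives: SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19) and
# NETWORK SERVICE (S-1-5-20) have no business running anything from a Run key.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Vundo dropped DLLs with pseudo-random 8-lowercase-letter names in system32.
# The match is deliberately case-sensitive (mixed-case names such as NavLogon.dll
# are not the pattern), and it needs a baseline: igfxsrvc.dll, Intel's graphics
# Winlogon notify DLL present in this thread's RSIT dump, has the same shape.
RANDOM_DLL = re.compile(r"\\[Ss]ystem32\\([a-z]{8}\.dll)\b")
KNOWN_GOOD_DLLS = {"igfxsrvc.dll"}

TEMP_PATH = re.compile(r"[/\\]Temp[/\\]", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    artifact: str   # the DLL, SID or path the rule fired on
    line: str


def triage(log_text: str) -> list[Finding]:
    """One Finding per (rule, line) that trips on a HijackThis-style log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # O4 entries under a well-known service SID (HKUS\S-1-5-xx\..\Run).
        if line.startswith("O4 - HKUS\\"):
            parts = line.split("\\")
            sid = parts[1] if len(parts) > 1 else ""
            if sid in SERVICE_SIDS:
                findings.append(Finding("run-key-under-service-account", sid, line))
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # on a stock XP box it is empty, so anything listed deserves a look.
        if line.startswith("O20 - AppInit_DLLs:"):
            payload = line.partition(":")[2].strip()
            if payload:
                findings.append(Finding("appinit-dlls-set", payload, line))
        # Active Desktop components that live in a Temp folder.
        if line.startswith("O24 - ") and TEMP_PATH.search(line):
            findings.append(Finding("desktop-component-in-temp", line.rsplit(" - ", 1)[-1], line))
        # Random-name DLL tripwire, applied to every section type.
        for dll in RANDOM_DLL.findall(line):
            if dll not in KNOWN_GOOD_DLLS:
                findings.append(Finding("random-name-system32-dll", dll, line))
    return findings


def flagged_dlls(log_text: str) -> list[str]:
    """Sorted, de-duplicated DLL names the random-name tripwire fired on."""
    return sorted({f.artifact for f in triage(log_text) if f.rule == "random-name-system32-dll"})


# Constructed sample: the suspicious lines from the HijackThis log in this
# thread plus two benign ones, so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-19\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\system32\gubohagi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\system32\kogonubo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: eyzxho.dll c:\windows\system32\raferafo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.artifact}")
```

On the sample this reports both service-account Run entries, the AppInit_DLLs line, the Temp-based desktop component and three random-name DLLs (gubohagi.dll, kogonubo.dll, raferafo.dll) while staying quiet on igfxsrvc.dll. The name tripwire is only a prompt to look, not a verdict: extend KNOWN_GOOD_DLLS from a clean machine of the same build before trusting it, and always confirm with the file's date, signer and a scan before removing anything.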

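The regfix.reg in the post above writes the two LSA package lists as hex(7) byte strings, which is how REGEDIT4 exports REG_MULTI_SZ. As an added example (not part of the original post), the following Python decodes and re-encodes that format and checks an exported Lsa key against the stock-XP baseline the fix restores, so you can see what an LSA hijack looks like in an export before overwriting it. The TAMPERED_EXPORT, the package name evilpkg and the path it uses are constructed for the example. The decoder assumes the ANSI REGEDIT4 format the post uses; hex(7) in a "Windows Registry Editor Version 5.00" export is UTF-16LE and would need a different encoding argument.

```python
# Added example, not from the original post: decode/encode the hex(7)
# (REG_MULTI_SZ) values in a REGEDIT4 file and diff an LSA export against the
# stock-XP baseline. TAMPERED_EXPORT and "evilpkg" are constructions of this example.
from __future__ import annotations
import re

# Stock Windows XP values: msv1_0 (NTLM) as the only authentication package and
# scecli (Security Configuration Engine client) as the only notification package.
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
LSA_BASELINE = {
    "authentication packages": ["msv1_0"],
    "notification packages": ["scecli"],
}


def decode_hex7(hex_field: str, encoding: str = "cp1252") -> list[str]:
    """'6d,73,...' -> list of strings. Each string is NUL-terminated and the
    list ends with one more NUL. REGEDIT4 files are ANSI, hence cp1252."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    return [s.decode(encoding) for s in raw.split(b"\x00") if s]


def encode_hex7(strings: list[str], encoding: str = "cp1252") -> str:
    """Inverse of decode_hex7: the field regedit expects after 'hex(7):'."""
    raw = b"".join(s.encode(encoding) + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def parse_reg(text: str) -> dict[str, dict[str, list[str] | str]]:
    """Minimal REGEDIT4 reader: keys lower-cased, hex(7) values decoded,
    every other value type kept as its raw right-hand side."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join regedit's backslash continuation lines
    values: dict[str, dict[str, list[str] | str]] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            values.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if m and key is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.lower().startswith("hex(7):"):
                values[key][name] = decode_hex7(data[len("hex(7):"):])
            else:
                values[key][name] = data
    return values


def lsa_packages_check(reg_text: str) -> dict[str, list[str]]:
    """Entries in each LSA package list that are not in LSA_BASELINE;
    an empty dict means the export already matches the baseline."""
    lsa = parse_reg(reg_text).get(LSA_KEY, {})
    extra: dict[str, list[str]] = {}
    for name, expected in LSA_BASELINE.items():
        present = lsa.get(name, [])
        if isinstance(present, str):
            present = [present]
        unexpected = [p for p in present if p.lower() not in expected]
        if unexpected:
            extra[name] = unexpected
    return extra


def render_fix() -> str:
    """Regenerate a REGEDIT4 file that restores LSA_BASELINE."""
    lines = ["REGEDIT4", "", "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]"]
    for name, strings in LSA_BASELINE.items():
        lines.append(f'"{name.title()}"=hex(7):{encode_hex7(strings)}')
    return "\n".join(lines) + "\n"


# The fix from the post above, verbatim.
CLEAN_FIX = """REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
"""

# Constructed: an export of the same key after a hypothetical extra package
# has been appended to both lists, the shape an LSA hijack takes.
EVIL_DLL = "C:\\WINDOWS\\system32\\evilpkg.dll"
TAMPERED_EXPORT = (
    "REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
    '"Authentication Packages"=hex(7):' + encode_hex7(["msv1_0", "evilpkg"]) + "\n"
    '"Notification Packages"=hex(7):' + encode_hex7(["scecli", EVIL_DLL]) + "\n"
)

if __name__ == "__main__":
    print("clean fix:", lsa_packages_check(CLEAN_FIX))
    print("tampered: ", lsa_packages_check(TAMPERED_EXPORT))
```

Export the key with regedit (File > Export, REGEDIT4 format) before applying any fix and run it through lsa_packages_check: anything it reports is what the fix will silently drop. That matters because the baseline is a stock-XP one; third-party password filters register themselves in Notification Packages legitimately, so extend LSA_BASELINE for such a machine rather than overwriting the list blind.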

#5 13Z50P
  • Topic Starter
  • Members
  • 21 posts

Posted 09 January 2009 - 08:18 PM

I appreciate what you have done so far, unfortunately, it still seems to be infected.

According to your instructions, the following are the results:

Per step 2 - No .jpg was put onto the desktop; however, when I ran Hijack This, it did show up in the log.

Per step 5 - "Owner.exe" did not exist. I believe there was an assumption that I already installed Hijack This, which I didn't. I went to CNET and downloaded the program, then ran it per your instructions.

The logs you requested are posted below...




Malwarebytes' Anti-Malware 1.32
Database version: 1635
Windows 5.1.2600 Service Pack 3

1/9/2009 6:14:06 PM
mbam-log-2009-01-09 (18-14-06).txt

Scan type: Quick Scan
Objects scanned: 66042
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kugcqeqb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.









Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2009-01-09 18:23:07
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 109 GB (74%) free of 147 GB
Total RAM: 1535 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:19 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AKProg\AKProg.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: ApproveIt StartUp.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188933553500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222713639656
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11041 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-08-17 181752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
- []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2003-04-07 114688]
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe [2002-10-07 90112]
"HPHUPD05"=c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-05-23 49152]
"HPHmon05"=C:\WINDOWS\System32\hphmon05.exe [2003-05-23 483328]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"AutoTKit"=C:\hp\bin\AUTOTKIT.EXE []
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"Sunkist2k"=C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-08-09 139264]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2004-06-09 66680]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2004-10-06 161096]
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE [2005-09-01 221184]
"LogitechVideo[inspector]"=C:\Program Files\Logitech\Video\InstallHelper.exe [2005-09-07 73728]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
""= []
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.5\masqform.exe [2005-07-04 643072]
"AprvRemoveLegacyWordKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2007-07-27 73728]
"AprvRemoveLegacyExcelKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2007-07-27 73728]
"ApproveItForOfficeSetup"=C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe [2007-10-29 155648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"application"=C:\Program Files\AKProg\AKProg.exe [2005-07-08 522752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe [2003-06-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd.exe [2003-06-25 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
C:\Program Files\Logitech\Video\CameraAssistant.exe [2005-09-07 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe [2005-01-18 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\System32\NVMCTRAY.DLL [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
C:\Program Files\Softex\OmniPass\scureapp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopularScreensaversWallpaper]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe [2003-06-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RiskII.exe]
C:\DOCUME~1\Owner\Desktop\RISKII~1.EXE /r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
c:\temp\salm.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2003-08-23 151597]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe [2007-03-11 936960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe [2004-03-12 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe /q []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
C:\Program Files\Web_Rebates\WebRebates0.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p C:\Program Files\WebSavingsfromEbates\System\Code Main lp: C:\Program Files\WebSavingsfromEbates []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\PROGRA~1\Save\Save.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdControl]
C:\Program Files\Windows AdControl\WinAdCtl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ControlAd]
C:\Program Files\Windows ControlAd\WinCtlAd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows TaskAd]
C:\Program Files\Windows TaskAd\WinTaskAd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2003-04-09 598150]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe [2003-11-21 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE [2003-12-17 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2002-09-20 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoTBar.exe]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutoTBar.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
C:\PROGRA~1\INTERM~1\SPAMSU~1\SPAMSU~1.EXE -q []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2
"Schedule"=2
"RDSessMgr"=3
"RasMan"=3
"omniserv"=2
"ERSvc"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
ApproveIt StartUp.lnk - C:\WINDOWS\Installer\{20F8DC31-F965-4DD6-BC8A-2820C25A3ED0}\Icon9557F1BC1.ico
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2006-11-10 189952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2006-11-10 261632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\System32\NavLogon.dll [2004-10-06 83272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\ACSPMonitor\ASMonitor.exe"="C:\Program Files\ACSPMonitor\ASMonitor.exe:*:Enabled:System"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IEXPLORE"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 2 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zideribu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wepihopa.dll
2009-01-08 18:27:02 ----D---- C:\Program Files\trend micro
2009-01-08 18:27:01 ----D---- C:\rsit
2009-01-01 17:16:19 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-01-01 17:16:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-01 17:16:08 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-28 13:12:32 ----SH---- C:\WINDOWS\system32\usahoyuv.ini
2008-12-27 21:11:22 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-27 20:56:57 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 20:56:39 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-27 20:56:39 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-12-27 19:26:04 ----D---- C:\VundoFix Backups
2008-12-27 19:26:04 ----A---- C:\VundoFix.txt
2008-12-27 17:10:26 ----SH---- C:\WINDOWS\system32\zekafire.exe
2008-12-26 23:08:35 ----SH---- C:\WINDOWS\system32\jobavito.exe
2008-12-23 22:08:26 ----A---- C:\WINDOWS\system32\brykmpcw.dll
2008-12-20 18:23:37 ----A---- C:\WINDOWS\system32\676773d1-.txt
2008-12-20 18:18:05 ----D---- C:\WINDOWS\Prefetch
2008-12-15 15:10:31 ----D---- C:\Program Files\LG Electronics
2008-11-10 17:53:35 ----D---- C:\Documents and Settings\All Users\Application Data\23EA

======List of files/folders modified in the last 2 months======

2009-01-09 18:20:36 ----D---- C:\WINDOWS\Internet Logs
2009-01-09 18:17:23 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2009-01-09 18:17:12 ----D---- C:\WINDOWS\Temp
2009-01-09 18:15:56 ----D---- C:\WINDOWS\system32\drivers
2009-01-09 18:15:56 ----D---- C:\WINDOWS\system32
2009-01-09 18:15:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 17:27:15 ----D---- C:\Program Files\Mozilla Firefox
2009-01-09 17:21:33 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-09 16:47:48 ----D---- C:\My Download Files
2009-01-09 16:29:26 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-01-09 16:29:26 ----AD---- C:\Program Files
2009-01-09 15:55:14 ----SD---- C:\WINDOWS\Tasks
2009-01-09 06:50:19 ----D---- C:\Program Files\Mozilla Thunderbird
2009-01-03 09:12:16 ----D---- C:\WINDOWS\security
2009-01-01 21:03:01 ----D---- C:\WINDOWS
2009-01-01 17:05:34 ----A---- C:\WINDOWS\win.ini
2009-01-01 17:03:40 ----D---- C:\Program Files\AIM
2009-01-01 17:03:32 ----D---- C:\Documents and Settings\Owner\Application Data\Aim
2008-12-28 17:41:04 ----D---- C:\Program Files\PC-Doctor for Windows
2008-12-28 13:12:13 ----ASH---- C:\WINDOWS\system32\gokisoso.dll
2008-12-27 21:12:16 ----D---- C:\Documents and Settings
2008-12-27 20:56:53 ----SHD---- C:\WINDOWS\Installer
2008-12-27 20:55:26 ----SHD---- C:\System Volume Information
2008-12-27 20:53:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-25 14:40:55 ----A---- C:\WINDOWS\WININIT.INI
2008-12-23 23:00:22 ----ASH---- C:\WINDOWS\system32\powamahe.dll
2008-12-22 22:06:21 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-22 21:55:16 ----D---- C:\WINDOWS\system32\config
2008-12-22 21:54:52 ----D---- C:\WINDOWS\system32\wbem
2008-12-22 21:54:51 ----D---- C:\WINDOWS\Registration
2008-12-22 21:50:58 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-22 21:50:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-22 20:57:24 ----HD---- C:\WINDOWS\inf
2008-12-22 20:57:24 ----D---- C:\WINDOWS\Help
2008-12-22 20:56:53 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-20 18:17:50 ----D---- C:\Program Files\Symantec AntiVirus
2008-12-19 20:44:02 ----D---- C:\WINDOWS\Minidump
2008-12-15 15:10:31 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-12 12:34:42 ----D---- C:\WINDOWS\system32\Restore
2008-11-16 14:20:09 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-04-11 10624]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2004-06-11 263736]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-17 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-02-17 538236]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 GemCCID;GemCCID; C:\WINDOWS\System32\Drivers\GemCCID.sys [2008-04-04 87424]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-10-21 49920]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-10-21 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-10-22 21568]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 LVPrcMon;Logitech LVPrcMon Driver; \??\C:\WINDOWS\system32\drivers\LVPrcMon.sys []
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\lvusbsta.sys [2005-09-01 22528]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081212.004\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081212.004\navex15.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-03 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 61883;61883 Unit Device; C:\WINDOWS\System32\DRIVERS\61883.sys [2008-04-13 48128]
S3 Avc;AVC Device; C:\WINDOWS\System32\DRIVERS\avc.sys [2008-04-13 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 ENUM1394;%1394\031887&040892.DeviceDesc%; C:\WINDOWS\System32\DRIVERS\enum1394.sys [2001-08-17 6400]
S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2005-09-01 14080]
S3 GTwinUSB;GTwinUSB; C:\WINDOWS\System32\Drivers\GTwinUSB.sys [2004-06-28 61840]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
S3 Lvckap;Logitech Kernel Audio Processing Filter Driver; \??\C:\WINDOWS\system32\drivers\Lvckap.sys []
S3 lvmvdrv;Logitech Machine Vision Engine Loader; \??\C:\WINDOWS\system32\drivers\lvmvdrv.sys []
S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2005-09-01 2010112]
S3 LVUVC;Logitech QuickCam Fusion(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2005-09-01 1081856]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\System32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2004-08-04 166912]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-05-06 394752]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 sonypvs1;Sony Digital Imaging Video2; C:\WINDOWS\System32\DRIVERS\sonypvs1.sys [2002-10-15 102220]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; C:\WINDOWS\system32\drivers\Sunkfiltp.sys []
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2004-06-11 16280]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-07-23 12416]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-07-23 19840]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-07-23 21632]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-06-09 242808]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2004-10-06 30024]
R2 LVPrcSrv;Logitech Process Monitor; c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe [2005-09-01 81920]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-07-28 77824]
R2 ScsiAccess;ScsiAccess; C:\WINDOWS\System32\ScsiAccess.EXE [2003-02-04 181312]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2003-07-16 65795]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-06-09 255096]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-06-09 87160]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2004-10-06 173392]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-06-11 201944]
S3 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2004-10-06 1275216]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:23 PM

Posted 10 January 2009 - 08:27 AM

Well done and thanks for the feedback.

I appreciate what you have done so far, unfortunately, it still seems to be infected.


If you are just expressing your frustration it is understandable.
If you expected a magic one-step fix, it doesn't exist. The best of malware removers need at least a few posts to clean a computer. Just read some ongoing topics and see for yourself what I mean.
If you want to remind me that it is not clean yet, I can see and tell you when your log is clean. I asked for your patience as the job is not done in one post. When you say something like "you need a genius" after just one post, instead of giving positive feedback like whether you still get those errors at startup or shutdown, you make a negative and totally unneeded statement, and one might get the impression of nagging. The helpers here are all volunteers and certainly dislike it. I'm sorry for my frankness as I'm sure you just express your frustration.

Per step 5 - "Owner.exe" did not exist. I believe there was an assumption that I already installed Hijack This, which
I didn't. I went to CNET and downloaded the program, then ran it per your instructions.


You actually didn't need to download HijackThis. I didn't make the assumption, as RSIT had already downloaded a HijackThis and renamed it. The path was not given correctly by me, but you could run it by typing or copying and pasting C:\Program Files\trend micro\Owner.exe into the Run box and clicking OK, or by making a shortcut of Owner.exe on the desktop and running it from there.

But no harm in installing it again.

From MBAM log:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.


This means the entry was not deleted yet. It would be deleted after reboot. The instruction was (underlined) to let reboot if needed and then post the log after reboot. So please run an updated MBAM and make sure you get a clean log. No need to post it.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.


#7 13Z50P

13Z50P
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:23 AM

Posted 10 January 2009 - 09:56 AM

Farbar,

I am at work today and felt it necessary to reply to your latest posting. When I get home today, I will follow up on your instructions (after football of course.)

First, I sincerely apologize if anything I wrote was misconstrued as being negative, judgemental, or condescending. That was never the case. Writing and speaking are two different animals and can easily be misunderstood. I think that you volunteers do an awesome job, and I always waited patiently for when you took your own time out to help us out. The genius quote was never meant as a negative comment, I certainly didn't mean that the person helping me wasn't qualified, I just realized that with all that code that somebody out there would figure it out. When I post "this or that is fixed or still exists" - I mean that as an update to my current situation; not as if it still isn't fixed yet and somebody failed. I realize it takes time and am in no hurry, since I have a back-up laptop to use in the mean time. When this ordeal is finally solved, I planned to make a donation to this site or you personally (but I haven't found out how to do that yet). I assure you that your perceptions of me are inaccurate, and again I apologize. As for the virus...

I can see in other posts how people don't follow instructions or take the time to read all the rules first. Since your time is valuable, I take pride in following every step to a tee. When I typed owner.exe into the run box, I received an error, so that is what I tried to convey. Also in regards to the Malwarebytes step. I did reboot the computer. I completed the steps you requested in sequence [see below] - update / run pgrm / reboot / post log. The log was from the scan that occurred before the reboot, which is why it still showed the error. Lastly I do not receive the start-up / shut-down errors anymore. I should have been clearer in an earlier posting when I said that everything was fixed except for the trojan that resided in the memory.

I will proceed with the Combofix instructions when I get home. Thank you for your time, I hope I cleared things up. Have a great weekend and Go Ravens!

J.M.

["Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply."]

#8 Farbar


Posted 10 January 2009 - 11:24 AM

J.M.,

The impression/interpretation is not the same as the intention, and I was sure you didn't intend anything negative. It is even more clear now.
No apology is needed and thanks for your kind words.
About the possibility to donate, we don't have it as a site and I don't (yet?) have it personally. Thanks. But if you get infected in the future I'll make sure there will be an opportunity to do that. :thumbsup:

It is a real pleasure to assist you.

Post the logs when ready and we'll get it done tomorrow. Have a nice weekend too.

#9 13Z50P


Posted 10 January 2009 - 04:05 PM

Farbar,

I was hopeful we might finally conquer this issue, but regrettably I ran into trouble.

Proceeding from Step 1. above, the ComboFix failed to run.

1st time - The progress bar appeared, then nothing...
2nd time - Error window - "Some files could not be created... close... reboot... rerun"
3rd time - Same as first time and it locked up.

I tried all 3 download sites without any luck.

Norton and Zone Alarm were disabled.

Any ideas?

J.M.

#10 Farbar


Posted 10 January 2009 - 07:05 PM

Delete your copy of the Combofix from your desktop.

Please download a renamed copy of Combofix from here: here or here.

Follow the rest of the instructions on running Combofix, installing the Recovery Console and letting it scan the system.

#11 13Z50P


Posted 11 January 2009 - 02:15 PM

Yikes, I tried everything I could think of and every combination of steps, but cannot get the Combofix to run. The same thing happens as stated in my earlier reply. In addition, upon reboot, I get the following "End program" alert for C:\WINDOWS\system32\cmd.execf

Here is the latest MBAM log, if it helps. (every time I reboot, that last registry keeps coming back!)

Should I go to the Microsoft website and download the Recovery Console you speak of separately?

Regards...



Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 3

1/11/2009 2:08:58 PM
mbam-log-2009-01-11 (14-08-58).txt

Scan type: Quick Scan
Objects scanned: 65716
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Farbar


Posted 11 January 2009 - 02:30 PM

Make sure you download the renamed copy of Combofix. It is the Combo-Fix.exe

Then open the Task Manager (Ctrl+Alt+Del).

Under the Processes tab, right-click any instances of the following and select End Process.

sed.cfexe, VFind.cfexe, swreg.cfexe, grep.cfexe or cmd.cfexe
OR
sed.execf, VFind.execf, swreg.execf or grep.execf or cmd.execf

Then run Combofix again.

Note down and tell me if you find any instances of those processes.

#13 13Z50P


Posted 12 January 2009 - 11:52 AM

Still no luck...

The error I spoke about only occurred after I ran the program twice without rebooting.

On a totally refreshed and rebooted computer none of those processes were running, and I am still not able to execute it.

One time it made it to the CMD prompt with the blue screen. But it stayed there for 12 hours without doing anything. The CMD prompt screen didn't have any words/ instructions like the example did (please wait... installing... etc) All it had was a blinking cursor in the box, nothing else.

What about installing the recovery console separately, then trying to run the Combofix???

#14 Farbar


Posted 12 January 2009 - 01:37 PM

  • Please remove your copy of Combofix from the desktop.

  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode with networking menu item.
    • Press the Enter key.
  • Please download a renamed copy of Combofix from here: here or here.

    Then say yes to any prompt, let Combofix run, let it reboot when needed and post the log after it has finished. Combofix might take 20 minutes to run. If it freezes, open Task Manager (Ctrl+Alt+Del), right-click and select End Process to kill any instances of the processes named <processname>.cfexe like sed.cfexe, VFind.cfexe, swreg.cfexe, grep.cfexe.
    Do the same with cmd.execf or catchme.cfexe.
    End those processes one by one and wait. If Combofix runs, don't end the other processes even if they are running in the Task Manager.


#15 13Z50P


Posted 12 January 2009 - 06:26 PM

Getting closer...

This time it was able to run in safe mode after 3 tries. It kept locking up after stage 50 at the following point: "C:\WINDOWS\system32\ not recognized as an internal or external command, operable program, or batch file." When I ended the process the last time it froze up, it rebooted. To my surprise it actually generated a log, which is posted below. I don't think any Recovery Console installation took place, and I am not sure the program ran full and complete. Thanks again for your diligence.


ComboFix 09-01-10.01 - Administrator 2009-01-12 16:49:07.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1199 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\java2.sys c:\windows\system32\snjava.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\ATPartners.dll
c:\windows\system32\gehavefe.dll
c:\windows\system32\gokisoso.dll
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\lakofara.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\powamahe.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\usahoyuv.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-10 21:26 . 2009-01-10 21:52 <DIR> d-------- C:\ComboFix
2009-01-08 18:27 . 2009-01-08 18:29 <DIR> d-------- C:\rsit
2009-01-08 18:27 . 2009-01-09 16:45 <DIR> d-------- c:\program files\trend micro
2009-01-01 17:16 . 2009-01-09 17:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 17:16 . 2009-01-01 17:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-01 17:16 . 2009-01-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 17:16 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 17:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 21:13 . 2008-12-27 21:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-27 21:12 . 2003-08-23 09:34 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-27 21:12 . 2003-08-28 22:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-27 21:12 . 2003-08-23 09:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-27 21:12 . 2003-08-23 22:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2008-12-27 21:12 . 2003-08-28 22:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\interMute
2008-12-27 21:12 . 2008-12-27 21:12 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 20:56 . 2008-12-27 20:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-27 20:56 . 2008-12-27 20:56 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-12-27 20:56 . 2008-12-27 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 19:26 . 2008-12-27 19:26 <DIR> d-------- C:\VundoFix Backups
2008-12-27 17:10 . 2008-12-27 17:10 6,537 ---hs---- c:\windows\system32\zekafire.exe
2008-12-26 23:08 . 2008-12-26 23:08 6,537 ---hs---- c:\windows\system32\jobavito.exe
2008-12-23 22:08 . 2008-12-23 22:08 88,312 --a------ c:\windows\system32\brykmpcw.dll
2008-12-15 15:10 . 2008-12-15 15:10 <DIR> d-------- c:\program files\LG Electronics
2008-12-15 15:10 . 2007-07-23 09:23 21,632 --a------ c:\windows\system32\drivers\lgusbmodem.sys
2008-12-15 15:10 . 2007-07-23 09:23 19,840 --a------ c:\windows\system32\drivers\lgusbdiag.sys
2008-12-15 15:10 . 2007-07-23 09:23 12,416 --a------ c:\windows\system32\drivers\lgusbbus.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 21:46 133,124 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-12 21:46 12,208,160 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-12 21:43 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-11 02:55 --------- d-----w c:\program files\Symantec
2009-01-11 02:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-09 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-01 22:03 --------- d-----w c:\program files\AIM
2009-01-01 22:03 --------- d-----w c:\documents and settings\Owner\Application Data\Aim
2008-12-28 22:41 --------- d-----w c:\program files\PC-Doctor for Windows
2008-12-28 01:53 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 02:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-15 20:10 --------- d--h--w c:\program files\InstallShield Installation Information
2005-11-18 03:21 36,680 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-05-31 14:29 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:12 2,048 --sha-w c:\windows\system32\zideribu.dll
2008-07-29 22:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 139264]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 06:39 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 275968]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"AprvRemoveLegacyWordKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe" [2007-07-27 73728]
"AprvRemoveLegacyExcelKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe" [2007-07-27 73728]
"ApproveItForOfficeSetup"="c:\program files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2007-10-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"application"="c:\program files\AKProg\AKProg.exe" [2005-07-08 522752]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 77312]
ApproveIt StartUp.lnk - c:\windows\Installer\{20F8DC31-F965-4DD6-BC8A-2820C25A3ED0}\Icon9557F1BC1.ico [2008-10-09 9216]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-11-10 12:28 189952 c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-11-10 12:28 261632 c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoTBar.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\AutoTBar.exe
backup=c:\windows\pss\AutoTBar.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2003-06-22 23:25 24576 c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 11:24 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
--a------ 2005-09-07 06:33 434176 c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-01-18 17:07 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2003-07-28 13:19 49152 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-06-17 20:13 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-08-23 09:14 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 16:37 936960 c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2004-03-12 15:53 20480 c:\windows\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 13:19 323584 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Schedule"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"omniserv"=2 (0x2)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2008-04-04 87424]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2004-06-28 61840]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
S4 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
S4 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
S4 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2004-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AutoTKit - c:\hp\bin\AUTOTKIT.EXE
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-OmniPass - c:\program files\Softex\OmniPass\scureapp.exe
MSConfigStartUp-PopularScreensaversWallpaper - c:\progra~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL
MSConfigStartUp-PopUpStopperFreeEdition - c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
MSConfigStartUp-PS2 - c:\windows\system32\ps2.exe
MSConfigStartUp-RiskII - c:\docume~1\Owner\Desktop\RISKII~1.EXE
MSConfigStartUp-salm - c:\temp\salm.exe
MSConfigStartUp-StorageGuard - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-WeatherCast - c:\program files\WeatherCast\Weather.exe
MSConfigStartUp-WebRebates0 - c:\program files\Web_Rebates\WebRebates0.exe
MSConfigStartUp-WhenUSave - c:\progra~1\Save\Save.exe
MSConfigStartUp-Windows AdControl - c:\program files\Windows AdControl\WinAdCtl.exe
MSConfigStartUp-Windows ControlAd - c:\program files\Windows ControlAd\WinCtlAd.exe
MSConfigStartUp-Windows TaskAd - c:\program files\Windows TaskAd\WinTaskAd.exe
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &Search - ?p=ZU
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: online.musicmatch.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\vzTCPConfig.dll - O16 -: vzTCPConfig
hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
c:\windows\Downloaded Program Files\OSD94.OSD
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8klbdn7z.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 17:53:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3935848337-1460218289-1280627995-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\byXQgHAP.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7384afbb-bb83-469d-aac7-c82647a8ad18}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\eyzxho.dll"
"ThreadingModel"="free"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2009-01-12 17:57:43 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-12 22:57:39

Pre-Run: 116,075,577,344 bytes free
Post-Run: 116,023,783,424 bytes free

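The ComboFix log above is long, and the entries an analyst looks at first are scattered across several sections: the hidden+system executables under "Files Created", the 1601-01-01 timestamp in the Find3M report (Windows' FILETIME zero, which no real installer writes), the Security Center "DisableNotify" values, the disabled Windows Firewall profile, and the locked CLSID InprocServer32 keys pointing at DLLs in system32. The Python below is an added triage helper, not ComboFix's own code and not something anyone in the thread posted; it parses the log's section banners, file lines and REGEDIT4-style key/value lines, and flags those five kinds of entry. The sample input is a constructed excerpt made from lines in the log above, and the heuristics are this example's own assumptions about what merits review, not a verdict on any file.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code).

Heuristics below are assumptions of this example, chosen from what the log
in the thread shows; every hit is a "look at this", not a verdict.
"""
import re
from collections import OrderedDict

# Constructed sample: lines copied from the thread's log, with the section
# banners needed to reproduce ComboFix's layout. Raw string keeps backslashes.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-01 17:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 17:10 . 2008-12-27 17:10 6,537 ---hs---- c:\windows\system32\zekafire.exe
2008-12-26 23:08 . 2008-12-26 23:08 6,537 ---hs---- c:\windows\system32\jobavito.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 02:55 --------- d-----w c:\program files\Symantec
2005-05-31 14:29 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:12 2,048 --sha-w c:\windows\system32\zideribu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\byXQgHAP.dll"
"ThreadingModel"="Both"
.
"""

# Section banners look like "(((( Name ))))" or "------ Name ------".
BANNER_RE = re.compile(r"^\s*[(\-]{3,}\s*(.+?)\s*[)\-]{3,}\s*$")
# File lines: "created [. modified] size|<DIR>|------ attrs path".
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2}) \d{2}:\d{2})?"
    r"\s+(?P<size><DIR>|[\d,]+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]+)"?\s*=\s*(?P<data>.*)$')
EXE_EXT = (".exe", ".dll", ".sys")


def parse_sections(text):
    """Split a ComboFix log into an ordered {section name: [content lines]} map."""
    sections = OrderedDict([("Header", [])])
    current = "Header"
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip() in ("", "."):   # ComboFix's "." separators and blanks
            continue
        sections[current].append(line)
    return sections


def find_indicators(text):
    """Return (category, detail) tuples an analyst would want to review first."""
    found = []
    for section, lines in parse_sections(text).items():
        key = None
        for line in lines:
            fm = FILE_RE.match(line)
            if fm:
                path, attrs = fm.group("path"), fm.group("attrs")
                recent = section.startswith("Files Created")
                # Hidden+system executable freshly dropped into system32.
                if (recent and "\\system32\\" in path.lower()
                        and path.lower().endswith(EXE_EXT)
                        and "h" in attrs and "s" in attrs):
                    found.append(("hidden+system file in system32", path))
                # 1601-01-01 is FILETIME zero: a timestamp no installer writes.
                if "1601-01-01" in (fm.group("created"), fm.group("modified")):
                    found.append(("FILETIME-zero timestamp (1601-01-01)", path))
                continue
            km = KEY_RE.match(line)
            if km:
                key = km.group("key").lower()
                continue
            vm = VALUE_RE.match(line)
            if not (vm and key):
                continue
            vname, data = vm.group("name"), vm.group("data").strip()
            if (key.endswith("\\security center") and vname.endswith("DisableNotify")
                    and data.lower().startswith("dword:")
                    and int(data.split(":", 1)[1], 16) == 1):
                found.append(("Security Center notification suppressed", vname))
            if (key.endswith("firewallpolicy\\standardprofile")
                    and vname == "EnableFirewall" and data.startswith("0")):
                found.append(("Windows Firewall standard profile disabled", key))
            if (section.upper().startswith("LOCKED REGISTRY")
                    and "\\inprocserver32" in key and vname == "@"
                    and "system32" in data.lower()):
                # REGEDIT4 doubles backslashes; undo that for the report.
                found.append(("locked CLSID InprocServer32 in system32",
                              data.strip('"').replace("\\\\", "\\")))
    return found


def summarize(text):
    """Count indicators per category."""
    counts = {}
    for category, _ in find_indicators(text):
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Two caveats when reading the output: the firewall flag is expected on this machine, because the log shows ZoneAlarm handling that role and Security Center's own monitoring of it switched off; and a hidden+system attribute on its own proves nothing (the Find3M section deliberately is not checked for it, since long-standing files like the 2005 KGyGaAvL.sys would otherwise drown out the recent arrivals). The point of the script is to pull the handful of entries worth a closer look out of several hundred lines, in the order ComboFix printed them.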



