
At least partially fixed Vundo; recurring Trojans


  • This topic is locked
7 replies to this topic

#1 king_e_dawg

king_e_dawg

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 03 January 2009 - 03:15 AM

Hello,

About a week ago, I got a nasty Vundo/Virtumonde virus. At first, it was popping up fake AV ads, generally slowing down my computer and browsing, and disabling auto updates in Windows Security, which I could not turn back on. Spybot detected it (Virtumonde.sci, prx, etc.) and said it was fixed, but the same stuff kept coming up on every new scan. So I got AVG, A-Squared, and VundoFix/VirtumondoBegone (note that I have all these installed at once, in addition to Spybot and McAfee; lord knows why I still have McAfee, but it's been catching some of the trojans). They turned up quite a few detections. Somewhere along the way, one of them must have caught something, because my system and internet are pretty much back to normal, I can turn WS updates back on, and all my virus scans are turning up clean. I was getting quite a few tracking cookies, and as it turns out, the little bugger must have set IE to accept all cookies - I set it back to default and problem solved.

HOWEVER, I do keep getting alerts from AVG and McAfee on occasion about random trojans it catches (BHO, Vundo.gen.q, etc.). They do tend to come up while one or the other of them is running a full scan. So I'm posting my HJT log in hopes that I'll finally get clean. Please let me know if there's any other logs I can provide that would help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:37 AM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A372A5B-8A45-4ADF-82C1-804D690870D7} - C:\WINDOWS\system32\rqRIaYqO.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193366508905
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193372986421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8938FF-F552-4320-880C-3D3F71FCA306}: NameServer = 12.44.251.117,12.44.251.119,12.44.251.116
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\togubiza.dll,avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 10048 bytes

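The helpers on this board read a HijackThis log by eye: orphaned BHOs, random eight-letter DLLs in system32, an AppInit_DLLs entry that is not a known vendor hook, autostarts under the SYSTEM profile, and DNS servers pinned on the adapter. As an added example (not part of this thread, not a HijackThis feature, and not the helper's procedure), the script below applies those same checks mechanically to the lines in the log above. The sample lines are copied from that log; the allowlist, the severity labels and the random-name regex are my own assumptions and will need tuning per machine.

```python
"""Mechanical first pass over a HijackThis v2 log.

Added example for this thread, not a HijackThis feature and not the helper's
own procedure. The sample lines are copied from the log posted above; the
allowlist, the severity labels and the random-name heuristic are assumptions
you should tune to the machine you are looking at.
"""
import re

# Constructed input: a few lines lifted verbatim from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A372A5B-8A45-4ADF-82C1-804D690870D7} - C:\WINDOWS\system32\rqRIaYqO.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8938FF-F552-4320-880C-3D3F71FCA306}: NameServer = 12.44.251.117,12.44.251.119,12.44.251.116
O20 - AppInit_DLLs: C:\WINDOWS\system32\togubiza.dll,avgrsstx.dll
"""

# DLLs you know belong in AppInit_DLLs on this box. avgrsstx.dll is AVG 8's
# resident-shield hook (it shows up in the ComboFix file listing later in the
# thread). Assumption: you maintain this list yourself.
KNOWN_APPINIT = {"avgrsstx.dll"}

# Vundo drops DLLs with short, purely alphabetic, per-infection names straight
# into system32 (rqRIaYqO.dll, togubiza.dll, wufewoga.dll in this thread).
# A heuristic, not a signature: it will also match some legitimate files.
RANDOM_NAME = re.compile(r"^[A-Za-z]{6,10}\.dll$")

LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(path):
    """True for an unknown, short alphabetic DLL name living directly in system32."""
    base = basename(path)
    return ("system32" in path.lower()
            and base.lower() not in KNOWN_APPINIT
            and RANDOM_NAME.match(base) is not None)


def triage_hjt(log_text):
    """Return (severity, item, reason) tuples for the lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2":
            # "BHO: <name> - {CLSID} - <path>": the path is the last " - " field.
            path = body.split(" - ")[-1]
            if "(no file)" in path or "(file missing)" in path:
                findings.append(("review", path,
                                 "BHO CLSID still registered but its DLL is gone; "
                                 "remnant of a removed component"))
            elif looks_random(path):
                findings.append(("high", path,
                                 "BHO loads a random-looking DLL from system32"))
        elif kind == "O4" and body.startswith("HKUS\\"):
            findings.append(("review", body,
                             "autostart under the SYSTEM or Default profile; "
                             "user software rarely belongs there"))
        elif kind == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1]
            findings.append(("review", servers,
                             "resolvers pinned on the adapter; confirm they are your "
                             "ISP's, DNS hijackers set these too"))
        elif kind == "O20" and body.startswith("AppInit_DLLs: "):
            for dll in body[len("AppInit_DLLs: "):].split(","):
                dll = dll.strip()
                if basename(dll).lower() not in KNOWN_APPINIT:
                    findings.append(("high", dll,
                                     "AppInit_DLLs entry not on the allowlist; it is "
                                     "injected into every process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for severity, item, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{severity:6}] {item}\n         {reason}")
```

Run it and the togubiza.dll AppInit entry and the two dead BHOs come out on top, which is exactly what the helper targets in the next two posts. Two caveats: the O17 name servers are reported for verification only (the script has no way of knowing whether 12.44.251.x belongs to the poster's ISP), and the HKUS\S-1-5-18 autostart is flagged as "review" rather than "high" because consumer software installed while the Default profile was active lands there legitimately.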

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:26 AM

Posted 05 January 2009 - 05:46 AM

Hello King_e_dawg and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

(download links not reproduced)

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 king_e_dawg

king_e_dawg
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 06 January 2009 - 12:10 AM

OK, I was alerted on ComboFix startup to stop real-time scanning for AVG and McAfee. I stopped McAfee, and I did everything I could to stop all processes for AVG (short of uninstalling it), but after I went ahead, ComboFix said AVG was still running and it was going to continue anyway. It didn't appear that anything went wrong, auto-restarted, and on startup, I got the same alerts about real-time scanning. Repeated, and then ComboFix hung for a minute, saying "error: could not open temp01," then finished up.

Just thought I should note some of that. Anyway, here's the log:

ComboFix 09-01-05.02 - Ian 2009-01-05 14:14:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.744 [GMT -5:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\elopaban.ini
c:\windows\system32\etenivaj.ini
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-03 02:29 . 2009-01-03 02:29 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 21:27 . 2009-01-02 21:27 91 --a------ c:\windows\Retrieve.INI
2008-12-31 11:40 . 2008-12-31 11:40 7,168 --ahs---- c:\windows\Thumbs.db
2008-12-30 04:31 . 2008-12-31 20:35 <DIR> d-------- c:\program files\a-squared Free
2008-12-30 00:25 . 2009-01-03 01:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 00:23 . 2009-01-05 13:06 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-30 00:23 . 2008-12-30 00:23 <DIR> d-------- c:\program files\AVG
2008-12-30 00:23 . 2008-12-30 00:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-30 00:23 . 2008-12-30 00:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-30 00:23 . 2008-12-30 00:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-29 02:22 . 2008-12-29 02:22 <DIR> d-------- C:\!KillBox
2008-12-29 00:08 . 2008-12-29 00:08 <DIR> d-------- C:\VundoFix Backups
2008-12-28 13:46 . 2008-12-27 09:26 1,736,704 --a------ c:\windows\system32\javan.exe
2008-12-28 13:39 . 2008-12-28 13:39 45,984 --a------ c:\windows\system32\ins2.exe
2008-12-28 13:10 . 2008-12-28 13:10 336 --a------ c:\program files\temp995.bat
2008-12-25 12:08 . 2008-12-25 12:08 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-25 12:08 . 2008-12-25 12:08 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-25 12:05 . 2008-12-25 12:05 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-25 11:59 . 2008-12-25 12:02 <DIR> d-------- c:\program files\Zune
2008-12-25 11:59 . 2008-03-21 13:57 14,640 --a------ c:\windows\system32\spmsgXP_2k3.dll
2008-12-25 11:59 . 2008-12-25 11:59 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-25 11:59 . 2008-12-25 11:59 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-25 11:57 . 2008-05-02 08:25 465,920 --a------ c:\windows\system32\imapi2fs.dll
2008-12-25 11:57 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-25 11:57 . 2008-05-02 08:25 317,952 --a------ c:\windows\system32\imapi2.dll
2008-12-25 11:57 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2008-12-25 11:57 . 2008-05-02 05:49 62,976 -----c--- c:\windows\system32\dllcache\cdrom.sys
2008-12-24 12:12 . 2008-12-24 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-14 17:27 . 2008-12-14 17:27 <DIR> d-------- c:\windows\Replay Converter 3
2008-12-14 17:27 . 2008-12-14 17:26 737,280 --a------ c:\windows\iun6002.exe
2008-12-12 12:41 . 2008-12-12 12:41 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-12-12 12:41 . 2008-12-12 12:41 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-12-07 16:19 . 2008-12-07 16:19 <DIR> d-------- c:\program files\Daniusoft
2008-12-07 12:55 . 2008-08-12 21:08 16,896 --a------ c:\windows\system32\drivers\VirtualAudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 19:17 --------- d-----w c:\documents and settings\Ian\Application Data\WTablet
2009-01-02 01:57 --------- d-----w c:\documents and settings\Ian\Application Data\uTorrent
2008-12-28 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 20:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 18:16 --------- d-----w c:\program files\DAP
2008-12-28 18:16 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-28 18:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 18:14 --------- d-----w c:\program files\Common Files\Adobe
2008-12-28 18:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:44 --------- d-----w c:\documents and settings\Ian\Application Data\Image Zone Express
2008-12-16 18:47 --------- d-----w c:\program files\Java
2008-11-16 18:47 --------- d-----w c:\program files\DivX
2008-11-14 05:45 --------- d-----w c:\program files\McAfee
2008-11-10 17:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2002-07-26 22:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-07-07 08:10 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070720080708\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LaunchList"="c:\program files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 145496]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2007-01-23 81920]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= Pvmjpg30.dll
"vidc.ffds"= -
"vidc.RMP4"= rmp4.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-12-07 16896]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-06-29 3406120]
S1 c2scsi;c2scsi; [x]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-06-29 15656]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11FC12D0-1A72-12D2-992D-5BC14F992BC7}]
c:\windows\system32\javan.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-05 c:\windows\Tasks\feymmrjb.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9A372A5B-8A45-4ADF-82C1-804D690870D7} - c:\windows\system32\rqRIaYqO.dll
HKCU-Run-Sonic RecordNow! Deluxe - (no file)
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-vulowihida - c:\windows\system32\wufewoga.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
TCP: {8A8938FF-F552-4320-880C-3D3F71FCA306} = 12.44.251.117,12.44.251.119,12.44.251.116
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 14:24:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-05 14:27:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 19:27:12

Pre-Run: 176,406,052,864 bytes free
Post-Run: 176,284,753,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

223 --- E O F --- 2008-12-17 19:06:03
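A ComboFix log is a different format from a HijackThis log and carries different evidence: the Security Center and firewall policy values, Active Setup stubs, the scheduled-task listing, and the "Files Created" timeline. As an added example (not part of ComboFix, not this thread, and not the helper's procedure), the script below pulls the points of interest out of the log above. The sample is pasted from that log; the severity labels, the LOLBin list and the "drop directories" list are my assumptions.

```python
"""Triage of a ComboFix log: Security Center tampering, Active Setup stubs,
scheduled tasks hiding behind a LOLBin, and executables dropped into places
installers do not normally use.

Added example for this thread, not part of ComboFix and not the helper's own
procedure. The sample is pasted from the ComboFix log above; the severity
labels, LOLBIN_HOSTS and DROP_DIRS are assumptions.
"""
import re

# Constructed input: sections copied from the ComboFix log above, in the
# order ComboFix prints them (file listing, registry points, scheduled tasks).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2009-01-03 02:29 . 2009-01-03 02:29 <DIR> d-------- c:\program files\Trend Micro
2008-12-30 00:23 . 2008-12-30 00:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-28 13:46 . 2008-12-27 09:26 1,736,704 --a------ c:\windows\system32\javan.exe
2008-12-28 13:39 . 2008-12-28 13:39 45,984 --a------ c:\windows\system32\ins2.exe
2008-12-28 13:10 . 2008-12-28 13:10 336 --a------ c:\program files\temp995.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11FC12D0-1A72-12D2-992D-5BC14F992BC7}]
c:\windows\system32\javan.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-05 c:\windows\Tasks\feymmrjb.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
"""

# A task whose target is one of these says nothing about what really runs;
# the payload is in arguments ComboFix does not print. (Assumed list.)
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".sys", ".scr")
# Installers keep binaries in their own folder; a loose executable directly
# in one of these directories deserves a look. (Assumed list, tune per box.)
DROP_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\program files"}

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} ([\d,]+) \S+ (.+)$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\\S+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[")


def triage_combofix(text):
    """Return (severity, item, reason) tuples; item is the value or path found."""
    findings = []
    key = ""                                   # registry key we are currently inside
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if line == "." or line.startswith("(((") or line.startswith("Contents of"):
            key = ""                           # section boundary: left the registry dump
            continue
        # 1. Security Center / Windows Firewall policy values
        if key.endswith("\\security center") and line.endswith("=dword:00000001"):
            name = line.split("=", 1)[0].strip('"')
            if name.endswith("DisableNotify"):
                findings.append(("review", name,
                                 "Security Center warning silenced; malware sets this, but so can a user"))
        elif key.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"'):
            if line.split("=", 1)[1].strip().startswith("0"):
                findings.append(("review", "EnableFirewall",
                                 "Windows Firewall off; expected only if a third-party firewall owns the profile"))
        # 2. Active Setup StubPath: runs once per user profile at logon
        elif "active setup\\installed components\\{" in key and line.lower().endswith(EXEC_EXT):
            findings.append(("review", line, "Active Setup stub runs for every user profile at logon"))
        # 3. Scheduled task whose target is a LOLBin host
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            if t and t.group(1).rsplit("\\", 1)[-1].lower() in LOLBIN_HOSTS:
                findings.append(("high", m.group(1),
                                 f"task runs {t.group(1)}; the real payload is in arguments ComboFix does not print"))
        # 4. Executables created directly in a drop directory
        f = FILE_RE.match(line)
        if f:
            created, size, path = f.groups()
            parent = path.lower().rsplit("\\", 1)[0]
            if path.lower().endswith(EXEC_EXT) and parent in DROP_DIRS:
                findings.append(("review", path, f"{size} byte executable created {created} directly in {parent}"))
    return findings


if __name__ == "__main__":
    for severity, item, reason in triage_combofix(SAMPLE_COMBOFIX):
        print(f"[{severity:6}] {item}\n         {reason}")
```

On this log the output lines up with what the helper targets next: ins2.exe, temp995.bat and the feymmrjb.job task. The firewall and DisableNotify values are deliberately rated "review", not "high": the log header shows McAfee Personal Firewall enabled, and a third-party firewall legitimately takes over the standard profile, so `EnableFirewall = 0` by itself proves nothing. The McAfee `DisableMonitoring` values under `security center\Monitoring` are not flagged at all; that is how a registered AV/firewall tells Security Center to stop monitoring on its behalf.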

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:26 AM

Posted 06 January 2009 - 08:16 AM

Hello King_e_dawg,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
c:\windows\system32\ins2.exe
File::
c:\program files\temp995.bat
c:\windows\Tasks\feymmrjb.job

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot not reproduced)

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=9 :
In the C:\Qoobox\ folder, you'll find the CF-Submit.htm file, double click it (opens browser window) and
click OK to open the upload page,
copy the path description (printed in bold) on this page, and paste it in the search field.
Click Send File.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 king_e_dawg

king_e_dawg
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 06 January 2009 - 01:32 PM

I loaded the script into ComboFix, but did not try to disable AVG or McAfee when prompted. As ComboFix was starting, McAfee popped up an alert that it found "EICAR test file (Virus)" in file 'C:\Documents and Settings\Ian\Local Settings\Temp\Av-test.txt,' process 'C:\WINDOWS\system32\CF27221.exe' and quarantined it. ComboFix did everything it did before (besides asking to update to a newer version, which I did) and appeared to run the script, but did not restart my system. Shortly after, I noticed the AVG tray icon for "scan running," but the control panel did not show anything running.

I'm thinking some of this may be all the anti-malware programs conflicting with each other. At this point, I really don't have anything erratic happening on my system except when one of these programs is working, and then it's just one of those real-time scanning alerts. Here are the new logs:

ComboFix 09-01-05.05 - Ian 2009-01-06 12:57:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.709 [GMT -5:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\program files\temp995.bat
c:\windows\Tasks\feymmrjb.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp995.bat
c:\windows\system32\ins2.exe
c:\windows\Tasks\feymmrjb.job

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-03 02:29 . 2009-01-03 02:29 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 21:27 . 2009-01-02 21:27 91 --a------ c:\windows\Retrieve.INI
2008-12-31 11:40 . 2008-12-31 11:40 7,168 --ahs---- c:\windows\Thumbs.db
2008-12-30 04:31 . 2008-12-31 20:35 <DIR> d-------- c:\program files\a-squared Free
2008-12-30 00:25 . 2009-01-03 01:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 00:23 . 2009-01-06 12:49 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-30 00:23 . 2008-12-30 00:23 <DIR> d-------- c:\program files\AVG
2008-12-30 00:23 . 2008-12-30 00:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-30 00:23 . 2008-12-30 00:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-30 00:23 . 2008-12-30 00:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-29 02:22 . 2008-12-29 02:22 <DIR> d-------- C:\!KillBox
2008-12-29 00:08 . 2008-12-29 00:08 <DIR> d-------- C:\VundoFix Backups
2008-12-28 13:46 . 2008-12-27 09:26 1,736,704 --a------ c:\windows\system32\javan.exe
2008-12-25 12:08 . 2008-12-25 12:08 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-25 12:08 . 2008-12-25 12:08 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-25 12:05 . 2008-12-25 12:05 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-25 11:59 . 2008-12-25 12:02 <DIR> d-------- c:\program files\Zune
2008-12-25 11:59 . 2008-03-21 13:57 14,640 --a------ c:\windows\system32\spmsgXP_2k3.dll
2008-12-25 11:59 . 2008-12-25 11:59 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-25 11:59 . 2008-12-25 11:59 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-25 11:57 . 2008-05-02 08:25 465,920 --a------ c:\windows\system32\imapi2fs.dll
2008-12-25 11:57 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-25 11:57 . 2008-05-02 08:25 317,952 --a------ c:\windows\system32\imapi2.dll
2008-12-25 11:57 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2008-12-25 11:57 . 2008-05-02 05:49 62,976 -----c--- c:\windows\system32\dllcache\cdrom.sys
2008-12-24 12:12 . 2008-12-24 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-14 17:27 . 2008-12-14 17:27 <DIR> d-------- c:\windows\Replay Converter 3
2008-12-14 17:27 . 2008-12-14 17:26 737,280 --a------ c:\windows\iun6002.exe
2008-12-12 12:41 . 2008-12-12 12:41 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-12-12 12:41 . 2008-12-12 12:41 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-12-07 16:19 . 2008-12-07 16:19 <DIR> d-------- c:\program files\Daniusoft
2008-12-07 12:55 . 2008-08-12 21:08 16,896 --a------ c:\windows\system32\drivers\VirtualAudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 17:47 --------- d-----w c:\documents and settings\Ian\Application Data\WTablet
2009-01-02 01:57 --------- d-----w c:\documents and settings\Ian\Application Data\uTorrent
2008-12-28 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 20:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 18:16 --------- d-----w c:\program files\DAP
2008-12-28 18:16 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-28 18:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 18:14 --------- d-----w c:\program files\Common Files\Adobe
2008-12-28 18:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:44 --------- d-----w c:\documents and settings\Ian\Application Data\Image Zone Express
2008-12-16 18:47 --------- d-----w c:\program files\Java
2008-11-16 18:47 --------- d-----w c:\program files\DivX
2008-11-14 05:45 --------- d-----w c:\program files\McAfee
2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2002-07-26 22:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-07-07 08:10 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070720080708\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-05_14.26.33.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-05 18:09:44 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-06 17:52:57 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-05 18:09:44 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-06 17:52:57 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-05 19:21:19 72,152 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-06 17:51:24 72,152 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-05 19:21:19 444,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-06 17:51:24 444,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-06 17:47:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_25c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LaunchList"="c:\program files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 145496]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2007-01-23 81920]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= Pvmjpg30.dll
"vidc.ffds"= -
"vidc.RMP4"= rmp4.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-12-07 16896]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-06-29 3406120]
S1 c2scsi;c2scsi; [x]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-06-29 15656]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11FC12D0-1A72-12D2-992D-5BC14F992BC7}]
c:\windows\system32\javan.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
TCP: {8A8938FF-F552-4320-880C-3D3F71FCA306} = 12.44.251.117,12.44.251.119,12.44.251.116
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 13:00:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,b1,da,ac,cf,0f,\
64,96,b4,e2,63,26,f1,3f,c8,ff,68,e7,46,72,05,e9,98,a1,cb,e2,63,26,f1,3f,c8,\
ff,68,be,41,2c,07,59,3d,d3,65,c8,28,51,af,b0,29,a3,98,a4,1f,bc,d7,cd,6c,ec,\
e4,6b,d8,41,0f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,fc,3c,31,b1,f3,\
38,fb,1b,6a,9c,d6,61,af,45,84,18,af,db,6d,3f,a6,e7,98,2c,6a,9c,d6,61,af,45,\
84,18,eb,af,ec,c9,ed,cf,4b,72,6a,9c,d6,61,af,45,84,18,9f,7e,56,00,45,58,bb,\
8b,0d,9f,05,65

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,e1,c4,0c,97,37,\
17,03,d1,ff,7c,85,e0,43,d4,0e,fe,ac,c4,f2,fb,ee,e9,d7,15,ff,7c,85,e0,43,d4,\
0e,fe,2d,bb,a2,7d,a4,2f,54,bf,7a,45,05,fd,91,e8,6f,31,7b,19,5e,27,69,f1,30,\
70,b6,e1,3e,0b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,e8,4e,38,e4,\
63,25,b4,86,8c,21,01,be,91,eb,e7,da,6a,ea,b1,7a,59,7c,8e,86,8c,21,01,be,91,\
eb,e7,ea,1e,de,ba,bd,52,38,03,86,8c,21,01,be,91,eb,e7,09,d9,e8,13,2f,af,27,\
48,c3,9d,da,2c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,58,24,bf,4b,75,\
7d,55,d8,f5,1d,4d,73,a8,13,5c,05,1a,65,9c,77,9c,3e,ed,74,f5,1d,4d,73,a8,13,\
5c,05,5b,36,55,a2,75,72,10,ec,f5,1d,4d,73,a8,13,5c,05,05,5a,8a,bf,fa,61,5a,\
83,34,69,17,ec

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,33,78,ec,93,f7,\
4e,5b,ab,df,20,58,62,78,6b,cf,c8,fe,54,fa,78,2c,43,05,72,df,20,58,62,78,6b,\
cf,c8,0a,de,39,6f,d5,e7,80,ab,50,93,e5,ab,ec,6a,4e,ab,d2,99,93,ef,de,c1,26,\
6e,41,5d,5c,b8

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,15,df,16,4c,95,\
3d,73,b2,fb,a7,78,e6,12,2f,9a,ea,2b,88,9a,e3,0e,46,0f,6d,fb,a7,78,e6,12,2f,\
9a,ea,e5,f4,91,49,a9,37,ce,a5,fb,a7,78,e6,12,2f,9a,ea,e8,d2,d9,99,93,c4,4f,\
95,11,ff,75,dd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,cc,37,48,3e,36,\
bd,a6,c0,01,3a,48,fc,e8,04,4a,f1,a0,df,7b,e1,4a,e5,b8,29,01,3a,48,fc,e8,04,\
4a,f1,86,c9,ef,db,ff,84,c8,0e,83,6c,56,8b,a0,85,96,ab,01,5f,d1,04,50,f4,18,\
40,21,9f,34,20

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,f0,08,11,21,16,\
63,89,3a,f6,0f,4e,58,98,5b,89,c9,59,30,53,36,f4,1b,a9,bb,f6,0f,4e,58,98,5b,\
89,c9,3b,76,4b,da,f0,0a,3e,63,51,fa,6e,91,28,9e,14,cc,4e,02,fe,d8,eb,d5,37,\
08,e6,12,7a,7b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,68,79,7c,16,42,\
72,2c,3f,3d,ce,ea,26,2d,45,aa,78,bb,06,39,ea,4a,15,53,19,3d,ce,ea,26,2d,45,\
aa,78,94,60,6f,99,ad,0b,dc,b2,3d,ce,ea,26,2d,45,aa,78,6c,66,4b,e3,d5,cd,8c,\
e9,f3,12,3a,4c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,c2,75,94,91,80,\
f7,56,7e,2a,b7,cc,b5,b9,7f,41,e7,8a,96,c9,fd,6b,bb,bd,5f,2a,b7,cc,b5,b9,7f,\
41,e7,68,9b,36,4a,ed,38,de,e7,f8,31,0f,a9,5f,a0,ec,fb,22,e2,17,d3,b6,4c,40,\
2d,92,44,50,3e

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3c,d1,79,7c,5f,\
65,f1,6c,6c,43,2d,1e,aa,22,2f,9c,ce,93,f1,0a,d4,08,4d,ea,6c,43,2d,1e,aa,22,\
2f,9c,5e,ee,91,d5,ff,b8,80,95,6c,43,2d,1e,aa,22,2f,9c,b9,78,05,f9,e9,66,f9,\
9d,6c,a1,91,29
.
Completion time: 2009-01-06 13:03:13
ComboFix-quarantined-files.txt 2009-01-06 18:03:03
ComboFix2.txt 2009-01-05 19:27:20

Pre-Run: 176,144,445,440 bytes free
Post-Run: 176,137,318,400 bytes free

316 --- E O F --- 2008-12-17 19:06:03



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:04 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193366508905
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193372986421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8938FF-F552-4320-880C-3D3F71FCA306}: NameServer = 12.44.251.117,12.44.251.119,12.44.251.116
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 9608 bytes
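The two logs in this post are the raw material a helper reads by eye: HijackThis entry lines (O2 BHOs with no file on disk, Run entries under the SYSTEM hive, the O17 NameServer override, the O15 Trusted Zone) and ComboFix's REGEDIT4-style dump (Security Center notifications switched off, the Windows Firewall standard profile disabled, and the locked CLSID\InprocServer32 keys that ComboFix marks *NULL*). The following is an added example, not code from this thread, from HijackThis or from ComboFix; it parses both formats and returns review flags using heuristics of its own. The sample input is constructed from a subset of the lines posted above, and the flag texts are this example's wording, not tool output.

```python
"""Review helper for HijackThis entry lines and ComboFix registry dumps.

Added example (not from the thread, HijackThis or ComboFix). The flags
are review prompts for a human reader, not verdicts.
"""
import re

HJT_LINE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")        # "O2 - BHO: ..."
REG_KEY = re.compile(r"^\[(.+)\]$")                            # "[HKEY_...]"
REG_VALUE = re.compile(r'^(?:"([^"]+)"|(@))\s*=\s*(.*)$')      # '"name"=value' or '@=value'

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O15 - Trusted Zone: http://*.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8938FF-F552-4320-880C-3D3F71FCA306}: NameServer = 12.44.251.117,12.44.251.119,12.44.251.116
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Constructed sample: a subset of the ComboFix "Reg Loading Points" and
# "LOCKED REGISTRY KEYS" sections posted above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"""


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage_hjt(entries):
    """Heuristic review flags for HijackThis entries as (reason, body)."""
    flags = []
    for sec, body in entries:
        if sec == "O2" and "(no file)" in body:
            flags.append(("BHO registered but file missing (orphan)", body))
        elif sec == "O4" and ("(User 'SYSTEM')" in body or "(User 'Default user')" in body):
            flags.append(("Run entry in SYSTEM/Default user hive", body))
        elif sec == "O4" and not re.search(r"[A-Za-z]:\\", body):
            # bare file name: resolved through the search path at logon
            flags.append(("Run entry without absolute path", body))
        elif sec == "O15":
            flags.append(("Trusted Zone entry", body))
        elif sec == "O17":
            flags.append(("custom DNS servers; confirm they belong to the ISP", body))
    return flags


def dns_servers(entries):
    """Collect the NameServer addresses from O17 entries."""
    servers = []
    for sec, body in entries:
        if sec == "O17" and "NameServer" in body:
            _, _, value = body.partition("NameServer =")
            servers.extend(s.strip() for s in value.split(",") if s.strip())
    return servers


def parse_regedit4(text):
    """Parse '[key]' / '"name"=value' blocks into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = REG_VALUE.match(line)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            keys[current][name] = vm.group(3).strip()
    return keys


def triage_registry(keys):
    """Review flags for the registry dump as (reason, key)."""
    flags = []
    for key, values in keys.items():
        if key.endswith("*NULL*"):
            # ComboFix marks a key name with an embedded null this way;
            # regedit cannot open such a key, so it hides from casual review
            flags.append(("locked key with embedded null in its name", key))
        for name, value in values.items():
            if name.endswith("DisableNotify") and value == "dword:00000001":
                flags.append((f"Security Center notification suppressed: {name}", key))
            if name == "EnableFirewall" and value.startswith("0"):
                flags.append(("Windows Firewall disabled for standard profile", key))
    return flags


if __name__ == "__main__":
    for reason, where in triage_hjt(parse_hjt(SAMPLE_HJT)) + triage_registry(parse_regedit4(SAMPLE_REG)):
        print(f"{reason}\n    {where}")
```

Run stand-alone it prints one line per flag with the entry or key underneath; point `parse_hjt` and `parse_regedit4` at the full text of a saved log to review a whole machine the same way. The flags for `nwiz.exe` and the Trusted Zone entry are deliberately conservative: both are legitimate here, and the point is that a reader has to confirm that rather than skip over them.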

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 06 January 2009 - 06:31 PM

Hello King_e_dawg,

Looks like ComboFix managed to clear those remains anyway. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the following command into the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems ?

Greetings,
Thunder

#7 king_e_dawg

king_e_dawg
  • Topic Starter
  • Members
  • 4 posts

Posted 07 January 2009 - 12:57 AM

No major problems now for a while. I kind of thought I might have gotten rid of it, but couldn't quite be sure (since it was so hard to do in the first place). McAfee popped up an alert a little while ago, but it turns out it just found a part of ComboFix! I suppose I really should drop McAfee and stick with AVG or something.

Thanks for all your help with this issue!

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 07 January 2009 - 03:02 AM

Glad we could help, King_e_dawg :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.