
Persistent Trojan Vundo, Antivirus 2009


  • This topic is locked
2 replies to this topic

#1 jsinex

  • Members
  • 2 posts
  • Gender:Male
  • Location:Georgia, USA

Posted 03 January 2009 - 03:28 PM

Would greatly appreciate any help you might provide. Somehow I ran into a Vundo that I can't get rid of, with persistent returns of the popups for Antivirus 2009. I've tried several things, including running SuperAntiSpyware and Malwarebytes AntiMalware multiple times (all fully updated), both in regular and safe mode. Below I've attached the most recent logs. Both required reboots to clear things completely, and the part that I can't get rid of is the following keys:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

I've deleted all of my system restore points since that time, with repeat scans, and have run into the same behavior. I've disabled my McAfee to the fullest extent possible during these (though one log listed some portions of it as still on). I've noted some discussion of McAfee potentially "protecting" some malware, with recommendations to uninstall McAfee. I've not yet done that.

Finally, I ran VundoFix (no problem found), VirtumondoBeGone (likewise, none found), and finally ComboFix (downloaded from your site). I'll attach the Combofix log as well.

I greatly appreciate your time and any assistance you might offer.


DDS (Version 1.1.0) - NTFSx86
Run by JS at 14:22:03.14 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1425 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\JS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [Copperhead] c:\program files\razer\copperhead\razerhid.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\js\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-20 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-20 35240]
R3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2008-12-14 11596]
R4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-20 359248]
R4 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-12-20 144704]
R4 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-12-14 388936]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-20 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-20 40488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-20 695624]

=============== Created Last 30 ================

2009-01-03 13:50 <DIR> --d----- C:\ComboFix
2009-01-02 19:31 34,304 a------- c:\windows\system32\drivers\AmdLLD.sys
2009-01-02 19:31 <DIR> --d----- c:\program files\AMD
2008-12-25 22:02 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-25 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 21:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 21:56 <DIR> --d----- c:\docume~1\js\applic~1\SUPERAntiSpyware.com
2008-12-25 20:29 1,260 a------- c:\windows\wininit.ini
2008-12-25 14:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-25 14:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-25 11:19 <DIR> --d----- c:\program files\LucasArts
2008-12-25 10:13 <DIR> --d----- c:\program files\Iron Aces
2008-12-24 12:55 <DIR> --d----- c:\docume~1\js\applic~1\GARMIN
2008-12-24 03:25 <DIR> --d----- c:\docume~1\js\applic~1\Malwarebytes
2008-12-24 03:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 03:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 03:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 03:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 03:09 <DIR> a-dshr-- C:\cmdcons
2008-12-24 03:08 161,792 a------- c:\windows\SWREG.exe
2008-12-24 03:08 98,816 a------- c:\windows\sed.exe
2008-12-22 21:22 544,768 a------- c:\windows\system32\msvcr71d.dll
2008-12-22 21:22 344,064 a------- c:\windows\system32\msvcr70.dll
2008-12-22 21:22 719,872 a------- c:\windows\system32\devil.dll
2008-12-22 21:22 314,368 a------- c:\windows\system32\avisynth.dll
2008-12-22 21:22 <DIR> --d----- c:\program files\Magic Video Converter
2008-12-22 17:01 <DIR> --d----- c:\program files\PeerGuardian2
2008-12-22 14:49 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-22 14:49 208,744 a------- c:\windows\system32\muweb.dll
2008-12-22 14:49 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-22 14:11 <DIR> --d----- c:\program files\MemTurbo
2008-12-22 14:10 304,128 a------- c:\windows\IsUninst.exe
2008-12-22 14:10 <DIR> --d----- c:\documents and settings\js\WINDOWS
2008-12-20 16:55 <DIR> --d----- c:\program files\Citrix
2008-12-20 16:29 15,557 a------- c:\windows\system32\Config.MPF
2008-12-20 16:29 143,360 a------- c:\windows\system32\dunzip32.dll
2008-12-20 16:27 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-20 16:27 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-20 16:27 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-20 16:27 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2008-12-20 16:27 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-20 16:27 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-20 16:27 <DIR> --d----- c:\program files\McAfee.com
2008-12-20 16:27 <DIR> --d----- c:\program files\common files\McAfee
2008-12-20 16:27 <DIR> --d----- c:\program files\McAfee
2008-12-20 14:37 <DIR> --d----- c:\windows\LastGood(2)
2008-12-17 20:58 <DIR> --d----- c:\program files\triCerat
2008-12-17 20:56 <DIR> --d----- c:\docume~1\js\applic~1\ICAClient
2008-12-16 10:48 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-15 21:13 14,608 a------- c:\windows\system32\iviaspi.sys
2008-12-15 18:35 653 a------- c:\windows\unins000.dat
2008-12-15 17:14 102,160 a------- c:\windows\system32\oodbs.lor
2008-12-15 17:10 <DIR> --d----- c:\windows\system32\oodag
2008-12-15 17:10 <DIR> --d----- c:\program files\Symantec
2008-12-15 17:04 <DIR> --d----- C:\TempDVD
2008-12-15 17:04 <DIR> --d----- C:\dvdsanta
2008-12-15 17:04 921,600 a------- c:\windows\system32\vorbisenc.dll
2008-12-15 17:04 516,096 a------- c:\windows\system32\ac3filter.ax
2008-12-15 17:04 258,048 a------- c:\windows\system32\GplMpgDec.ax
2008-12-15 17:04 237,568 a------- c:\windows\system32\OggDS.dll
2008-12-15 17:04 188,416 a------- c:\windows\system32\vorbis.dll
2008-12-15 17:04 45,056 a------- c:\windows\system32\ogg.dll
2008-12-15 17:04 290,304 a------- c:\windows\system32\divxdec.ax
2008-12-15 17:04 116,224 a------- c:\windows\system32\rmalt.ax
2008-12-15 17:04 61,440 a------- c:\windows\system32\xvid.ax
2008-12-15 17:04 28,672 a------- c:\windows\system32\qtalt.ax
2008-12-15 17:04 <DIR> --d----- c:\program files\dvdSanta
2008-12-15 17:02 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-15 17:02 47,360 a------- c:\docume~1\js\applic~1\pcouffin.sys
2008-12-15 17:02 <DIR> --d----- c:\program files\DVDFab 5
2008-12-15 17:01 <DIR> --d----- c:\program files\HyperSnap-DX 5
2008-12-15 16:59 0 a------- c:\windows\oodcnt.INI
2008-12-15 16:56 <DIR> --d----- c:\program files\OO Software
2008-12-15 16:08 256 a------- c:\documents and settings\js\pool.bin
2008-12-15 15:00 23,992 a------- c:\windows\system32\drivers\pnarp.sys
2008-12-15 15:00 25,272 a------- c:\windows\system32\drivers\purendis.sys
2008-12-15 15:00 <DIR> --d----- c:\program files\common files\Pure Networks Shared
2008-12-15 13:53 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-15 13:53 22,328 a------- c:\docume~1\js\applic~1\PnkBstrK.sys
2008-12-15 13:53 107,832 a------- c:\windows\system32\PnkBstrB.exe
2008-12-15 13:53 2,250,024 a------- c:\windows\system32\pbsvc.exe
2008-12-15 13:53 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-15 13:34 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-15 13:34 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-15 13:33 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2008-12-15 13:32 <DIR> --d----- c:\program files\Research In Motion
2008-12-15 13:22 <DIR> --dsh--- c:\windows\ftpcache
2008-12-15 12:29 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-15 11:57 441,760 a------- c:\windows\system32\drivers\timntr.sys
2008-12-15 11:57 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
2008-12-15 11:56 129,248 a------- c:\windows\system32\drivers\snapman.sys
2008-12-15 11:56 368,544 a------- c:\windows\system32\drivers\tdrpman.sys
2008-12-15 11:20 <DIR> --d----- c:\program files\TagRename
2008-12-15 11:18 164,352 a------- c:\windows\system32\unrar.dll
2008-12-15 11:18 38 a------- c:\windows\avisplitter.ini
2008-12-15 11:17 839,680 a------- c:\windows\system32\lameACM.acm
2008-12-15 11:17 118,784 a------- c:\windows\system32\ac3acm.acm
2008-12-15 11:17 1,216,512 a------- c:\windows\system32\xvidcore.dll
2008-12-15 11:17 237,568 a------- c:\windows\system32\xvidvfw.dll
2008-12-15 11:17 217,088 a------- c:\windows\system32\yv12vfw.dll
2008-12-15 11:17 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-12-15 11:17 684,032 a------- c:\windows\system32\divx.dll
2008-12-15 11:17 81,920 a------- c:\windows\system32\dpl100.dll
2008-12-15 11:17 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-15 11:17 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-15 11:17 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-15 11:17 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2008-12-15 11:17 <DIR> --d----- c:\program files\K-Lite Codec Pack
2008-12-15 11:14 <DIR> --d----- c:\program files\Epocrates
2008-12-15 01:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-15 01:47 <DIR> --d----- c:\windows\system32\xlive
2008-12-15 01:05 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-15 01:05 <DIR> --d----- c:\program files\Rockstar Games
2008-12-15 01:00 203,540 a------- c:\windows\system32\nvapps.nvb
2008-12-15 00:45 <DIR> --d----- c:\windows\RegisteredPackages
2008-12-14 22:40 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-14 21:26 <DIR> --d----- c:\program files\VS Revo Group
2008-12-14 21:25 <DIR> --d----- c:\program files\DAMN NFO Viewer
2008-12-14 21:22 266,360 a------- c:\windows\system32\TweakUI.exe
2008-12-14 21:02 <DIR> --d----- c:\windows\system32\URTTemp
2008-12-14 20:51 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-12-14 20:51 272,128 -------- c:\windows\system32\drivers\bthport.sys
2008-12-14 20:48 <DIR> --d----- c:\windows\system32\PreInstall
2008-12-14 20:45 31,768 a------- c:\windows\system32\wucltui.dll.mui
2008-12-14 20:45 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2008-12-14 20:45 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-14 20:45 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2008-12-14 20:45 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-12-14 19:11 <DIR> --d----- c:\docume~1\js\applic~1\Webroot
2008-12-14 19:11 <DIR> --d----- c:\program files\Webroot
2008-12-14 19:11 <DIR> --d----- c:\program files\common files\Webroot Shared
2008-12-14 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2008-12-14 19:11 69,960 a------- c:\windows\Unwash6.exe
2008-12-14 18:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2008-12-14 17:19 657 a------- c:\windows\Q&EORG.INI
2008-12-14 17:01 <DIR> --d----- c:\docume~1\js\applic~1\DAEMON Tools Pro
2008-12-14 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2008-12-14 17:00 <DIR> --d----- c:\program files\DAEMON Tools Lite
2008-12-14 16:58 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-14 16:58 <DIR> --d----- c:\docume~1\js\applic~1\DAEMON Tools Lite
2008-12-14 16:57 <DIR> --d----- c:\docume~1\js\applic~1\.BitTornado
2008-12-14 16:52 30 a------- c:\windows\system32\mslck.dat
2008-12-14 16:51 569,368 a------- c:\windows\system32\olelib.tlb
2008-12-14 16:51 389,120 a------- c:\windows\system32\actskn43.ocx
2008-12-14 16:51 368,912 a------- c:\windows\system32\vbar332.dll
2008-12-14 16:51 153,088 a------- c:\windows\system32\fldlckun.exe
2008-12-14 16:51 140,288 a------- c:\windows\system32\COMDLG32.OCX
2008-12-14 16:51 34,304 a------- c:\windows\system32\ntsvc.ocx
2008-12-14 16:51 <DIR> --d----- c:\program files\FolderAccess
2008-12-14 16:51 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX
2008-12-14 16:47 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-14 16:47 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-14 16:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 16:46 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-12-14 16:39 14,592 a------- c:\windows\system32\drivers\USBICP.sys
2008-12-14 16:39 11,596 a------- c:\windows\system32\drivers\copperhd.sys
2008-12-14 16:39 69,632 a------- c:\windows\system32\copperhd.cpl
2008-12-14 16:36 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-14 16:36 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-14 16:32 389,180 a------- c:\windows\system32\UCS32P.DLL
2008-12-14 16:32 339,968 a------- c:\windows\system32\N067UFW.DLL
2008-12-14 16:32 36,864 a------- c:\windows\system32\CNQU70.DLL
2008-12-14 16:32 <DIR> --d-h--- C:\CanoScan
2008-12-14 16:29 87,552 a------- c:\windows\system32\CNMLM3q.DLL
2008-12-14 16:29 5,632 a------- c:\windows\system32\CNMVS3q.DLL
2008-12-14 16:29 73,728 a------- c:\windows\system32\CNMCP3q.exe
2008-12-14 16:29 <DIR> --d-h--- C:\BJPrinter
2008-12-14 14:55 19,712 a----r-- c:\windows\system32\drivers\mxofwfp.sys
2008-12-14 14:55 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-14 14:11 <DIR> --d----- c:\documents and settings\js\usrusmt2.tmp
2008-12-14 13:36 <DIR> --d----- C:\ceea64b6bd212dfa911c86cbeb80da
2008-12-14 13:24 <DIR> --d----- c:\program files\Maxtor
2008-12-14 13:12 <DIR> --d----- c:\windows\pss
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\TuneUp Software
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\Research In Motion
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\Microsoft Games
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\McAfee
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\MAGIX
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\LEAPS
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\IrfanView
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\Ideazon
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\hott notes 4
2008-12-14 11:36 <DIR> --d----- c:\docume~1\js\applic~1\Blackberry Desktop
2008-12-14 11:33 <DIR> --d----- c:\windows\system32\WDI
2008-12-14 11:33 <DIR> --d----- c:\windows\system32\WCN
2008-12-14 11:33 <DIR> --d----- c:\windows\system32\migwiz
2008-12-14 11:33 <DIR> --d----- c:\windows\system32\DriverStore
2008-12-14 11:33 <DIR> --d----- c:\windows\ServiceProfiles
2008-12-14 11:33 <DIR> --d----- c:\windows\PLA
2008-12-14 11:33 <DIR> --d----- c:\windows\Performance
2008-12-14 11:33 <DIR> --d----- c:\windows\Panther
2008-12-14 11:22 <DIR> --d----- C:\Users
2008-12-14 11:22 <DIR> --d----- C:\ProgramData
2008-12-14 11:22 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-14 11:22 <DIR> --d----- C:\c3b4312f2e26c7af9e6327ee
2008-12-14 11:20 <DIR> --d----- C:\Videos
2008-12-14 11:19 <DIR> --d----- C:\Temp DVD.{21EC2020-3AEA-1069-A2DD-08002B30309D}
2008-12-14 11:14 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-14 11:14 <DIR> --d----- C:\Dead.Space
2008-12-14 11:14 <DIR> --d----- c:\windows\SHELLNEW
2008-12-14 11:14 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-14 11:14 <DIR> --d----- C:\Tivola
2008-12-14 11:14 <DIR> --d----- c:\program files\Yahoo!
2008-12-14 11:14 <DIR> --d----- c:\program files\TuneUp Utilities 2008
2008-12-14 11:13 <DIR> --d----- c:\program files\Steam
2008-12-14 11:13 <DIR> --d----- c:\program files\Siber Systems
2008-12-14 11:13 <DIR> --d----- c:\program files\SanDisk
2008-12-14 11:13 <DIR> --d----- c:\program files\RivaTuner v2.20
2008-12-14 11:13 <DIR> --d----- c:\program files\QNEORG
2008-12-14 11:13 <DIR> --d----- c:\program files\Pure Networks
2008-12-14 11:13 <DIR> --d----- c:\program files\PC Magazine Utilities
2008-12-14 11:13 <DIR> --d----- c:\program files\Nero
2008-12-14 11:13 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-14 11:13 <DIR> --d----- c:\program files\Microsoft Games
2008-12-14 11:13 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-12-14 11:13 <DIR> --d----- c:\program files\Mass Effect
2008-12-14 11:13 <DIR> --d----- c:\program files\iTunes
2008-12-14 11:13 <DIR> --d----- c:\program files\IrfanView
2008-12-14 11:13 <DIR> --d----- c:\program files\iPod
2008-12-14 11:13 <DIR> --d----- c:\program files\GameSpot
2008-12-14 11:12 <DIR> --d----- c:\program files\Disney Interactive
2008-12-14 11:12 <DIR> --d----- c:\program files\Disney
2008-12-14 11:12 <DIR> --d----- c:\program files\common files\Sonic Shared
2008-12-14 11:12 <DIR> --d----- c:\program files\common files\Research In Motion
2008-12-14 11:12 <DIR> --d----- c:\program files\common files\MAGIX Shared
2008-12-14 11:12 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-14 11:12 <DIR> --d----- c:\program files\Canon
2008-12-14 11:12 <DIR> --d----- c:\program files\Bonjour
2008-12-14 11:12 <DIR> --d----- c:\program files\BitTornado
2008-12-14 11:12 <DIR> --d----- c:\program files\Big City Adventure San Francisco
2008-12-14 11:12 <DIR> --d----- c:\program files\Bethesda Softworks
2008-12-14 11:12 <DIR> --d----- c:\program files\Attack on Pearl Harbor
2008-12-14 11:07 <DIR> --d----- c:\program files\ACW
2008-12-14 11:07 <DIR> --d----- c:\program files\Activision
2008-12-14 11:07 <DIR> --d----- C:\MigWiz
2008-12-14 11:07 <DIR> --d----- C:\Garmin
2008-12-14 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2008-12-14 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-12-13 21:40 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-13 21:39 <DIR> --d----- c:\windows\system32\LogFiles
2008-12-13 21:36 <DIR> --d-h--- c:\windows\msdownld.tmp
2008-12-13 21:36 <DIR> --d----- c:\windows\Logs
2008-12-13 21:29 23,856 a------- c:\windows\system32\spupdsvc.exe
2008-12-13 21:28 <DIR> --d-h--- c:\windows\$hf_mig$
2008-12-13 21:19 <DIR> --d----- c:\windows\system32\AGEIA
2008-12-13 21:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-13 21:19 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-13 21:19 199,207 a------- c:\windows\system32\nvapps.xml
2008-12-13 21:19 18,537 a------- c:\windows\system32\nvdisp.nvu
2008-12-13 21:19 <DIR> --d----- c:\windows\nview
2008-12-13 21:14 4,992 ac------ c:\windows\system32\dllcache\mspqm.sys
2008-12-13 21:14 <DIR> --d----- c:\program files\NVIDIA Corporation
2008-12-13 21:14 <DIR> --d----- c:\program files\common files\NVIDIA Shared
2008-12-13 21:13 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-13 21:13 <DIR> --d----- C:\NVIDIA
2008-12-13 21:11 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2008-12-13 21:09 <DIR> --d----- c:\documents and settings\JS
2008-12-13 21:07 103,424 ac------ c:\windows\system32\dllcache\uihelper.dll
2008-12-13 21:06 1,677,824 ac------ c:\windows\system32\dllcache\chsbrkr.dll
2008-12-13 21:05 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-12-13 21:05 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2008-12-13 21:05 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-12-13 21:04 <DIR> --d----- c:\program files\common files\MSSoap
2008-12-13 21:03 <DIR> --d----- c:\program files\Messenger OFF
2008-12-13 21:02 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-12-13 21:02 <DIR> --d----- c:\program files\Windows NT
2008-12-13 15:59 <DIR> --d--r-- c:\documents and settings\all users\Documents
2008-12-13 12:14 <DIR> --d----- c:\program files\common files\ODBC
2008-12-13 12:14 <DIR> --d----- c:\program files\common files\SpeechEngines

==================== Find3M ====================

2008-12-15 18:35 72,748 a------- c:\windows\unins000.exe
2008-12-14 18:31 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-14 18:31 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-14 18:31 129,784 a------- c:\windows\system32\pxafs.dll
2008-12-14 18:31 116,472 a------- c:\windows\system32\pxcpyi64.exe
2008-12-14 18:31 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-12-14 18:31 118,520 a------- c:\windows\system32\pxinsi64.exe
2008-12-13 21:11 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 21:03 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-02 23:11 801,312 a------- c:\windows\system32\nvcplui.exe
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll

============= FINISH: 14:22:30.17 ===============
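A triage script for the two log formats quoted in this post (the DDS "Pseudo HJT Report" lines and the Malwarebytes "Registry Keys Infected" lines), added here as an illustration; it is not part of the thread and is not code from DDS, Malwarebytes or BleepingComputer. The sample lines are copied from the logs above, and the set of trusted-zone domains treated as expected on this machine is an assumption made for the example.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' plus Malwarebytes log lines.

Added example, not part of the original thread or of DDS/MBAM. It parses the
two formats and reports what a malware responder checks first: registry keys
MBAM could only schedule for delete-on-reboot (the symptom the poster
describes), Trusted Zone domains beyond the expected set, and browser add-on
entries whose file is gone. It then cross-references the pending CLSIDs
against every live load point in the DDS report.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the logs in the post.
DDS_SAMPLE = """\
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\\program files\\adobe\\acrobat 8.0\\acrobat\\AcroIEFavClient.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [mcagent_exe] c:\\program files\\mcafee.com\\agent\\mcagent.exe /runkey
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
LSA: Authentication Packages = msv1_0 relog_ap
"""

MBAM_SAMPLE = """\
Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\\CLSID\\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
"""

CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
# "<hive\path> (<detection>) -> <action>."
MBAM_KEY_RE = re.compile(r"^(HK[A-Z_]+\\\S+?) \(([^)]+)\) -> (.+?)\.?$")

# Assumption for this example: the IE default zone entry plus the installed
# AV vendor (McAfee, per the DDS "AV:" line) are expected; anything else is reported.
EXPECTED_TRUSTED = {"internet", "mcafee.com"}


def parse_mbam_keys(text):
    """Return [(key, detection, action)] for each 'Registry Keys Infected' line."""
    found = []
    for line in text.splitlines():
        m = MBAM_KEY_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def parse_dds_hjt(text):
    """Split report lines into (tag, body) pairs, e.g. ('TB', '{...} - No File')."""
    entries = []
    for line in text.splitlines():
        if ":" in line:
            tag, body = line.split(":", 1)
            entries.append((tag.strip(), body.strip()))
    return entries


def triage(dds_text, mbam_text):
    """Return a dict of findings a responder would look at first."""
    entries = parse_dds_hjt(dds_text)
    findings = {"reboot_pending": [], "trusted_zone": [],
                "dangling_addons": [], "clsid_in_dds": []}

    # 1. Keys MBAM could not remove live; collect their CLSIDs for step 4.
    pending_clsids = set()
    for key, detection, action in parse_mbam_keys(mbam_text):
        if action.lower().startswith("delete on reboot"):
            findings["reboot_pending"].append((key, detection))
            pending_clsids.update(c.lower() for c in CLSID_RE.findall(key))

    # 2. Trusted Zone entries beyond the expected set, with a count so a
    #    domain listed more than once (e.g. under more than one hive) stands out.
    zones = Counter(body.lower() for tag, body in entries if tag == "Trusted Zone")
    for domain, n in sorted(zones.items()):
        if domain not in EXPECTED_TRUSTED:
            findings["trusted_zone"].append((domain, n))

    # 3. Toolbar / BHO / explorer-bar entries whose file no longer exists.
    for tag, body in entries:
        if tag in ("TB", "BHO", "EB") and body.endswith("No File"):
            m = CLSID_RE.search(body)
            findings["dangling_addons"].append(m.group(0) if m else body)

    # 4. Does any delete-on-reboot CLSID still appear as a live load point?
    for tag, body in entries:
        for clsid in CLSID_RE.findall(body):
            if clsid.lower() in pending_clsids:
                findings["clsid_in_dds"].append((tag, clsid))
    return findings


if __name__ == "__main__":
    for section, items in triage(DDS_SAMPLE, MBAM_SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

An empty `clsid_in_dds` list, as with the sample here, means the CLSIDs MBAM flagged are not referenced by any toolbar, BHO or Run entry DDS saw; a non-empty one points straight at the load point to examine.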

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 January 2009 - 02:14 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
    Right-click it -> choose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 12:06 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
