
Infected with Trojan.Vundo.H and Trojan.BHO


  • This topic is locked
11 replies to this topic

#1 Greg Sweet

  • Members
  • 10 posts

Posted 23 January 2009 - 08:50 AM

As requested by user boopme, I am posting these logs.

Referred here from: http://www.bleepingcomputer.com/forums/t/195682/infected-with-trojanvundoh-and-trojanbho/ ~ OB

DDS


DDS (Ver_09-01-19.01) - NTFSx86
Run by Greg Sweet at 8:46:07.06 on 01/23/09
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.372 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP Wireless Multimedia Keyboard and Mouse\KMaestro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg Sweet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {041B67DA-AD06-4D3E-89C1-C36E7661B581} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {750EC6CE-E4D1-4DDF-B524-222C76953C2E} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A4A98A6B-C62B-434A-BBB3-B8AC620843D4} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {DBAB3761-A94A-460E-A675-D68D8EAA84F6} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {DE347001-EE68-4F5F-93D2-20DCDF587A44} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EF7F6FC6-75D9-43B9-AC0D-B243C08A350C} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [Greg Sweet] c:\documents and settings\greg sweet\Greg Sweet.exe /i
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [VBTUCopy] c:\program files\vbtucopy\VBTUCopy.exe /a /f
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BtcMaestro] "c:\program files\hp wireless multimedia keyboard and mouse\KMaestro.exe"
mRun: [CPMfbdea679] Rundll32.exe "c:\windows\system32\yujitana.dll",a
mRun: [f8ed95e5] rundll32.exe "c:\windows\system32\nwhsthvw.dll",b
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\gregsw~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link media server\MediaGUI.exe
StartupFolder: c:\docume~1\gregsw~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link media server\MediaGUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myrci.lnk - c:\program files\theport\xml player\XMLplayer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\bagent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} - hxxp://a248.g.akamai.net/7/248/9286/200309241629/ps.theport.com/xmlplayer/eng2/download.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://esqapey.spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.53.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/sis/axhost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.117/view22/diyapp/View22RTE.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: geBuVOih - geBuVOih.dll
Notify: nnnoLFvs - nnnoLFvs.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\powirabu.dll c:\windows\system32\sukakuya.dll c:\windows\system32\bamawasi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
SEH: {DA93D885-6248-4A14-8C49-6BAF5E4CA44C} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\sukakuya.dll

============= SERVICES / DRIVERS ===============

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-12-14 6097]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2005-12-1 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-12-14 299923]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-12-1 189792]
S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [2004-11-26 13696]
S4 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S4 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]

=============== Created Last 30 ================

2009-01-22 14:48 --d----- c:\windows\ERUNT
2009-01-22 14:45 --d----- C:\SDFix
2009-01-22 12:49 --d----- C:\AutoRuns
2009-01-21 10:23 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-21 10:23 --d----- c:\program files\SUPERAntiSpyware
2009-01-21 10:23 --d----- c:\docume~1\gregsw~1\applic~1\SUPERAntiSpyware.com
2009-01-16 12:01 --d----- c:\program files\Trend Micro
2009-01-13 22:57 127 a------- c:\windows\system32\MRT.INI
2009-01-13 10:43 22,016 a------- c:\windows\system32\drivers\PORT135SIK.SYS.1.AVB
2009-01-13 10:43 22,016 a------- c:\windows\system32\drivers\PORT135SIK.SYS.0.AVB
2009-01-04 19:45 33,280 a------- c:\windows\system32\CRYPTS.DLL.0.AVB
2009-01-03 01:28 --d----- c:\program files\common files\Symantec Shared
2008-12-30 22:45 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-27 14:09 83,216 -------- c:\windows\system32\KmRemove.exe
2008-12-27 14:09 --d----- c:\program files\HP Wireless Multimedia Keyboard and Mouse
2008-12-27 13:57 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 22:19 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-25 22:19 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-25 22:19 --d----- c:\program files\iPod
2008-12-25 22:19 --d----- c:\program files\iTunes
2008-12-25 22:19 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 22:18 --d----- c:\program files\Bonjour
2008-12-25 22:17 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 22:44 578,560 a------- c:\windows\system32\user32.DLL
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-01 15:45 30 a------- c:\documents and settings\greg sweet\jagex_runescape_preferences.dat
2008-02-19 18:14 774,144 a------- c:\program files\RngInterstitial.dll
2007-01-09 21:05 87,608 a------- c:\docume~1\gregsw~1\applic~1\ezpinst.exe
2007-01-09 21:05 47,360 a------- c:\docume~1\gregsw~1\applic~1\pcouffin.sys
2006-03-02 19:00 56 ---shr-- c:\windows\system32\209B916624.sys

============= FINISH: 8:46:55.34 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-19.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/01/05 5:14:48 PM
System Uptime: 01/22/09 3:04:00 PM (17 hours ago)

Motherboard: Dell Inc. | | 0YC523
Processor: Intel® Pentium® D CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 230 GiB total, 26.767 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (FAT32) - 298 GiB total, 45.428 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================

RP108: 10/25/08 11:08:10 AM - System Checkpoint
RP109: 10/26/08 5:01:43 PM - System Checkpoint
RP110: 10/27/08 5:32:35 PM - System Checkpoint
RP111: 10/28/08 5:55:32 PM - System Checkpoint
RP112: 10/29/08 9:30:53 AM - Software Distribution Service 3.0
RP113: 10/30/08 10:48:50 AM - System Checkpoint
RP114: 10/31/08 1:50:18 AM - Software Distribution Service 3.0
RP115: 11/01/08 3:07:33 AM - System Checkpoint
RP116: 11/02/08 2:28:53 AM - System Checkpoint
RP117: 11/03/08 2:56:41 AM - System Checkpoint
RP118: 11/04/08 4:09:04 AM - System Checkpoint
RP119: 11/05/08 1:49:27 AM - Software Distribution Service 3.0
RP120: 11/06/08 4:09:50 AM - System Checkpoint
RP121: 11/07/08 12:15:38 AM - Software Distribution Service 3.0
RP122: 11/07/08 9:21:31 PM - Software Distribution Service 3.0
RP123: 11/08/08 10:38:23 PM - System Checkpoint
RP124: 11/09/08 11:16:27 PM - System Checkpoint
RP125: 11/10/08 1:43:06 PM - Software Distribution Service 3.0
RP126: 11/12/08 2:32:13 AM - System Checkpoint
RP127: 11/12/08 3:00:23 AM - Software Distribution Service 3.0
RP128: 11/13/08 1:58:20 AM - Software Distribution Service 3.0
RP129: 11/14/08 2:17:44 AM - System Checkpoint
RP130: 11/15/08 2:30:13 AM - System Checkpoint
RP131: 11/16/08 1:58:14 AM - Software Distribution Service 3.0
RP132: 11/17/08 2:31:07 AM - System Checkpoint
RP133: 11/18/08 3:21:18 AM - System Checkpoint
RP134: 11/19/08 3:51:33 AM - Software Distribution Service 3.0
RP135: 11/20/08 4:51:37 AM - System Checkpoint
RP136: 11/21/08 1:53:34 AM - Software Distribution Service 3.0
RP137: 11/22/08 2:51:37 AM - System Checkpoint
RP138: 11/23/08 3:44:39 AM - System Checkpoint
RP139: 11/24/08 4:37:36 AM - System Checkpoint
RP140: 11/24/08 6:39:23 PM - Software Distribution Service 3.0
RP141: 11/25/08 9:02:26 PM - System Checkpoint
RP142: 11/26/08 9:45:41 PM - System Checkpoint
RP143: 11/27/08 9:48:56 PM - System Checkpoint
RP144: 11/28/08 1:53:25 AM - Software Distribution Service 3.0
RP145: 11/29/08 2:44:28 AM - System Checkpoint
RP146: 11/30/08 3:37:58 AM - System Checkpoint
RP147: 12/01/08 4:25:50 AM - System Checkpoint
RP148: 12/02/08 4:37:30 AM - System Checkpoint
RP149: 12/02/08 4:40:44 AM - Software Distribution Service 3.0
RP150: 12/02/08 3:02:25 PM - Removed IKEA HomePlanner Kitchen
RP151: 12/03/08 3:46:17 PM - System Checkpoint
RP152: 12/04/08 1:33:38 PM - Software Distribution Service 3.0
RP153: 12/05/08 1:46:04 PM - System Checkpoint
RP154: 12/06/08 1:47:21 PM - System Checkpoint
RP155: 12/07/08 2:12:05 PM - System Checkpoint
RP156: 12/08/08 3:56:33 PM - System Checkpoint
RP157: 12/08/08 10:16:30 PM - Software Distribution Service 3.0
RP158: 12/09/08 10:19:30 PM - System Checkpoint
RP159: 12/10/08 10:43:14 PM - System Checkpoint
RP160: 12/12/08 2:36:42 PM - System Checkpoint
RP161: 12/13/08 3:24:19 PM - System Checkpoint
RP162: 12/15/08 8:28:38 AM - System Checkpoint
RP163: 12/16/08 10:12:57 AM - System Checkpoint
RP164: 12/17/08 2:37:48 PM - System Checkpoint
RP165: 12/18/08 2:56:50 PM - System Checkpoint
RP166: 12/19/08 3:49:31 PM - System Checkpoint
RP167: 12/20/08 4:03:22 PM - System Checkpoint
RP168: 12/21/08 4:20:51 PM - System Checkpoint
RP169: 12/22/08 4:48:42 PM - System Checkpoint
RP170: 12/23/08 5:12:18 PM - System Checkpoint
RP171: 12/24/08 5:51:45 PM - System Checkpoint
RP172: 12/25/08 6:03:48 PM - System Checkpoint
RP173: 12/25/08 10:19:19 PM - Installed iTunes
RP174: 12/26/08 11:19:01 PM - System Checkpoint
RP175: 12/27/08 1:57:03 PM - Installed Java™ 6 Update 11
RP176: 12/27/08 1:59:47 PM - Software Distribution Service 3.0
RP177: 12/27/08 2:01:58 PM - Software Distribution Service 3.0
RP178: 12/27/08 2:12:17 PM - Installed Router
RP179: 12/28/08 5:49:11 PM - System Checkpoint
RP180: 12/29/08 6:34:44 PM - System Checkpoint
RP181: 12/29/08 10:46:21 PM - Software Distribution Service 3.0
RP182: 12/30/08 11:28:51 PM - System Checkpoint
RP183: 12/31/08 11:51:31 PM - System Checkpoint
RP184: 01/01/09 11:56:44 PM - System Checkpoint
RP185: 01/02/09 1:34:18 AM - Software Distribution Service 3.0
RP186: 01/02/09 10:28:33 PM - Shockwave Player
RP187: 01/03/09 10:52:28 PM - System Checkpoint
RP188: 01/04/09 10:57:47 PM - System Checkpoint
RP189: 01/05/09 2:40:53 PM - Software Distribution Service 3.0
RP190: 01/06/09 3:58:42 PM - System Checkpoint
RP191: 01/07/09 4:51:05 PM - System Checkpoint
RP192: 01/08/09 5:26:02 PM - System Checkpoint
RP193: 01/08/09 11:51:43 PM - Software Distribution Service 3.0
RP194: 01/10/09 7:08:15 AM - System Checkpoint
RP195: 01/11/09 8:45:13 AM - System Checkpoint
RP196: 01/12/09 11:49:57 AM - System Checkpoint
RP197: 01/13/09 12:44:18 PM - System Checkpoint
RP198: 01/13/09 10:54:25 PM - Software Distribution Service 3.0
RP199: 01/14/09 11:48:10 PM - System Checkpoint
RP200: 01/15/09 3:07:01 PM - Software Distribution Service 3.0
RP201: 01/16/09 4:12:20 PM - System Checkpoint
RP202: 01/17/09 4:47:51 PM - System Checkpoint
RP203: 01/18/09 7:05:09 PM - System Checkpoint
RP204: 01/19/09 8:09:14 PM - System Checkpoint
RP205: 01/20/09 1:49:38 AM - Software Distribution Service 3.0
RP206: 01/21/09 2:03:59 AM - System Checkpoint
RP207: 01/21/09 10:23:35 AM - Installed SUPERAntiSpyware Free Edition
RP208: 01/22/09 10:55:23 AM - System Checkpoint
RP209: 01/22/09 3:14:22 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Aare AVI to VCD/DVD/SVCD/MPEG Converter
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Any Video Converter 2.6.7
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoUpdate
AviSynth 2.5
Big Fish Games Client
Bonjour
CA eTrust Antivirus
CDex extraction audio
Choice Guard
Contacts
ConvertXtoDVD 2.1.14.223
D-Link Media Server 1.10
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center
Dell System Restore
DellConnect
DellSupport
DING!
DivX
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
Google Desktop
Google Toolbar for Internet Explorer
GSpot Codec Information Appliance
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp deskjet 6122 series
HP Wireless Multimedia Keyboard and Mouse Driver V1.3
Insaniquarium Deluxe 1.1
Intel A/V Codecs V2.0
Intel Matrix Storage Manager
Intel® 537EP V9x DFV PCI Modem
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
InterVideo WinDVD Creator 2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Lame ACM MP3 Codec
Learn2 Player (Uninstall Only)
LimeWire PRO 4.16.4
Logitech Desktop Messenger
Logitech Harmony Remote Client
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Matroska Pack - Lazy Man's MKV 1.0.1-alpha6
MCU
MD Simple Burner 2.0.01
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Application Error Reporting
Microsoft Digital Image Library 9
Microsoft Digital Image Pro 9
Microsoft FrontPage 2000
Microsoft Office Professional Edition 2003
Microsoft Plus! for Windows XP
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2004
Modem Event Monitor
Modem Helper
Modem On Hold
MS Access 97 SP2
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
MyPublisher
Nuclear Coffee - VideoGet 2.0.2.28
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
Peggle Deluxe (remove only)
Peggle Nights Deluxe 1.0
Platform
PowerDVD 5.5
Punch! Master Landscape Pro
Quicken 2006
QuickTax 2006
QuickTax 2007
QuickTime
RealArcade
RealPlayer
Remote Control USB Driver
Retirement Income Planner
Scrapbook Factory Deluxe
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Segoe UI
SimCity 3000 Unlimited
SmartSound Quicktracks Plugin
Sonic Audio module
Sonic Copy Module
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Data
Sony USB Driver
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SureThing CD Labeler - Stomper Edition 32 bit
The Sims 2
Tweak Manager 2.1
Ulead AC-3 PowerPack
Ulead DVD MovieFactory 3 Suite
Ulead VideoStudio 8.0 SE DVD
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
Viewpoint Media Player
Virtual DJ - Atomix Productions
VLC media player 0.9.6
VPN Client
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Beta (all programs)
Windows Live Call
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live SkyDrive Upload Tool
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip
XMLplayer
XviD MPEG-4 Video Codec
Zoo Tycoon 2

==== End Of File ===========================

Edited by Orange Blossom, 23 January 2009 - 09:44 PM.
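The helpers read the pseudo-HJT section of the log above by eye; as an added example (not code from this thread or from the DDS tool), the script below parses those autostart lines and flags the entries that characterise this Vundo infection: Run-key rundll32 entries with single-letter exports, unpathed Winlogon Notify DLLs, random-named AppInit_DLLs, and LSA notification packages other than the default scecli. The eight-letter random-name rule is a heuristic lifted from this particular log, and the sample lines are copied from the report posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: autostart lines copied from the DDS "Pseudo HJT Report" in the
# post above, with a few of its clean entries kept so the triage has something
# it must leave alone.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CPMfbdea679] Rundll32.exe "c:\windows\system32\yujitana.dll",a
mRun: [f8ed95e5] rundll32.exe "c:\windows\system32\nwhsthvw.dll",b
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: geBuVOih - geBuVOih.dll
Notify: nnnoLFvs - nnnoLFvs.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\powirabu.dll c:\windows\system32\sukakuya.dll c:\windows\system32\bamawasi.dll
LSA: Notification Packages = scecli c:\windows\system32\sukakuya.dll
"""

# Heuristic only: every DLL Vundo dropped in this log is eight letters with no
# digits (yujitana, nwhsthvw, geBuVOih, ...). Legitimate DLLs can match too, so
# a hit means "look at this file", not "this is malware".
RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)
RUN_LINE = re.compile(r"^[mu]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    mechanism: str  # autostart location: Run key, Winlogon Notify, AppInit_DLLs, LSA
    dll: str        # DLL basename, lower-cased so duplicates collapse
    reason: str


def basename(path: str) -> str:
    """File name part of a Windows path, with surrounding quotes removed."""
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    return RANDOM_NAME.match(filename) is not None


def triage_hjt(report: str) -> list[Finding]:
    """Walk a DDS pseudo-HJT report and flag autostart entries worth a closer look."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if (m := RUN_LINE.match(line)):
            dl = RUNDLL.search(m["cmd"])
            if dl:
                name = basename(dl["dll"])
                if len(dl["export"]) == 1 or looks_random(name):
                    findings.append(Finding("Run key", name.lower(),
                                            f"rundll32 loads {name} with export '{dl['export']}'"))
        elif line.startswith("Notify: "):
            _, _, dll = line[len("Notify: "):].partition(" - ")
            # Legitimate third-party Notify DLLs in this log carry a full path.
            if "\\" not in dll and looks_random(basename(dll)):
                findings.append(Finding("Winlogon Notify", basename(dll).lower(),
                                        "unpathed Notify DLL with a random-looking name"))
        elif line.startswith("AppInit_DLLs: "):
            for dll in line[len("AppInit_DLLs: "):].split():
                name = basename(dll)
                if looks_random(name):
                    findings.append(Finding("AppInit_DLLs", name.lower(),
                                            "random-looking DLL injected into every user32 process"))
        elif line.startswith("LSA: Notification Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":
                    findings.append(Finding("LSA Notification Packages", basename(pkg).lower(),
                                            "package other than the default scecli"))
    return findings


def suspect_dlls(findings: list[Finding]) -> list[str]:
    """Unique DLL names to collect from the machine for analysis, sorted for stable output."""
    return sorted({f.dll for f in findings})


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.mechanism:26} {f.dll:14} {f.reason}")
    print("collect:", ", ".join(suspect_dlls(triage_hjt(SAMPLE_LOG))))
```

On the sample, sukakuya.dll is reported twice (AppInit_DLLs and LSA), which is the kind of overlap that explains why the infection survives the removal of a single autostart entry.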



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 03 February 2009 - 07:39 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Post back with:
-Combofix log
-New Pair of DDS logs
-Description of any problems you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 05 February 2009 - 01:11 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 07 February 2009 - 04:39 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 17 February 2009 - 04:04 PM

Hello.

Topic re-opened as user returned. Please let me know of any problems you may still have. I have the logs you posted in the other topic so no need to re post it again.

With Regards,
Extremeboy

#6 Greg Sweet

Greg Sweet
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 17 February 2009 - 04:12 PM

I am still having the same issues with Trojan.Vundo.H and Trojan.BHO. They are in the registry and I cannot get rid of them.
eTrust also pops up with a virus called "Silly" once in a while.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 17 February 2009 - 04:49 PM

Hello.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue do the steps below:
Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case LimeWire PRO 4.16.4). These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Combofix you currently have is outdated now. It has been a while since you posted these logs...

Please delete Combofix you have on your desktop right now. Re-download it from one of the links below:

Link 1
Link 2
Link 3

Install the Recovery Console!!!

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.
Posted Image
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No.

    Posted Image
  • Make sure you select No at this prompt

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/197476/infected-with-trojanvundoh-and-trojanbho/
    Collect::[68]
    c:\windows\system32\drivers\PORT135SIK.SYS.0.AVB
    Driver::
    ati64si
    port135sik
    Rootkit::
    c:\windows\system32\drivers\ati64si.sys
    c:\windows\system32\drivers\port135sik.sys
    File::
    c:\windows\system32\209B916624.sys
    c:\windows\system32\nwhsthvw.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "f8ed95e5"=-
    "CPMfbdea679"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "6346:TCP"=-
    "6346:UDP"=-
    DDS::
    TB: {BA52B914-B692-46c4-B683-905236F6F655} -
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When ComboFix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
  • Simply follow the instructions to copy/paste/send the requested file.
Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important: Please do not select the Show all checkbox during the scan.

Removing Programs using Add/Remove

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 11


Additional instructions can be found here if needed.

Post back with:
-Combofix log ~ Did the upload go successfully?
-GMER log
-New DDS log (only DDS.txt)
-Problems you still have? Does your AV still detect it? If so, tell me the location and name please.


With Regards,
Extremeboy

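The CFScript in the post above removes three firewall exceptions ("3389:TCP", "6346:TCP", "6346:UDP") from the StandardProfile GloballyOpenPorts\List key. As an added example that is not from the thread or from ComboFix, the following script parses a `reg export` of that key and reports which exceptions are open to every remote address, so the list can be reviewed before anything is removed. The value format "port:proto:scope:state:name" with "*" meaning any address is an assumption about the XP SP2 firewall, and the export below is constructed.

```python
"""Audit a Windows XP firewall policy export for globally open ports."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `reg export` output for the key; not a real export.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:File and Printer Sharing"
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"6346:TCP"="6346:TCP:*:Enabled:LimeWire"
"6346:UDP"="6346:UDP:*:Enabled:LimeWire"
"8080:TCP"="8080:TCP:*:Disabled:Old proxy"
'''

# Ports a home XP box has no business exposing to the whole Internet.
# 3389 is Remote Desktop; 6346 is the Gnutella default port used by LimeWire.
WATCHLIST = {3389: "Remote Desktop (RDP)", 6346: "Gnutella / LimeWire"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str      # "*" = any remote address, "LocalSubNet" = LAN only
    enabled: bool
    label: str


def parse_open_ports(reg_text: str) -> list[OpenPort]:
    """Return the exceptions listed under the GloballyOpenPorts\\List key."""
    ports: list[OpenPort] = []
    in_section = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the GloballyOpenPorts\List section is of interest.
            in_section = line.rstrip("]").lower().endswith(r"globallyopenports\list")
            continue
        if not in_section:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        fields = m.group("data").split(":", 4)
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess its meaning
        port, proto, scope, state = fields[:4]
        label = fields[4] if len(fields) == 5 else ""
        ports.append(OpenPort(int(port), proto.upper(), scope,
                              state.lower() == "enabled", label))
    return ports


def risky_exceptions(ports: list[OpenPort]) -> list[str]:
    """Flag enabled exceptions whose scope is '*', naming watchlisted services."""
    findings = []
    for p in ports:
        if not p.enabled or p.scope != "*":
            continue
        reason = WATCHLIST.get(p.port, "open to all remote addresses")
        findings.append(f"{p.port}/{p.proto}: {reason} [{p.label}]")
    return findings


if __name__ == "__main__":
    for finding in risky_exceptions(parse_open_ports(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a real machine the input would come from `reg export` of the key named in the CFScript; the LAN-scoped and disabled entries in the sample are deliberately not flagged.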
#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 19 February 2009 - 05:20 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#9 Greg Sweet

Greg Sweet
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 20 February 2009 - 01:10 PM

I was following the instructions as posted and I realized this was going to take some time to do the clean and it may never be clean.

Based on your analysis it sounds pretty bad. I think I will take option A and do a wipe and re-load of my system. I have done this before so it should not be an issue. I purchased a 1TB drive to back everything up.

Thanks for your analysis and time with my issues.

Greg

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 20 February 2009 - 01:15 PM

You're welcome.

Good luck on the format and backup :thumbup2:

With Regards,
Extremeboy

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 21 February 2009 - 12:31 PM

Hello.

Below are just some prevention tips and some AV/Firewall programs.

Install an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Some Free Anti-Virus software I recommend are: Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Install a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Some Firewall programs I recommend to others are:
Update your Firewall Program - It is imperative that you update your Firewall at least once a week (Even more if you wish). If you do not update your firewall then it will not be able to catch any of the new variants that may come out.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.
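The quoted description above explains that USB worms drop an AUTORUN.INF in a drive's root so that Autorun, Autoplay or a double-click on the drive icon runs their payload. As an added example that is not from the thread or from Flash_Disinfector, the following parser lists the launch directives in such a file so it can be reviewed without executing anything; it assumes the [autorun] section carries the directives, that "open", "shellexecute" and "shell\<verb>\command" are the keys that run a command, and that junk padding lines (which a strict INI parser would reject) should simply be skipped. The sample file is constructed.

```python
"""Inspect an autorun.inf for directives that would launch a program."""
from __future__ import annotations
import re

# Keys that cause code to run; "icon", "label" and "action" only change appearance.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command rewires what Explorer does for that verb on the drive icon.
SHELL_CMD_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$", re.IGNORECASE)

# Constructed worm-style autorun.inf (no real malware); note the padding lines.
SAMPLE_AUTORUN = """\
[autorun]
;this line is junk padding
open=RECYCLER\\S-1-5-21-1\\setup.exe
shell\\open=Open
shell\\open\\Command=RECYCLER\\S-1-5-21-1\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
useautoplay=1
garbage line without an equals sign
"""


def parse_autorun(text: str) -> dict[str, str]:
    """Return key->value pairs from the [autorun] section with lower-cased keys.

    Lines outside [autorun], ';' comments and lines without '=' are ignored,
    which is what makes the parser tolerant of the padding worms add.
    """
    section = None
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")   # tolerate a UTF-8 BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries: dict[str, str]) -> list[tuple[str, str]]:
    """Pick out every directive that would execute something, as (trigger, command)."""
    found: list[tuple[str, str]] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            found.append((key, value))
            continue
        m = SHELL_CMD_RE.match(key)
        if m:
            found.append((f"shell {m.group('verb').lower()} verb", value))
    return found


def is_suspicious(entries: dict[str, str]) -> bool:
    """Heuristic: a plain 'open=' can be a legitimate installer disc, but a file
    that also hijacks Explorer's open/explore verbs (so double-clicking the
    drive icon runs the payload) matches the worm behaviour described above."""
    cmds = launch_directives(entries)
    has_autorun_launch = any(t in LAUNCH_KEYS for t, _ in cmds)
    hijacked_verbs = {t for t, _ in cmds} & {"shell open verb", "shell explore verb"}
    return has_autorun_launch and bool(hijacked_verbs)


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN)
    for trigger, command in launch_directives(found):
        print(f"{trigger}: {command}")
    print("suspicious:", is_suspicious(found))
```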

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,
Extremeboy


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 21 February 2009 - 12:34 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

