
Used Malwarebytes for Vundo Now getting Popup


  • This topic is locked
37 replies to this topic

#1 mejutty

mejutty

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 19 April 2009 - 07:10 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/219862/used-malwarebytes-now-getting-popup-error/ ~ OB

As requested from the other forum: I ran Malwarebytes and it found Vundo. It removed it, as its log shows:

Malwarebytes' Anti-Malware 1.36
Database version: 1979
Windows 5.1.2600 Service Pack 3

16/04/2009 10:18:01 PM
mbam-log-2009-04-16 (22-18-01).txt

Scan type: Quick Scan
Objects scanned: 78682
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msgctfls.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kaz\Local Settings\Temp\tmp57F.tmp.exe (Trojan.Agent.W) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgctfls.dll (Trojan.Vundo) -> Delete on reboot.

Now on reboot, and when any program is run (it must have popped up over 50 times while running DDS), I get the application popup: winlogon.exe - Unable To Locate Component: This application has failed to start because msgctfls.dll was not found. Re-installing the application may fix this problem.
where winlogon is replaced with whatever is actually trying to run.

Before my PC gets to the login prompt I get 3 of these errors: one for winlogon, 1 for lsass and 1 for services.
I have scoured the registry for references to the file it wants but cannot locate them. Scanned with everything under the sun.

Have rerun Malwarebytes with the latest updates and it detects nothing.

Here are the logs:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kaz at 7:30:08.75 on Mon 20/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1449 [GMT 8:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\nick4eva's software\FAH SMP Affinity Changer\FahSmpAffinityChanger.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kaz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.yahoo.com/
uInternet Settings,ProxyServer = proxy.wanews.com.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\kaz\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~2.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188808590703
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://portal.webportal.wanews.com.au/sre/ICSScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://portal.webportal.wanews.com.au/SNX/CSHELL/extender.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {AE5B5D69-0AC5-4BAE-AF0C-05BA8338EE1F} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {C6415481-DE1F-45F9-9B36-7C33227DE0A5} - c:\documents and settings\kaz\local settings\application data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2007-6-10 331870]
R2 FahSmpAffinityChanger;FAH SMP Affinity Changer;c:\program files\nick4eva's software\fah smp affinity changer\FahSmpAffinityChanger.exe [2007-12-19 9216]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-19 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090418.022\NAVENG.SYS [2009-4-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090418.022\NAVEX15.SYS [2009-4-19 876144]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2007-6-10 110160]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 MarkFun_NT;MarkFun_NT;c:\program files\markfun.w32 [2007-8-21 17912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client 1\smpd.exe [2008-5-18 1135616]

=============== Created Last 30 ================

2009-04-19 11:37 --d----- c:\program files\Sophos
2009-04-19 11:22 91,520 a------- c:\windows\system32\drivers\SysPlant.sys
2009-04-19 11:22 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-19 11:22 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-19 11:22 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-19 11:22 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-19 09:21 --d----- C:\RkUnhooker
2009-04-19 08:49 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 08:49 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 08:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 08:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 08:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 08:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 08:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 08:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 08:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 08:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 08:48 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-19 08:48 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-18 17:02 --d----- c:\documents and settings\kaz\DoctorWeb
2009-04-16 23:12 --d----- C:\VundoFix Backups
2009-04-16 22:47 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-16 22:47 --d----- c:\program files\SUPERAntiSpyware
2009-04-16 22:47 --d----- c:\docume~1\kaz\applic~1\SUPERAntiSpyware.com
2009-04-08 06:11 --d----- c:\program files\iPod
2009-04-08 06:11 --d----- c:\program files\iTunes
2009-04-08 06:11 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-23 05:19 133,632 a------- c:\windows\ivisovuniwulaold.dll
2009-03-21 22:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-16 21:27 110,592 a------- c:\windows\system32\imm32.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 18:01 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-03-06 22:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 22:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 08:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 02:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 20:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 19:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 18:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 03:59 56,832 a------- c:\windows\system32\secur32.dll
2008-04-24 00:22 1,048,576 a------- c:\program files\6a79og0b.0
2008-04-24 00:20 71,018 a------- c:\program files\bios.ini
2008-04-24 00:20 528 a------- c:\program files\CONFIG.INI
2008-04-24 00:20 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-04 18:35 207,680 a------- c:\program files\updateutility.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-04-14 08:12 4,096 a--sh--- c:\windows\system32\nfhfynbyj.dat
2008-10-21 15:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat

============= FINISH: 7:32:15.82 ===============


Log attached and file uploaded. Have also, as requested, run Dr.Web; it came up with nothing.

Edited by Orange Blossom, 20 April 2009 - 12:44 AM.



#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:40 PM

Posted 03 May 2009 - 01:16 PM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue I need to see a fresh HijackThis log. Would you please send a fresh HijackThis log here?

#3 mejutty

mejutty
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 03 May 2009 - 06:47 PM

If you think you need it I will send it, but the PC has been left pretty much off since I did the logs, as it's pretty unusable. It has been turned on only to get information off when required.

#4 mejutty

mejutty
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 03 May 2009 - 07:30 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kaz at 7:58:10.89 on Mon 04/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1297 [GMT 8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\nick4eva's software\FAH SMP Affinity Changer\FahSmpAffinityChanger.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Kaz\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.yahoo.com/
uInternet Settings,ProxyServer = proxy.wanews.com.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\kaz\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~2.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188808590703
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://portal.webportal.wanews.com.au/sre/ICSScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://portal.webportal.wanews.com.au/SNX/CSHELL/extender.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {AE5B5D69-0AC5-4BAE-AF0C-05BA8338EE1F} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {C6415481-DE1F-45F9-9B36-7C33227DE0A5} - c:\documents and settings\kaz\local settings\application data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-26 130936]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2007-6-10 331870]
R2 FahSmpAffinityChanger;FAH SMP Affinity Changer;c:\program files\nick4eva's software\fah smp affinity changer\FahSmpAffinityChanger.exe [2007-12-19 9216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-26 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-26 1095560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-19 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090425.020\NAVENG.SYS [2009-4-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090425.020\NAVEX15.SYS [2009-4-26 876144]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2007-6-10 110160]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 MarkFun_NT;MarkFun_NT;c:\program files\markfun.w32 [2007-8-21 17912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client 1\smpd.exe [2008-5-18 1135616]

=============== Created Last 30 ================

2009-04-26 13:24 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-26 13:24 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-26 13:24 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-26 13:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-26 13:24 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-26 13:24 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-26 13:24 <DIR> --d----- c:\docume~1\kaz\applic~1\PC Tools
2009-04-26 13:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-19 11:37 <DIR> --d----- c:\program files\Sophos
2009-04-19 11:22 91,520 a------- c:\windows\system32\drivers\SysPlant.sys
2009-04-19 11:22 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-19 11:22 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-19 11:22 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-19 11:22 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-19 09:21 <DIR> --d----- C:\RkUnhooker
2009-04-19 08:49 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 08:49 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 08:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 08:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 08:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 08:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 08:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 08:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 08:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 08:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 08:48 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-19 08:48 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-18 17:02 <DIR> --d----- c:\documents and settings\kaz\DoctorWeb
2009-04-16 23:12 <DIR> --d----- C:\VundoFix Backups
2009-04-16 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-16 22:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-16 22:47 <DIR> --d----- c:\docume~1\kaz\applic~1\SUPERAntiSpyware.com
2009-04-08 06:11 <DIR> --d----- c:\program files\iPod
2009-04-08 06:11 <DIR> --d----- c:\program files\iTunes
2009-04-08 06:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-04-16 21:27 110,592 a------- c:\windows\system32\imm32.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 05:19 133,632 a------- c:\windows\ivisovuniwulaold.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 18:01 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-03-06 22:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 22:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 08:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 02:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 20:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 19:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 18:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 03:59 56,832 a------- c:\windows\system32\secur32.dll
2008-04-24 00:22 1,048,576 a------- c:\program files\6a79og0b.0
2008-04-24 00:20 71,018 a------- c:\program files\bios.ini
2008-04-24 00:20 528 a------- c:\program files\CONFIG.INI
2008-04-24 00:20 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-04 18:35 207,680 a------- c:\program files\updateutility.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-04-14 08:12 4,096 a--sh--- c:\windows\system32\nfhfynbyj.dat
2008-10-21 15:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat

============= FINISH: 8:01:27.59 ===============


#5 Baabiouz

Finnish Malware Fighter
  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 03 May 2009 - 10:39 PM

Hello

Step #1
OTMoveIt3
  • Download OTMoveIt3 and save it to your desktop. Then run it.
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :processes
    explorer.exe
    
    :files
    c:\windows\ivisovuniwulaold.dll
    
    :commands
    [emptytemp]
    [start explorer]
    [reboot]
  • Now click the red button that says MoveIt!
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.
Step #2
Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti.

Please visit Jotti
Copy/paste the following file path into the window

c:\windows\system32\nfhfynbyj.dat

Click Submit/Send File
Please post back, to let me know the results.


If Jotti is too busy please try Virustotal

Step #3
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4
Please post the OTMoveIt log, the Kaspersky log and a fresh HijackThis log back here.
How's the PC working now?

#6 mejutty (Topic Starter)

Posted 04 May 2009 - 09:56 AM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\ivisovuniwulaold.dll NOT unregistered.
c:\windows\ivisovuniwulaold.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Kaz\LOCALS~1\Temp\Perflib_Perfdata_a40.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kaz\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_8f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05042009_185800

Files moved on Reboot...
File C:\DOCUME~1\Kaz\LOCALS~1\Temp\Perflib_Perfdata_a40.dat not found!
C:\DOCUME~1\Kaz\LOCALS~1\Temp\WCESLog.log moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_8f8.dat not found!

Service load: 0% 100%

File: nfhfynbyj.dat
Status: OK
MD5: 5990f05fb9a48d0d5e8a8e16b70fd98b



DDS (Ver_09-03-16.01) - NTFSx86
Run by Kaz at 22:41:46.67 on Mon 04/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1576 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kaz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.yahoo.com/
uInternet Settings,ProxyServer = proxy.wanews.com.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\kaz\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~2.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188808590703
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://portal.webportal.wanews.com.au/sre/ICSScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1241436996_08e173c4b93fb46d3c18b3997f4dbe5d&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://portal.webportal.wanews.com.au/SNX/CSHELL/extender.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {AE5B5D69-0AC5-4BAE-AF0C-05BA8338EE1F} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2007-6-10 331870]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2007-6-10 110160]
S3 MarkFun_NT;MarkFun_NT;c:\program files\markfun.w32 [2007-8-21 17912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client 1\smpd.exe [2008-5-18 1135616]

=============== Created Last 30 ================

2009-05-04 19:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 19:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-04 18:58 <DIR> --d----- C:\_OTMoveIt
2009-04-19 11:37 <DIR> --d----- c:\program files\Sophos
2009-04-19 08:49 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 08:49 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 08:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 08:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 08:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 08:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 08:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 08:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 08:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 08:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 08:48 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-19 08:48 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-18 17:02 <DIR> --d----- c:\documents and settings\kaz\DoctorWeb
2009-04-16 23:12 <DIR> --d----- C:\VundoFix Backups
2009-04-16 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-16 22:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-16 22:47 <DIR> --d----- c:\docume~1\kaz\applic~1\SUPERAntiSpyware.com
2009-04-08 06:11 <DIR> --d----- c:\program files\iPod
2009-04-08 06:11 <DIR> --d----- c:\program files\iTunes
2009-04-08 06:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-04-16 21:27 110,592 a------- c:\windows\system32\imm32.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 22:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 22:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 08:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 02:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 20:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 19:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 18:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 03:59 56,832 a------- c:\windows\system32\secur32.dll
2008-04-24 00:22 1,048,576 a------- c:\program files\6a79og0b.0
2008-04-24 00:20 71,018 a------- c:\program files\bios.ini
2008-04-24 00:20 528 a------- c:\program files\CONFIG.INI
2008-04-24 00:20 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-04 18:35 207,680 a------- c:\program files\updateutility.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-04-14 08:12 4,096 a--sh--- c:\windows\system32\nfhfynbyj.dat
2008-10-21 15:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat

============= FINISH: 22:43:03.18 ===============


Could not run Kaspersky on the machine; it just will not run. Have got the drive mounted on another machine and am running the scan through that; will post when finished.

No change, still has the popups from even before you are prompted to log in. At the first box that comes up the mouse doesn't even work yet.

Attached Files
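
The DDS listing in the post above is exactly the kind of output a helper reads by eye: the files that drew attention (the hidden+system `nfhfynbyj.dat` in system32, the loose `6a79og0b.0` in the Program Files root) and the `MEMSWEEP2` service whose binary is a `.tmp` file DDS could not locate. As an added example, which is not part of this thread, of DDS or of any tool used here, the Python below parses the file and service lines in the shape DDS prints them and applies three of those checks mechanically. The `SAMPLE_*` strings are lines copied from the logs above and are the only input; the heuristics, thresholds and reason strings are my own and are deliberately noisy, so the output is a "look at these" list, not a verdict. One caveat a practitioner would add: the Jotti result reported for `nfhfynbyj.dat` ("Status: OK") only means no engine recognised that hash, which does not clear a 4 KB hidden+system file with a random name; it just means nobody has a signature for it.

```python
"""Triage DDS file-listing and service lines. Added example for this thread, not
DDS/OTMoveIt code. SAMPLE_* are lines copied from the logs above (constructed
test input); the heuristics and thresholds are mine and deliberately noisy."""
import re

SAMPLE_FILES = r"""
2009-05-04 19:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 18:58 <DIR> --d----- C:\_OTMoveIt
2009-02-06 18:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-04-24 00:22 1,048,576 a------- c:\program files\6a79og0b.0
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2008-04-14 08:12 4,096 a--sh--- c:\windows\system32\nfhfynbyj.dat
2008-10-21 15:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat
"""
SAMPLE_SERVICES = r"""
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2007-6-10 331870]
S3 MarkFun_NT;MarkFun_NT;c:\program files\markfun.w32 [2007-8-21 17912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
"""
# "date time size attrs path"; attrs is an 8-char field, e.g. a--sh--- (h = hidden, s = system).
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# "state name;display;binary [date size]", or "... --> resolved [?]" when DDS could not stat it.
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
VOWELS = set("aeiou")


def parse_files(text):
    """One dict per file line; directories keep size=None."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append({"date": date, "time": time, "attrs": attrs, "path": path,
                            "size": None if size == "<DIR>" else int(size.replace(",", ""))})
    return entries


def parse_services(text):
    """One dict per service line, with the Win32 path DDS resolved."""
    services = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        state, name, _display, rest = m.groups()
        binary = rest.rsplit(" [", 1)[0]               # drop trailing "[date size]" or "[?]"
        if " --> " in binary:                          # prefer the resolved path over the \??\ form
            binary = binary.split(" --> ", 1)[1]
        services.append({"state": state, "name": name, "binary": binary.strip(),
                         "unresolved": rest.endswith("[?]")})
    return services


def looks_random(stem):
    """Crude keyboard-mash test: vowel-starved long names, or >= 3 digits mixed into letters."""
    stem = stem.lower()
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if len(digits) >= 3 and letters:
        return True
    return len(letters) >= 8 and sum(c in VOWELS for c in letters) / len(letters) < 0.15


def triage_files(entries):
    """Lower-cased path -> reasons, for files worth a second look."""
    findings = {}
    for e in entries:
        if e["size"] is None:
            continue
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        stem = stem or name
        reasons = []
        # Hidden+system data files under c:\windows are rare apart from IE's index.dat.
        if "h" in e["attrs"] and "s" in e["attrs"] and "\\windows\\" in path and name != "index.dat":
            reasons.append("hidden+system file under c:\\windows")
        # A file dropped straight into the Program Files root (no vendor folder) stands out
        # when its name is random or its extension is just a number.
        if re.fullmatch(r"c:\\program files\\[^\\]+", path) and (looks_random(stem) or ext.isdigit()):
            reasons.append("loose file in Program Files root")
        if reasons and looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            findings[path] = reasons
    return findings


def triage_services(services):
    """Service name -> reasons: binary is a .tmp file or DDS could not locate it."""
    findings = {}
    for s in services:
        reasons = []
        if s["unresolved"]:
            reasons.append("DDS could not locate the service binary ([?])")
        if s["binary"].lower().endswith(".tmp"):
            reasons.append("service binary is a .tmp file")
        if reasons:
            findings[s["name"]] = reasons
    return findings


if __name__ == "__main__":
    for what, why in {**triage_files(parse_files(SAMPLE_FILES)),
                      **triage_services(parse_services(SAMPLE_SERVICES))}.items():
        print(what, "->", "; ".join(why))
```

Run against the sample it flags the same three items the thread goes on to chase (`nfhfynbyj.dat`, `6a79og0b.0`, `MEMSWEEP2`) and leaves `ntkrnlpa.exe` and `gwflash.exe` alone, but only because the vowel-ratio test is gated behind the location checks: applied to every file it would also flag legitimate kernel names like `ntkrnlpa`.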



#7 Baabiouz (Finnish Malware Fighter)

Posted 04 May 2009 - 11:04 AM

Hello

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#8 mejutty (Topic Starter)

Posted 04 May 2009 - 06:08 PM

GooredFix v1.92 by jpshortstuff
Log created at 07:01 on 05/05/2009 running Option #1 (Kaz)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"="C:\Documents and Settings\Kaz\Local Settings\Application Data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"="C:\Documents and Settings\Kaz\Local Settings\Application Data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"

#9 Baabiouz (Finnish Malware Fighter)

Posted 04 May 2009 - 10:28 PM

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Please post gooredlog.txt and a fresh HijackThis log back here.
How's the computer / browser working now?

Edited by Baabiouz, 04 May 2009 - 10:28 PM.


#10 mejutty (Topic Starter)

Posted 05 May 2009 - 05:47 AM

Will do, but Firefox is not currently installed.

#11 mejutty (Topic Starter)

Posted 05 May 2009 - 06:41 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kaz at 19:34:00.34 on Tue 05/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1650 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kaz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.yahoo.com/
uInternet Settings,ProxyServer = proxy.wanews.com.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\kaz\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~2.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188808590703
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://portal.webportal.wanews.com.au/sre/ICSScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1241436996_08e173c4b93fb46d3c18b3997f4dbe5d&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://portal.webportal.wanews.com.au/SNX/CSHELL/extender.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {AE5B5D69-0AC5-4BAE-AF0C-05BA8338EE1F} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

S3 MarkFun_NT;MarkFun_NT;c:\program files\markfun.w32 [2007-8-21 17912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2007-6-10 110160]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client 1\smpd.exe [2008-5-18 1135616]

=============== Created Last 30 ================

2009-05-04 19:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 19:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-04 18:58 <DIR> --d----- C:\_OTMoveIt
2009-04-19 11:37 <DIR> --d----- c:\program files\Sophos
2009-04-19 08:49 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 08:49 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 08:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 08:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 08:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 08:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 08:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 08:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 08:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 08:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 08:48 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-19 08:48 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-18 17:02 <DIR> --d----- c:\documents and settings\kaz\DoctorWeb
2009-04-16 23:12 <DIR> --d----- C:\VundoFix Backups
2009-04-16 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-16 22:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-16 22:47 <DIR> --d----- c:\docume~1\kaz\applic~1\SUPERAntiSpyware.com
2009-04-08 06:11 <DIR> --d----- c:\program files\iPod
2009-04-08 06:11 <DIR> --d----- c:\program files\iTunes
2009-04-08 06:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-04-16 21:27 110,592 a------- c:\windows\system32\imm32.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 22:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-03 08:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 02:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 20:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 19:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 18:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-04-24 00:22 1,048,576 a------- c:\program files\6a79og0b.0
2008-04-24 00:20 71,018 a------- c:\program files\bios.ini
2008-04-24 00:20 528 a------- c:\program files\CONFIG.INI
2008-04-24 00:20 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-04 18:35 207,680 a------- c:\program files\updateutility.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-04-14 08:12 4,096 a--sh--- c:\windows\system32\nfhfynbyj.dat
2008-10-21 15:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat

============= FINISH: 19:35:03.17 ===============


GooredFix v1.92 by jpshortstuff
Log created at 19:29 on 05/05/2009 running Option #2 (Kaz)
Firefox version [Unable to determine]

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"="C:\Documents and Settings\Kaz\Local Settings\Application Data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Kaz\Local Settings\Application Data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

PC running the same.
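
The two GooredFix logs above (post #8 and the one just above) show the pattern the tool treats as suspect: a Firefox extension registered machine-wide under `HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions`, identified by a GUID, whose install folder sits inside one user's `Local Settings\Application Data` and is named after that same GUID, next to a normal entry (`jqs@sun.com`) that points into Program Files. On this machine the user says Firefox is not even installed, so nothing legitimate put that key there. As an added example, not GooredFix's own code or output, the Python below parses the `.reg`-style dump GooredFix prints and flags entries on those three signals; it also accepts `HKEY_CURRENT_USER` keys, which GooredFix's log does not show but which Firefox reads the same way. `SAMPLE_DUMP` is copied from the log above plus one constructed HKCU entry (`helper@example.test`) as a negative control.

```python
"""Flag Firefox extension registrations that fit the pattern GooredFix reported above.
Added example for this thread, not GooredFix code. It reads the .reg-style dump
GooredFix prints; SAMPLE_DUMP is copied from the log above plus one constructed
HKCU entry as a negative control."""
import re

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"="C:\Documents and Settings\Kaz\Local Settings\Application Data\{C6415481-DE1F-45F9-9B36-7C33227DE0A5}"

[HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\extensions]
"helper@example.test"="C:\Program Files\Example Vendor\ff"
"""
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Per-user profile roots on XP (Documents and Settings) and Vista+ (Users); group 1 is the user name.
PROFILE_ROOT = re.compile(r"^[a-z]:\\(?:documents and settings|users)\\([^\\]+)\\", re.I)
EXT_KEY_SUFFIX = "\\software\\mozilla\\firefox\\extensions"
# Non-roaming per-user cache areas; registry-registered add-ons normally live under Program Files.
CACHE_DIRS = ("\\local settings\\application data\\", "\\appdata\\local\\")


def parse_reg_dump(text):
    """Return (key, value_name, value_data) for every value under its preceding [key] line."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_LINE.match(line)
        if v and key:
            entries.append((key, v.group(1), v.group(2)))
    return entries


def triage_extensions(entries):
    """Extension id -> reasons, for values under a Mozilla/Firefox/extensions key in any hive."""
    findings = {}
    for key, ext_id, path in entries:
        if not key.lower().endswith(EXT_KEY_SUFFIX):
            continue
        reasons = []
        profile = PROFILE_ROOT.match(path)
        folder = path.rstrip("\\").rsplit("\\", 1)[-1]
        # HKLM applies to every account on the box; pointing it into a single user's
        # profile is how the suspect entry above was registered.
        if profile and key.upper().startswith("HKEY_LOCAL_MACHINE"):
            reasons.append("machine-wide registration points into user profile '%s'" % profile.group(1))
        if GUID.match(ext_id) and folder.lower() == ext_id.lower():
            reasons.append("install folder is named after the extension's own GUID")
        if any(d in path.lower() for d in CACHE_DIRS):
            reasons.append("installed under a per-user local-cache directory, not a program directory")
        if reasons:
            findings[ext_id] = reasons
    return findings


if __name__ == "__main__":
    for ext_id, why in triage_extensions(parse_reg_dump(SAMPLE_DUMP)).items():
        print(ext_id)
        for reason in why:
            print("  -", reason)
```

The GUID alone is not the signal (plenty of legitimate add-ons use GUID ids); it is the combination with the profile-relative path and the self-named folder that makes the entry worth backing up and removing, which is what GooredFix's Option #2 log above records doing.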

#12 Baabiouz (Finnish Malware Fighter)

Posted 05 May 2009 - 08:12 AM

Do you get same popups?

Edited by Baabiouz, 05 May 2009 - 08:13 AM.


#13 mejutty (Topic Starter)

Posted 05 May 2009 - 08:29 AM

Yes, the PC is still the same; still get all the popups when you run anything and when the PC is starting up.

#14 Baabiouz (Finnish Malware Fighter)

Posted 05 May 2009 - 08:40 AM

Can you tell me, or take a screenshot of, what's in those popups?

#15 mejutty (Topic Starter)

Posted 05 May 2009 - 09:52 AM

Uploaded; rename the file to .rar to unzip.

Attached Files





