Hi,
I somehow got the Trojan.Vundo. I have run Malwarebytes multiple times, including offline, and I am still not able to fully get rid of this Trojan. I have also tried to run SDFix in Safe Mode, but it keeps saying "Access is Denied".
Here is my most recent log from Malwarebytes:
Malwarebytes' Anti-Malware 1.36
Database version: 2024
Windows 5.1.2600 Service Pack 3
4/22/2009 2:00:59 AM
mbam-log-2009-04-22 (02-00-59).txt
Scan type: Quick Scan
Objects scanned: 79351
Time elapsed: 4 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\desfint.dll (Trojan.Vundo.V) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a243200e-d2a7-49d9-974a-a67ba2936e1d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fgyqwmcu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a243200e-d2a7-49d9-974a-a67ba2936e1d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.
Files Infected:
c:\WINDOWS\system32\zmxgxph.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\desfint.dll (Trojan.Vundo.V) -> Delete on reboot.
C:\Documents and Settings\Cool Dave\Local Settings\Temp\jinywooj.dat (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
Once I reboot and rerun the scan with Malwarebytes, it just detects the exact same infected files again. It's just a never-ending cycle. Malwarebytes just can't seem to get rid of this Trojan completely. Here is my log from Trend Micro HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:36 AM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTAPR.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.65.127.161:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A243200E-D2A7-49D9-974A-A67BA2936E1D} - c:\windows\system32\zmxgxph.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Cool Dave\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
O16 - DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} (UFC Class) - http://video.ufc.com/cabfiles/UFC_DLManager_3_6_0_19.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://evideo.ufc.com/ufc/cabfiles/Entriq_...0_15_Silent.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rightmedia.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94D187B-7C57-4207-86A4-53802D719A4E}: NameServer = 212.19.48.14
O20 - Winlogon Notify: fgyqwmcu - C:\WINDOWS\SYSTEM32\zmxgxph.dll
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
--
End of file - 8915 bytes
Here is my logfile from ComboFix:
ComboFix 09-04-22.A2 - Cool Dave 04/22/2009 4:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1411 [GMT -6:00]
Running from: c:\download\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\windows\IE4 Error Log.txt
c:\windows\system32\wl.exe
.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.
2009-04-22 07:31 . 2009-04-22 07:31 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-22 06:05 . 2009-04-22 06:05 -------- d-----w c:\documents and settings\Cool Dave\Local Settings\Application Data\{80811122-EF6B-4F28-BDD0-BE4BDDD9A18A}
2009-04-17 07:06 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 07:06 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 07:06 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 07:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 07:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 07:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 07:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 07:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 07:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 07:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 07:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 07:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 07:54 . 2008-12-05 23:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 06:17 . 2006-09-01 08:16 -------- d-----w c:\program files\WebSite-Watcher
2009-04-06 21:32 . 2008-12-05 23:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2008-12-05 23:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 04:10 . 2007-07-27 05:04 -------- d-----w c:\documents and settings\Cool Dave\Application Data\iPhoneRingToneMaker
2009-03-17 07:36 . 2009-03-17 07:35 -------- d-----w c:\program files\iTunes
2009-03-17 07:36 . 2009-03-17 07:35 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 07:35 . 2009-03-17 07:35 -------- d-----w c:\program files\iPod
2009-03-17 07:35 . 2007-06-29 18:21 -------- d-----w c:\program files\Common Files\Apple
2009-03-17 07:34 . 2009-03-17 07:34 -------- d-----w c:\program files\Bonjour
2009-03-17 07:34 . 2009-03-17 07:33 -------- d-----w c:\program files\QuickTime
2009-03-13 21:43 . 2006-11-23 14:09 -------- d-----w c:\documents and settings\Cool Dave\Application Data\Skype
2009-03-06 14:22 . 2006-08-12 15:39 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-03-17 07:31 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2007-06-29 18:21 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-20 08:10 . 2006-08-12 15:39 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-08-12 15:39 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-08-12 15:39 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-08-12 15:39 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-08-12 15:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-08-12 15:39 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-08-12 15:39 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-08-12 15:39 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 23:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-08-12 15:39 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-08-12 15:39 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-18 01:05 . 2006-08-29 08:09 27224 ----a-w c:\documents and settings\Cool Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-15 09:45 . 2006-09-01 11:01 26448 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-01 11:07 . 2006-09-01 11:07 132 ----a-w c:\documents and settings\Cool Dave\Local Settings\Application Data\fusioncache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A243200E-D2A7-49D9-974A-A67BA2936E1D}]
2004-08-04 12:00 104448 ----a-w c:\windows\system32\zmxgxph.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-18 7585792]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-01-27 45056]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"CTSysVol"="c:\program files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTFeatureModeUtility"="c:\program files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe" [2005-01-10 81920]
"CTDVDDET"="c:\program files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-22 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-25 805392]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2005-6-8 147456]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fgyqwmcu]
2004-08-04 12:00 104448 ----a-w c:\windows\system32\zmxgxph.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli desfint.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv48.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1157159514\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Simplify Media\\SimplifyPeer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Winrv48;Winrv48; [x]
R3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\ctmsfsyn.sys [2005-01-31 159104]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-02-02 9344]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2007-02-15 26624]
S0 eamtxujf;eamtxujf;c:\windows\system32\drivers\eamtxujf.sys [2004-08-04 23424]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2006-10-26 3712]
S2 SVPNStarter;Steganos VPN Starter Service;c:\program files\Steganos Internet Anonym VPN\SVPNStarter.exe [2007-02-16 19968]
S3 DCamUSBET;USB2.0 1.3M PC CAM;c:\windows\system32\DRIVERS\etDevice.sys [2005-07-01 88704]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter.sys [2005-12-16 118272]
S3 HSFHWVIA;HSFHWVIA;c:\windows\system32\DRIVERS\HSFHWVIA.sys [2005-10-24 255232]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan.sys [2005-07-01 5760]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
axmaurxa
.
Contents of the 'Scheduled Tasks' folder
2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 21:42]
2009-04-22 c:\windows\Tasks\At1.job
- c:\windows\system32\zmxgxph.dll [2006-08-12 12:00]
2009-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1767777339-682003330-1004.job
- c:\documents and settings\Cool Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-20 00:13]
.
- - - - ORPHANS REMOVED - - - -
BHO-{65523557-F7BF-4C4A-8C48-197746C4E913} - c:\windows\system32\cmpbk3.dll
HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 200.65.127.161:80
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to WebSite-Watcher - c:\documents and settings\Cool Dave\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {B94D187B-7C57-4207-86A4-53802D719A4E} = 212.19.48.14
DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://video.ufc.com/cabfiles/UFC_DLManager_3_6_0_19.cab
FF - ProfilePath - c:\documents and settings\Cool Dave\Application Data\Mozilla\Firefox\Profiles\zjr8kvxv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\Entriq\UFC\3.8.0.24\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\documents and settings\Cool Dave\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.0.24\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.0.24\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 04:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{175AF4D7-9CF3-F457-BF0E37CACC73FC6B}\{467C247B-D237-138A-478D2C475DF76751}\{0F112251-81FD-FF65-E1D4489D8D443FBC}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{210BD7C7-47ED-BBE9-95D0F9FAA3BD0E97}\{C5D4C247-F1D1-D183-A63FC2DFAAC29AA3}\{B55B3474-A2E6-F6F7-4AD088E6434601A2}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,ec,50,ad,
1b,d5,ad,b5,a4,25,c6,87,11,99,ba,6e,ed,ab,17,e4,c7,ad,16,05,7b,c8,de,3b,55,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E24A3BE2-0E58-440D-C5291999CC5C5741}\{9EE83BBD-CDA7-8737-4BFE3ADA0C41BF51}\{12860FBF-70CB-D90A-D9669DC891BE38B3}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA20B5D7-213B-BF6A-A687F1F5E27AC26F}\{EEE35091-0AEA-CF92-BEFE1061EF739928}\{47B248DC-A6E0-641B-BA973614FEEFC865}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,ec,50,ad,
1b,d5,ad,b5,a4,25,c6,87,11,99,ba,6e,ed,ab,17,e4,c7,ad,16,05,7b,c8,de,3b,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(920)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'explorer.exe'(3884)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Kontiki\KService.exe
c:\program files\Logitech\Easy Synchronization\servicestub.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\SetPoint\LBTWiz.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTAPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MicroStar\WLANUtility\WLAN_Service.exe
.
**************************************************************************
.
Completion time: 2009-04-22 4:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 10:49
Pre-Run: 5,249,961,984 bytes free
Post-Run: 5,285,285,888 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
267 --- E O F --- 2009-04-18 16:07
Can someone please help me out? How do I completely get rid of this Trojan? How can I get SDFix to run correctly?
I appreciate all your help! Thanks!
-Dave