Vundo - Slippery lil' sucker - Did I get it?


  • This topic is locked
31 replies to this topic

#1 mcclune

mcclune

  • Members
  • 70 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 30 April 2009 - 12:43 PM

Greetings,

Vundo (or maybe another one too) got through my McAfee and disabled it to the point I can't even reach mcafee.com, and the auto-update tells me I have to reinstall it, which of course isn't possible because I can't get to the site. I have installed SuperAntiSpyware, Malwarebytes' AntiMalware, Avira's Antivir and all have found traces of one thing or another of Vundo and variants.

The most noticeable effect has been on browser performance - or lack thereof, since certain hyperlinks don't work on the Yahoo home page, sites cannot be reached, and my startup items do not load on startup.

I have scanned and scanned, quarantined and deleted over the past few days - done from safe mode and regular mode. Below is the most recent HJT log...can someone help me out? I'd be more than happy to send gifts of gratitude.

I scanned with SAS, Malwarebytes and Avira this morning and nothing came up but I'm not inclined to believe it just yet.

Thanks in advance...here it is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:43 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080116
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-20\..\Run: [zotoyanupu] Rundll32.exe "C:\WINDOWS\system32\jahanane.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204592869281
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: rsdoph.dll qxmufk.dll c:\windows\system32\danipowu.dll,C:\WINDOWS\system32\fimijole.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11742 bytes
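The two entries a helper would zero in on in the log above are the O20 AppInit_DLLs line (four DLLs, two of them bare names in system32, injected into every process that loads user32) and the O4 Run entry under HKUS\S-1-5-20, i.e. the NETWORK SERVICE account, which never logs on interactively and so has no business running rundll32 at logon. The script below is an added example, not code from this thread or from the HijackThis project: it parses HijackThis-format lines and applies exactly those triage rules, plus a low-severity note for "(file missing)" orphans. The sample lines are an excerpt copied from the log above mixed with benign entries for contrast, and the rundll32 allowlist (only NvCpl.dll, the NVIDIA control panel seen in the log) is a constructed assumption.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in HijackThis v2 line format: suspicious entries copied
# from the posted log, plus benign entries so the rules have something to skip.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-20\..\Run: [zotoyanupu] Rundll32.exe "C:\WINDOWS\system32\jahanane.dll",s (User 'NETWORK SERVICE')
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: rsdoph.dll qxmufk.dll c:\windows\system32\danipowu.dll,C:\WINDOWS\system32\fimijole.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Well-known service-account SIDs: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
# None of these logs on interactively, so a per-user Run key under them is unusual.
SERVICE_ACCOUNT_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed allowlist (assumption): DLLs legitimately started through rundll32
# on this kind of machine; NvCpl.dll is the one present in the posted log.
RUNDLL_ALLOWLIST = {"nvcpl.dll"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
HKUS_RE = re.compile(r"^HKUS\\(?P<sid>S-1-5-\d+)\\")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def parse_line(line: str):
    """Split one HijackThis entry into its section tag (R0, O4, O20, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def appinit_dlls(body: str) -> List[str]:
    """'AppInit_DLLs: a.dll b.dll,c.dll' -> ['a.dll', 'b.dll', 'c.dll'] (HJT separates with spaces or commas)."""
    _, _, rest = body.partition("AppInit_DLLs:")
    return [p for p in re.split(r"[\s,]+", rest.strip()) if p]


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; return a Finding or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = appinit_dlls(body)
        if dlls:  # the value is normally empty on a home XP machine
            return Finding(section, "high",
                           "AppInit_DLLs loads %d DLL(s) into every process that maps user32.dll: %s"
                           % (len(dlls), ", ".join(dlls)), line)
    if section == "O4":
        m = HKUS_RE.match(body)
        if m and m.group("sid") in SERVICE_ACCOUNT_SIDS:
            return Finding(section, "high",
                           "Run entry under service account %s, which never logs on interactively"
                           % m.group("sid"), line)
        m = RUNDLL_RE.search(body)
        if m and ntpath.basename(m.group("dll")).lower() not in RUNDLL_ALLOWLIST:
            return Finding(section, "medium",
                           "rundll32 autostart of unrecognised DLL %s" % m.group("dll"), line)
    if "(file missing)" in body:
        return Finding(section, "low", "orphaned entry; the referenced file no longer exists", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole pasted log and keep the hits, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f.severity.upper(), f.section, f.reason))
```

Run against the sample, the script reports the NETWORK SERVICE rundll32 entry and the AppInit_DLLs line as high and the qbwc protocol handler as a low-severity orphan; the NvCpl rundll32 line is skipped because it is allowlisted. The same rules applied to the second log in this thread would still fire on the O20 line even though its last path is truncated, since any non-empty AppInit_DLLs value is flagged.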



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:21 AM

Posted 13 May 2009 - 01:45 AM

Hello mcclune,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 13 May 2009 - 12:52 PM

Hi Tea,

Thank you kindly and in advance. I am grateful.

Since my last post I have installed Symantec AntiVirus Corporate Edition and uninstalled the other free antivirus programs. I still have McAfee installed, although I haven't been able to connect to mcafee.com via browser nor get any auto updates.

Symantec found Vundo in a Firefox program file yesterday, so I deleted it out of quarantine and uninstalled Firefox. I restarted the PC and did a full scan in safe mode. I restarted the PC and Symantec then found Vundo here: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP265\A0053828.exe. It quarantined it and I deleted it, and I haven't restarted the PC yet.

Again, I appreciate the help. I am in the music industry so if there's any genre you prefer, let me know and I'll see if I can send you some new music.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:54 AM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080116
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204592869281
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: rsdoph.dll qxmufk.dll c:\windows\system32\danipowu.dll,C:\WINDOWS\system32\
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 12050 bytes

#4 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 13 May 2009 - 10:32 PM

Never turned my PC off since the last post and just got this Symantec notification:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP265\A0053959.exe
Location: Quarantine
Computer: MIKESSUCCESS
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, May 13, 2009 7:45:37 PM

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:21 AM

Posted 14 May 2009 - 09:34 AM

Hello,

That's no threat, and we'll take care of it now:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.

Let me know if Norton shuts up now. :thumbup2:

Which AntiVirus are you going to keep?

Regards,
tea

#6 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 14 May 2009 - 11:35 AM

I've uninstalled McAfee, will stick with Norton. Open to other recommendations too. Am scanning now.

Should I be worried that Vundo has been popping up in places like Firefox, System32, etc. for the last week or so?

Also, some programs like Stamps.com and my Kodak printer aren't recognized anymore, and neither will reinstall properly. Is that a symptom of a virus or a result of having had it?

Again, much obliged. Thank you thank you thank you.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:21 AM

Posted 14 May 2009 - 11:52 AM

Yes, it is something to worry about. We aren't done yet, but this tool needs some protection software to be disabled, so getting this out of the way first helps. :thumbup2:

I need you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#8 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 14 May 2009 - 04:50 PM

Yikes, that was hair-raising. I disabled protection software, downloaded ComboFix, disconnected internet, and ComboFix wouldn't run... only the inch or so progress bar. Then nothing. Then freeze. I manually rebooted by holding the power button down. I started ComboFix in safe mode despite it telling me the MS Windows Recovery Console is not installed and it wouldn't fix the serious infections and it needed internet access to do so.

It ran and rebooted into regular mode, where my Symantec re-appeared in the lower right hand corner startup bar (which it hasn't ever done since they all disappeared when Vundo hit and I installed it after that) and it sounded as if ComboFix and Symantec were duking it out. I disabled Symantec and here's the log.

Should we be worried that ComboFix tells us it wasn't able to do the full shebang while in safe mode?

Here's the log:

ComboFix 09-05-14.03 - McClunacy 05/14/2009 14:32.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1762 [GMT -7:00]
Running from: c:\documents and settings\McClunacy\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\McClunacy\Application Data\inst.exe
c:\program files\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-14 17:57 . 2009-05-14 17:57 -------- d-sh--w c:\documents and settings\McClunacy\IECompatCache
2009-05-14 17:49 . 2009-05-14 17:49 -------- d-sh--w c:\documents and settings\McClunacy\PrivacIE
2009-05-14 15:44 . 2009-05-14 15:44 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\PCHealth
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\McClunacy\IETldCache
2009-05-14 04:49 . 2009-05-14 04:49 -------- d-----w c:\windows\ie8updates
2009-05-14 04:49 . 2009-04-25 05:30 102400 ------w c:\windows\system32\dllcache\iecompat.dll
2009-05-14 04:48 . 2009-05-14 04:49 -------- dc-h--w c:\windows\ie8
2009-05-13 02:40 . 2009-05-13 02:40 -------- d-----w C:\bbeaa106dce1cd97cdf9bdb4
2009-05-13 02:26 . 2008-10-22 14:54 102400 ----a-w c:\windows\system32\EKIJCOINST02.dll
2009-05-13 01:52 . 2009-05-13 01:52 70872 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:27 73496 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-12 18:28 . 2009-05-12 18:27 83208 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec_Client_Security
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{0BE4A41F-2461-43DE-B799-C509D8395034}
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{E40FD160-D3F8-4151-96D1-7B73567D4FF3}
2009-05-11 16:50 . 2009-05-14 21:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-30 17:18 . 2009-04-30 17:18 -------- d-----w c:\program files\Trend Micro
2009-04-30 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 01:05 . 2009-04-30 01:05 -------- d-----w C:\VundoFix Backups
2009-04-28 23:59 . 2009-04-29 00:00 512 ----a-w C:\drmHeader.bin
2009-04-28 16:33 . 2009-04-28 16:33 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-28 16:23 . 2009-04-28 16:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-27 23:41 . 2009-04-27 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 23:41 . 2009-05-14 21:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 23:41 . 2009-05-05 02:46 -------- d-----w c:\documents and settings\McClunacy\Application Data\SUPERAntiSpyware.com
2009-04-27 17:57 . 2009-04-27 17:57 -------- d-----w C:\a56dd43f6540c9fdc60a3f39a8c2
2009-04-27 17:55 . 2009-04-27 17:55 -------- d-----w c:\windows\system32\XPSViewer
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w c:\program files\Reference Assemblies
2009-04-27 17:54 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 17:54 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 17:54 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w C:\a819ca8b2918b0de80
2009-04-27 17:54 . 2009-04-27 19:57 -------- d-----w c:\windows\SxsCaPendDel
2009-04-24 21:33 . 2009-04-24 21:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\documents and settings\McClunacy\Application Data\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\program files\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\windows\Downloaded Installations
2009-04-15 16:10 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:10 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 16:10 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:10 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:10 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:10 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:10 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:10 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:10 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:10 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:09 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 21:37 . 2008-04-09 20:30 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-14 04:37 . 2008-02-01 03:06 89504 ----a-w c:\documents and settings\McClunacy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 01:55 . 2008-02-29 01:10 -------- d-----w c:\program files\Microsoft Works
2009-05-13 02:23 . 2008-12-17 03:27 -------- d-----w c:\program files\Common Files\Kodak
2009-05-12 21:41 . 2008-03-17 21:25 -------- d-----w c:\program files\Yahoo!
2009-05-12 18:12 . 2008-02-29 02:41 -------- d-----w c:\program files\Stamps.com Internet Postage
2009-05-12 18:11 . 2008-02-29 02:41 36 ---ha-w c:\windows\system32\f9t.dat
2009-05-01 02:13 . 2008-04-04 22:51 60 ----a-w c:\windows\wpd99.drv
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-23 19:08 . 2008-01-16 19:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 21:35 . 2008-01-16 19:38 -------- d-----w c:\program files\Java
2009-04-16 20:09 . 2008-03-20 17:22 -------- d-----w c:\program files\Soulseek
2009-04-01 00:53 . 2008-04-08 23:30 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-25 18:06 . 2008-02-04 19:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-02-04 19:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-02-04 19:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-09 12:19 . 2008-12-16 16:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-13 02:39 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-03-06 21:32 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2007-11-16 06:18 . 2008-04-08 23:17 9948 ----a-w c:\program files\HAZE.nfo
2007-08-15 23:43 . 2008-04-25 19:56 17488 ----a-w c:\program files\Autoplay.exe
2007-08-15 23:43 . 2008-04-08 23:19 360518 ----a-w c:\program files\act.ico
2004-01-27 23:28 . 2008-04-08 23:17 75 ----a-w c:\program files\Setup.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-12-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2007-10-24 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2007-10-24 393216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-05-21 90224]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]

c:\documents and settings\McClunacy\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-7-1 8766167]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-1-16 7168]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 12:33 PM 274432]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [4/25/2008 1:09 PM 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-05-14 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-10-30 17:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 14:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PSIService_2.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-14 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 21:40

Pre-Run: 272,310,157,312 bytes free
Post-Run: 272,316,026,880 bytes free

255 --- E O F --- 2009-05-14 21:06
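The log above is where a helper reads persistence off the machine: the "Other Deletions" list, the Run keys under "Reg Loading Points", and the Security Center block with "AntiVirusOverride"=dword:00000001. As an added example (not code from this thread, from BleepingComputer, or from ComboFix itself), the script below parses those three parts of a ComboFix log in the layout shown here and emits one finding per item a reviewer would look at first: a bare image name in a Run value that Windows resolves through the search path, an autostart image living under a user profile or temp directory, and the Security Center override that silences antivirus-status alerts. The sample log is constructed from lines in this post; the "Updater" Run value is invented to exercise the location check, and the "suspect directory" list is this example's own heuristic, not a ComboFix rule.

```python
"""Triage the persistence-relevant sections of a ComboFix log.

Added example, not code from the thread or from ComboFix. It assumes the
layout seen in the logs above: '((( Title )))' banners, REGEDIT4-style
[KEY] headers, and "Name"="image" [date size] value lines.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'                   # "Name"="image"
    r"(?: - (?P<resolved>.*?))?"                              # optional ' - c:\resolved\image'
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"   # optional [date size]
)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')

# Reviewer's heuristic (an assumption of this example, not a ComboFix rule):
# autostart images in per-user or temp locations deserve a second look.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '((( title )))' banner above them."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("title")
            sections.setdefault(current, [])
        elif line not in ("", "."):          # ComboFix uses lone '.' as a spacer
            sections[current].append(line)
    return sections


def run_entries(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, image as written, image as resolved) for ...\\Run values."""
    entries, key = [], ""
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key.lower().endswith("\\currentversion\\run"):
            raw = v.group("path")
            entries.append((key, v.group("name"), raw, v.group("resolved") or raw))
    return entries


def security_center(lines: List[str]) -> Dict[str, int]:
    """Return the dword values listed under the Security Center key."""
    values, key = {}, ""
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        d = DWORD_RE.match(line)
        if d and key.lower().endswith("\\security center"):
            values[d.group("name")] = int(d.group("value"), 16)
    return values


def triage(text: str) -> List[str]:
    """One finding per item a reviewer should look at, in log order."""
    findings = []
    sections = split_sections(text)
    for path in sections.get("Other Deletions", []):
        findings.append(f"removed by ComboFix: {path}")
    reg = sections.get("Reg Loading Points", [])
    for _key, name, raw, image in run_entries(reg):
        if "\\" not in raw:   # bare name: Windows resolves it via the search path
            findings.append(f"{name}: bare image name '{raw}' resolved via search path to {image}")
        if any(d in image.lower() for d in SUSPECT_DIRS):
            findings.append(f"{name}: autostart image in user/temp location: {image}")
    if security_center(reg).get("AntiVirusOverride", 0) != 0:
        findings.append("Security Center: AntiVirusOverride=1, antivirus status alerts are suppressed")
    return findings


# Constructed excerpt: banners and lines mirror the thread's first ComboFix log;
# the "Updater" Run value is invented here to exercise the location check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\McClunacy\Application Data\inst.exe
c:\program files\autorun.inf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Updater"="c:\documents and settings\McClunacy\Application Data\inst.exe" [2009-05-10 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-05-21 90224]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a saved log the findings come out in log order, so the deletions ComboFix already made are listed first and the still-live Run values and the Security Center override after them; the bare-name case is kept as a finding even when, as with RTHDCPL.EXE here, the resolved file is a legitimate vendor binary, because the value itself is what a planted file in an earlier search-path directory would hijack.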

#9 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts

Posted 14 May 2009 - 05:57 PM

I was able to run the program in regular Windows mode. Before ComboFix ran it reminded me I didn't have MS Windows Recovery Console installed and asked if it should update/download it. I said no since I wasn't online. It scanned, rebooted and upon reboot I got an error window saying the system could not find the HIDEC.exe file.

Here is the log:

ComboFix 09-05-14.03 - McClunacy 05/14/2009 15:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1431 [GMT -7:00]
Running from: c:\documents and settings\McClunacy\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-14 17:57 . 2009-05-14 17:57 -------- d-sh--w c:\documents and settings\McClunacy\IECompatCache
2009-05-14 17:49 . 2009-05-14 17:49 -------- d-sh--w c:\documents and settings\McClunacy\PrivacIE
2009-05-14 15:44 . 2009-05-14 15:44 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\PCHealth
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\McClunacy\IETldCache
2009-05-14 04:49 . 2009-05-14 04:49 -------- d-----w c:\windows\ie8updates
2009-05-14 04:49 . 2009-04-25 05:30 102400 ------w c:\windows\system32\dllcache\iecompat.dll
2009-05-14 04:48 . 2009-05-14 04:49 -------- dc-h--w c:\windows\ie8
2009-05-13 02:40 . 2009-05-13 02:40 -------- d-----w C:\bbeaa106dce1cd97cdf9bdb4
2009-05-13 02:26 . 2008-10-22 14:54 102400 ----a-w c:\windows\system32\EKIJCOINST02.dll
2009-05-13 01:52 . 2009-05-13 01:52 70872 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:27 73496 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-12 18:28 . 2009-05-12 18:27 83208 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec_Client_Security
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{0BE4A41F-2461-43DE-B799-C509D8395034}
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{E40FD160-D3F8-4151-96D1-7B73567D4FF3}
2009-05-11 16:50 . 2009-05-14 21:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-30 17:18 . 2009-04-30 17:18 -------- d-----w c:\program files\Trend Micro
2009-04-30 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 01:05 . 2009-04-30 01:05 -------- d-----w C:\VundoFix Backups
2009-04-28 23:59 . 2009-04-29 00:00 512 ----a-w C:\drmHeader.bin
2009-04-28 16:33 . 2009-04-28 16:33 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-28 16:23 . 2009-04-28 16:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-27 23:41 . 2009-04-27 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 23:41 . 2009-05-14 21:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 23:41 . 2009-05-14 21:11 -------- d-----w c:\documents and settings\McClunacy\Application Data\SUPERAntiSpyware.com
2009-04-27 17:57 . 2009-04-27 17:57 -------- d-----w C:\a56dd43f6540c9fdc60a3f39a8c2
2009-04-27 17:55 . 2009-04-27 17:55 -------- d-----w c:\windows\system32\XPSViewer
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w c:\program files\Reference Assemblies
2009-04-27 17:54 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 17:54 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 17:54 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w C:\a819ca8b2918b0de80
2009-04-27 17:54 . 2009-04-27 19:57 -------- d-----w c:\windows\SxsCaPendDel
2009-04-24 21:33 . 2009-04-24 21:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\documents and settings\McClunacy\Application Data\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\program files\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\windows\Downloaded Installations
2009-04-15 16:10 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:10 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 16:10 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:10 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:10 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:10 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:10 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:10 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:10 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:10 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:09 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 21:57 . 2008-02-29 02:41 -------- d-----w c:\program files\Stamps.com Internet Postage
2009-05-14 21:57 . 2008-02-29 02:41 36 ---ha-w c:\windows\system32\f9t.dat
2009-05-14 21:37 . 2008-04-09 20:30 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-14 04:37 . 2008-02-01 03:06 89504 ----a-w c:\documents and settings\McClunacy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 01:55 . 2008-02-29 01:10 -------- d-----w c:\program files\Microsoft Works
2009-05-13 02:23 . 2008-12-17 03:27 -------- d-----w c:\program files\Common Files\Kodak
2009-05-12 21:41 . 2008-03-17 21:25 -------- d-----w c:\program files\Yahoo!
2009-05-01 02:13 . 2008-04-04 22:51 60 ----a-w c:\windows\wpd99.drv
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-23 19:08 . 2008-01-16 19:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 21:35 . 2008-01-16 19:38 -------- d-----w c:\program files\Java
2009-04-16 20:09 . 2008-03-20 17:22 -------- d-----w c:\program files\Soulseek
2009-04-01 00:53 . 2008-04-08 23:30 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-25 18:06 . 2008-02-04 19:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-02-04 19:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-02-04 19:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-09 12:19 . 2008-12-16 16:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-13 02:39 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-03-06 21:32 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2007-11-16 06:18 . 2008-04-08 23:17 9948 ----a-w c:\program files\HAZE.nfo
2007-08-15 23:43 . 2008-04-25 19:56 17488 ----a-w c:\program files\Autoplay.exe
2007-08-15 23:43 . 2008-04-08 23:19 360518 ----a-w c:\program files\act.ico
2004-01-27 23:28 . 2008-04-08 23:17 75 ----a-w c:\program files\Setup.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_21.37.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-14 22:39 . 2009-05-14 22:39 16384 c:\windows\temp\Perflib_Perfdata_54c.dat
+ 2009-05-14 22:39 . 2009-05-14 22:39 16384 c:\windows\temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-12-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2007-10-24 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2007-10-24 393216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-05-21 90224]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]

c:\documents and settings\McClunacy\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-7-1 8766167]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-1-16 7168]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 12:33 PM 274432]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [4/25/2008 1:09 PM 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-05-14 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-10-30 17:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3000)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PSIService_2.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-14 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 22:43
ComboFix2.txt 2009-05-14 21:40

Pre-Run: 272,333,000,704 bytes free
Post-Run: 272,301,211,648 bytes free

256 --- E O F --- 2009-05-14 21:06

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 May 2009 - 05:22 AM

Thanks. :) I have two of you at once getting that error so I'm checking with the maker of the tool before we go on. I'll get back to you as soon as I can. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#11 mcclune
  • Topic Starter
  • Members
  • 70 posts

Posted 15 May 2009 - 12:35 PM

Stamps.com is working again and the programs in the lower left corner are loading again upon startup. Yesterday I had a few webpage redirects while surfing via Safari. Nothing bad, just strange, seemingly innocuous sites instead of the one I clicked on.

Also I perpetually get the yellow shield with exclamation point notice in the lower left hand corner saying I need to install the following update. When I click on it, it tries to download/install the following. When it says it's completed, the shield pops up again a few minutes later and tries to install the same exact thing. Here's what it keeps trying to install:
Installing Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430) (update 1 of 1)...

I haven't restarted the pc yet since turning it on this am.

God bless you and Texas! Hook 'em horns?

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 May 2009 - 10:13 PM

Hello there,

I'm not a huge college football fan... I guess I'm more the baseball type. :thumbup2:

Let's try this again. The glitch that caused the error has been fixed. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Now let's grab a fresh one. After you run it this time, please do reboot so any changes can take effect. :)

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#13 mcclune
  • Topic Starter
  • Members
  • 70 posts

Posted 18 May 2009 - 11:38 AM

Funny... I'm not big on college football either... just figured it was a good chance to show solidarity with a Texan. That and a prelim PayPal donation. Again, allow me to express my thanks. You're awesome!

So I deleted and reinstalled new Combofix from the bleepingcomputer.com link. I then rebooted and ran it while offline. Again it told me I don't have MS Windows Recovery Console and asked if it should download it. I clicked no. Report is below.

Lastly, I am still getting repeating security updates saying I need to install new stuff. I click the shield, choose express install and it says "Installing Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430) (update 1 of 1)..." Then it says it's complete. Within a minute the shield appears again and the cycle starts over. I've chosen the custom install option as well and the same thing happens.

Combofix log:

ComboFix 09-05-17.08 - McClunacy 05/18/2009 9:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1323 [GMT -7:00]
Running from: c:\documents and settings\McClunacy\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-14 17:57 . 2009-05-14 17:57 -------- d-sh--w c:\documents and settings\McClunacy\IECompatCache
2009-05-14 17:49 . 2009-05-14 17:49 -------- d-sh--w c:\documents and settings\McClunacy\PrivacIE
2009-05-14 15:44 . 2009-05-14 15:44 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\PCHealth
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-14 04:53 . 2009-05-14 04:53 -------- d-sh--w c:\documents and settings\McClunacy\IETldCache
2009-05-14 04:49 . 2009-05-14 04:49 -------- d-----w c:\windows\ie8updates
2009-05-14 04:49 . 2009-04-25 05:30 102400 ------w c:\windows\system32\dllcache\iecompat.dll
2009-05-14 04:48 . 2009-05-14 04:49 -------- dc-h--w c:\windows\ie8
2009-05-13 02:40 . 2009-05-13 02:40 -------- d-----w C:\bbeaa106dce1cd97cdf9bdb4
2009-05-13 02:26 . 2008-10-22 14:54 102400 ----a-w c:\windows\system32\EKIJCOINST02.dll
2009-05-13 01:52 . 2009-05-13 01:52 70872 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\McClunacy\Local Settings\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:27 73496 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-12 18:28 . 2009-05-12 18:27 83208 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-12 18:28 . 2009-05-12 18:28 -------- d-----w c:\program files\Symantec_Client_Security
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{0BE4A41F-2461-43DE-B799-C509D8395034}
2009-05-12 18:12 . 2009-05-12 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
2009-05-12 18:11 . 2009-05-12 18:11 -------- d-----w c:\documents and settings\All Users\Application Data\{E40FD160-D3F8-4151-96D1-7B73567D4FF3}
2009-05-11 16:50 . 2009-05-14 21:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-30 17:18 . 2009-04-30 17:18 -------- d-----w c:\program files\Trend Micro
2009-04-30 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 01:05 . 2009-04-30 01:05 -------- d-----w C:\VundoFix Backups
2009-04-28 23:59 . 2009-04-29 00:00 512 ----a-w C:\drmHeader.bin
2009-04-28 16:33 . 2009-04-28 16:33 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-28 16:23 . 2009-04-28 16:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-27 23:41 . 2009-04-27 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 23:41 . 2009-05-14 21:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 23:41 . 2009-05-14 21:11 -------- d-----w c:\documents and settings\McClunacy\Application Data\SUPERAntiSpyware.com
2009-04-27 17:57 . 2009-04-27 17:57 -------- d-----w C:\a56dd43f6540c9fdc60a3f39a8c2
2009-04-27 17:55 . 2009-04-27 17:55 -------- d-----w c:\windows\system32\XPSViewer
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w c:\program files\Reference Assemblies
2009-04-27 17:54 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 17:54 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 17:54 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 17:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 17:54 . 2009-04-27 17:54 -------- d-----w C:\a819ca8b2918b0de80
2009-04-27 17:54 . 2009-04-27 19:57 -------- d-----w c:\windows\SxsCaPendDel
2009-04-24 21:33 . 2009-04-24 21:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\documents and settings\McClunacy\Application Data\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\program files\YouSendIt
2009-04-23 19:08 . 2009-04-23 19:08 -------- d-----w c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 16:04 . 2008-04-09 20:30 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-14 21:57 . 2008-02-29 02:41 -------- d-----w c:\program files\Stamps.com Internet Postage
2009-05-14 21:57 . 2008-02-29 02:41 36 ---ha-w c:\windows\system32\f9t.dat
2009-05-14 04:37 . 2008-02-01 03:06 89504 ----a-w c:\documents and settings\McClunacy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 01:55 . 2008-02-29 01:10 -------- d-----w c:\program files\Microsoft Works
2009-05-13 02:23 . 2008-12-17 03:27 -------- d-----w c:\program files\Common Files\Kodak
2009-05-12 21:41 . 2008-03-17 21:25 -------- d-----w c:\program files\Yahoo!
2009-05-01 02:13 . 2008-04-04 22:51 60 ----a-w c:\windows\wpd99.drv
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-23 19:08 . 2008-01-16 19:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 21:35 . 2008-01-16 19:38 -------- d-----w c:\program files\Java
2009-04-16 20:09 . 2008-03-20 17:22 -------- d-----w c:\program files\Soulseek
2009-04-01 00:53 . 2008-04-08 23:30 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-25 18:06 . 2008-02-04 19:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-02-04 19:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-02-04 19:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-02-04 19:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-09 12:19 . 2008-12-16 16:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-13 02:39 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-03-06 21:32 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2007-11-16 06:18 . 2008-04-08 23:17 9948 ----a-w c:\program files\HAZE.nfo
2007-08-15 23:43 . 2008-04-25 19:56 17488 ----a-w c:\program files\Autoplay.exe
2007-08-15 23:43 . 2008-04-08 23:19 360518 ----a-w c:\program files\act.ico
2004-01-27 23:28 . 2008-04-08 23:17 75 ----a-w c:\program files\Setup.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2007-10-24 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2007-10-24 393216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-05-21 90224]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]

c:\documents and settings\McClunacy\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-7-1 8766167]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-1-16 7168]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 12:33 PM 274432]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [4/25/2008 1:09 PM 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-05-16 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-10-30 17:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(308)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-18 9:18
ComboFix-quarantined-files.txt 2009-05-18 16:18
ComboFix2.txt 2009-05-14 22:43

Pre-Run: 271,344,414,720 bytes free
Post-Run: 271,364,845,568 bytes free

210 --- E O F --- 2009-05-18 15:58

#14 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 May 2009 - 01:20 PM

Hello,

Navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop. Close the Kaspersky On-line Scanner window.

Thanks,
tea

#15 mcclune
  • Topic Starter
  • Members
  • 70 posts

Posted 18 May 2009 - 04:23 PM

Is this what you're looking for? The online scan I just did didn't have the options and prompts you mentioned above.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 21:28:01
Records in database: 2191809
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 79740
Threat name: 4
Infected objects: 5
Suspicious objects: 15
Duration of the scan: 01:36:41


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\015C0000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\015C0002.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 15
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Dropper.MSOffice.Fordo.b 1
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Worm.Win32.Agent.jf 2

The selected area was scanned.



