Vundo Infection


  • This topic is locked
8 replies to this topic

#1 appage21

appage21

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 22 May 2009 - 02:32 PM

DDS (Ver_09-05-14.01) - NTFSx86
Run by Andy at 15:18:41.54 on Fri 05/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.396 [GMT -4:00]

AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\DOCUME~1\Andy\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Andy\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Andy\Desktop\dds.scr
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://umass.edu/umhome/index.php
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
uWindow Title = Microsoft Internet Explorer provided by Comcast
uDefault_Search_URL =
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {c91c9f6f-95ab-4266-91da-a717ce4d91cf} - c:\windows\system32\fehamito.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D3FBBA39-B2CD-4A1A-81B5-E940850BDF59} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PeerGuardian] "c:\program files\peerguardian2\pg2.exe"
uRun: [Aim6]
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [AVG7_CC] "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /STARTUP
mRun: [MaxtorOneTouch] "c:\program files\maxtor\onetouch\utils\Onetouch.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [zorewubovo] Rundll32.exe "c:\windows\system32\jehibowi.dll",s
mRun: [98db2883] rundll32.exe "c:\windows\system32\zilolowa.dll",b
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
dRunOnce: [RunNarrator]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes\psn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093798515500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {64697663-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/cinepak.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} - hxxp://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.dotphoto.com/XUpload.ocx
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\gezimihe.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\gezimihe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\l1am3en0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\documents and settings\andy\application data\mozilla\firefox\profiles\l1am3en0.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\andy\application data\mozilla\firefox\profiles\l1am3en0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-2 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-9-27 5504]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-4-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-4-17 27776]
R1 AvgClean;AVG Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-4-18 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-4-17 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-4-17 49664]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2006-9-6 188276]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-7-18 33792]
S1 tvtool;tvtool;\??\c:\program files\tvtool 6.5\tvtool.sys --> c:\program files\tvtool 6.5\tvtool.sys [?]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2005-8-7 52384]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2005-8-7 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2005-8-7 84384]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2005-8-7 66016]
S3 Curidcato;Curidcato;c:\windows\system32\MRINFO.EXE [2002-8-29 12800]
S3 bleepFmn;bleepFmn;\??\c:\program files\avisplit\bleepfmn.sys --> c:\program files\avisplit\bleepFmn.sys [?]
S3 MIDUSB;Driver for Midistart-2;c:\windows\system32\drivers\mstart-2drv.sys [2006-7-17 46976]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
SUnknown Net.n0n5ilip;Net.n0n5ilip; [x]

=============== Created Last 30 ================

2009-05-21 15:11 <DIR> --d----- c:\program files\TagScanner
2009-05-21 01:17 1,434,578 ---sh--- c:\windows\system32\awololiz.ini
2009-05-20 16:47 <DIR> --d----- c:\docume~1\andy\applic~1\Extensis
2009-05-20 16:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Extensis
2009-05-20 16:43 <DIR> --d----- c:\program files\Extensis
2009-05-20 13:18 1,434,587 ---sh--- c:\windows\system32\uyemitab.ini
2009-05-19 17:39 1,434,587 ---sh--- c:\windows\system32\epifohal.ini
2009-05-13 04:13 1,434,578 ---sh--- c:\windows\system32\onoluzes.ini
2009-05-12 04:09 1,434,587 ---sh--- c:\windows\system32\osulaven.ini
2009-05-11 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OrbNetworks
2009-05-11 17:58 <DIR> --d----- c:\program files\Winamp Remote
2009-05-09 03:04 1,434,587 ---sh--- c:\windows\system32\ukihorej.ini
2009-05-08 15:03 1,434,565 ---sh--- c:\windows\system32\unepemov.ini
2009-05-08 03:03 1,434,565 ---sh--- c:\windows\system32\ijomiveg.ini
2009-05-07 15:03 1,434,565 ---sh--- c:\windows\system32\ukimefav.ini
2009-05-07 03:03 1,433,623 ---sh--- c:\windows\system32\ojapuwuv.ini
2009-05-04 03:01 1,433,632 ---sh--- c:\windows\system32\oyusuvob.ini
2009-05-03 15:01 1,433,623 ---sh--- c:\windows\system32\uhofozop.ini
2009-05-03 03:01 1,433,623 ---sh--- c:\windows\system32\egezoham.ini
2009-05-02 20:08 <DIR> --d----- c:\program files\SopCast
2009-05-02 15:01 1,433,610 ---sh--- c:\windows\system32\edurenaw.ini
2009-05-02 03:01 1,433,623 ---sh--- c:\windows\system32\ikadumuk.ini
2009-05-01 18:48 <DIR> --d----- c:\program files\Bonjour
2009-05-01 18:23 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-05-01 15:00 1,433,641 ---sh--- c:\windows\system32\ivapobut.ini
2009-05-01 03:00 1,433,650 ---sh--- c:\windows\system32\oneyonuf.ini
2009-04-30 15:02 1,433,650 ---sh--- c:\windows\system32\ewokesoz.ini
2009-04-30 14:59 69,632 a------- c:\documents and settings\andy\a.exe

==================== Find3M ====================

2009-05-22 00:30 112,560 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-19 17:39 100,864 -------- c:\windows\system32\lahofipe.dll
2009-05-11 16:09 65,024 a--sh--- c:\windows\system32\lajerode.exe
2009-05-07 03:03 69,632 a--sh--- c:\windows\system32\tadofuvo.dll
2009-05-07 03:03 100,864 -------- c:\windows\system32\vuwupajo.dll
2009-05-04 03:01 101,376 -------- c:\windows\system32\bovusuyo.dll
2009-05-02 15:00 61,440 a--sh--- c:\windows\system32\sijuwuji.exe
2009-05-02 03:00 100,864 -------- c:\windows\system32\kumudaki.dll
2009-05-01 15:00 101,888 -------- c:\windows\system32\tubopavi.dll
2009-05-01 15:00 62,976 a--sh--- c:\windows\system32\sefuyahu.exe
2009-05-01 03:00 69,632 a--sh--- c:\windows\system32\wotozaso.dll
2009-05-01 03:00 63,488 a--sh--- c:\windows\system32\royufehe.exe
2009-04-30 15:02 70,144 a--sh--- c:\windows\system32\pebudure.dll
2009-04-30 15:01 62,464 a--sh--- c:\windows\system32\vujafape.exe
2009-04-30 15:01 102,400 -------- c:\windows\system32\zosekowe.dll
2009-02-18 21:21 256 a------- c:\documents and settings\andy\pool.bin
2007-10-08 12:23 87,608 a------- c:\docume~1\andy\applic~1\ezpinst.exe
2007-10-08 12:23 47,360 a------- c:\docume~1\andy\applic~1\pcouffin.sys
2006-03-14 16:31 21,376 a------- c:\windows\inf\hopperp.sys
2006-02-28 14:35 487 a------- c:\documents and settings\andy\CR-DX7WP.reg
2005-03-02 20:56 88,720 a------- c:\docume~1\andy\applic~1\GDIPFONTCACHEV1.DAT
2003-10-07 15:35 784 a------- c:\docume~1\andy\applic~1\mpauth.dat
2003-03-31 14:48 221,249 a------- c:\windows\inf\Mididll.dll
2003-03-31 14:33 167,580 a------- c:\windows\inf\BulkUsb.sys
2003-03-15 15:30 7,808 a------- c:\windows\inf\MyMidi.drv
2000-04-25 01:00 1,437,910 a------- c:\documents and settings\andy\Setup.exe
2005-05-13 18:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 12:13 66,560 a--shr-- c:\windows\MOTA113.exe
1823-03-19 01:27 4,263 ---sh--- c:\windows\windllreg1c.sys
2005-10-13 22:27 422,400 a--shr-- c:\windows\x2.64.exe
2004-11-06 14:20 56 ---shr-- c:\windows\system32\00E32A7342.sys
2005-10-07 20:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 13:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 16:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 23:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 11:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 14:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 15:23:43.29 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/1/2003 7:21:23 PM
System Uptime: 5/20/2009 1:15:42 PM (50 hours ago)

Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel® Pentium® 4 CPU 2.40GHz | Microprocessor | 2394/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 10.103 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM (CDFS)
G: is FIXED (NTFS) - 190 GiB total, 19.522 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Service: E100B

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


3ivx D4 4.5.1 (remove only)
Absolute Poker
AC3Filter (remove only)
Action Replay XBOX 1.31
Adobe Acrobat 5.0
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 8.1.0
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AIM 6
AnalogX Rhyme
Antares Autotune VST RTAS TDM v5.08
Antares AVOX Vocal Kit Bundle VST v1.02
Antares Microphone Modeler - ZONE
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATT 1.4 Engine Only (no voices)
Audiorealism BassLine VSTi v1.06
Audiovox USB Drivers
AutoUpdate
AVG Free Edition
Azureus
Banctec Service Agreement
BitPim 1.0.1.20070802
BlackBerry Desktop Software 4.3
BrainWave Generator
Canon PIXMA iP1500
CCleaner (remove only)
CDex extraction audio
CleanUp!
ComcastSUPPORT
Conexant SmartHSFi V92 56K DF PCI Modem
Consumer Complete Care Services Agreement
ConvertXtoDVD 2.1.14.223
Cool Edit Pro 2.0
Crazy Poker
Curitel Packet Service Software
CuteFTP 6 Professional
CuteFTP 8 Professional
DAEMON Tools
Dell Networking Guide
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DFX for Winamp
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DreamStation DXi
DriverGuide Toolkit
DVDSentry
Dynamic Library v1.03
Easy CD Creator 5 Basic
Enhance/MP3 (remove only)
ESPNMotion
Extensis Suitcase 11.0.1
ffdshow [rev 1723] [2007-12-24]
Final Draft 7
FL Studio 6
FlashDigger Plus
FlashFXP v3
FlashGet 1.9.6.1073
FoxyTunes for Firefox
Google Earth
Grand Theft Auto Vice City
GSpot Codec Information Appliance
GST 2.3.6.1
GTK+ Runtime 2.4.7 rev a (remove only)
Guitar Pro 5.2
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB926239)
Huffyuv AVI lossless video codec (Remove Only)
Hypersonic 1.1.1
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iPod for Windows 2006-03-23
iPodRip
iTunes
iTunes Library Updater
iZotope Ozone 3
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 10
K-Lite Codec Pack 2.54 Full
KORG Legacy Collection v1.1.3
LG USB Modem driver
Linksys Wireless-G PCI Adapter
LinPlug Octopus VSTi v1.0
Macromedia Extension Manager
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Shockwave Player
Maxtor Backup
Maxtor OneTouch III
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
MID Converter 4.0
mIRC
MixMeister BPM Analyzer 1.0
Modem Helper
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.10)
MP3Test 1.5.1.152
MSXML 6.0 Parser
MUSICMATCH® Jukebox
Native Instruments B4 Tone Wheels Bundle v1.11
Native Instruments FM7
Native Instruments Guitar Rig 2
Native Instruments Guitar Rig 3
Native Instruments Kontakt v1.02
Native Instruments Service Center
Nero 7 Essentials
NetWaiting
Novation Bass-Station VSTi v1.10
NVIDIA Windows 2000/XP Display Drivers
Paint Shop Pro 7
PeerGuardian 2.0
Post-it® Software Notes
PowerISO
QPST
QuickTime
RealPlayer
RealProducer Basic 10
Roxio Media Manager
SampleTank 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Shockwave
Slab DSP - Virtuoso v1.0 (remove only)
SopCast 3.0.3
SoulSeek Client 156c
Spy Sweeper
Spybot - Search & Destroy 1.4
Starcraft
Steinberg Groove Agent 2 v2.0.0.28
Syncrosoft's License Control
SyncroSoft Emu (Remove only)
TagScanner 5.0 build 532
Trillian
TTS
TVersity Codec Pack 1.2
TVersity Media Server Pro 1.5a Beta
UltraEdit-32
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908521)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB 2.0 Single Slot Reader
USB Dual Vibration Joystick
USB Memory Stick Reader/Writer
Usb Midi Keyboard
VideoLAN VLC media player 0.8.6d
Virtual Sound Canvas VST
Waves Diamond Bundle v5.0
Waves Native Gold Bundle v3.01
WebFldrs XP
Winamp
Winamp Essentials Pack v5.32
Winamp Remote
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Tools 4.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinSCP 4.0.7
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
zbattle.net 1.09 SR-1 beta

==== End Of File ===========================



Thank you
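Added example (an editorial addition; not part of appage21's post and not code from DDS or ComboFix): a small Python triage script that reads DDS-style lines and flags the persistence mechanisms the log above exhibits: a non-empty AppInit_DLLs value, a non-default LSA Notification Packages entry, Run keys that start rundll32 on a DLL in system32, a BHO with no description, and randomly named files in the file listings. The consonant/vowel naming check is an assumption inferred from the names in this log (jehibowi, gezimihe, awololiz), not a documented Vundo property; the Finding kinds and function names are the example's own; the sample lines are excerpted from the log above.

```python
"""Triage a DDS log for Vundo-style persistence indicators.
Added editorial example, not part of the original post nor DDS/ComboFix code.
The consonant/vowel naming heuristic is an assumption inferred from the
file names visible in the log above."""
from __future__ import annotations

import re
from dataclasses import dataclass

VOWELS = frozenset("aeiou")


def alternates_consonant_vowel(stem: str) -> bool:
    """Heuristic (assumption): 8 lowercase letters strictly alternating
    consonant/vowel, e.g. 'jehibowi', 'awololiz'. 'y' counts as a consonant."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [ch in VOWELS for ch in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


@dataclass(frozen=True)
class Finding:
    kind: str      # persistence mechanism or file artefact class
    line_no: int   # 1-based line within the text passed to triage()
    detail: str


# One regex per DDS "pseudo HJT" mechanism of interest, plus file rows like
# "2009-05-21 01:17 1,434,578 ---sh--- c:\windows\system32\awololiz.ini".
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(\S.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.*rundll32.*)$", re.I)
BHO_UNNAMED_RE = re.compile(r"^BHO:\s*\{[0-9a-f-]{36}\}\s*-\s*(.+)$", re.I)
FILE_ROW_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$", re.I)
FILE_NAME_RE = re.compile(r"([A-Za-z]+)\.(dll|exe|ini)\b", re.I)


def random_looking_names(text: str) -> list[str]:
    """Every dll/exe/ini name in `text` whose stem fits the heuristic."""
    return [m.group(0).lower() for m in FILE_NAME_RE.finditer(text)
            if alternates_consonant_vowel(m.group(1).lower())]


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect indicators worth a human look."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # Loaded into every process that maps user32.dll: flag any value.
            findings.append(Finding("appinit_dlls", line_no, m.group(1)))
        elif m := LSA_RE.match(line):
            # scecli is the stock package; anything else is loaded by LSASS.
            for pkg in m.group(1).split():
                if pkg.lower() != "scecli":
                    findings.append(Finding("lsa_notification_package", line_no, pkg))
        elif m := RUN_RE.match(line):
            # Run/RunOnce entries that start rundll32 on a random-named DLL.
            for name in random_looking_names(m.group(1)):
                findings.append(Finding("run_rundll32_random_dll", line_no, name))
        elif m := BHO_UNNAMED_RE.match(line):
            # BHO with no description text, backed by a random-named DLL.
            for name in random_looking_names(m.group(1)):
                findings.append(Finding("bho_unnamed_random_dll", line_no, name))
        elif m := FILE_ROW_RE.match(line):
            size, attrs, path = m.groups()
            if random_looking_names(path):
                findings.append(Finding("random_named_file", line_no,
                                        f"{path} ({attrs}, {size} bytes)"))
    return findings


def cross_referenced(findings: list[Finding]) -> dict[str, set[str]]:
    """Names that appear under more than one mechanism: one module registered
    several ways is a stronger signal than any single line."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        for name in random_looking_names(f.detail):
            seen.setdefault(name, set()).add(f.kind)
    return {name: kinds for name, kinds in seen.items() if len(kinds) > 1}


# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {c91c9f6f-95ab-4266-91da-a717ce4d91cf} - c:\windows\system32\fehamito.dll
mRun: [AVG7_CC] "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /STARTUP
mRun: [zorewubovo] Rundll32.exe "c:\windows\system32\jehibowi.dll",s
mRun: [98db2883] rundll32.exe "c:\windows\system32\zilolowa.dll",b
AppInit_DLLs: c:\windows\system32\gezimihe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\gezimihe.dll
2009-05-21 15:11 <DIR> --d----- c:\program files\TagScanner
2009-05-21 01:17 1,434,578 ---sh--- c:\windows\system32\awololiz.ini
2009-05-19 17:39 100,864 -------- c:\windows\system32\lahofipe.dll
2009-05-11 16:09 65,024 a--sh--- c:\windows\system32\lajerode.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.kind:<26} {f.detail}")
```

Two design points. AppInit_DLLs and the LSA package list are flagged on presence, not on the name, because a DLL in either location is loaded into processes the user never launches (every user32 client, and lsass.exe respectively), so a clean-looking name there still deserves a look. The cross-reference step is what makes this log stand out: gezimihe.dll is both the AppInit_DLLs value and the extra LSA notification package, so removing only the Run entries would leave the module loading at the next boot.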


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:39 AM

Posted 22 May 2009 - 03:43 PM

Hi appage21,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, and there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic, and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 appage21

appage21
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 22 May 2009 - 03:53 PM

I am here

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:39 AM

Posted 24 May 2009 - 05:16 AM

Hi appage21,

There is indeed a lot of Vundo in your PC.

Firstly,

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Azureus and Soulseek). These programmes allow users to share files, as the name suggests. In today's world cyber crime has come a long way, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally, there are also legal ways to use these services, such as downloading Linux distributions or office suites like "Open Office."

Next, on with the fix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 appage21

appage21
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 24 May 2009 - 04:12 PM

ComboFix 09-05-24.01 - Andy 05/24/2009 16:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.486 [GMT -4:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Andy\LOCALS~1\Temp\rdD8.tmp\____mmfp.ocx
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Andy\Local Settings\Temp\rdD8.tmp\____mmfp.ocx
c:\windows\patch.exe
c:\windows\system32\awololiz.ini
c:\windows\system32\edurenaw.ini
c:\windows\system32\egezoham.ini
c:\windows\system32\epifohal.ini
c:\windows\system32\ewokesoz.ini
c:\windows\system32\FTPx.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\ijomiveg.ini
c:\windows\system32\ikadumuk.ini
c:\windows\system32\ivapobut.ini
c:\windows\system32\MabryObj.dll
c:\windows\system32\ojapuwuv.ini
c:\windows\system32\oneyonuf.ini
c:\windows\system32\onoluzes.ini
c:\windows\system32\open.ico
c:\windows\system32\osulaven.ini
c:\windows\system32\oyusuvob.ini
c:\windows\system32\ufezubet.ini
c:\windows\system32\uhofozop.ini
c:\windows\system32\ukihorej.ini
c:\windows\system32\ukimefav.ini
c:\windows\system32\Ultra.dll
c:\windows\system32\unepemov.ini
c:\windows\system32\uyemitab.ini
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://zahadum.oit.ads.umass.edu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2095-11-30 23:05 . 2095-11-30 23:05 -------- d-s---w c:\documents and settings\Andy\UserData
2095-11-30 22:49 . 2004-05-10 03:08 -------- d-----w c:\program files\WS_FTP
2009-05-22 13:07 . 2009-02-24 14:08 17835008 ----a-w c:\documents and settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\backup\avgabout.dll
2009-05-21 19:11 . 2009-05-21 19:11 -------- d-----w c:\program files\TagScanner
2009-05-20 20:47 . 2009-05-22 20:05 -------- d-----w c:\documents and settings\All Users\Application Data\Extensis
2009-05-20 20:47 . 2009-05-20 20:48 -------- d-----w c:\documents and settings\Andy\Application Data\Extensis
2009-05-20 20:43 . 2009-05-20 20:43 -------- d-----w c:\program files\Extensis
2009-05-19 22:34 . 2009-05-21 19:47 -------- d-----w c:\documents and settings\Andy\Local Settings\Application Data\MediaMonkey
2009-05-11 21:59 . 2009-05-11 22:07 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2009-05-11 21:58 . 2009-05-11 22:01 -------- d-----w c:\program files\Winamp Remote
2009-05-03 00:08 . 2009-05-03 00:09 -------- d-----w c:\program files\SopCast
2009-05-01 23:29 . 2007-02-21 06:09 2781184 ----a-w c:\documents and settings\Andy\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-01 22:48 . 2009-05-01 22:48 -------- d-----w c:\program files\Bonjour
2009-05-01 22:23 . 2009-05-01 22:23 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-28 17:42 . 2009-02-10 18:25 372736 ----a-w c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\l1am3en0.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 21:02 . 2007-02-10 21:59 -------- d-----w c:\program files\PeerGuardian2
2009-05-24 20:56 . 2007-11-13 05:45 -------- d-----w c:\program files\FlashGet
2009-05-24 12:00 . 2006-04-17 18:11 -------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2009-05-22 19:46 . 2005-01-09 01:56 -------- d-----w c:\documents and settings\Andy\Application Data\Azureus
2009-05-22 04:30 . 2005-12-29 06:22 112560 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-21 22:04 . 2003-08-24 15:25 -------- d-----w c:\program files\Soulseek
2009-05-19 22:35 . 2005-10-27 21:53 -------- d-----w c:\program files\MediaMonkey
2009-05-11 22:22 . 2008-01-07 18:07 -------- d-----w c:\program files\TVersity Codec Pack
2009-05-11 22:22 . 2008-01-07 18:08 -------- d-----w c:\program files\ffdshow
2009-05-11 20:58 . 2003-07-29 15:03 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 08:17 . 2007-10-08 16:23 -------- d-----w c:\documents and settings\Andy\Application Data\Vso
2009-05-01 22:48 . 2003-08-29 06:12 -------- d-----w c:\program files\Common Files\Adobe
2009-04-28 17:51 . 2004-05-26 19:31 -------- d-----w c:\program files\Azureus
2009-04-21 08:52 . 2009-04-21 08:52 -------- d-----w c:\documents and settings\Andy\Application Data\vlc
2009-04-21 08:48 . 2009-04-21 08:48 -------- d-----w c:\program files\VideoLAN
2009-04-20 21:44 . 2006-03-02 20:27 -------- d-----w c:\program files\ewido anti-malware
2009-04-20 21:37 . 2004-08-17 20:23 -------- d-----w c:\program files\Gabest
2009-04-20 21:35 . 2006-07-11 20:23 -------- d-----w c:\program files\Native Instruments
2009-04-20 21:30 . 2006-07-19 03:13 -------- d-----w c:\program files\VirSyn Software Synthesizer
2009-04-20 21:28 . 2006-07-09 15:42 -------- d-----w c:\program files\VstPlugins
2009-04-20 21:24 . 2007-01-04 05:02 -------- d-----w c:\program files\Avi2Dvd
2009-04-20 21:23 . 2009-02-20 08:15 -------- d-----w c:\program files\NextUp Talker
2009-04-20 21:04 . 2004-07-16 01:53 -------- d-----w c:\program files\AIM
2009-04-20 21:02 . 2009-02-20 08:50 -------- d-----w c:\program files\Cepstral
2009-04-20 20:59 . 2006-10-26 23:47 -------- d-----w c:\program files\Absolute Poker
2009-04-07 14:40 . 2007-08-26 23:01 -------- d-----w c:\program files\Battlefield Vietnam
2009-04-07 01:42 . 2009-04-07 01:42 -------- d-----w c:\program files\Microsoft Silverlight
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r c:\windows\MOTA113.exe
1823-03-19 05:27 . 1823-03-19 05:27 4263 --sh--w c:\windows\windllreg1c.sys
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r c:\windows\x2.64.exe
2004-11-06 18:20 . 2004-11-06 18:20 56 --sh--r c:\windows\SYSTEM32\00E32A7342.sys
2005-10-08 00:14 . 2005-10-08 00:14 308224 --sha-r c:\windows\SYSTEM32\avisynth.dll
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r c:\windows\SYSTEM32\cygz.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\SYSTEM32\i420vfw.dll
2006-04-27 15:24 . 2006-04-27 15:24 2945024 --sha-r c:\windows\SYSTEM32\Smab.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r c:\windows\SYSTEM32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-24 590848]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-11-09 634880]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-01 4806144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-7-29 24576]
Post-itr Software Notes.lnk - c:\program files\3M\PSNotes\psn.exe [2003-10-10 675840]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= mstart-2int.cpl
"midi2"= mstart-2int.cpl
"midi4"= mstud-2int.cpl
"midi3"= mstart-2int.cpl
"midi5"= mstud-2int.cpl
"midi6"= mstart-2int.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Andy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"c:\\Program Files\\Qwix101\\Qwix.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\Andy\\Desktop\\XBOX\\QWIX\\Qwix.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\WINDOWS\\SYSTEM32\\jview.exe"=
"c:\\Program Files\\Activision\\THPS2\\THPS2\\THawk2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"49153:TCP"= 49153:TCP:azur
"49153:UDP"= 49153:UDP:azur2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pnpshark;pnpshark;c:\windows\SYSTEM32\DRIVERS\pnpshark.sys [10/2/2003 4:16 AM 119552]
R0 st3shark;st3shark;c:\windows\SYSTEM32\DRIVERS\st3shark.sys [9/27/2003 3:37 PM 5504]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [9/6/2006 9:41 AM 188276]
R3 CLEDX;Team H2O CLEDX service;c:\windows\SYSTEM32\DRIVERS\cledx.sys [7/18/2006 10:58 PM 33792]
S1 tvtool;tvtool;\??\c:\program files\TVTool 6.5\tvtool.sys --> c:\program files\TVTool 6.5\tvtool.sys [?]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\cur_bus.sys [8/7/2005 2:30 PM 52384]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\SYSTEM32\DRIVERS\cur_mdfl.sys [8/7/2005 2:30 PM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\SYSTEM32\DRIVERS\cur_mdm.sys [8/7/2005 2:30 PM 84384]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\SYSTEM32\DRIVERS\cur_serd.sys [8/7/2005 2:30 PM 66016]
S3 Curidcato;Curidcato;c:\windows\SYSTEM32\MRINFO.EXE [8/29/2002 6:00 AM 12800]
S3 bleepFmn;bleepFmn;\??\c:\program files\avisplit\bleepFmn.sys --> c:\program files\avisplit\bleepFmn.sys [?]
S3 MIDUSB;Driver for Midistart-2;c:\windows\SYSTEM32\DRIVERS\mstart-2drv.sys [7/17/2006 4:55 PM 46976]
S3 Mnmshspitest;Mnmshspitest; [x]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [1/2/2001 11:53 PM 19677]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
- - - - ORPHANS REMOVED - - - -

BHO-{c91c9f6f-95ab-4266-91da-a717ce4d91cf} - c:\windows\system32\fehamito.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-zorewubovo - c:\windows\system32\jehibowi.dll
HKLM-Run-98db2883 - c:\windows\system32\zilolowa.dll
HKU-Default-RunOnce-RunNarrator - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://umass.edu/umhome/index.php
uDefault_Search_URL =
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\l1am3en0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\l1am3en0.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\l1am3en0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 16:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1817575022-2413344216-1473767868-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5FF241ED-3170-72CF-C73C-A555D060A271}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\mstart-2int.cpl
c:\windows\system32\mstud-2int.cpl
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\mstart-2int.cpl
c:\windows\system32\mstud-2int.cpl

- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\mstart-2int.cpl
c:\windows\system32\mstud-2int.cpl
c:\windows\System32\msls31.dll
c:\windows\System32\shdoclc.dll
c:\windows\System32\msimtf.dll
c:\windows\System32\MSCTF.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\program files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\3M\PSNotes\PSNGive.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
c:\program files\TVersity\Media Server\web\admin\TVersity.exe
c:\program files\TVersity\Media Server\MediaServer.exe
.
**************************************************************************
.
Completion time: 2009-05-24 17:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 21:09

Pre-Run: 16,070,893,568 bytes free
Post-Run: 24,968,314,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

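As an added example (not from this thread, and not ComboFix's own code), a small Python triage script that applies the kind of checks a helper makes when reading a ComboFix log like the one above: random consonant-vowel file names in system32 (the naming pattern of the Vundo files deleted above, used here as an assumed heuristic rather than a ComboFix rule), autorun orphans that still point at a file, extra BootExecute entries, and port 3389/TCP left open in the firewall. The sample log lines are constructed from entries in this thread.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re

CONS = "bcdfghjklmnpqrstvwxyz"
VOW = "aeiou"
# Assumed heuristic: 8-letter names that strictly alternate consonant/vowel
# (fehamito, jehibowi, awololiz, ...) as generated by the Vundo droppers of the time.
RANDOM_NAME = re.compile(rf"^(?:[{CONS}][{VOW}]){{4}}$|^(?:[{VOW}][{CONS}]){{4}}$")
SYSTEM32_FILE = re.compile(r"^c:\\windows\\system32\\([a-z]+)\.(ini|dll)$", re.I)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[')       # "name"="path" [date size]
ORPHAN = re.compile(r"^(BHO|HKLM-Run|HKCU-Run)-(\S+) - (.+)$")
BOOT_EXECUTE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(.+)$")
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')


def looks_random(stem: str) -> bool:
    """True when a file/value name matches the assumed random-name pattern."""
    return bool(RANDOM_NAME.match(stem.lower()))


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (finding_kind, evidence) pairs for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SYSTEM32_FILE.match(line)
        if m and looks_random(m.group(1)):
            findings.append(("random-name-file", line))
            continue
        m = RUN_VALUE.match(line)
        if m:
            name, path = m.groups()
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(name) or looks_random(stem):
                findings.append(("random-name-autorun", line))
            continue
        m = ORPHAN.match(line)
        if m and m.group(3) != "(no file)":       # orphan that still names a file on disk
            findings.append(("orphan-autorun", line))
            continue
        m = BOOT_EXECUTE.match(line)
        if m:
            # ComboFix prints REG_MULTI_SZ values with literal \0 separators.
            entries = m.group(1).split("\\0")
            extra = [e for e in entries if e not in ("autocheck autochk *", "")]
            if extra:   # anything beyond the default needs review (security products register here too)
                findings.append(("bootexecute-extra", ";".join(extra)))
            continue
        m = OPEN_PORT.match(line)
        if m and m.group(1) == "3389" and m.group(2) == "TCP":
            findings.append(("rdp-open", line))   # Remote Desktop reachable through the firewall
    return findings


# Constructed sample: lines taken from the log in this thread, plus one constructed Run value.
SAMPLE_LOG = r"""
c:\windows\system32\awololiz.ini
c:\windows\system32\FTPx.dll
c:\windows\system32\Ultra.dll
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"zorewubovo"="c:\windows\system32\jehibowi.dll" [2009-05-20 104448]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
BHO-{c91c9f6f-95ab-4266-91da-a717ce4d91cf} - c:\windows\system32\fehamito.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-zorewubovo - c:\windows\system32\jehibowi.dll
"""

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"{kind:22} {evidence}")
```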

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:39 AM

Posted 25 May 2009 - 04:25 AM

Hi appage21,

The log looks good. How is the computer running?

Let's do a clean-up.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Thanks :thumbup2:

#7 appage21

appage21
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 26 May 2009 - 12:55 PM

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 25, 2009 20:41:00
Records in database: 2244091
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned 173242
Threat name 6
Infected objects 7
Suspicious objects 0
Duration of the scan 09:41:47

File name Threat name Threats count
C:\!KillBox\owinlrag.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.n 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\QUARANTINE\31218[1].Vir Infected: Exploit.VBS.Phel.i 1
C:\QUARANTINE\ar3[1].jar.Vir Infected: Trojan.Java.ClassLoader.k 1
C:\QUARANTINE\archive[1].jar.Vir Infected: Trojan-Dropper.Java.Beyond.d 1
C:\QUARANTINE\Gd9alOg[1].php.Vir Infected: Exploit.VBS.Phel.i 1
C:\QUARANTINE\input[1].php.Vir Infected: Exploit.HTML.DragDrop 1
The selected area was scanned.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:39 AM

Posted 26 May 2009 - 01:48 PM

Nice and clean, appage21. Combofix did the job really well.

Your log is clean. Good stuff! :thumbup2:

Let's firstly do some housekeeping.

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it appage21, happy surfing!

Cheers,


m0le

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:39 AM

Posted 31 May 2009 - 04:17 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
