Hi there,

I am having problems with a Trojan called Win32.Autorun.tmp. Spybot is able to detect it, and I request that it fixes it each time it does so, but it seems to return every time I run the scan. Very persistent and annoying!

If anyone could help me purge it from my system forever that would be brilliant.

Logs are posted below.

Also I should note that I'm a complete noob, so if anyone can offer me advice, please do it in the most easy-to-understand way possible. Thanks!
DDS (Ver_10-03-17.01) - FAT32x86
Run by Owner at 12:26:02.54 on Sun 05/09/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.209 [GMT 10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\DOCUME~1\WILLMO~1\LOCALS~1\TEMP\INSTAL~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\willmonotti\Desktop\dds.scr
C:\DOCUME~1\WILLMO~1\LOCALS~1\Temp\033.exe
C:\DOCUME~1\WILLMO~1\LOCALS~1\Temp\089.exe
C:\DOCUME~1\WILLMO~1\LOCALS~1\Temp\977.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://trinity.unimelb.edu.au/portal
mDefault_Page_URL = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyServer = wwwproxy.student.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-7356296101-1933998588-915145784-2179\yv8g67.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-9624512614-5829467475-673620608-5226\rundll32.exe,explorer.exe,c:\recycler\s-1-5-21-7356296101-1933998588-915145784-2179\yv8g67.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [vgr60] c:\windows\system32\6xc81oz.exe
uRun: [lbhc6y] c:\windows\system32\lr2xd2jk.exe
uRun: [llmcdi] c:\windows\system32\bm5hdyuu.exe
uRun: [rcc86] c:\windows\system32\q1gw1ni13p.exe
uRun: [mcdi3e] c:\windows\system32\bm86y3pl.exe
uRun: [yuupgg] c:\windows\system32\ytkkfwwr.exe
uRun: [zuvqm] c:\windows\system32\kkfwwrii.exe
uRun: [upggbs] c:\windows\system32\dzpplbbxnn.exe
uRun: [wbxxoo3] c:\windows\system32\0xdyep0.exe
uRun: [teea6r] c:\windows\system32\w39ee5v1wb.exe
uRun: [tkkfww] c:\windows\system32\i1eaavmmhy.exe
uRun: [pkkgww] c:\windows\system32\ni1eaavmmh.exe
uRun: [ezqqlcc] c:\windows\system32\oojaavmmhy.exe
uRun: [Google Update] "c:\documents and settings\willmonotti\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [snoejuf] c:\windows\system32\86y2ff6.exe
uRun: [yzpf0w] c:\windows\system32\n20zvfbw.exe
uRun: [nojpk0r] c:\windows\system32\0jff66w.exe
uRun: [falhcc] c:\windows\system32\1qmmhyy.exe
uRun: [xdtyuua] c:\windows\system32\vlw2nyojzav.exe
uRun: [dzuklg2] c:\windows\system32\rsnt66k8708.exe
uRun: [uplbbxc] c:\windows\system32\pff69m1i.exe
uRun: [faawmm] c:\windows\system32\3wwriid.exe
uRun: [mmiyy6k] c:\windows\system32\fwwriiduupg.exe
uRun: [hcyytkk] c:\windows\system32\qlccxoojaa.exe
uRun: [zaflw] c:\windows\system32\70bxny1.exe
uRun: [cydo8] c:\windows\system32\cttuzf81.exe
uRun: [wcxtoeu] c:\windows\system32\70i1zuv.exe
uRun: [akvwx] c:\windows\system32\e1vbg3sn.exe
uRun: [vqwxin] c:\windows\system32\60niy1p.exe
uRun: [qhxiioj] c:\windows\system32\1cdi81u.exe
uRun: [hxdtp] c:\windows\system32\hm2noj081q.exe
uRun: [xsoo8] c:\windows\system32\sndu1klq.exe
uRun: [wrmns] c:\windows\system32\60xs0zf.exe
uRun: [cito0] c:\windows\system32\chxd60flvr.exe
uRun: [dezpq] c:\windows\system32\w2xyt081alm.exe
uRun: [dzuva] c:\windows\system32\1epqlr8.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [LaunchApp] Alaunch
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willmo~1\applic~1\mozilla\firefox\profiles\qtrsc0zj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxps://www.trinitycollege.vic.edu.au/portal/today/today.php
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.gopher_port - 8000
FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\willmonotti\application data\mozilla\firefox\profiles\qtrsc0zj.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\willmonotti\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? Lbd;Lbd
R? WDC_SAM;WD SCSI Pass Thru driver
R? ywyyitdy;System Monitor
S? vsdatant;vsdatant
S? WDDMService;WD SmartWare Drive Manager
S? WDSmartWareBackgroundService;WD SmartWare Background Service

=============== Created Last 30 ================

2010-09-03 13:25:36 0 d-sh--w- C:\FOUND.026
2010-09-02 12:08:00 0 d-sh--w- C:\FOUND.025
2010-09-01 13:56:04 0 d-----w- c:\program files\Safer Networking
2010-09-01 13:53:23 0 d-----w- c:\windows\pss
2010-09-01 04:55:38 0 d-sh--w- C:\FOUND.024
2010-08-31 13:58:24 0 d-sh--w- C:\FOUND.023
2010-08-31 09:41:40 0 d-sh--w- C:\FOUND.022
2010-08-27 11:22:10 0 d-sh--w- C:\FOUND.021
2010-08-26 13:15:04 0 d-sh--w- C:\FOUND.020

==================== Find3M ====================

2008-10-16 01:46:40 700 ----a-w- c:\program files\studentVPN.pcf
2008-08-29 04:00:22 1073 ----a-w- c:\program files\sig.dat
2008-08-29 04:00:20 1099 ----a-w- c:\program files\vpnclient_setup.ini
2008-08-29 04:00:18 52224 ----a-w- c:\program files\vpnclient_jp.mst
2008-08-29 04:00:06 10935808 ----a-w- c:\program files\vpnclient_setup.msi
2008-08-29 04:00:04 51200 ----a-w- c:\program files\vpnclient_fc.mst
2008-08-29 04:00:00 819 ----a-w- c:\program files\vpnclient_setup.sms
2008-08-29 04:00:00 640 ----a-w- c:\program files\vpnclient_setup.pdf
2008-08-29 04:00:00 1822520 ----a-w- c:\program files\instmsiw.exe
2008-08-29 04:00:00 1708856 ----a-w- c:\program files\instmsi.exe
2008-08-29 03:59:58 56832 ----a-w- c:\program files\vpnclient_setup.exe
2008-08-29 03:58:04 221315 ----a-w- c:\program files\installservice.exe
2008-08-29 03:57:32 16505 ----a-w- c:\program files\DelayInst.exe
2004-08-03 19:00:00 160603 --sh--r- c:\windows\system32\gnhnveo.dll

============= FINISH: 12:28:04.40 ===============