xxwxuuu.dll and ddcyv.dll



Dashrender
2007-12-05, 01:54
I have two files I can't get rid of.

xxwxuuu.dll and ddcyv.dll. I found them using Security Task Manager. I am not able to remove them using Security Task Manager.

I know that xxwxuuu.dll is somehow hooked into the winlogon process (a registry search showed me that, but I stopped there).

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:34 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
C:\Program Files\PANDA SOFTWARE\AVTC\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clinician.urologycenterpc.net
O15 - Trusted Zone: http://clinician.urologycenterpc.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://orion.coxomaha.net/SWToolset.exe
O16 - DPF: {2A59CE46-2E9E-4B00-BC9B-A183638E8D4E} (CimDocImageViewerApp.CimDocImageViewer) - http://clinician.urologycenterpc.net/live/_cab_files/CimDocImageViewerApp.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {350E05DD-0C07-4D30-A8A3-8CBFA35FE3D2} (CIMScannerControl.CIMDocumentScanning) - http://clinician.urologycenterpc.net/live/_cab_files/CIMScannerControl.CAB
O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} (Soarian Frame Tools for Internet Explorer) - https://sca.myalegent.com/020530153_AHP1_p_htm//sframe/IETools.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187106893171
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://urology.asptran.com/Transcription/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\Software\..\Telephony: DomainName = urologycenterpc.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O23 - Service: 46575 - Unknown owner - \\69.63.112.50\Admin$\eraseme_25207.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: HPWJA Service (HPWJAService) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9771 bytes



Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 04, 2007 6:25:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 472655
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66208
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:57:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SecTaskMan\wxbkkjyf.dll.q_8043C41_q Infected: Trojan.Win32.BHO.abs skipped
C:\Documents and Settings\backupplan\.housecall6.6\Quarantine\efcyxya.dll.bac_a05620 Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\Documents and Settings\backupplan\.housecall6.6\Quarantine\wvwttrq.dll.bac_a05620 Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\Documents and Settings\backupplan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\backupplan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\backupplan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\backupplan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\backupplan\Local Settings\Temp\NERO13899\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\backupplan\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\Documents and Settings\backupplan\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\backupplan\Local Settings\Temp\~DFE35B.tmp Object is locked skipped
C:\Documents and Settings\backupplan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\backupplan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\backupplan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Hewlett-Packard\HPWebJetadmin\tracing\HPWJAService.tracing.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_29c.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\f84fde3c6b733e10e9\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\HPWJA.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\HPWJA_log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_22.trc Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\Panda Software\AVTC\21cc8b677510b883e1620d7d62756f18PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\AVTC\21cc8b677510b883e1620d7d62756f18PSK_NAMES2 Object is locked skipped
C:\Program Files\Panda Software\AVTC\psqstore\Invent.QCF Object is locked skipped
C:\Program Files\Panda Software\AVTC\psqstore\Invent.QCF.ext Object is locked skipped
C:\Program Files\Panda Software\AVTC\psqstore\PSQ.CFG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks for any and all help.

ken545
2007-12-05, 03:35
Dashrender,

Welcome to Safer Networking

Those two files are related to the Vundo Trojan.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

This is important: do this and post a new HijackThis log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe

I need to see the VundoFix log, the ComboFix log and a new renamed HJT log, please.

Dashrender
2007-12-05, 05:02
Hello and thanks for the quick reply. I downloaded and ran this and it told me there were no files found.

Other suggestions?

Dashrender
2007-12-05, 05:04
Sorry for my quick reply,
I tried VundoFix already, but not combofix.exe. I will do that and get a new renamed HJT log tomorrow morning.
Thanks

Dashrender
2007-12-05, 15:13
As I already mentioned, VundoFix showed there were no files found.

ComboFix 07-12-02.7 - backupplan 2007-12-05 6:00:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1132 [GMT -6:00]
Running from: C:\Documents and Settings\backupplan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\abW9
C:\WINDOWS\system32\ddcbxago.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\eqnokqnk.dll
C:\WINDOWS\system32\kejktmah.dll
C:\WINDOWS\system32\knqkonqe.ini
C:\WINDOWS\system32\lvcgfabv.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.tmp

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 17:21 . 2007-12-04 17:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 17:01 . 2007-12-04 17:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 17:01 . 2007-12-04 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 16:58 . 2007-12-04 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 14:13 . 2007-12-04 14:13 <DIR> d-------- C:\VundoFix Backups
2007-12-04 13:56 . 2007-12-04 13:56 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-04 13:56 . 2007-12-04 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-03 01:49 . 2007-12-03 01:49 73,280 --a------ C:\WINDOWS\system32\gvavsdri.dll
2007-11-28 17:41 . 2007-11-28 17:41 <DIR> d-------- C:\Program Files\AC3Filter
2007-11-28 17:41 . 2007-08-18 01:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-11-28 15:11 . 2007-11-28 15:11 244 --ah----- C:\sqmnoopt02.sqm
2007-11-28 15:11 . 2007-11-28 15:11 232 --ah----- C:\sqmdata02.sqm
2007-11-14 16:01 . 2007-11-14 16:01 <DIR> d-------- C:\Program Files\Nero
2007-11-14 16:01 . 2007-11-14 16:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-14 14:19 . 2007-12-04 07:04 <DIR> d-------- C:\Documents and Settings\backupplan\.housecall6.6
2007-11-14 13:41 . 2007-11-14 13:41 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Nero
2007-11-14 13:38 . 2007-11-14 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-14 08:34 . 2007-11-14 10:37 <DIR> d-------- C:\Farrah
2007-11-13 17:11 . 2007-11-13 17:11 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\ImgBurn
2007-11-13 17:10 . 2007-11-13 17:10 <DIR> d-------- C:\Program Files\ImgBurn
2007-11-13 16:32 . 2007-11-13 16:43 <DIR> d-------- C:\Laura's Old PC
2007-11-13 13:38 . 2007-11-26 07:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 13:38 . 2007-11-13 13:38 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-13 07:38 . 2007-12-04 14:40 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\OpenOffice.org2
2007-11-13 07:32 . 2007-11-13 07:32 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-11-13 07:31 . 2007-11-13 07:31 <DIR> d-------- C:\install files
2007-11-12 08:10 . 2007-11-12 08:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-09 11:46 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-11-09 11:46 . 2007-10-18 20:48 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2007-11-09 11:46 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-09 11:46 . 2007-10-18 20:47 75,064 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2007-11-09 11:46 . 2007-09-12 10:20 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-09 11:46 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-11-09 11:46 . 2007-11-09 11:46 1,024 --a------ C:\.rnd
2007-11-09 11:45 . 2007-12-05 05:39 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-08 10:30 . 2007-11-08 10:30 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Corel
2007-11-08 10:30 . 2007-11-19 10:38 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Program Files\UltraMon
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Realtime Soft
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:57 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-29 04:33 --------- d-----w C:\Documents and Settings\backupplan\Application Data\U3
2007-11-28 20:03 --------- d-----w C:\Documents and Settings\backupplan\Application Data\uTorrent
2007-11-19 13:56 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Vso
2007-11-14 22:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 22:21 --------- d-----w C:\Program Files\Olympus
2007-11-14 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-13 23:00 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-12 22:12 --------- d-----w C:\Program Files\Java
2007-11-02 17:39 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Wireshark
2007-11-01 20:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-01 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-01 20:48 --------- d-----w C:\Program Files\Corel
2007-11-01 20:48 --------- d-----w C:\Program Files\Common Files\Corel
2007-11-01 15:40 --------- d-----w C:\Documents and Settings\backupplan\Application Data\gnupg
2007-11-01 13:17 --------- d-----w C:\Documents and Settings\backupplan\Application Data\winpt
2007-11-01 13:14 --------- d-----w C:\Program Files\GNU
2007-10-31 21:10 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-31 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-31 21:07 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-30 16:56 --------- d-----w C:\Program Files\Panda Software
2007-10-30 16:56 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-10-30 15:32 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-10-30 12:41 --------- d-----w C:\Program Files\Wireshark
2007-10-30 12:41 --------- d-----w C:\Program Files\WinPcap
2007-10-29 21:37 --------- d-----w C:\Program Files\Solarwinds
2007-10-22 21:35 --------- d-----w C:\Program Files\TOSHIBA
2007-10-22 21:34 286,720 ----a-w C:\WINDOWS\eSTsnmp.dll
2007-10-22 21:34 24,576 ----a-w C:\WINDOWS\SPortLG.dll
2007-10-22 21:34 20,480 ----a-w C:\WINDOWS\eSINLDLG.dll
2007-10-22 21:34 147,456 ----a-w C:\WINDOWS\eSINLD.dll
2007-10-22 18:52 --------- d-----w C:\Program Files\DYMO Label
2007-10-16 15:50 --------- d-----w C:\Documents and Settings\backupplan\Application Data\CIM
2007-10-16 15:49 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Fujitsu
2007-10-16 15:44 --------- d-----w C:\Program Files\ScandAll 21
2007-10-16 15:38 --------- d-----w C:\Program Files\fjtwain
2007-10-16 15:37 --------- d-----w C:\Documents and Settings\backupplan\Application Data\InstallShield
2007-10-15 22:55 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Ahead
2007-10-15 20:16 --------- d-----w C:\Program Files\Bond Technologies
2007-10-15 19:45 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Clinician
2007-10-12 19:14 --------- d-----w C:\Program Files\WinImage
2007-10-11 20:04 --------- d-----w C:\Program Files\A.F.5 Rename your files 1.1
2007-10-11 19:58 --------- d-----w C:\Program Files\VSO
2007-10-08 20:51 --------- d-----w C:\Documents and Settings\backupplan\Application Data\DivX
2007-10-05 14:31 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Apple Computer
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 07:08 C:\WINDOWS\RTHDCPL.EXE]
"FtLnSOP_setup"="C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2007-03-07 18:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-27 12:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe" [2007-03-08 15:25]
"Panda Controller Client"="C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe" [2007-03-14 12:07]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-10-12 21:27]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]

C:\Documents and Settings\backupplan\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwxuuu]
xxwxuuu.dll

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys
R2 FJTWMKSV;FJTWMKSV;C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
R2 HPWJAService;HPWJA Service;"C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe"
R2 HPWJAUpdateService;HP WJA Update Service;"C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe"
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 MSSQL$HPWJA;SQL Server (HPWJA);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sHPWJA
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 DSSUSBF;DSSUSBF Device;C:\WINDOWS\system32\DRIVERS\DSSUSBF.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 12:40:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 06:36:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 6:37:53 - machine was rebooted
.
--- E O F ---

Dashrender
2007-12-05, 15:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:14, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
C:\Program Files\PANDA SOFTWARE\AVTC\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\HiJackThis\scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clinician.urologycenterpc.net
O15 - Trusted Zone: http://clinician.urologycenterpc.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://orion.coxomaha.net/SWToolset.exe
O16 - DPF: {2A59CE46-2E9E-4B00-BC9B-A183638E8D4E} (CimDocImageViewerApp.CimDocImageViewer) - http://clinician.urologycenterpc.net/live/_cab_files/CimDocImageViewerApp.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {350E05DD-0C07-4D30-A8A3-8CBFA35FE3D2} (CIMScannerControl.CIMDocumentScanning) - http://clinician.urologycenterpc.net/live/_cab_files/CIMScannerControl.CAB
O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} (Soarian Frame Tools for Internet Explorer) - https://sca.myalegent.com/020530153_AHP1_p_htm//sframe/IETools.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187106893171
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://urology.asptran.com/Transcription/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\Software\..\Telephony: DomainName = urologycenterpc.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O20 - Winlogon Notify: xxwxuuu - xxwxuuu.dll (file missing)
O23 - Service: 46575 - Unknown owner - \\69.63.112.50\Admin$\eraseme_25207.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: HPWJA Service (HPWJAService) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10811 bytes

ken545
2007-12-05, 19:20
Hello,


Just to make you aware, Vundo we believe is written by the people that write all this other garbage, the RBN (Russian Business Network). It's a company that projects itself as legitimate yet deals in this type of infection, child porn, phishing and all the rest of this great stuff. As fast as we find and remove files they are changing file names and adding new ones; it's a never-ending process. You're infected with Vundo even though VundoFix did not find any files, but Combofix did; most all of the files Combofix deleted were a part of Vundo.


C:\Documents and Settings\backupplan\.housecall6.6\Quarantine <-- Delete everything in Quarantine


Open Hijackthis to Scan Only, close all open windows including this one, place a checkmark in the following entries and click on Fix Checked.

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.2.1.cab



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



File::
C:\WINDOWS\system32\gvavsdri.dll
C:\WINDOWS\system32\xxwxuuu.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwxuuu]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.



Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.



Post the new Combofix log, the SAS log and a new HJT log please
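
As an added example (not from this thread, HijackThis, ComboFix or any other tool named here), a small Python check that reads HijackThis v2 lines and flags the kinds of entries ken545 singles out above: the O20 Winlogon Notify entry whose DLL is missing and given by bare name, and the O23 service with a numeric name whose image sits on a remote Admin$ share. The sample lines are constructed from the logs quoted in this thread; the rule names and thresholds are my own, not HijackThis's.

```python
"""Flag the HijackThis v2 entries a malware-removal helper looks at first.

Added example for this thread; not part of HijackThis, ComboFix or any
other tool mentioned here. Pure standard-library Python 3.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on lines quoted in this thread: the xxwxuuu
# Winlogon Notify entry, the numeric service whose image sits on a remote
# Admin$ share, one BHO with no file, and a few benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: xxwxuuu - xxwxuuu.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 46575 - Unknown owner - \\69.63.112.50\Admin$\eraseme_25207.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# HijackThis appends "(file missing)" or "(no file)" when the referenced
# file is absent; an autostart that still points there is a dangling hook.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    section: str                       # HJT section code such as "O20"
    line: str                          # the log line as written
    reasons: List[str] = field(default_factory=list)


def split_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for an 'Onn - body' line, or None otherwise."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def strip_status(path: str) -> str:
    """Drop HijackThis's trailing '(file missing)' / '(no file)' marker."""
    return MISSING_RE.sub("", path).strip()


def is_unc(path: str) -> bool:
    """True for UNC paths (two leading backslashes): the image would load from a remote host."""
    return path.startswith("\\\\")


def is_bare_name(path: str) -> bool:
    """True when a DLL is named with no directory and no drive letter."""
    return "\\" not in path and ":" not in path


def check_entry(line: str) -> Optional[Finding]:
    """Apply the section-specific checks; return a Finding only if something fired."""
    parsed = split_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    reasons: List[str] = []
    if MISSING_RE.search(body):
        reasons.append("references a file that is not on disk (dangling autostart)")
    if section == "O20":
        # Body shape: "Winlogon Notify: <subkey> - <dll>"
        _, _, dll = body.partition(" - ")
        if dll and is_bare_name(strip_status(dll)):
            reasons.append("Winlogon Notify DLL given by bare name (resolved from the system32 search path)")
    elif section == "O23":
        # Body shape: "Service: <display name> - <owner> - <image path>"
        parts = body.partition(": ")[2].split(" - ", 2)
        if len(parts) == 3:
            name, owner, image = parts
            if is_unc(strip_status(image)):
                reasons.append("service image is on a UNC share (launched from a remote host)")
            if name.isdigit() and owner.lower() == "unknown owner":
                reasons.append("numeric service name with no publisher")
    return Finding(section, line.strip(), reasons) if reasons else None


def scan_log(text: str) -> List[Finding]:
    """Run check_entry over every line of a log and collect the hits, in order."""
    return [f for f in map(check_entry, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a full saved hijackthis.log (pass its contents to scan_log) and the benign Adobe, NVIDIA, SUPERAntiSpyware and LogMeIn lines stay silent while the three entries above are reported with the reason each rule fired.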

Dashrender
2007-12-05, 22:39
OK here are the new logs

Dashrender
2007-12-05, 22:41
OK here are the new logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
C:\Program Files\PANDA SOFTWARE\AVTC\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clinician.urologycenterpc.net
O15 - Trusted Zone: http://clinician.urologycenterpc.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://orion.coxomaha.net/SWToolset.exe
O16 - DPF: {2A59CE46-2E9E-4B00-BC9B-A183638E8D4E} (CimDocImageViewerApp.CimDocImageViewer) - http://clinician.urologycenterpc.net/live/_cab_files/CimDocImageViewerApp.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {350E05DD-0C07-4D30-A8A3-8CBFA35FE3D2} (CIMScannerControl.CIMDocumentScanning) - http://clinician.urologycenterpc.net/live/_cab_files/CIMScannerControl.CAB
O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} (Soarian Frame Tools for Internet Explorer) - https://sca.myalegent.com/020530153_AHP1_p_htm//sframe/IETools.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187106893171
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://urology.asptran.com/Transcription/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\Software\..\Telephony: DomainName = urologycenterpc.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = urologycenterpc.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{AA802566-B231-46D8-AA9B-726BD884DDA0}: NameServer = 68.13.16.30,172.16.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 46575 - Unknown owner - \\69.63.112.50\Admin$\eraseme_25207.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: HPWJA Service (HPWJAService) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsCtrlS.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PavSrv51.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software International - C:\Program Files\PANDA SOFTWARE\AVTC\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10761 bytes

Dashrender
2007-12-05, 22:45
ComboFix 07-12-02.7 - backupplan 2007-12-05 13:54:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1109 [GMT -6:00]
Running from: C:\Documents and Settings\backupplan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\backupplan\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 17:21 . 2007-12-04 17:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 17:01 . 2007-12-04 17:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 17:01 . 2007-12-04 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 16:58 . 2007-12-04 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 13:56 . 2007-12-04 13:56 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-04 13:56 . 2007-12-05 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-03 01:49 . 2007-12-03 01:49 73,280 --a------ C:\WINDOWS\system32\gvavsdri.dll
2007-11-28 17:41 . 2007-11-28 17:41 <DIR> d-------- C:\Program Files\AC3Filter
2007-11-28 17:41 . 2007-08-18 01:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-11-28 15:11 . 2007-11-28 15:11 244 --ah----- C:\sqmnoopt02.sqm
2007-11-28 15:11 . 2007-11-28 15:11 232 --ah----- C:\sqmdata02.sqm
2007-11-14 16:01 . 2007-11-14 16:01 <DIR> d-------- C:\Program Files\Nero
2007-11-14 16:01 . 2007-11-14 16:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-14 14:19 . 2007-12-04 07:04 <DIR> d-------- C:\Documents and Settings\backupplan\.housecall6.6
2007-11-14 13:41 . 2007-11-14 13:41 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Nero
2007-11-14 13:38 . 2007-11-14 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-14 08:34 . 2007-11-14 10:37 <DIR> d-------- C:\Farrah
2007-11-13 17:11 . 2007-11-13 17:11 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\ImgBurn
2007-11-13 17:10 . 2007-11-13 17:10 <DIR> d-------- C:\Program Files\ImgBurn
2007-11-13 16:32 . 2007-11-13 16:43 <DIR> d-------- C:\Laura's Old PC
2007-11-13 13:38 . 2007-11-26 07:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 13:38 . 2007-11-13 13:38 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-13 07:38 . 2007-12-05 13:08 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\OpenOffice.org2
2007-11-13 07:32 . 2007-11-13 07:32 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-11-13 07:31 . 2007-11-13 07:31 <DIR> d-------- C:\install files
2007-11-12 08:10 . 2007-11-12 08:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-09 11:46 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-11-09 11:46 . 2007-10-18 20:48 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2007-11-09 11:46 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-09 11:46 . 2007-10-18 20:47 75,064 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2007-11-09 11:46 . 2007-09-12 10:20 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-09 11:46 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-11-09 11:46 . 2007-11-09 11:46 1,024 --a------ C:\.rnd
2007-11-09 11:45 . 2007-12-05 05:39 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-08 10:30 . 2007-11-08 10:30 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Corel
2007-11-08 10:30 . 2007-11-19 10:38 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Program Files\UltraMon
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Documents and Settings\backupplan\Application Data\Realtime Soft
2007-11-06 15:05 . 2007-11-06 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 19:52 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-29 04:33 --------- d-----w C:\Documents and Settings\backupplan\Application Data\U3
2007-11-19 13:56 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Vso
2007-11-16 00:46 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2007-11-16 00:46 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2007-11-14 22:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 22:21 --------- d-----w C:\Program Files\Olympus
2007-11-14 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-13 23:00 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-12 22:12 --------- d-----w C:\Program Files\Java
2007-11-02 17:39 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Wireshark
2007-11-01 20:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-01 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-01 20:48 --------- d-----w C:\Program Files\Corel
2007-11-01 20:48 --------- d-----w C:\Program Files\Common Files\Corel
2007-11-01 15:40 --------- d-----w C:\Documents and Settings\backupplan\Application Data\gnupg
2007-11-01 13:17 --------- d-----w C:\Documents and Settings\backupplan\Application Data\winpt
2007-11-01 13:14 --------- d-----w C:\Program Files\GNU
2007-10-31 21:10 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-31 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-31 21:07 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-30 16:56 --------- d-----w C:\Program Files\Panda Software
2007-10-30 16:56 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-10-30 15:32 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-10-30 12:41 --------- d-----w C:\Program Files\Wireshark
2007-10-30 12:41 --------- d-----w C:\Program Files\WinPcap
2007-10-29 21:37 --------- d-----w C:\Program Files\Solarwinds
2007-10-22 21:35 --------- d-----w C:\Program Files\TOSHIBA
2007-10-22 21:34 286,720 ----a-w C:\WINDOWS\eSTsnmp.dll
2007-10-22 21:34 24,576 ----a-w C:\WINDOWS\SPortLG.dll
2007-10-22 21:34 20,480 ----a-w C:\WINDOWS\eSINLDLG.dll
2007-10-22 21:34 147,456 ----a-w C:\WINDOWS\eSINLD.dll
2007-10-22 18:52 --------- d-----w C:\Program Files\DYMO Label
2007-10-16 15:50 --------- d-----w C:\Documents and Settings\backupplan\Application Data\CIM
2007-10-16 15:49 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Fujitsu
2007-10-16 15:44 --------- d-----w C:\Program Files\ScandAll 21
2007-10-16 15:38 --------- d-----w C:\Program Files\fjtwain
2007-10-16 15:37 --------- d-----w C:\Documents and Settings\backupplan\Application Data\InstallShield
2007-10-15 22:55 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Ahead
2007-10-15 20:16 --------- d-----w C:\Program Files\Bond Technologies
2007-10-15 19:45 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Clinician
2007-10-12 19:14 --------- d-----w C:\Program Files\WinImage
2007-10-11 20:04 --------- d-----w C:\Program Files\A.F.5 Rename your files 1.1
2007-10-11 19:58 --------- d-----w C:\Program Files\VSO
2007-10-08 20:51 --------- d-----w C:\Documents and Settings\backupplan\Application Data\DivX
2007-10-05 14:31 --------- d-----w C:\Documents and Settings\backupplan\Application Data\Apple Computer
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 07:08 C:\WINDOWS\RTHDCPL.EXE]
"FtLnSOP_setup"="C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2007-03-07 18:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-27 12:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe" [2007-03-08 15:25]
"Panda Controller Client"="C:\Program Files\PANDA SOFTWARE\AVTC\PSCtrlC.exe" [2007-03-14 12:07]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-10-12 21:27]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]

C:\Documents and Settings\backupplan\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwxuuu]
xxwxuuu.dll

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys
R2 FJTWMKSV;FJTWMKSV;C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
R2 HPWJAService;HPWJA Service;"C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe"
R2 HPWJAUpdateService;HP WJA Update Service;"C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe"
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 MSSQL$HPWJA;SQL Server (HPWJA);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sHPWJA
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 DSSUSBF;DSSUSBF Device;C:\WINDOWS\system32\DRIVERS\DSSUSBF.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 12:40:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 13:55:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [3592] 0x885C5020

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 13:56:27
.
--- E O F ---


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/05/2007 at 03:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3355
Trace Rules Database Version: 1354

Scan type : Complete Scan
Total Scan Time : 00:29:07

Memory items scanned : 831
Memory threats detected : 0
Registry items scanned : 8194
Registry threats detected : 0
File items scanned : 37644
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\backupplan\Cookies\backupplan@revsci[2].txt

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000005.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000006.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000007.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP3\A0000757.DLL

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000010.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC792250-6AC5-4498-830F-43FF20A158C1}\RP2\A0000014.DLL
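
As an added example, not code from the poster or from any of the tools in this thread: a small Python parser for the "Reg Loading Points" layout above that pulls out the Winlogon\Notify subkeys and flags any whose DLL the log could not resolve to a path, timestamp and size on disk (as happened with xxwxuuu.dll, versus the fully resolved LMIinit.dll). The log excerpt is constructed to mirror the thread's format, and the "unresolved means look closer" heuristic is an assumption of this example.

```python
import re

# Constructed excerpt in the ComboFix-style "Reg Loading Points" layout seen
# in this thread (not the poster's full log): one resolved Winlogon Notify
# entry and one whose DLL the tool could not locate on disk.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\\WINDOWS\\system32\\LMIinit.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\xxwxuuu]
xxwxuuu.dll

R1 ShldDrv;Panda File Shield Driver;C:\\WINDOWS\\system32\\Drivers\\ShlDrv51.sys
"""

# A Winlogon Notify subkey header, e.g. [HKLM\...\winlogon\notify\LMIinit]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+\\winlogon\\notify\\(?P<sub>[^\]\\]+))\]$", re.I)
# A resolved entry carries date, time, size and the full path after the DLL name.
RESOLVED_RE = re.compile(
    r"^(?P<dll>\S+)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<path>\S.*)$")


def parse_notify_entries(text):
    """Return one dict per Winlogon\\Notify subkey found in the log text."""
    entries = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        # The line right after the key header describes the registered DLL.
        detail = lines[i + 1].strip() if i + 1 < len(lines) else ""
        r = RESOLVED_RE.match(detail)
        if r:
            entries.append({"subkey": m["sub"], "dll": r["dll"], "path": r["path"],
                            "size": int(r["size"]), "resolved": True})
        else:
            entries.append({"subkey": m["sub"], "dll": detail or None, "path": None,
                            "size": None, "resolved": False})
    return entries


def suspicious_notify_entries(text):
    """Entries worth a closer look: the DLL is hooked into winlogon but the
    scanner could not resolve it on disk (missing, hidden or renamed)."""
    return [e for e in parse_notify_entries(text) if not e["resolved"]]


if __name__ == "__main__":
    for e in suspicious_notify_entries(SAMPLE_LOG):
        print("unresolved Winlogon Notify DLL:", e["subkey"], e["dll"])
```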

ken545
2007-12-06, 00:09
You may not have done the CFSCRIPT correctly as the files are still present.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\gvavsdri.dll
C:\WINDOWS\system32\xxwxuuu.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Post the OTMoveIt log and let me know how your system is behaving now.

Dashrender
2007-12-06, 00:21
OTMoveIt Log:

File/Folder C:\WINDOWS\system32\gvavsdri.dll not found.
File/Folder C:\WINDOWS\system32\xxwxuuu.dll not found.

Created on 12-05-2007 17:12:59


When I ran Combofix it hung. So I had to kill it after 45 min and reboot my machine.
As mentioned, my machine did reboot slowly due to no Pre files... but that's to be expected.

Now, my computer is acting OK.

Do you want to see another Combofix log and HJT log before signing off on it?

ken545
2007-12-06, 00:33
That's great :bigthumb:


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some miscreants, dirt bags and cyber criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the malware removal community.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (recommended) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken