rstandefer
2007-12-19, 00:33
Here are my log files. This is what's still left after someone used my computer over the weekend. Need Help.
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:49 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Unlhbg\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Router\Router.exe
C:\PROGRA~1\COMMON~1\wzfu\wzfum.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TurboNote\tbnote.exe
C:\PROGRA~1\COMMON~1\wzfu\wzfua.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [003d10a1] rundll32.exe "C:\WINDOWS\system32\ejdndjug.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qxg] "C:\Documents and Settings\Ryan\Application Data\F?nts\?srss.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Ryan\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Ryan\Application Data\Microsoft\Windows\ggbuhah.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [wzfu] C:\PROGRA~1\COMMON~1\wzfu\wzfum.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.travelers.com
O15 - Trusted Zone: http://*.travelerspc.com
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197298526390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197298517109
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC86835B-D792-49A6-81EF-465486469C1D}: NameServer = 192.168.5.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Unlhbg\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7109 bytes
Kaspersky:
Too large to post.
pskelley
2007-12-20, 14:39
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Not sure I would be letting them use your computer again; they have you very infected. You have a Vundo infection (and that's not all) which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
1) Because the Junk can download more, keep the computer offline except when troubleshooting until you are clean.
2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it rstandefer.exe that will work. After a restart we should get a better look at the infection.
3) Do not run and post the Kaspersky scan until I request it, please read and follow all instructions carefully.
4) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
5) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
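Editor's note: the helper above is reading the HijackThis log by eye for a handful of tell-tale patterns: an extra program appended to the UserInit value, nameless BHOs whose DLL is already gone, HKLM Run entries that load a DLL through rundll32, HKCU Run entries that execute out of Application Data, and services with no identifiable owner. The script below is an added example of pre-screening a HijackThis log for exactly those patterns; it is not part of the original thread, not one of the tools the helper names, and not a substitute for the helper's review. The check rules are the editor's own, and the eight sample lines are copied from the logs posted in this thread (three benign ones included for contrast).

```python
import re

# Constructed sample: eight HijackThis lines copied from the logs posted in
# this thread, three of them benign for contrast. Input only; nothing here is
# executed, resolved or looked up on disk.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {63B35F39-E8AE-428A-9E92-CF3847D0CD5E} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [003d10a1] rundll32.exe "C:\WINDOWS\system32\ejdndjug.dll",b
O4 - HKCU\..\Run: [Qxg] "C:\Documents and Settings\Ryan\Application Data\F?nts\?srss.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Unlhbg\command.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis line starts with a section code (F2, O2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# The only program that belongs in the UserInit value on a stock Windows XP install.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def check_userinit(body):
    """F2 lines: any program besides the stock userinit.exe is an extra logon program."""
    if "userinit=" not in body.lower():
        return []
    value = body.split("=", 1)[1]
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [f"extra UserInit program: {p}" for p in programs
            if p.lower() != DEFAULT_USERINIT]


def check_bho(body):
    """O2 lines: nameless BHOs and BHOs whose DLL is already gone are typical of Vundo-style infections."""
    reasons = []
    if "(no name)" in body:
        reasons.append("BHO registered without a name")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("BHO points at a DLL that no longer exists")
    return reasons


def check_run(body):
    """O4 lines: autoruns loaded via rundll32, run from the user profile, or with odd characters in the path."""
    reasons = []
    low = body.lower()
    if "rundll32" in low:
        reasons.append("autorun loads a DLL via rundll32")
    if "application data" in low:
        reasons.append("autorun executes from the user profile")
    if "?" in body:
        # HijackThis prints '?' for characters it cannot render, e.g. lookalike glyphs in 'F?nts'.
        reasons.append("path contains a non-printable or lookalike character")
    return reasons


def check_service(body):
    """O23 lines: services with no identifiable vendor deserve a second look."""
    return ["service has no identifiable owner"] if "Unknown owner" in body else []


# Section code -> rule applied to the rest of the line. Sections without a rule are passed over.
CHECKS = {"F2": check_userinit, "O2": check_bho, "O4": check_run, "O23": check_service}


def triage(log_text):
    """Return (section, line, reasons) for every log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # headers, process lists, blank lines
        check = CHECKS.get(match.group("section"))
        if check is None:
            continue
        reasons = check(match.group("body"))
        if reasons:
            findings.append((match.group("section"), line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, the script flags five of the eight lines and leaves ctfmon, the Google toolbar BHO and LiveUpdate alone. The rules are deliberately narrow string checks rather than a malware database: they surface the same entries a helper asks about first, so the reader can see why each one was singled out, but a clean run says nothing about entries the rules do not cover.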
rstandefer
2007-12-20, 18:29
ComboFix 07-12-20.1 - Ryan 2007-12-20 10:18:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.194 [GMT -6:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Ryan\Application Data\FNTS~1
C:\Documents and Settings\Ryan\Application Data\MCROSO~1.NET
C:\Documents and Settings\Ryan\Application Data\WinTouch
C:\Documents and Settings\Ryan\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Ryan\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Ryan\My Documents\RACLE~1
C:\Program Files\Common Files\PagingSYS.dll
C:\Program Files\Common Files\wzfu\wzfua.exe
C:\Program Files\Common Files\wzfu\wzfua.lck
C:\Program Files\Common Files\wzfu\wzfud\class-barrel
C:\Program Files\Common Files\wzfu\wzfud\vocabulary
C:\Program Files\Common Files\wzfu\wzfud\wzfuc.dll
C:\Program Files\Common Files\wzfu\wzfuh
C:\Program Files\Common Files\wzfu\wzful.lck
C:\Program Files\Common Files\wzfu\wzfum.exe
C:\Program Files\Common Files\wzfu\wzfum.lck
C:\Program Files\QdrPack
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\PagingSYS.sys
C:\WINDOWS\system32\windbg___
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\wzfu
C:\WINDOWS\wzfu\wu
C:\WINDOWS\wzfu\wzfu.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_PAGINGSYS
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.
2007-12-19 16:20 . 2007-12-19 16:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 16:20 . 2007-12-19 16:20 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 16:17 . 2007-12-19 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-19 16:15 . 2007-12-19 16:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-19 16:15 . 2007-12-19 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-19 16:12 . 2007-12-19 16:19 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 16:28 . 2007-12-18 16:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 15:17 . 2007-12-18 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-18 15:17 . 2007-12-18 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 15:02 . 2007-12-19 09:52 <DIR> d-------- C:\VundoFix Backups
2007-12-18 14:23 . 2007-12-18 14:23 174 --a------ C:\WINDOWS\wininit.ini
2007-12-18 13:46 . 2007-12-18 13:46 <DIR> d-------- C:\Program Files\Spy Blaster Demo
2007-12-18 08:16 . 2007-12-18 08:16 294 ---hs---- C:\WINDOWS\system32\ergiyukn.ini
2007-12-17 10:10 . 2007-12-17 10:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2007-12-17 09:26 . 2007-12-17 09:26 4,096 --ahs---- C:\WINDOWS\system32\5558.dat
2007-12-17 09:07 . 2007-12-17 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 10:31 . 2007-12-16 10:31 97 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-16 10:03 . 2007-12-16 10:03 <DIR> d-------- C:\Program Files\Router
2007-12-16 09:59 . 2007-12-17 09:19 <DIR> d--hs---- C:\WINDOWS\Unlhbg
2007-12-16 09:37 . 2007-12-16 09:37 970,434 ---hs---- C:\WINDOWS\system32\vwdgqiqw.tmp
2007-12-16 09:37 . 2007-12-16 10:31 970,434 ---hs---- C:\WINDOWS\system32\vwdgqiqw.ini2
2007-12-16 09:36 . 2007-12-16 09:37 970,374 ---hs---- C:\WINDOWS\system32\vwdgqiqw.ini
2007-12-15 09:34 . 2007-12-16 10:31 970,434 ---hs---- C:\WINDOWS\system32\gujdndje.ini
2007-12-15 09:23 . 2007-12-15 09:23 957,787 ---hs---- C:\WINDOWS\system32\sdcjrbph.ini
2007-12-14 09:11 . 2007-12-17 09:09 <DIR> d-------- C:\WINDOWS\system32\ineWc01
2007-12-14 09:11 . 2007-12-14 09:11 <DIR> d-------- C:\Temp\tpBe12
2007-12-14 09:11 . 2007-12-14 09:11 <DIR> d-------- C:\Temp
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 09:41 . 2007-12-20 08:24 <DIR> d-------- C:\Program Files\TurboNote
2007-12-11 08:43 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2007-12-11 08:43 . 2007-12-11 08:43 256 --a------ C:\WINDOWS\_delis32.ini
2007-12-11 08:40 . 2007-12-17 08:39 <DIR> d-------- C:\Program Files\Symantec
2007-12-11 08:40 . 2007-12-17 08:42 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-11 08:40 . 2007-12-20 08:29 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-11 08:40 . 2007-12-17 08:29 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Symantec
2007-12-11 08:40 . 2007-12-12 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-11 08:40 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-11 08:40 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-11 08:40 . 2007-12-11 08:40 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-12-10 12:35 . 2007-12-10 12:35 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Motive
2007-12-10 12:34 . 2007-12-11 08:36 <DIR> d-------- C:\WINDOWS\Motive
2007-12-10 12:34 . 2007-12-10 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2007-12-10 09:50 . 2007-12-10 09:51 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-10 09:48 . 2007-12-10 09:48 <DIR> d-------- C:\Program Files\Google
2007-12-10 09:10 . 2007-12-10 09:10 <DIR> d-------- C:\Wallpaper
2007-12-10 08:59 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-10 08:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-10 08:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-10 08:55 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-10 08:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-10 08:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-10 08:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-10 08:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-10 08:54 . 2007-12-10 08:54 <DIR> d---s---- C:\Documents and Settings\Ryan\UserData
2007-12-10 08:53 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-12-10 08:53 . 2007-12-10 08:53 376 --a------ C:\WINDOWS\ODBC.INI
2007-12-10 08:52 . 2007-12-10 08:52 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-12-10 08:52 . 2007-12-10 08:52 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-10 08:52 . 2007-12-10 08:52 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-10 08:52 . 2007-12-10 08:52 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-12-10 08:51 . 2007-12-10 08:52 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-12-10 08:49 . 2007-12-10 08:49 <DIR> dr-h----- C:\MSOCache
2007-12-10 08:40 . 2007-12-10 08:40 <DIR> d-------- C:\Program Files\Remote Desktop
2007-12-10 08:39 . 2007-12-10 08:39 <DIR> d-------- C:\Program Files\triCerat
2007-12-10 08:39 . 2007-05-23 10:31 1,105,920 --a------ C:\WINDOWS\system32\SDrdp5.dll
2007-12-10 08:39 . 2007-05-23 10:31 483,328 --a------ C:\WINDOWS\system32\sdclient.cpl
2007-12-10 08:38 . 2007-12-10 08:38 <DIR> d-------- C:\DORIS32
2007-12-08 12:27 . 2007-12-08 12:27 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-08 12:27 . 2007-12-08 12:27 <DIR> d-------- C:\Program Files\AvRack
2007-12-08 12:27 . 2005-10-26 00:32 18,776,064 -r------- C:\WINDOWS\system32\alsndmgr.cpl
2007-12-08 12:18 . 2007-12-08 12:18 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-08 12:16 . 2007-12-08 12:16 <DIR> dr------- C:\Documents and Settings\Ryan\Application Data\Brother
2007-12-08 12:14 . 2007-12-18 10:11 <DIR> d-------- C:\Program Files\Brownie
2007-12-08 12:14 . 2007-12-08 12:14 <DIR> d-------- C:\Program Files\Brother
2007-12-08 12:13 . 2007-12-08 12:13 <DIR> d-------- C:\Program Files\D-Link
2007-12-08 12:13 . 2004-10-12 01:24 188,416 --a------ C:\WINDOWS\system32\Pdrvinst.dll
2007-12-08 12:13 . 2002-10-31 01:09 81,920 --a------ C:\WINDOWS\system32\BrWebIns.dll
2007-12-08 12:13 . 2003-07-03 01:08 65,536 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2007-12-08 12:07 . 2007-12-08 12:07 <DIR> d-------- C:\Program Files\S3
2007-12-08 12:07 . 2007-12-10 08:40 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-08 12:07 . 2007-12-08 12:14 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-08 12:01 . 1999-07-22 18:14 306,688 --a------ C:\WINDOWS\IsUninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 18:28 155,995 ----a-w C:\WINDOWS\java\Packages\93F3NP3T.ZIP
2007-12-08 17:54 --------- d-----w C:\Program Files\microsoft frontpage
2005-08-02 22:46 187,904 --sha-r C:\WINDOWS\Unlhbg\asappsrv.dll
2005-08-02 22:58 293,888 --sha-r C:\WINDOWS\Unlhbg\command.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-20_10.04.52.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-20 16:04:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-20 16:16:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-20 16:04:04 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-20 16:16:46 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-20 16:04:04 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-20 16:16:46 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63B35F39-E8AE-428A-9E92-CF3847D0CD5E}]
C:\WINDOWS\system32\gebca.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0D4EB98-E5CD-47D8-8D5E-37F6356F1E71}]
C:\WINDOWS\system32\gebcd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4A88941-1DF3-721C-DE26-30E675865CC2}]
C:\WINDOWS\system32\mlhlk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebce63ac-3ed5-4e5f-a652-7d2ccaf64ce1}]
C:\WINDOWS\system32\jpdwbqiy.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 06:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-10 09:48]
"Qxg"="C:\Documents and Settings\Ryan\Application Data\F?nts\?srss.exe" []
"Router"="C:\Program Files\Router\Router.exe" [2007-12-16 10:03]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 04:15 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 00:45 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2004-08-30 18:34]
"003d10a1"="C:\WINDOWS\system32\ejdndjug.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-19 16:12]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TurboNote.lnk - C:\Program Files\TurboNote\tbnote.exe [2005-12-11 15:26:02]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 22:16:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 14:29:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Ryan.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 10:21:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\baseouf32.dll
.
Completion time: 2007-12-20 10:22:25
.
2007-12-10 17:01:03 --- E O F ---
rstandefer
2007-12-20, 18:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:11 AM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Ryan\Application Data\WinTouch\WinTouch.exe
C:\Program Files\Router\Router.exe
C:\PROGRA~1\COMMON~1\wzfu\wzfum.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TurboNote\tbnote.exe
C:\PROGRA~1\COMMON~1\wzfu\wzfua.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\rstandefer.exe.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {24AB898D-1771-47ED-B141-E617207EAF3C} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B35F39-E8AE-428A-9E92-CF3847D0CD5E} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B0D4EB98-E5CD-47D8-8D5E-37F6356F1E71} - C:\WINDOWS\system32\gebcd.dll (file missing)
O2 - BHO: (no name) - {B4A88941-1DF3-721C-DE26-30E675865CC2} - C:\WINDOWS\system32\mlhlk.dll (file missing)
O2 - BHO: (no name) - {B4BC14FD-52F5-4FFB-85A1-EDDBDF2E890B} - (no file)
O2 - BHO: (no name) - {B857F5C2-21A0-4591-8EB3-7676CC69341E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {1ec46fac-c2d7-256a-f5e4-5de3ca36ecbe} - {ebce63ac-3ed5-4e5f-a652-7d2ccaf64ce1} - C:\WINDOWS\system32\jpdwbqiy.dll (file missing)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\iifdeda.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [003d10a1] rundll32.exe "C:\WINDOWS\system32\ejdndjug.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qxg] "C:\Documents and Settings\Ryan\Application Data\F?nts\?srss.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Ryan\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Ryan\Application Data\Microsoft\Windows\ggbuhah.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [wzfu] C:\PROGRA~1\COMMON~1\wzfu\wzfum.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.travelers.com
O15 - Trusted Zone: http://*.travelerspc.com
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197298526390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197298517109
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC86835B-D792-49A6-81EF-465486469C1D}: NameServer = 192.168.5.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8195 bytes
rstandefer
2007-12-20, 18:31
C:\windows\system32\awvtt.dll
C:\windows\system32\ttvwa.ini
C:\windows\system32\ttvwa.ini2
Beginning removal...
Attempting to delete C:\windows\system32\awvtt.dll
C:\windows\system32\awvtt.dll Has been deleted!
Attempting to delete C:\windows\system32\ttvwa.ini
C:\windows\system32\ttvwa.ini Has been deleted!
Attempting to delete C:\windows\system32\ttvwa.ini2
C:\windows\system32\ttvwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
pskelley
2007-12-20, 18:40
Thanks for returning your information, you cut the top of the Vundo report and there is information there I wish to see. Please post that information, no need to post the information you already posted again.
2007-12-20 10:18:42.3 <<< combofix run time
Logfile of Trend Micro HijackThis v2.0.2 <<< HJT run time
Scan saved at 9:24:11 AM, on 12/20/2007
HJT shows us what is left after the other tools have been run. Please run the tools in the order I post them.
I do not need to see another combofix report, post:
1) A complete Vundofix report
2) A new HJT log
Thanks
rstandefer
2007-12-20, 23:51
My apologies for that. I don't know how I didn't get all of it. Hopefully, this is what you're looking for.
VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 3:48:04 PM 12/20/2007
Listing files found while scanning....
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:09 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Router\Router.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\sndvol32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ryan\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\rstandefer.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B35F39-E8AE-428A-9E92-CF3847D0CD5E} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B0D4EB98-E5CD-47D8-8D5E-37F6356F1E71} - C:\WINDOWS\system32\gebcd.dll (file missing)
O2 - BHO: (no name) - {B4A88941-1DF3-721C-DE26-30E675865CC2} - C:\WINDOWS\system32\mlhlk.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {1ec46fac-c2d7-256a-f5e4-5de3ca36ecbe} - {ebce63ac-3ed5-4e5f-a652-7d2ccaf64ce1} - C:\WINDOWS\system32\jpdwbqiy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [003d10a1] rundll32.exe "C:\WINDOWS\system32\ejdndjug.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qxg] "C:\Documents and Settings\Ryan\Application Data\F?nts\?srss.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.travelers.com
O15 - Trusted Zone: http://*.travelerspc.com
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197298526390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197298517109
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC86835B-D792-49A6-81EF-465486469C1D}: NameServer = 192.168.5.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7708 bytes
pskelley
2007-12-21, 00:08
Thanks for returning your information and the feedback. I am not sure if this item showed up as a result of running combofix, or if it is a new infection. You have been keeping this computer offline?
I need to make you aware it is a bad one:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
http://www.symantec.com/security_response/writeup.jsp?docid=2007-040208-5335-99&tabid=1
Infostealer.Banker.C
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Let me know if you want to continue in light of this information.
Thanks
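A defender-side check for the entry pskelley flags above, added here as an example (it is not code from this thread, from HijackThis or from Symantec): it parses the F2 UserInit line out of HJT log text and lists every executable chained after the legitimate userinit.exe, which is how ntos.exe gets launched at every logon. It assumes the system root is C:\WINDOWS as in this log; the sample lines are constructed from the log posted above.

```python
import re
from typing import List, Optional

# Constructed sample input: the F2 line from the HijackThis log posted in this
# thread, plus neighbouring lines so the parser has to skip non-F2 entries.
SAMPLE_HJT_LINES = [
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,",
    "O4 - HKLM\\..\\Run: [ccApp] \"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"",
]
# Constructed clean baseline: what the same line looks like on an uninfected XP box.
CLEAN_HJT_LINE = "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,"

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def parse_userinit(line: str) -> Optional[List[str]]:
    """Split a HJT F2 UserInit entry into its executables; None for any other line."""
    m = F2_USERINIT.match(line.strip())
    if m is None:
        return None
    # Winlogon runs every comma-separated item at logon and tolerates a trailing
    # comma, so drop empty items and any surrounding quotes.
    return [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]


def rogue_userinit_entries(lines: List[str], system_root: str = "C:\\WINDOWS") -> List[str]:
    """Return every UserInit executable that is not the real userinit.exe.

    system_root is an assumption taken from this log (C:\\WINDOWS); pass the
    host's actual %SystemRoot% when checking another machine.
    """
    legit = (system_root.rstrip("\\") + "\\system32\\userinit.exe").lower()
    rogue = []
    for line in lines:
        parts = parse_userinit(line)
        if parts is None:
            continue
        for exe in parts:
            # Accept the %SystemRoot% spelling as well, since some tools print it that way.
            norm = exe.lower().replace("%systemroot%", system_root.lower())
            if norm != legit:
                rogue.append(exe)
    return rogue


if __name__ == "__main__":
    for exe in rogue_userinit_entries(SAMPLE_HJT_LINES):
        print("extra logon executable chained into UserInit:", exe)
```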
pskelley
2007-12-28, 13:31
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.
In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.
Everyone else please begin a New Topic.