safara
2008-12-10, 09:21
Hi All,
I have a Vundo infection and cant shift it. You help would be most appreciated :)
After reading few a few posts here I have installed Hijackthis and have the log.
I also ran Combofix and have the log.
They are both below.
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:40:35, on 10/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\GS30s.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.entropiaforum.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {358919af-bb88-4c5b-869f-34d1a90f201f} - C:\WINDOWS\system32\zaworido.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [fobahidiwe] Rundll32.exe "C:\WINDOWS\system32\zifewiba.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [fobahidiwe] Rundll32.exe "C:\WINDOWS\system32\zifewiba.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\wumomara.dll c:\windows\system32\jotejiho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jotejiho.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jotejiho.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 11298 bytes
*****************************************************
Combofix Log
**************************************************
ComboFix 08-12-09.02 - gr 2008-12-10 8:09:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1390 [GMT 0:00]
Running from: c:\documents and settings\gr\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc35.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc3B.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc4E.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc50.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc9.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc90.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccF.tmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\dupekayi.dll
c:\windows\system32\iyakepud.ini
c:\windows\system32\meyoreho.dll
c:\windows\system32\muvobuwe.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-10 08:10 . 2008-12-10 08:10 <DIR> d-------- c:\windows\LastGood
2008-12-10 07:19 . 2008-12-10 07:19 <DIR> d-------- c:\program files\Trend Micro
2008-12-09 19:10 . 2008-12-09 19:10 <DIR> d-------- c:\documents and settings\Administrator
2008-12-09 18:50 . 2008-12-10 08:07 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-09 18:49 . 2008-12-10 07:12 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-09 18:49 . 2008-12-09 18:49 <DIR> d-------- c:\documents and settings\gr\Application Data\PC Tools
2008-12-09 18:49 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-09 18:49 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-09 18:49 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-09 18:49 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-09 18:35 . 2008-10-16 01:00 3,067,904 --a------ c:\windows\system32\SET31.tmp
2008-12-09 18:35 . 2008-10-16 01:00 1,499,136 --a------ c:\windows\system32\SET30.tmp
2008-12-09 18:35 . 2008-10-16 01:00 666,112 --a------ c:\windows\system32\SET2E.tmp
2008-12-09 18:35 . 2008-10-16 01:00 619,520 --a------ c:\windows\system32\SET2F.tmp
2008-12-09 18:14 . 2008-12-09 18:14 211 --a------ c:\windows\wininit.ini
2008-12-09 17:35 . 2008-12-09 17:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 17:35 . 2008-12-09 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-26 18:36 . 2008-11-26 18:36 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 17:29 . 2008-11-25 17:35 <DIR> d-------- c:\documents and settings\gr\Application Data\Motive
2008-11-25 08:03 . 2008-11-25 08:06 <DIR> d-------- c:\program files\BT Broadband Desktop Help
2008-11-12 08:10 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 08:04 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 04:12 93,913 --sha-w c:\windows\system32\naruhogo.dll
2008-12-08 16:12 94,286 --sha-w c:\windows\system32\papororo.dll
2008-12-07 18:06 --------- d-----w c:\documents and settings\gr\Application Data\teamspeak2
2008-11-26 18:36 --------- d-----w c:\program files\Java
2008-11-25 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-11-25 17:29 --------- d-----w c:\program files\Common Files\Motive
2008-11-08 08:39 --------- d-----w c:\documents and settings\gr\Application Data\Teleca
2008-11-08 08:39 --------- d-----w c:\documents and settings\gr\Application Data\Sony Ericsson
2008-11-08 08:37 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-08 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-08 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 08:36 --------- d-----w c:\program files\Sony Ericsson
2008-11-08 08:35 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET2A.tmp
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 06:58 94,720 --sha-w c:\windows\system32\venumeho.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 16:07 65,024 --sha-w c:\windows\system32\zaworido.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{358919af-bb88-4c5b-869f-34d1a90f201f}]
2008-09-08 16:07 65024 --ahs---- c:\windows\system32\zaworido.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\XpertVision\TBPanel.exe" [2007-04-23 2165520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BT Home Hub\\Help\\SmartBridge\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"e:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1235:UDP"= 1235:UDP:Windows Media Format SDK (iexplore.exe)
"1234:UDP"= 1234:UDP:Windows Media Format SDK (iexplore.exe)
"1237:UDP"= 1237:UDP:Windows Media Format SDK (iexplore.exe)
"1281:UDP"= 1281:UDP:Windows Media Format SDK (iexplore.exe)
"1280:UDP"= 1280:UDP:Windows Media Format SDK (iexplore.exe)
"1283:UDP"= 1283:UDP:Windows Media Format SDK (iexplore.exe)
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-29 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 231704]
R2 GS30d;GS30d;\??\c:\windows\system32\Drivers\GS30d.sys [2007-07-22 69792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-09 356920]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2008-11-08 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2008-11-08 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2008-11-08 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2008-11-08 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2008-11-08 86368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e939a8a-383d-11dc-9bdc-0015588cceca}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-DSLAGENTEXE - c:\program files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
HKLM-Run-fobahidiwe - c:\windows\system32\zifewiba.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.entropiaforum.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FireFox -: Profile - c:\documents and settings\gr\Application Data\Mozilla\Firefox\Profiles\hr866j61.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.entropiaforum.com/
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 08:12:37
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-10 8:13:48
ComboFix-quarantined-files.txt 2008-12-10 08:13:45
Pre-Run: 224,900,648,960 bytes free
Post-Run: 224,886,763,520 bytes free
196 --- E O F --- 2008-12-09 19:04:06
Many thanks for your time and help.
Safara
I have a Vundo infection and cant shift it. You help would be most appreciated :)
After reading few a few posts here I have installed Hijackthis and have the log.
I also ran Combofix and have the log.
They are both below.
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:40:35, on 10/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\GS30s.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.entropiaforum.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {358919af-bb88-4c5b-869f-34d1a90f201f} - C:\WINDOWS\system32\zaworido.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [fobahidiwe] Rundll32.exe "C:\WINDOWS\system32\zifewiba.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [fobahidiwe] Rundll32.exe "C:\WINDOWS\system32\zifewiba.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\wumomara.dll c:\windows\system32\jotejiho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jotejiho.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jotejiho.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 11298 bytes
*****************************************************
Combofix Log
**************************************************
ComboFix 08-12-09.02 - gr 2008-12-10 8:09:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1390 [GMT 0:00]
Running from: c:\documents and settings\gr\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc35.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc3B.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc4E.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc50.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc9.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mcc90.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\gr\Local Settings\Temporary Internet Files\mccF.tmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\dupekayi.dll
c:\windows\system32\iyakepud.ini
c:\windows\system32\meyoreho.dll
c:\windows\system32\muvobuwe.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-10 08:10 . 2008-12-10 08:10 <DIR> d-------- c:\windows\LastGood
2008-12-10 07:19 . 2008-12-10 07:19 <DIR> d-------- c:\program files\Trend Micro
2008-12-09 19:10 . 2008-12-09 19:10 <DIR> d-------- c:\documents and settings\Administrator
2008-12-09 18:50 . 2008-12-10 08:07 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-09 18:49 . 2008-12-10 07:12 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-09 18:49 . 2008-12-09 18:49 <DIR> d-------- c:\documents and settings\gr\Application Data\PC Tools
2008-12-09 18:49 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-09 18:49 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-09 18:49 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-09 18:49 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-09 18:35 . 2008-10-16 01:00 3,067,904 --a------ c:\windows\system32\SET31.tmp
2008-12-09 18:35 . 2008-10-16 01:00 1,499,136 --a------ c:\windows\system32\SET30.tmp
2008-12-09 18:35 . 2008-10-16 01:00 666,112 --a------ c:\windows\system32\SET2E.tmp
2008-12-09 18:35 . 2008-10-16 01:00 619,520 --a------ c:\windows\system32\SET2F.tmp
2008-12-09 18:14 . 2008-12-09 18:14 211 --a------ c:\windows\wininit.ini
2008-12-09 17:35 . 2008-12-09 17:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 17:35 . 2008-12-09 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-26 18:36 . 2008-11-26 18:36 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 17:29 . 2008-11-25 17:35 <DIR> d-------- c:\documents and settings\gr\Application Data\Motive
2008-11-25 08:03 . 2008-11-25 08:06 <DIR> d-------- c:\program files\BT Broadband Desktop Help
2008-11-12 08:10 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 08:04 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 04:12 93,913 --sha-w c:\windows\system32\naruhogo.dll
2008-12-08 16:12 94,286 --sha-w c:\windows\system32\papororo.dll
2008-12-07 18:06 --------- d-----w c:\documents and settings\gr\Application Data\teamspeak2
2008-11-26 18:36 --------- d-----w c:\program files\Java
2008-11-25 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-11-25 17:29 --------- d-----w c:\program files\Common Files\Motive
2008-11-08 08:39 --------- d-----w c:\documents and settings\gr\Application Data\Teleca
2008-11-08 08:39 --------- d-----w c:\documents and settings\gr\Application Data\Sony Ericsson
2008-11-08 08:37 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-08 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-08 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 08:36 --------- d-----w c:\program files\Sony Ericsson
2008-11-08 08:35 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET2A.tmp
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 06:58 94,720 --sha-w c:\windows\system32\venumeho.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 16:07 65,024 --sha-w c:\windows\system32\zaworido.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{358919af-bb88-4c5b-869f-34d1a90f201f}]
2008-09-08 16:07 65024 --ahs---- c:\windows\system32\zaworido.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\XpertVision\TBPanel.exe" [2007-04-23 2165520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BT Home Hub\\Help\\SmartBridge\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"e:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1235:UDP"= 1235:UDP:Windows Media Format SDK (iexplore.exe)
"1234:UDP"= 1234:UDP:Windows Media Format SDK (iexplore.exe)
"1237:UDP"= 1237:UDP:Windows Media Format SDK (iexplore.exe)
"1281:UDP"= 1281:UDP:Windows Media Format SDK (iexplore.exe)
"1280:UDP"= 1280:UDP:Windows Media Format SDK (iexplore.exe)
"1283:UDP"= 1283:UDP:Windows Media Format SDK (iexplore.exe)
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-29 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 231704]
R2 GS30d;GS30d;\??\c:\windows\system32\Drivers\GS30d.sys [2007-07-22 69792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-09 356920]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2008-11-08 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2008-11-08 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2008-11-08 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2008-11-08 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2008-11-08 86368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e939a8a-383d-11dc-9bdc-0015588cceca}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-DSLAGENTEXE - c:\program files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
HKLM-Run-fobahidiwe - c:\windows\system32\zifewiba.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.entropiaforum.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FireFox -: Profile - c:\documents and settings\gr\Application Data\Mozilla\Firefox\Profiles\hr866j61.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.entropiaforum.com/
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 08:12:37
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-10 8:13:48
ComboFix-quarantined-files.txt 2008-12-10 08:13:45
Pre-Run: 224,900,648,960 bytes free
Post-Run: 224,886,763,520 bytes free
196 --- E O F --- 2008-12-09 19:04:06
Many thanks for your time and help.
Safara