View Full Version : Bah, Virtumonde and a slew of other infections. :(
jalbertind
2009-05-07, 00:46
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:12 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mom & Dad')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" (User 'Mom & Dad')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1005\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Mom & Dad')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mom & Dad')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Allie')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1007\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Allie')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Katherine')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-1008\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Katherine')
O4 - HKUS\S-1-5-21-4151277044-4031585965-30426550-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\h5qnmvl9mv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\h5qnmvl9mv.exe (User 'Default user')
O4 - S-1-5-21-4151277044-4031585965-30426550-1005 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Mom & Dad')
O4 - S-1-5-21-4151277044-4031585965-30426550-1005 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User 'Mom & Dad')
O4 - S-1-5-21-4151277044-4031585965-30426550-1008 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Katherine')
O4 - S-1-5-21-4151277044-4031585965-30426550-1008 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Katherine')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.antimalwareguard.com
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\ C:\WINDOWS\system32\difoyuro c:\windows\system32\matiberi.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\pefedamu.dll,C:\WINDOWS\system32\difoyuro.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pefedamu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pefedamu.dll (file missing)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
--
End of file - 12854 bytes
Any help would be really, really appreciated. Thanks!
http://forums.spybot.info/showthread.php?t=48385
Hello and welcome to Safer Networking
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
I f you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
1 - Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
3 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log
Thanks peku006
jalbertind
2009-05-08, 00:10
Thanks so much, peku006.
For the sake of simplicity, I'll post each as an attachment.
Thanks again!
Hi jalbertind
All logs should be copy/pasted into topic and not attached
1 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavili on&pf=laptop
O15 - Trusted Zone: *.antimalwareguard.com
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
2 - Run CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\lmn_setup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\yosusimu.dll
c:\windows\system32\zupizuma.exe
c:\windows\system32\rn.tmp
c:\windows\system32\ziyizuri.exe
c:\windows\system32\puleziwu.dll
c:\windows\system32\tosigupa.dll
c:\windows\system32\vujufiko.dll
c:\windows\system32\zovujiwu.dll
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
3 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked): Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.
http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
Thanks peku006
jalbertind
2009-05-09, 07:15
Thanks as always, Peku006. I'm forever indebted to you.
Combofix log:
ComboFix 09-05-08.03 - James 05/08/2009 18:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.442 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.
2009-05-07 21:39 . 2009-05-07 21:39 4096 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-04 00:41 . 2009-05-04 00:41 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\MySpace
2009-05-01 00:44 . 2009-05-01 00:44 -------- d-----w c:\program files\CCleaner
2009-05-01 00:33 . 2009-05-02 15:33 -------- d-----w C:\VundoFix Backups
2009-04-30 23:09 . 2009-05-01 01:00 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-30 23:09 . 2009-04-30 23:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 22:59 . 2009-04-30 22:59 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-04-30 22:59 . 2009-04-30 22:59 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-04-30 22:59 . 2009-04-30 22:59 -------- d-----w c:\program files\Prevx
2009-04-30 22:59 . 2009-04-30 23:06 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-30 06:35 . 2009-04-30 23:39 8061 ----a-w c:\windows\system32\loader49.exe
2009-04-26 17:46 . 2009-04-26 17:46 7885 --sha-w c:\windows\system32\yosusimu.dll
2009-04-19 21:56 . 2009-04-19 21:56 -------- d-sh--w C:\found.003
2009-04-19 21:47 . 2009-04-24 22:19 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-16 21:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:05 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 21:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 21:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:03 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:03 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 20:53 . 2009-04-11 20:53 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-11 17:00 . 2009-05-04 23:16 -------- d-----w c:\program files\World of Warcraft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 00:23 . 2006-07-28 00:06 -------- d-----w c:\program files\Viewpoint
2009-05-04 00:59 . 2008-12-12 01:22 -------- d-----w c:\program files\MySpace
2009-05-04 00:45 . 2009-05-04 00:45 8518 ----a-w c:\windows\system32\rn.tmp
2009-04-30 22:43 . 2006-07-27 23:32 -------- d-----w c:\program files\Trend Micro
2009-04-24 22:19 . 2008-05-27 21:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-24 22:19 . 2008-05-27 21:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-22 04:58 . 2009-01-22 04:58 47104 --sha-w c:\windows\system32\zupizuma.exe
2009-04-21 16:58 . 2009-01-21 16:58 47616 --sha-w c:\windows\system32\ziyizuri.exe
2009-04-18 00:48 . 2006-07-27 23:40 -------- d-----w c:\program files\Webroot
2009-04-01 03:46 . 2009-04-01 03:46 92776 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-01 03:26 . 2009-04-01 03:25 -------- d-----w c:\program files\iTunes
2009-04-01 03:25 . 2009-04-01 03:25 -------- d-----w c:\program files\iPod
2009-04-01 03:25 . 2007-12-11 23:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-01 03:23 . 2008-12-25 16:01 -------- d-----w c:\program files\QuickTime
2009-04-01 03:15 . 2009-04-01 03:14 -------- d-----w c:\program files\Safari
2009-04-01 03:13 . 2009-04-01 03:13 -------- d-----w c:\program files\Bonjour
2009-03-06 14:22 . 2004-08-10 15:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 04:59 . 2009-04-01 03:18 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 04:59 . 2008-12-25 15:58 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-10 15:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 15:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 15:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 15:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 15:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 15:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 15:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-10 15:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-03-24 17:08 . 2007-03-24 17:08 251 ----a-w c:\program files\wt3d.ini
2009-01-25 18:48 . 2009-01-25 18:48 9345 --sha-w c:\windows\system32\puleziwu.dll
2009-01-23 22:46 . 2009-01-23 22:46 18076 --sha-w c:\windows\system32\tosigupa.dll
2009-01-26 17:44 . 2009-01-26 17:44 7885 --sha-w c:\windows\system32\vujufiko.dll
2009-01-28 21:32 . 2009-01-28 21:32 9316 --sha-w c:\windows\system32\zovujiwu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-14 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-24 1947928]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
c:\documents and settings\Mom & Dad.YOUR-727A0A4E7C\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
c:\documents and settings\Katherine\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 22:19 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [4/30/2009 5:59 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [4/30/2009 5:59 PM 27656]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/27/2008 4:17 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/19/2009 4:47 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/27/2008 4:16 PM 298776]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [4/30/2009 5:59 PM 4368952]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2/16/2008 3:46 PM 99248]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2/18/2005 2:04 PM 203024]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 5:57 PM 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/18/2005 2:04 PM 36112]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 5:58 PM 204873]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [11/12/2008 6:28 PM 1527900]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87538cf9-8995-11db-b70e-0014a5a8d769}]
\Shell\AutoRun\command - G:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d496f102-e011-11dc-b925-0014a5a8d769}]
\Shell\AutoRun\command - F:\OblivionLauncher.exe
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-05-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-14 04:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 18:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-4151277044-4031585965-30426550-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* �*ê*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-4151277044-4031585965-30426550-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* �*ê*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-08 18:12
ComboFix-quarantined-files.txt 2009-05-08 23:10
ComboFix2.txt 2009-05-07 22:05
Pre-Run: 7,154,032,640 bytes free
Post-Run: 7,135,350,784 bytes free
Current=5 Default=5 Failed=1 LastKnownGood=2 Sets=1,2,3,4,5
241 --- E O F --- 2009-04-17 22:50
jalbertind
2009-05-09, 07:16
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2096
Windows 5.1.2600 Service Pack 3
5/9/2009 12:07:57 AM
mbam-log-2009-05-09 (00-07-57).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 267964
Time elapsed: 1 hour(s), 57 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 17
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\adpanel.panel1 (Adware.SuperiorAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adpanel.panel1.1 (Adware.SuperiorAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dc_ads.ads (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dc_ads.ads.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{643fe4cf-77c4-4e4a-aa9d-edd8a798adbd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{643fe4cf-77c4-4e4a-aa9d-edd8a798adbd} (Trojan.Vundo) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthuufgoiemnqxnocxthphnfeyxorcdxahb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthgsaycndnwxjbiqdlcvpmmlxqeljdmqlw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthspcorenalstwdxsbqbyxtdfdsparlypj.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\superiorads-uninst.exe.vir (Adware.SuperiorAds) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthduxiorjindtdqneixxkyqdbxpbwuxkrq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559725.exe (Adware.SuperiorAds) -> Not selected for removal.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559697.sys (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559698.dll (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559699.dll (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559700.dll (Trojan.TDSS) -> Not selected for removal.
C:\WINDOWS\system32\puleziwu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tosigupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zovujiwu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\robejaku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
jalbertind
2009-05-09, 07:17
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:56 AM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
--
End of file - 9460 bytes
Hi jalbertind
1 - Download and Run OTMoveIt3
Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.
:files
c:\windows\system32\lmn_setup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\yosusimu.dll
c:\windows\system32\zupizuma.exe
c:\windows\system32\rn.tmp
c:\windows\system32\ziyizuri.exe
c:\windows\system32\puleziwu.dll
c:\windows\system32\tosigupa.dll
c:\windows\system32\vujufiko.dll
c:\windows\system32\zovujiwu.dll
:Commands
[EmptyTemp]
Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
2 - Status Check
Please reply with
1. the OTMoveIt3 Log
description of any problems you are having with your PC
Thanks peku006
jalbertind
2009-05-09, 21:21
Thanks Peku006.
Log:
========== FILES ==========
File/Folder c:\windows\system32\lmn_setup.exe not found.
File/Folder c:\windows\system32\loader49.exe not found.
LoadLibrary failed for c:\windows\system32\yosusimu.dll
c:\windows\system32\yosusimu.dll NOT unregistered.
c:\windows\system32\yosusimu.dll moved successfully.
c:\windows\system32\zupizuma.exe moved successfully.
c:\windows\system32\rn.tmp moved successfully.
c:\windows\system32\ziyizuri.exe moved successfully.
File/Folder c:\windows\system32\puleziwu.dll not found.
File/Folder c:\windows\system32\tosigupa.dll not found.
LoadLibrary failed for c:\windows\system32\vujufiko.dll
c:\windows\system32\vujufiko.dll NOT unregistered.
c:\windows\system32\vujufiko.dll moved successfully.
File/Folder c:\windows\system32\zovujiwu.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\James\LOCALS~1\Temp\etilqs_bMS5rlhIWPJ10lbqqQhw scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\James\LOCALS~1\Temp\fla49.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\02a2d576-951f-4d64-a144-b9ed4c2ad189.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\0f6d0fa4-68c6-4d71-9b1c-cc90b90d13ad.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\16b7adaf-a9a6-41ca-b1c9-c7ebdaea53c1.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\2cf9b408-ae49-4596-8404-1bc5275385b8.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\30e5e7ec-6f22-4170-ad44-46dcfde38413.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\7da17ad6-fd02-45c9-b665-e3faf476118f.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\83512c77-f0ae-4613-800f-4f773874b6c6.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\905cdaae-77b9-41e6-bd62-a4399f70a20d.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\9bea790a-8c94-4874-863c-46d80407d3a2.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\a9f005fc-a184-479c-81e8-1e2e16866a13.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\d8a2d7eb-4081-4136-9df2-858af5361cdb.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\e000b73c-dfd3-40fa-8771-ad0023cf4180.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\e0827ba2-e719-43c2-b087-0f7a1fadfdd4.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\f9b1537e-7bf6-41fd-8024-a024613f15b1.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\fcbc91c9-2c52-415e-964f-71d7759adee8.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Application Data\Mozilla\Firefox\Profiles\0dyk4xae.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_141935
Hi jalbertind
Looking better
Let's make sure we got everything
1 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
2 - F-Secure Online Scan
F-Secure Online Scan
Note: You will need to use Internet explorer for this scan
Go here (http://support.f-secure.com/enu/home/ols.shtml) to run an online scan from F-Secure
Click on Start scanning
This will open a new internet explorer window
It will require an activex control, please install it
Click Accept
Click Full System Scan
It will now download the scanner, this may take a while, please be patient
It will then start scanning, wait for the scan to finish
Click Automatic cleaning (recommended)
Wait for it finish the cleaning process
Click show report
This will open up a window with the results of the scan, copy and paste those results as a reply to this topic
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the F-Secure online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?
Thanks peku006
jalbertind
2009-05-11, 06:02
Thanks, Peku006. Things are going much, much better. I can't think of any specific problems; it's moving a lot faster than it was PRE-Vundo.
Here's the F-Secure log:
Scanning Report
Sunday, May 10, 2009 20:24:32 - 22:54:32
Computer name: YOUR-727A0A4E7C
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\
10 malware found
Trojan:W32/Vundo.gen!A (spyware)
* System (Disinfected)
TrackingCookie.Advertising (spyware)
* System (Disinfected)
TrackingCookie.Atwola (spyware)
* System (Disinfected)
Vundo.FBW (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0556703.INI (Not cleaned & Submitted)
Vundo.FBW (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0557704.INI (Not cleaned & Submitted)
Trojan:W32/Vundo.gen!A (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559734.DLL (Not cleaned)
Vundo.FBW (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP442\A0549677.INI (Not cleaned & Submitted)
Vundo.FBW (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP440\A0542665.INI (Not cleaned & Submitted)
Vundo.FBW (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP440\A0548654.INI (Not cleaned & Submitted)
Trojan:W32/Vundo.gen!A (virus)
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090430-174718-871.DLL (Not cleaned)
Statistics
Scanned:
* Files: 75424
* System: 4197
* Not scanned: 25
Actions:
* Disinfected: 3
* Renamed: 0
* Deleted: 0
* Not cleaned: 7
* Submitted: 5
Files not scanned:
* C:\PAGEFILE.SYS
* C:\_OTMOVEIT\MOVEDFILES\05092009_141935\WINDOWS\SYSTEM32\VUJUFIKO.DLL
* C:\_OTMOVEIT\MOVEDFILES\05092009_141935\WINDOWS\SYSTEM32\YOSUSIMU.DLL
* C:\_OTMOVEIT\MOVEDFILES\05092009_141935\WINDOWS\SYSTEM32\ZIYIZURI.EXE
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559697.SYS
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559698.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559699.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559700.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559721.EXE
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559733.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559735.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559736.EXE
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559740.EXE
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP443\A0559742.EXE
* C:\DOCUMENTS AND SETTINGS\MOM & DAD.YOUR-727A0A4E7C\LOCAL SETTINGS\TEMP\HSPERFDATA_MOM & DAD\2216
* C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\FCIEWTJN\RATES[1].XML
* C:\DOCUMENTS AND SETTINGS\JAMES\DESKTOP\VUNDOFIX.EXE
* C:\DOCUMENTS AND SETTINGS\JAMES\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0DYK4XAE.DEFAULT\SESSIONSTORE-1.JS
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0314\VALUES
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E919CD3BAF4748E21D62E78C618D498E_44A4FAD8-FF69-4532-890F-C6DCB18149F4
Options
Scanning engines:
* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.8.9080, 2009-05-10
* F-Secure AVP: 7.0.171, 2009-05-09
* F-Secure Pegasus: 1.20.0
* F-Secure Blacklight
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics
jalbertind
2009-05-11, 06:04
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:37 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\James\LOCALS~1\Temp\fsonlinescanner.exe
C:\DOCUME~1\James\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\James\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
--
End of file - 9525 bytes
Hi jalbertind
it seems that you have Trend Micro\Antivirus ,Symantec and AVG8 install on your computer,which of them you are using ?
Thanks peku006
jalbertind
2009-05-12, 00:33
From what I can tell, AVG8 is the only active one.
Hi jalbertind
we need to remove the other two
McAfee Removal Tool
Dowload and save McAfee Removal Tool (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe) to your desktop.
Run it to remove McAfee. After this, please restart your computer.
------------------------------------------------------------
Norton Removal Tool
Download and save Norton Removal Tool (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039) to your desktop. Choose: I have a Norton xxxxxxxxxxxxxxxxxxxxx product link to open the removal instructions and the download link.
Run it to remove Norton. After this, please restart your computer.
With that done, please post back a fresh HiJackThis log.
Thanks peku006
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.