Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: virtumonde virus on machine

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default virtumonde virus on machine

    Can sombody help me with this issue. I would rather not have to reformatt.

    here is a copy of hijakthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:47:36 AM, on 4/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    C:\Winzip\WZQKPICK.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\bin\HPOVDX05.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\FrankF\Application Data\U3\000018742C615F1A\LaunchPad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HiJackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Winzip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.msnbc.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098891825688
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7722 bytes


    thanks
    Frank,

  2. #2
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Frank

    Welcome to Safer Networking.

    Please read Before You Post
    That said, All advice given by anyone volunteering here, is taken at own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    I am not looking at any Vundo on your log not to say its not present as the slimeballs that write this garbage are constantly adding new files. Lets do this.

    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a Hijackthis log.



    C:\Program Files\Hijackthis\HiJackThis.exe <-- Right click on the HJT icon, looks like a man with a spyglass and rename it Frank.exe


    Post the Vundofix log, the Malwarebytes log and a new HJT log renamed please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default Can't run Vundo.exe.....says not a 32 bit app

    Please help. Vundo will not run. It says that it's not a 32 bit app.

    My Internet is running dog slow

    thanks in advanced

    Frank

  4. #4
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Skip Vundo and run Malwarebytes
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default Malwarebytes and Hijackthis log to examine

    Here is Malwarebytes info

    Malwarebytes' Anti-Malware 1.11
    Database version: 599

    Scan type: Quick Scan
    Objects scanned: 42540
    Time elapsed: 13 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\xxywXOFW.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\ybbbkxfj.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a60a9073-9acf-41eb-a64f-358b4a43121d} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{a60a9073-9acf-41eb-a64f-358b4a43121d} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywxofw -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywxofw -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\xxywXOFW.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\WFOXwyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WFOXwyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ybbbkxfj.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\jfxkbbby.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ncdwfalw\zydofwro.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\FrankF\bx18dxv.dat (Trojan.Agent) -> Quarantined and deleted successfully.


    Here is HJT file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:56:04 PM, on 4/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Winzip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\bin\HPOVDX05.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [70fdccde] rundll32.exe "C:\WINDOWS\system32\vtfginpr.dll",b
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Winzip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.msnbc.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098891825688
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7734 bytes


    Thanks
    Frank Freedman

  6. #6
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default I need to send another Mal log and HJT log

    Since my internet comnnection is slower than a turtle. I ran the Malware without doing the update. After I did that. It ran much faster, so I'm doing another one with the update checked. I will send both logs in a few minutes.

    sorry about that. It's just very frustrating.

    Thanks for your help
    Frank Freedman

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default 2nd round with Malware and HJT logs - Sorry about this

    Sorry for the confusion.

    I appreicate your help and support

    Malwarebytes' Anti-Malware 1.11
    Database version: 682

    Scan type: Quick Scan
    Objects scanned: 46114
    Time elapsed: 16 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 21
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\rqRLdAtt.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\efcYQJyv.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\vtfginpr.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrldatt (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3301d890-9cc5-48b5-9448-ec05229ac7fd} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{3301d890-9cc5-48b5-9448-ec05229ac7fd} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{7930c862-4d6a-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8996b0a1-d7be-101b-8650-00aa003a5593} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf1100-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf1102-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf1104-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf1106-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf1108-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9cf110a-4f9c-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ac583f40-4f20-101b-8650-00aa003a4d8e} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\rqRLdAtt.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\efcYQJyv.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\vyJQYcfe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vyJQYcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vtfginpr.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\rpnigftv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxywXOFW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WFOXwyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WFOXwyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ybbbkxfj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jfxkbbby.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\FrankF\Local Settings\Temporary Internet Files\Content.IE5\ZMO3R5C1\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cfx32.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\CFX32.LIC (Trojan.Agent) -> Quarantined and deleted successfully.

    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:35:24 PM, on 4/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Winzip\WZQKPICK.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\bin\HPOVDX05.EXE
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [70fdccde] rundll32.exe "C:\WINDOWS\system32\vtfginpr.dll",b
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Winzip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.msnbc.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098891825688
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8287 bytes


    Thanks
    Frank Freedman

  8. #8
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Frank,

    No need to be sorry, getting infected with this garbage is very frustrating

    Malwarebytes removed a ton of Vundo but I am sure there is still some left so run both these tools please, I am still looking at some Vundo on your HJT log


    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up




    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**

    • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
    • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
    • Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

    1. Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze
    2. If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.



    Post the Combofix log and a new HJT log
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #9
    Junior Member
    Join Date
    Apr 2008
    Posts
    8

    Default ComboFix and HJT logs

    Here are the 2 log you requested.


    ////////////////////////////////////////////////////
    When I rebooted? I still get and error message

    Error loading C:\windows\systems\vtfginpr.dll

    The specified modual could not be found.
    ////////////////////////////////////////////////////
    After Combofix was completed.
    It removed half of my desktop shortcut.

    Is that normal??
    ////////////////////////////////////////////////////

    ComboFix 08-04-24.1 - FrankF 2008-04-25 14:27:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1657 [GMT -4:00]
    Running from: C:\Documents and Settings\FrankF\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\winhelp.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
    .

    2008-04-25 14:38 . 2008-04-25 14:38 <DIR> d-------- C:\Documents and Settings\FrankF\Application Data\MailFrontier
    2008-04-25 14:37 . 2008-04-25 14:37 53,248 --a------ C:\Documents and Settings\FrankF\catchme.dll
    2008-04-25 14:36 . 2008-04-25 14:36 <DIR> d-------- C:\Documents and Settings\FrankF\WPDNSE
    2008-04-25 14:35 . 2008-04-25 14:35 <DIR> d--h----- C:\Documents and Settings\FrankF\WLANProfiles
    2008-04-25 12:55 . 2008-04-25 12:55 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-25 11:51 . 2008-04-25 10:49 1,596,094 --a------ C:\mbam-setup.exe
    2008-04-25 10:34 . 2008-04-25 11:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-25 10:34 . 2008-04-25 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-21 15:34 . 2008-04-21 15:34 162 --ah----- C:\~$paration2.doc
    2008-04-20 09:46 . 2008-04-20 09:46 401,720 --a------ C:\Frank.exe
    2008-04-18 19:20 . 2008-04-25 14:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-18 19:20 . 2008-04-18 19:20 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-18 17:42 . 2008-04-18 17:42 <DIR> d-------- C:\Program Files\Bonjour
    2008-04-18 17:30 . 2008-04-18 17:37 <DIR> d-------- C:\Program Files\QuickTime
    2008-04-18 17:14 . 2008-04-18 17:14 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-04-18 17:09 . 2008-04-18 17:09 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-04-18 17:09 . 2008-04-18 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-04-18 12:43 . 2008-04-25 13:24 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-04-18 12:43 . 2008-04-25 14:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-18 12:43 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-04-18 12:43 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-04-18 12:43 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-04-18 12:43 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-04-18 11:35 . 2008-04-18 11:35 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-04-18 11:35 . 2008-04-25 14:27 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
    2008-04-18 09:52 . 2008-04-18 09:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-18 09:44 . 2008-04-18 09:51 <DIR> d-------- C:\Adaware
    2008-04-18 07:24 . 2008-04-18 07:23 2,630 --a------ C:\dpl.jpg
    2008-04-17 13:15 . 2008-04-18 09:25 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2008-04-17 13:15 . 2008-04-18 09:25 <DIR> d-------- C:\Program Files\Symantec
    2008-04-17 13:15 . 2008-04-18 09:25 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2008-04-17 13:15 . 2008-04-17 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-14 18:47 . 2008-04-14 18:35 3,325,587 --a------ C:\2008-04-14-66917.wmv
    2008-04-14 18:10 . 2008-04-25 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ncdwfalw
    2008-04-14 12:07 . 2008-04-14 12:07 5,347 --a------ C:\Frank3test.pdf
    2008-04-10 12:01 . 2008-04-14 11:29 5,347 --a------ C:\erase3.pdf
    2008-04-10 10:30 . 2008-04-10 10:30 36,381 --a------ C:\erase1.rtf
    2008-04-09 16:23 . 2008-04-09 16:23 6,399 --a------ C:\test.pdf
    2008-04-09 16:18 . 2008-04-09 16:17 49,152 --a------ C:\WINDOWS\system32\gtQRExpBDS2006.bpl
    2008-04-08 15:46 . 2007-04-18 20:51 640,512 --a------ C:\WINDOWS\system32\gtDocEngBDS2006Pro.bpl
    2008-04-08 15:46 . 2007-04-18 20:51 233,984 --a------ C:\WINDOWS\system32\gtDocEngBDS2006.bpl
    2008-04-08 15:46 . 2007-04-16 11:01 59,904 --a------ C:\WINDOWS\system32\gtCompressionBDS2006.bpl
    2008-04-08 15:46 . 2007-04-16 11:01 57,856 --a------ C:\WINDOWS\system32\gtRtlBDS2006.bpl
    2008-04-08 15:46 . 2007-04-16 11:02 35,840 --a------ C:\WINDOWS\system32\gtFontBDS2006.bpl
    2008-04-08 15:46 . 2007-04-16 11:02 29,184 --a------ C:\WINDOWS\system32\gtCryptBDS2006.bpl
    2008-04-08 15:46 . 2007-04-16 11:02 25,088 --a------ C:\WINDOWS\system32\gtFiltersBDS2006.bpl
    2008-04-07 14:51 . 2008-04-08 15:46 <DIR> d-------- C:\Program Files\Gnostice
    2008-03-30 11:19 . 2008-03-30 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-03-30 10:53 . 2008-03-30 10:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-03-30 10:51 . 2008-03-30 10:51 <DIR> d-------- C:\Rosetta Stone
    2008-03-30 10:51 . 2008-04-02 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rosetta Stone DEMO
    2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-03-26 13:26 . 2008-04-03 13:04 27,648 --a------ C:\LSSIPriority.doc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-25 18:33 232,508 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-04-25 18:33 17,690,656 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-25 14:58 2,877,952 ----a-w C:\WINDOWS\Internet Logs\xDB3A.tmp
    2008-04-21 19:44 --------- d-----w C:\Program Files\personal
    2008-04-19 13:30 262,144 ----a-w C:\WINDOWS\Internet Logs\xDB38.tmp
    2008-04-19 13:30 15,732,736 ----a-w C:\WINDOWS\Internet Logs\xDB39.tmp
    2008-04-18 21:52 --------- d-----w C:\Program Files\iTunes
    2008-04-18 21:52 --------- d-----w C:\Program Files\iPod
    2008-04-18 17:57 55,316 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_04_18_13_38_17_small.dmp.zip
    2008-04-18 17:48 152,576 ----a-w C:\WINDOWS\Internet Logs\xDB37.tmp
    2008-04-18 17:06 291,328 ----a-w C:\WINDOWS\Internet Logs\xDB36.tmp
    2008-04-18 15:25 260,096 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
    2008-04-18 15:25 15,689,216 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
    2008-04-18 13:53 --------- d-----w C:\Program Files\Lavasoft
    2008-04-18 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-18 12:43 15,689,728 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
    2008-04-18 12:43 1,239,552 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
    2008-04-17 15:50 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{2EB4C530-C94F-4893-ABDC-C1E05A89956E}
    2008-04-17 14:52 214,016 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
    2008-04-17 14:52 15,687,168 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
    2008-04-17 13:40 4,546,560 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
    2008-04-17 13:40 15,687,168 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
    2008-03-20 14:56 --------- d-----w C:\Program Files\PDFCovert
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-14 08:09 2,819,072 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
    2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
    2004-02-01 00:54 331,776 ----a-w C:\WINDOWS\inf\pdfinst2.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 13:01 4632576]
    "nwiz"="nwiz.exe" [2004-10-26 13:01 921600 C:\WINDOWS\system32\nwiz.exe]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 13:33 86016]
    "CARPService"="carpserv.exe" [2002-10-17 11:54 4608 C:\WINDOWS\system32\carpserv.exe]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 19:28 143360]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-26 21:51 180269]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "70fdccde"="C:\WINDOWS\system32\vtfginpr.dll" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2004-10-27 15:52:12 43520]
    HP OfficeJet T Series Startup.lnk - C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe [2004-10-27 13:57:35 1175552]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 11:05:56 65588]
    WinZip Quick Pick.lnk - C:\Winzip\WZQKPICK.EXE [2006-01-13 11:08:21 122880]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-03-24 11:26 110592 C:\WINDOWS\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
    "C:\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "<NO NAME>"=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    S3 hpoid407;IEEE-1284.4 Driver hpoid407;C:\WINDOWS\system32\DRIVERS\hpoid407.sys [2000-12-12 12:54]
    S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 17:46]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad501ca0-ffd9-11db-92ff-000d56aa7643}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32bb789-0faf-11dd-b1a6-000d56aa7643}]
    \Shell\AutoRun\command - E:\WD_Windows_Tools\Setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-18 21:15:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-25 14:37:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\DOCUME~1\FrankF\TWAIN.LOG 0 bytes
    C:\DOCUME~1\FrankF\Twain001.Mtx 2 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Apoint\ApntEx.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\hpovdx05.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-25 14:43:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-25 18:43:02

    Pre-Run: 16,797,880,320 bytes free
    Post-Run: 17,591,328,768 bytes free

    191 --- E O F --- 2008-04-12 14:54:41


    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:01:06 PM, on 4/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    C:\Winzip\WZQKPICK.EXE
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\bin\HPOVDX05.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [70fdccde] rundll32.exe "C:\WINDOWS\system32\vtfginpr.dll",b
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series NT\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Winzip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.msnbc.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098891825688
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8105 bytes

  10. #10
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi Frank,

    Looking better This will fix that error at startup.

    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

    O4 - HKLM\..\Run: [70fdccde] rundll32.exe "C:\WINDOWS\system32\vtfginpr.dll",b

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe




    Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, its not malicious but installs without your knowledge or consent , uses system resources and basically is not needed.

    C:\Program Files\Viewpoint <--delete this folder if still present


    Time for some housekeeping
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.




    • When shown the disclaimer, Select "2"


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:_OtMoveIt folder, if present

    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.




    How are things running now ??
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •