Results 1 to 8 of 8

Thread: Yet another Virtumonder

  1. 2008-06-28, 07:50 #1
    Stengah
    Stengah is offline
    Junior Member
    Join Date
    Jun 2008
    Posts
    4

    Default Yet another Virtumonder

    My log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:39:57 PM, on 6/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Muchobene\Muchobene.exe
    C:\Program Files\Common Files\VideoMate\ComproRemoteDTV.exe
    C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\foobar2000\foobar2000.exe
    E:\Program Files\mIRC\mirc.exe
    E:\Program Files\Trillian\trillian.exe
    E:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    E:\Program Files\iTunes\iTunes.exe
    E:\Program Files\Last.fm\LastFM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\ssqNDwxx.dll (file missing)
    O2 - BHO: (no name) - {D5E24DC2-C512-431F-BBA5-7A5BBC1DC483} - C:\Documents and Settings\brad.munro\Local Settings\Temporary Internet Files\Content.IE5\OJQ9YZQV\3077ahntdksr[1].dll
    O2 - BHO: (no name) - {D6D394CE-0A1C-4DC9-84DC-7CB7CDDF380B} - C:\WINDOWS\system32\iiffCrOE.dll (file missing)
    O2 - BHO: (no name) - {E214F4CB-8AAC-42BC-878F-E6F7A452B34d} - C:\WINDOWS\system32\ftrdioon.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [84e636a9] rundll32.exe "C:\WINDOWS\system32\axsdnhuc.dll",b
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Muchobene] E:\Program Files\Muchobene\Muchobene.exe
    O4 - Global Startup: ComproRemoteDTV.lnk = ?
    O4 - Global Startup: ComproSchedulerDTV.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C40.dat
    O20 - Winlogon Notify: ssqNDwxx - ssqNDwxx.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7346 bytes
  2. 2008-06-29, 16:43 #2
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Stengah

    Welcome to Safer Networking.

    Please read Before You Post
    That said, All advice given by anyone volunteering here, is taken at own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\ssqNDwxx.dll (file missing)
    O2 - BHO: (no name) - {D5E24DC2-C512-431F-BBA5-7A5BBC1DC483} - C:\Documents and Settings\brad.munro\Local Settings\Temporary Internet Files\Content.IE5\OJQ9YZQV\3077ahntdksr[1].dll
    O2 - BHO: (no name) - {D6D394CE-0A1C-4DC9-84DC-7CB7CDDF380B} - C:\WINDOWS\system32\iiffCrOE.dll (file missing)
    O2 - BHO: (no name) - {E214F4CB-8AAC-42BC-878F-E6F7A452B34d} - C:\WINDOWS\system32\ftrdioon.dll

    O4 - HKLM\..\Run: [84e636a9] rundll32.exe "C:\WINDOWS\system32\axsdnhuc.dll",b

    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C40.dat
    O20 - Winlogon Notify: ssqNDwxx - ssqNDwxx.dll (file missing)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, uses system resources and basically is not needed for anything.



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
  3. 2008-06-30, 09:26 #3
    Stengah
    Stengah is offline
    Junior Member
    Join Date
    Jun 2008
    Posts
    4

    Default

    Thanks for your help so far, ken.

    New Hijack Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:13:01 PM, on 6/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\VideoMate\ComproRemoteDTV.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: ComproRemoteDTV.lnk = ?
    O4 - Global Startup: ComproSchedulerDTV.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 6720 bytes

    Malwarebytes Log

    Malwarebytes' Anti-Malware 1.19
    Database version: 907
    Windows 5.1.2600 Service Pack 2

    5:09:54 PM 6/30/2008
    mbam-log-6-30-2008 (17-09-54).txt

    Scan type: Quick Scan
    Objects scanned: 44183
    Time elapsed: 3 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\brad.munro\Local Settings\Temporary Internet Files\Content.IE5\OJQ9YZQV\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
  4. 2008-06-30, 10:39 #4
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Log looks good but there may be more Vundo.

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up




    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
  5. 2008-06-30, 12:01 #5
    Stengah
    Stengah is offline
    Junior Member
    Join Date
    Jun 2008
    Posts
    4

    Default

    Okay, here they are.

    ComboFix 08-06-20.4 - brad.munro 2008-06-30 19:53:52.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.661 [GMT 10:00]
    Running from: E:\Internet\Downloads\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM87d50535.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\cuhndsxa.ini
    C:\WINDOWS\system32\EOrCffii.ini
    C:\WINDOWS\system32\EOrCffii.ini2
    C:\WINDOWS\system32\fgblclma.ini
    C:\WINDOWS\system32\ftrdioon.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\vyfiqfev.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
    .

    2008-06-30 17:04 . 2008-06-30 17:04 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Malwarebytes
    2008-06-30 17:04 . 2008-06-30 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-30 17:04 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-30 17:04 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-29 19:16 . 2008-06-29 19:16 56,312 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-06-29 14:24 . 2008-06-29 14:24 0 --a------ C:\WINDOWS\ativpsrm.bin
    2008-06-29 11:29 . 2004-08-04 17:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-06-29 10:49 . 2008-06-29 10:49 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-29 10:31 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-29 10:31 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-28 22:28 . 2008-06-30 15:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2008-06-28 22:28 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-28 15:39 . 2008-06-28 15:39 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-27 22:56 . 2008-06-27 22:56 <DIR> d-------- C:\Program Files\Java
    2008-06-27 22:56 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-27 22:55 . 2008-06-27 22:55 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-27 14:40 . 2008-06-30 17:00 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Muchobene
    2008-06-26 14:16 . 2008-06-26 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-24 17:05 . 2008-06-27 14:50 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\skypePM
    2008-06-24 17:05 . 2008-06-27 16:06 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Skype
    2008-06-24 17:05 . 2008-06-24 17:05 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-24 17:04 . 2008-06-24 17:04 <DIR> d-------- C:\Program Files\Skype
    2008-06-24 17:04 . 2008-06-24 17:04 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-06-24 17:04 . 2008-06-24 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
    2008-06-20 13:49 . 2008-06-20 13:49 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-06-18 21:13 . 2008-06-18 21:13 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-06-16 21:42 . 2008-06-16 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-16 19:57 . 2008-06-16 19:57 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\acccore
    2008-06-16 19:56 . 2008-06-30 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-06-16 19:56 . 2008-06-16 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-06-16 19:56 . 2008-06-16 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2008-06-16 19:56 . 2008-06-16 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
    2008-06-16 19:55 . 2008-06-16 19:55 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-06-16 19:52 . 2008-06-16 19:57 <DIR> d-------- C:\Program Files\AIM6
    2008-06-16 19:52 . 2008-06-16 19:57 385 --ah----- C:\IPH.PH
    2008-06-15 11:59 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    2008-06-15 11:59 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
    2008-06-15 11:58 . 2008-06-21 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-06-15 11:41 . 2008-06-15 11:41 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-06-15 11:09 . 2008-06-15 11:09 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\DAEMON Tools
    2008-06-15 11:09 . 2008-06-15 11:09 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-06-14 20:26 . 2008-06-14 20:26 <DIR> d-------- C:\Program Files\uTorrent
    2008-06-14 20:26 . 2008-06-26 20:09 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\uTorrent
    2008-06-14 15:54 . 2008-06-15 12:51 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2008-06-14 10:16 . 2008-06-14 10:16 <DIR> d-------- C:\Documents and Settings\debbie.munro\Application Data\Talkback
    2008-06-14 10:15 . 2008-06-14 10:15 <DIR> d-------- C:\Documents and Settings\debbie.munro
    2008-06-12 21:58 . 2008-06-12 21:58 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-06-12 21:58 . 2008-06-12 21:58 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-06-12 21:58 . 2007-06-06 09:40 5,663 --a------ C:\WINDOWS\system32\ludap17.ini
    2008-06-12 21:58 . 2007-05-23 09:53 75 --a------ C:\WINDOWS\system32\ctzapxx.ini
    2008-06-12 17:17 . 2008-06-12 17:17 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Creative
    2008-06-12 16:46 . 2008-06-13 09:57 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\AccurateRip
    2008-06-12 15:47 . 2008-06-12 22:00 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
    2008-06-12 15:47 . 2008-06-12 22:00 584 --a------ C:\WINDOWS\system32\settings.sfm
    2008-06-12 14:33 . 2008-06-15 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-06-12 14:31 . 2008-06-14 15:54 1,244 --a------ C:\WINDOWS\mozver.dat
    2008-06-12 14:24 . 2004-01-14 11:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
    2008-06-12 14:23 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-06-12 14:23 . 2003-09-18 14:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2008-06-12 14:22 . 2008-06-12 14:22 0 --a------ C:\WINDOWS\OpPrintServer.INI
    2008-06-12 14:19 . 2004-06-07 15:00 116,736 --a------ C:\WINDOWS\system32\CNMLM6d.DLL
    2008-06-12 14:19 . 2004-06-07 15:00 7,680 --a------ C:\WINDOWS\system32\CNMVS6d.DLL
    2008-06-12 14:18 . 2008-06-12 14:18 <DIR> d-------- C:\WINDOWS\StartHtmico
    2008-06-12 14:18 . 2008-06-12 14:18 <DIR> d-------- C:\WINDOWS\IP5000
    2008-06-12 14:18 . 2008-06-12 14:18 <DIR> d--h----- C:\BJPrinter
    2008-06-12 14:18 . 2004-06-05 01:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP6d.exe
    2008-06-12 14:11 . 2008-06-12 14:24 <DIR> d-------- C:\Program Files\Canon
    2008-06-12 14:01 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-06-12 14:01 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-06-12 11:49 . 2008-06-12 11:49 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Apple Computer
    2008-06-12 11:45 . 2008-06-12 20:32 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-12 11:45 . 2008-06-12 11:45 <DIR> d-------- C:\Program Files\iPod
    2008-06-12 11:45 . 2008-06-12 11:45 <DIR> d-------- C:\Program Files\Bonjour
    2008-06-12 11:45 . 2008-06-12 11:45 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-06-12 11:45 . 2008-06-12 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-12 11:44 . 2008-06-12 11:44 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-12 11:44 . 2008-06-12 11:44 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-06-12 11:44 . 2008-06-12 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-12 11:44 . 2008-01-15 19:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-06-12 11:43 . 2008-06-12 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
    2008-06-12 11:42 . 2008-06-12 11:42 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\vlc
    2008-06-12 11:32 . 2008-06-12 11:32 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\Talkback
    2008-06-12 11:31 . 2004-08-04 16:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
    2008-06-12 11:27 . 2008-06-30 19:45 <DIR> d-------- C:\Documents and Settings\brad.munro\Application Data\foobar2000
    2008-06-12 11:22 . 2008-06-30 17:11 <DIR> d-------- C:\Documents and Settings\brad.munro
    2008-06-12 11:01 . 2006-10-27 12:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
    2008-06-12 11:00 . 2008-06-12 11:00 <DIR> d-------- C:\Program Files\MSBuild
    2008-06-12 11:00 . 2008-06-12 11:00 <DIR> d-------- C:\Program Files\Microsoft Works
    2008-06-12 10:57 . 2008-06-12 10:59 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-06-12 10:57 . 2008-06-25 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-06-12 10:56 . 2008-06-12 10:56 <DIR> dr-h----- C:\MSOCache
    2008-06-12 10:38 . 2008-06-12 10:38 0 --a------ C:\WINDOWS\nsreg.dat
    2008-06-12 10:30 . 2008-06-12 10:30 <DIR> d-------- C:\WINDOWS\system32\windows media
    2008-06-12 10:30 . 2008-06-12 10:30 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
    2008-06-12 10:30 . 2008-06-12 10:30 <DIR> d-------- C:\Program Files\Windows Media Components
    2008-06-12 10:29 . 2004-03-16 05:34 24,576 --------- C:\WINDOWS\system32\UleadPhotoExplorer85_Res.dll
    2008-06-12 10:29 . 2004-03-16 05:33 24,576 --------- C:\WINDOWS\system32\Ulead Photo Explorer 85.scr
    2008-06-12 10:25 . 2008-06-12 10:29 <DIR> d-------- C:\Program Files\Ulead Systems
    2008-06-12 10:25 . 2008-06-12 10:25 <DIR> d-------- C:\Program Files\Common Files\VideoMate
    2008-06-12 10:25 . 2008-06-12 10:29 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
    2008-06-12 10:25 . 2008-06-12 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    2008-06-12 10:25 . 2003-04-03 09:24 950,272 --a------ C:\WINDOWS\system32\u32Prod.dll
    2008-06-12 10:25 . 2003-02-22 13:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2008-06-12 10:25 . 2003-02-19 03:23 122,880 --a------ C:\WINDOWS\system32\u32Comm.dll
    2008-06-12 10:25 . 2002-09-18 03:19 73,728 --a------ C:\WINDOWS\system32\PhilipsVBI.ax
    2008-06-12 10:25 . 2003-04-18 09:34 61,440 --a------ C:\WINDOWS\system32\u32Cfg.dll
    2008-06-12 10:25 . 2002-08-03 14:25 53,248 --a------ C:\WINDOWS\system32\UVSC.DLL
    2008-06-12 10:25 . 2003-01-10 05:58 24,576 --a------ C:\WINDOWS\system32\U32SN.DLL
    2008-06-12 10:24 . 2008-06-12 10:26 <DIR> d-------- C:\Program Files\VideoMate
    2008-06-12 10:18 . 2000-05-22 18:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
    2008-06-12 10:18 . 1999-10-11 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
    2008-06-12 10:15 . 2008-06-12 10:15 <DIR> d-------- C:\WINDOWS\system32\Data
    2008-06-12 10:13 . 2008-06-12 10:18 <DIR> d-------- C:\Program Files\Creative
    2008-06-12 10:12 . 99 C:\WINDOWS\E
    2008-06-12 10:07 . 2003-03-04 13:56 145,408 -ra------ C:\WINDOWS\system32\drivers\e100b325.sys
    2008-06-12 10:07 . 2003-03-04 13:56 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
    2008-06-12 10:07 . 2003-03-03 17:26 118,784 -ra------ C:\WINDOWS\system32\Prounstl.exe
    2008-06-12 10:07 . 2003-02-11 08:18 102,400 -ra------ C:\WINDOWS\system32\drivers\ianswxp.sys
    2008-06-12 10:07 . 2002-12-29 06:00 24,064 -ra------ C:\WINDOWS\system32\IntelNic.dll
    2008-06-12 10:07 . 2003-02-03 07:26 12,288 -ra------ C:\WINDOWS\system32\e100bmsg.dll
    2008-06-12 10:07 . 2002-06-27 07:53 5,110 -ra------ C:\WINDOWS\system32\e100b325.din
    2008-06-12 10:06 . 2008-06-12 10:06 <DIR> d-------- C:\Program Files\Gigabyte
    2008-06-12 10:06 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-06-12 10:04 . 2008-06-12 10:07 <DIR> d-------- C:\Program Files\Intel
    2008-06-12 10:03 . 2008-06-12 21:59 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-11 23:50 --------- d-----w C:\Program Files\microsoft frontpage
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
    "Aim6"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 09:24 86016]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-03 02:53 57344]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 18:00 90112]
    "Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-28 12:22 90112]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 17:47 31016]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-11 08:27 385024]
    "P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 11:10 409600]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ComproRemoteDTV.lnk - C:\Program Files\Common Files\VideoMate\ComproRemoteDTV.exe [2008-06-12 10:25:01 139264]
    ComproSchedulerDTV.lnk - C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe [2008-06-12 10:25:01 73728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "E:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "E:\\Program Files\\AIM\\aim.exe"=
    "E:\\Program Files\\Miranda IM\\miranda32.exe"=
    "E:\\Program Files\\Trillian\\trillian.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
    R3 VMHybrid;VMHybrid service;C:\WINDOWS\system32\DRIVERS\VMHybrid.sys [2005-04-13 02:49]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-30 19:57:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-30 19:59:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-30 09:59:16

    Pre-Run: 23,653,416,960 bytes free
    Post-Run: 23,577,784,320 bytes free

    232 --- E O F --- 2008-06-30 06:55:14
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:00:59 PM, on 6/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\VideoMate\ComproRemoteDTV.exe
    C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: ComproRemoteDTV.lnk = ?
    O4 - Global Startup: ComproSchedulerDTV.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 6689 bytes
  6. 2008-06-30, 12:49 #6
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looking Good For future reference there is no need to Quote the reports, that just makes it a bit harder to analyze.

    How are things running now??
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
  7. 2008-07-01, 09:07 #7
    Stengah
    Stengah is offline
    Junior Member
    Join Date
    Jun 2008
    Posts
    4

    Default

    Haha sorry, I thought it was doing the opposite.

    Everything seems to be running smoothly now, thanks.
  8. 2008-07-01, 11:18 #8
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    That's great

    ATF Cleaner <-- This is yours to keep and was written by one of our own.

    Malwarebytes <-- One of the better programs and this one is yours to keep also, check for updates and run a scan once in awhile.

    Combofix <-- This is a very powerful tool and not a general cleaning tool, if you run this on your own without supervision you could bork your system.



    This may or maynot work because you did not follow the instructions and downloaded it to your desktop, if it did not work, then go to where you have Combofix and drag it to the trash.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.




    • When shown the disclaimer, Select "2"


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.




    Malware Complaints
    Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


    Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
    • Spybot Search and Destroy 1.5
      Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


    Glad we could help

    Safe Surfn
    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules