
Thread: Virulent Vundo. Help!!!

  1. #1
    Junior Member (Join Date: Dec 2008; Location: New Mexico; Posts: 3)

    Virulent Vundo. Help!!!

    I thought I had gotten rid of this Vundo virus by running AntiMalwareBytes, but it keeps coming back again and again. What am I missing? Somebody please help me get rid of this thing! Here is my HJT log. Thanks in advance!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:06 AM, on 12/27/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Flock\flock.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {454f9a16-8238-4e4b-b8b9-90d0304f85e5} - C:\WINDOWS\system32\risowupa.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [puvijoyero] Rundll32.exe "C:\WINDOWS\system32\ketoyibo.dll",s
    O4 - HKLM\..\Run: [f41cc4d0] rundll32.exe "C:\WINDOWS\system32\debeviva.dll",b
    O4 - HKLM\..\Run: [CPMf72ff74c] Rundll32.exe "c:\windows\system32\kofedapu.dll",a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [puvijoyero] Rundll32.exe "C:\WINDOWS\system32\ketoyibo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [puvijoyero] Rundll32.exe "C:\WINDOWS\system32\ketoyibo.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-434013016-1634020872-3626054308-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser17')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1227804974828
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65DFB2B4-F0E2-4C79-981F-7D9F9EE8AFE6}: NameServer = 192.168.1.5,192.168.1.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91651F67-2230-4EFF-B1E3-E3F0AEAE8024}: NameServer = 192.168.1.2,192.168.1.5
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ykymnu.dll c:\windows\system32\zelosubo.dll C:\WINDOWS\system32\yetevato.dll c:\windows\system32\kofedapu.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofedapu.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofedapu.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
    O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

    --
    End of file - 10584 bytes
    -----------------------------
    http://forums.spybot.info/showthread.php?t=41590
    Last edited by tashi; 2008-12-27 at 18:33. Reason: Added link for infection time stamp

  2. #2
    Junior Member (Join Date: Dec 2008; Location: New Mexico; Posts: 3)


    Here is my combofix log.

    ComboFix 08-12-26.03 - Compaq_Owner 2008-12-27 17:08:23.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.524 [GMT -7:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
    .

    2008-12-23 10:04 . 2008-12-23 10:04 268 --ah----- C:\sqmdata12.sqm
    2008-12-23 10:04 . 2008-12-23 10:04 244 --ah----- C:\sqmnoopt12.sqm
    2008-12-22 13:40 . 2008-12-22 13:40 268 --ah----- C:\sqmdata11.sqm
    2008-12-22 13:40 . 2008-12-22 13:40 244 --ah----- C:\sqmnoopt11.sqm
    2008-12-22 11:59 . 2008-12-22 11:59 <DIR> d-------- c:\program files\MSECache
    2008-12-21 22:32 . 2008-12-21 22:32 268 --ah----- C:\sqmdata10.sqm
    2008-12-21 22:32 . 2008-12-21 22:32 244 --ah----- C:\sqmnoopt10.sqm
    2008-12-20 23:52 . 2008-12-20 23:52 268 --ah----- C:\sqmdata09.sqm
    2008-12-20 23:52 . 2008-12-20 23:52 244 --ah----- C:\sqmnoopt09.sqm
    2008-12-20 23:47 . 2008-12-20 23:47 268 --ah----- C:\sqmdata08.sqm
    2008-12-20 23:47 . 2008-12-20 23:47 244 --ah----- C:\sqmnoopt08.sqm
    2008-12-20 22:17 . 2008-12-20 22:17 268 --ah----- C:\sqmdata07.sqm
    2008-12-20 22:17 . 2008-12-20 22:17 244 --ah----- C:\sqmnoopt07.sqm
    2008-12-19 23:41 . 2008-12-19 23:41 268 --ah----- C:\sqmdata06.sqm
    2008-12-19 23:41 . 2008-12-19 23:41 244 --ah----- C:\sqmnoopt06.sqm
    2008-12-19 16:05 . 2008-12-19 16:05 268 --ah----- C:\sqmdata05.sqm
    2008-12-19 16:05 . 2008-12-19 16:05 244 --ah----- C:\sqmnoopt05.sqm
    2008-12-18 17:15 . 2008-12-18 17:15 268 --ah----- C:\sqmdata04.sqm
    2008-12-18 17:15 . 2008-12-18 17:15 244 --ah----- C:\sqmnoopt04.sqm
    2008-12-17 20:06 . 2008-12-17 20:06 268 --ah----- C:\sqmdata03.sqm
    2008-12-17 20:06 . 2008-12-17 20:06 244 --ah----- C:\sqmnoopt03.sqm
    2008-12-17 15:29 . 2008-12-17 15:29 268 --ah----- C:\sqmdata02.sqm
    2008-12-17 15:29 . 2008-12-17 15:29 244 --ah----- C:\sqmnoopt02.sqm
    2008-12-16 19:42 . 2008-12-16 19:42 268 --ah----- C:\sqmdata01.sqm
    2008-12-16 19:42 . 2008-12-16 19:42 244 --ah----- C:\sqmnoopt01.sqm
    2008-12-16 09:24 . 2008-12-16 14:25 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\gtk-2.0
    2008-12-16 08:48 . 2008-12-27 08:48 <DIR> d-------- c:\program files\mIRC
    2008-12-16 08:48 . 2008-12-27 09:30 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\mIRC
    2008-12-16 08:06 . 2008-12-16 08:06 268 --ah----- C:\sqmdata00.sqm
    2008-12-16 08:06 . 2008-12-16 08:06 244 --ah----- C:\sqmnoopt00.sqm
    2008-12-15 16:31 . 2008-12-15 16:31 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-12-15 13:52 . 2008-12-15 13:52 <DIR> d-------- c:\documents and settings\Compaq_Owner\Contacts
    2008-12-15 13:51 . 2008-12-15 13:51 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2008-12-15 13:50 . 2008-12-15 13:51 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
    2008-12-15 13:49 . 2008-12-15 13:51 <DIR> d-------- c:\program files\Windows Live
    2008-12-15 13:49 . 2008-12-15 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
    2008-12-15 11:43 . 2008-12-15 11:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-15 11:43 . 2008-12-15 11:43 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2008-12-15 11:43 . 2008-12-15 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-15 11:43 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-15 11:43 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-15 08:04 . 2008-12-15 08:04 <DIR> d-------- c:\program files\Trend Micro
    2008-12-15 07:58 . 2008-12-27 17:04 <DIR> d-------- c:\program files\Flock
    2008-12-15 07:58 . 2008-12-15 07:58 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Flock
    2008-12-14 18:19 . 2008-12-14 18:19 <DIR> d-------- C:\VundoFix Backups
    2008-12-14 17:45 . 2008-12-14 17:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-14 17:40 . 2008-12-14 17:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
    2008-12-14 16:52 . 2008-12-14 16:52 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
    2008-12-13 15:14 . 2008-12-13 15:14 <DIR> d-------- c:\program files\7-Zip
    2008-12-13 15:10 . 2008-12-27 17:02 <DIR> d-------- c:\program files\DNA
    2008-12-13 15:10 . 2008-12-27 17:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\DNA
    2008-12-13 11:30 . 2008-12-13 11:30 <DIR> d-------- c:\program files\GPLGS
    2008-12-13 11:29 . 2008-12-13 11:29 <DIR> d-------- c:\program files\Acro Software
    2008-12-13 11:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
    2008-12-10 18:32 . 2008-12-10 18:32 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org
    2008-12-08 11:29 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
    2008-12-08 11:29 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
    2008-12-07 12:08 . 2008-12-14 16:52 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\My Games
    2008-12-07 11:46 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2008-12-01 14:56 . 2008-12-01 14:56 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
    2008-12-01 10:42 . 2008-12-01 10:42 1,094 --a------ c:\windows\mozver.dat
    2008-12-01 08:14 . 2008-12-01 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sling Media
    2008-12-01 08:13 . 2008-12-01 08:14 <DIR> d-------- c:\program files\Sling Media
    2008-11-30 12:09 . 2008-11-30 12:10 <DIR> d-------- c:\program files\Winamp
    2008-11-30 12:09 . 2008-11-30 12:10 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Winamp
    2008-11-30 12:06 . 2008-11-30 12:06 <DIR> d-------- c:\program files\QCAD Professional
    2008-11-30 12:06 . 2008-11-30 12:06 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\RibbonSoft
    2008-11-30 11:55 . 2008-12-18 13:58 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\skypePM
    2008-11-30 11:55 . 2008-11-30 11:55 56 --ah----- c:\windows\system32\ezsidmv.dat
    2008-11-30 10:48 . 2008-11-30 11:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\vlc
    2008-11-28 09:03 . 2008-11-28 09:03 <DIR> d-------- c:\program files\Kyocera

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-27 23:56 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\.purple
    2008-12-27 23:25 --------- d-----w c:\program files\Mozilla Thunderbird
    2008-12-18 23:11 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Skype
    2008-12-16 15:00 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-16 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-15 23:31 --------- d-----w c:\program files\Common Files\Adobe
    2008-12-14 23:53 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-07 18:59 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Ahead
    2008-12-07 18:46 --------- d-----w c:\program files\Common Files\InstallShield
    2008-11-27 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
    2008-11-27 18:22 --------- d-----w c:\program files\Common Files\LightScribe
    2008-11-27 18:22 --------- d-----w c:\program files\Common Files\Ahead
    2008-11-27 18:17 --------- d-----w c:\program files\Nero
    2008-11-27 18:17 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-11-27 18:11 --------- d-----w c:\program files\Intuit
    2008-11-27 18:11 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Intuit
    2008-11-27 18:10 --------- d-----w c:\program files\Google
    2008-11-27 18:08 --------- d-----w c:\program files\Common Files\Intuit
    2008-11-27 18:07 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
    2008-11-27 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
    2008-11-27 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\COMMON FILES
    2008-11-27 18:04 --------- d-----w c:\program files\MSXML 4.0
    2008-11-27 18:02 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2008-11-27 17:57 --------- d-----w c:\program files\OpenOffice.org 3
    2008-11-27 17:57 --------- d-----w c:\program files\JRE
    2008-11-27 17:44 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
    2008-11-27 17:44 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
    2008-11-27 17:44 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
    2008-11-27 17:44 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
    2008-11-27 17:44 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
    2008-11-27 17:44 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
    2008-11-27 17:44 287,310 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
    2008-11-27 17:44 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
    2008-11-27 17:06 --------- d-----w c:\program files\Microsoft.NET
    2008-11-27 17:06 --------- d-----w c:\program files\Microsoft ActiveSync
    2008-11-27 16:51 --------- d-----w c:\program files\Java
    2008-11-27 06:32 --------- d-----w c:\program files\Skype
    2008-11-27 06:32 --------- d-----w c:\program files\Common Files\Skype
    2008-11-27 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2008-11-27 06:21 --------- d-----w c:\program files\Creative
    2008-11-27 06:19 --------- d-----w c:\program files\Symantec
    2008-11-27 06:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-11-27 06:10 --------- d-----w c:\program files\Audacity
    2008-11-27 06:03 --------- d-----w c:\program files\Sonic
    2008-11-27 06:01 --------- d-----w c:\program files\Quicken
    2008-11-27 06:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\.clamwin
    2008-11-27 06:00 --------- d-----w c:\program files\Microsoft Works
    2008-11-27 06:00 --------- d-----w c:\program files\ClamWin
    2008-11-27 05:58 --------- d-----w c:\program files\Pidgin
    2008-11-27 05:57 --------- d-----w c:\program files\Common Files\GTK
    2008-11-27 05:49 --------- d-----w c:\program files\VideoLAN
    2008-11-27 05:48 --------- d-----w c:\program files\Hewlett-Packard
    2008-11-27 05:46 --------- d-----w c:\program files\Easy Internet signup
    2008-11-27 05:45 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Thunderbird
    2008-11-27 05:32 1,838 --sha-r c:\windows\system32\drivers\103C_HP_CPC_EG733AA-ABA SR1620NX NA540_YC_0Pres_QCNN536_E54NAheRED2_48_IAMETHYST-M_SMSI_V1.0_B3.33_T050817_WXH2_L409_M959_J500_7AMD_8Sempron_91.99_#081127_N10EC8139_Z_G10025954_OHL-DT-ST DVDRRW GWA-4164B_DDPC7770.MRK
    2008-11-27 04:40 118,842 ----a-r c:\windows\HPCPCUninstaller-6.3.2.116-5577497.exe
    2008-11-27 04:39 12,994 ----a-w c:\windows\system32\CHODDI.SYS
    2008-11-27 04:21 --------- d-----w c:\program files\iTunes
    2008-11-27 04:21 --------- d-----w c:\program files\iPod
    2008-11-27 04:16 --------- d-----w c:\program files\WildTangent
    2008-11-27 04:15 --------- d-----w c:\program files\Real
    2008-11-27 04:15 --------- d-----w c:\program files\QuickTime
    2008-11-27 04:15 --------- d-----w c:\program files\PC-Doctor for DOS
    2008-11-27 04:13 --------- d-----w c:\program files\MSN Encarta Standard
    2008-11-27 04:12 --------- d-----w c:\program files\microsoft frontpage
    2008-11-27 04:10 --------- d-----w c:\program files\InterVideo
    2008-11-27 04:10 --------- d-----w c:\program files\Common Files\xing shared
    2008-11-27 04:09 --------- d-----w c:\program files\Common Files\Real
    2008-11-27 04:08 --------- d-----w c:\program files\Common Files\Java
    2008-11-27 04:07 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec
    2008-11-27 04:07 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SampleView
    2008-11-27 04:07 --------- d-----w c:\program files\ATI Technologies
    2008-11-27 04:07 --------- d-----w c:\documents and settings\QBDataServiceUser17\Application Data\Symantec
    2008-11-27 04:07 --------- d-----w c:\documents and settings\QBDataServiceUser17\Application Data\SampleView
    2008-11-27 04:07 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Symantec
    2008-11-27 04:07 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\SampleView
    2008-11-27 04:06 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intuit
    2008-11-27 04:06 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Apple Computer
    2008-11-27 04:06 --------- d-----w c:\documents and settings\QBDataServiceUser17\Application Data\Intuit
    2008-11-27 04:06 --------- d-----w c:\documents and settings\QBDataServiceUser17\Application Data\Apple Computer
    2008-11-27 04:06 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
    2008-11-27 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\SBSI
    2008-11-27 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
    2008-11-27 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
    2008-11-27 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-11-27 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-17 09:08 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-11-27 18:11 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-09-19 23:01 63,629 --sha-w c:\windows\system32\daluwimo.dll
    2008-09-21 00:02 63,726 --sha-w c:\windows\system32\jimikesu.dll
    2008-09-21 00:02 63,726 --sha-w c:\windows\system32\judobida.dll
    2008-09-26 17:01 63,543 --sha-w c:\windows\system32\kevidobi.dll
    2008-09-19 23:01 4,096 --sha-w c:\windows\system32\lejivaya.dll
    2008-09-23 17:00 69,632 --sha-w c:\windows\system32\mufezuwi.dll
    2008-09-26 17:01 63,543 --sha-w c:\windows\system32\noyahopi.dll
    2008-09-17 21:07 84,992 --sha-w c:\windows\system32\pimihiva.dll
    2008-09-26 17:02 64,512 --sha-w c:\windows\system32\pojezija.dll
    2008-09-19 23:01 63,629 --sha-w c:\windows\system32\telariva.dll
    2008-09-23 17:00 63,618 --sha-w c:\windows\system32\vujabono.dll
    2008-09-23 17:00 63,618 --sha-w c:\windows\system32\zezesuhe.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-13 342848]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-26 180269]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 29744]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

    c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-27 113664]
    QuickBooks Database Server Manager.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe [2006-09-19 149024]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 960032]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 []
    R2 SlingAgentService;SlingAgent Service;"c:\program files\Sling Media\SlingAgent\SlingAgentService.exe" [2008-09-21 93960]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 29744]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c618b66-041a-11da-89cd-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e506b5bd-c489-11dd-8995-005022e37aa6}]
    \Shell\AutoRun\command - J:\autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-24 c:\windows\Tasks\Pareto UNS.job
    - c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    TCP: {65DFB2B4-F0E2-4C79-981F-7D9F9EE8AFE6} = 192.168.1.5,192.168.1.2
    TCP: {91651F67-2230-4EFF-B1E3-E3F0AEAE8024} = 192.168.1.2,192.168.1.5
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\gt91ruui.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\gt91ruui.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-27 17:09:47
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(480)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-27 17:11:08
    ComboFix-quarantined-files.txt 2008-12-28 00:10:21
    ComboFix2.txt 2008-12-28 00:04:01

    Pre-Run: 344,941,088,768 bytes free
    Post-Run: 344,924,774,400 bytes free

    295 --- E O F --- 2008-12-12 17:22:20
