Vundo gone but problems remain [Solved]



#1 JiNxX9500 (Member, 20 posts)
hello!

my computer contracted a variant of Vundo on Saturday, and I was able to stop the pop-ups yesterday afternoon after using a handful of different tools (Malwarebytes' Anti-Malware seemed to finally do the job).

however, using Sysinternals Process Explorer, I discovered that something on my computer was causing an instance of rundll32.exe to run as a child process of one of the valid svchost.exe processes (the one that governs the COM+ and DHCP Client services, among other things). this rundll32.exe instance is attempting to load a file in my SYSTEM32 directory called "qoMcaxYq.dll", a name which screams "VIRUS" to me. fortunately, this file doesn't seem to exist (Windows Explorer is set to show hidden files and it's just not there), but the process remains open until I kill it. the process also seems to be re-activated every hour (exactly on the hour) while the computer is running, accompanied by the Windows Critical Stop sound. (the sound was my initial clue that something was still wrong; it was happening when no windows were open. I'd never had this happen before.) the command line listed for the process is as follows: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\qoMcaxYq.dll",AddRefActCtx

I've also experienced a major decrease in speed when browsing the web since the Vundo incident. most pages are loading quite slowly for a cable broadband connection. I've tried reinstalling Firefox but it doesn't seem to have helped.

thanks in advance to anyone who can help me out! logs below.

VundoFix completed its scan and reported that nothing was found. (I don't think it created a log.)

VirtumundoBeGone reported the same, as in the log below:

[01/13/2009, 15:37:18] - VirtumundoBeGone v1.5 ( "F:\JiNxXs Den\Apps-Games Zips\VirtumundoBeGone.exe" )
[01/13/2009, 15:37:22] - Detected System Information:
[01/13/2009, 15:37:22] -  Windows Version: 5.1.2600, Service Pack 2
[01/13/2009, 15:37:22] -  Current Username: Mike (Admin)
[01/13/2009, 15:37:22] -  Windows is in NORMAL mode.
[01/13/2009, 15:37:22] - Searching for Browser Helper Objects:
[01/13/2009, 15:37:22] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/13/2009, 15:37:22] -  BHO 2: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] -  No filename found. Continuing.
[01/13/2009, 15:37:22] -  BHO 3: {4437d3c5-3f8c-4808-bc51-3ee5664de070} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] -  No filename found. Continuing.
[01/13/2009, 15:37:22] -  BHO 4: {4544E79F-8E43-4128-A470-A07F180D749F} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] -  No filename found. Continuing.
[01/13/2009, 15:37:22] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/13/2009, 15:37:22] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] -  No filename found. Continuing.
[01/13/2009, 15:37:22] -  BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/13/2009, 15:37:22] -  BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] -  No filename found. Continuing.
[01/13/2009, 15:37:22] - Finished Searching Browser Helper Objects
[01/13/2009, 15:37:22] - Finishing up...
[01/13/2009, 15:37:22] - Nothing found! Exiting...

finally, HiJackThis came back with the following log. the rogue rundll32 instance is in the list of processes.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:24 PM, on 1/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Grxp4exe.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
F:\JiNxXs Den\Apps-Games Zips\Process Explorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 68.44.244.240 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {4437d3c5-3f8c-4808-bc51-3ee5664de070} - (no file)
O2 - BHO: (no name) - {4544E79F-8E43-4128-A470-A07F180D749F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150339680\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AtomTime98 v2.1.lnk = C:\Program Files\AtomTime\ATOMTIME.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run VNC Server.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS2\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Client - Unknown owner - C:\WINDOWS\Registration\CRMLog\service.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Mapper Configuration - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Windows Printer Activity - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8171 bytes

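As an added example (not from the thread and not part of HijackThis), a small Python triage that reads HijackThis-style log lines and flags the entry types this thread turns on: hosts overrides (O1), orphaned BHOs (O2), rundll32 launchers (O4), AppInit_DLLs (O20) and services with an unknown owner or missing binary (O23). The sample log is constructed from lines in the first HijackThis log above; the severity labels and the `Finding` structure are assumptions of this example.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread, not HijackThis code and not the poster's.
Each O-line is matched against a handful of rules that reflect what the
experts look at first: anything that loads code into other processes,
anything whose file or owner cannot be accounted for, and every
rundll32 launcher, whose DLL and entry point should be verified by hand.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on O-lines from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 68.44.244.240 idenupdate.motorola.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Client - Unknown owner - C:\WINDOWS\Registration\CRMLog\service.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    reason: str
    line: str


# rundll32[.exe] <dll path, optionally quoted>,<entry point>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)
O_LINE_RE = re.compile(r'^(O\d+)\s+-\s+(.*)$')


def parse_rundll32(cmd: str):
    """Return (dll_path, entry_point) for a rundll32 command line, else None.

    Works on the raw command line Process Explorer shows as well as on the
    O4 entries HijackThis prints, since both carry the same dll,entry form.
    """
    m = RUNDLL_RE.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = O_LINE_RE.match(line.rstrip())
    if not m:
        return None
    tag, body = m.group(1), m.group(2)
    if tag == 'O1':
        # A hosts-file mapping redirects a name regardless of DNS; confirm it is intended.
        return Finding(tag, 'medium', 'hosts-file override; verify the mapping is intentional', line)
    if tag == 'O2' and '(no file)' in body:
        # CLSID registered but the DLL is gone: a leftover that should be cleaned up.
        return Finding(tag, 'info', 'orphaned BHO CLSID (no file); safe to remove', line)
    if tag == 'O4':
        rd = parse_rundll32(body)
        if rd:
            dll, entry = rd
            return Finding(tag, 'medium',
                           f'rundll32 loader: confirm {dll} exists and is signed (entry {entry})', line)
        return None
    if tag == 'O20' and 'AppInit_DLLs:' in body:
        dlls = body.split(':', 1)[1].strip()
        if dlls:
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            return Finding(tag, 'high', f'AppInit_DLLs injects {dlls} into every user32 process', line)
        return None
    if tag == 'O23' and ('Unknown owner' in body or '(file missing)' in body):
        return Finding(tag, 'high', 'service with unknown owner or missing binary', line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep the non-empty findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.section}: {f.reason}')
</test>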



#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

#3 JiNxX9500 (Topic Starter, Member, 20 posts)
loophole, thanks for your quick response.

disabling Norton AntiVirus seems to be more difficult than I thought. I right-clicked the system tray icon and selected "Disable", but then when I ran ComboFix, Norton still popped up a message telling me that there was a malicious script running. the window was frozen though, so I couldn't bypass it. I wound up restarting the computer. so then I went to Control Panel > Administrative Tools > Services and stopped the Auto-Protect service from there. tried running ComboFix again, same result. so now what? :)

also, I think ComboFix changed my system clock to appear in 24-hour time on my taskbar. is this normal?

EDIT: new development: Firefox is opening websites very slowly but MSIE is quick as ever.

Edited by JiNxX9500, 14 January 2009 - 01:50 PM.


#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

Control Panel > Administrative Tools > Services and stopped the Auto-Protect service

Please follow the same procedure, but stop the SBService service as well.

#5 JiNxX9500 (Topic Starter, Member, 20 posts)
OK, I went ahead and disabled ScriptBlocker. I still got the same dialog from Norton when I ran ComboFix, but this time I was able to tell Norton to authorize the script. ComboFix installed the Windows Recovery Console for me (I didn't realize it was missing) and then ran through its paces. I had to step away from the computer for a minute; when I came back, the computer had been restarted and was waiting at Windows Logon. after I logged on, my copy of Spybot was active again; ComboFix continued operation and I told Spybot to allow all the changes that were being made to the registry. ComboFix finished and generated its log. I also ran HJT again and got a log for that. both are below.

I should probably mention, though, that my computer made that Critical Stop sound right on the top of the hour again, just a couple minutes ago.

EDIT [Sat 1/17]: I've done some research and I think my boot sector may be infected. I've tried repair-installing Windows (I'm going to need to do that anyway, as Vundo disabled my System Restore), but Windows Setup BSODs every time with stop error 7B (inaccessible boot device). I read that running fdisk with the /mbr switch would clear that up, but I'd like some guidance.

---

ComboFix:
ComboFix 09-01-13.04 - Mike 2009-01-14 15:32:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1535.1127 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\byXRHWoo.dll
c:\windows\system32\cwpkdghf.ini
c:\windows\system32\geBsstQj.dll.vir

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


(((((((((((((((((((((((((   Files Created from 2008-12-14 to 2009-01-14  )))))))))))))))))))))))))))))))
.

2009-01-13 16:10 . 2009-01-13 16:10	<DIR>	d--------	c:\program files\Trend Micro
2009-01-12 13:06 . 2009-01-12 13:06	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-01-12 13:06 . 2009-01-12 13:06	<DIR>	d--------	c:\documents and settings\Mike\Application Data\Malwarebytes
2009-01-12 13:06 . 2009-01-12 13:06	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 13:06 . 2009-01-04 18:38	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 13:06 . 2009-01-04 18:38	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-01-12 00:58 . 2009-01-12 10:20	<DIR>	d--------	c:\program files\EsetOnlineScanner
2009-01-11 21:00 . 2009-01-11 21:00	<DIR>	d--------	C:\VundoFix Backups
2008-12-25 05:20 . 2009-01-11 04:11	54,156	--ah-----	c:\windows\QTFont.qfn
2008-12-25 05:20 . 2008-12-25 05:20	1,409	--a------	c:\windows\QTFont.for
2008-12-25 03:03 . 2008-12-25 03:47	<DIR>	d--------	c:\documents and settings\Mike\Application Data\U3
2008-12-25 02:44 . 2008-12-25 02:48	<DIR>	d--------	c:\program files\Audacity
2008-12-25 00:01 . 2008-12-25 00:14	<DIR>	d--------	c:\documents and settings\Mike\Application Data\Free Audio Editor
2008-12-25 00:00 . 2005-05-17 12:37	1,986,560	--a------	c:\windows\system32\NCTAudioFile2.dll
2008-12-25 00:00 . 2005-05-18 11:52	1,212,416	--a------	c:\windows\system32\NCTAudioInformation2.dll
2008-12-25 00:00 . 2005-04-15 12:08	880,640	--a------	c:\windows\system32\NCTAudioEditor2.dll
2008-12-25 00:00 . 2004-11-04 13:31	835,584	--a------	c:\windows\system32\NCTAudioCDGrabber2.dll
2008-12-25 00:00 . 2005-04-04 17:21	602,112	--a------	c:\windows\system32\NCTAudioTransform2.dll
2008-12-25 00:00 . 2005-03-28 15:54	479,232	--a------	c:\windows\system32\NCTAudioVisualization2.dll
2008-12-25 00:00 . 2005-04-25 13:01	458,752	--a------	c:\windows\system32\NCTAudioRecord2.dll
2008-12-25 00:00 . 2005-04-25 13:01	458,752	--a------	c:\windows\system32\NCTAudioPlayer2.dll
2008-12-25 00:00 . 2005-03-28 15:52	417,792	--a------	c:\windows\system32\NCTTextToAudio2.dll
2008-12-25 00:00 . 2005-02-24 11:51	348,160	--a------	c:\windows\system32\NCTWMAFile2.dll
2008-12-25 00:00 . 2006-03-23 12:56	113,486	--a------	c:\windows\system32\NCTWMAProfiles.prx
2008-12-24 23:50 . 2008-12-24 23:50	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-24 23:48 . 2008-12-24 23:48	<DIR>	d--------	c:\program files\Common Files\AVSMedia
2008-12-24 23:48 . 2008-12-24 23:59	<DIR>	d--------	c:\program files\AVS4YOU
2008-12-24 23:48 . 2008-12-24 23:48	<DIR>	d--------	c:\documents and settings\Mike\Application Data\AVS4YOU
2008-12-21 19:55 . 2008-12-21 19:57	<DIR>	d--------	c:\windows\NV3576376.TMP
2008-12-21 19:55 . 2008-10-07 13:33	201,157	--a------	c:\windows\system32\nvapps.nvb
2008-12-21 19:54 . 2008-12-21 19:54	<DIR>	d--------	C:\NVIDIA
2008-12-21 19:42 . 2008-12-21 19:43	<DIR>	d--------	c:\program files\SystemRequirementsLab
2008-12-21 19:42 . 2008-12-21 19:42	<DIR>	d--------	c:\documents and settings\Mike\Application Data\SystemRequirementsLab

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 07:55	---------	d-----w	c:\program files\Spybot - Search & Destroy
2009-01-11 07:49	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 01:36	---------	d-----w	c:\program files\Soulseek
2008-12-25 07:21	---------	d-----w	c:\program files\Nero 8
2008-12-05 05:20	---------	d-----w	c:\documents and settings\Mike\Application Data\GarageGames
2008-01-26 21:51	92,064	----a-w	c:\documents and settings\Mike\mqdmmdm.sys
2008-01-26 21:51	9,232	----a-w	c:\documents and settings\Mike\mqdmmdfl.sys
2008-01-26 21:51	79,328	----a-w	c:\documents and settings\Mike\mqdmserd.sys
2008-01-26 21:51	66,656	----a-w	c:\documents and settings\Mike\mqdmbus.sys
2008-01-26 21:51	6,208	----a-w	c:\documents and settings\Mike\mqdmcmnt.sys
2008-01-26 21:51	5,936	----a-w	c:\documents and settings\Mike\mqdmwhnt.sys
2008-01-26 21:51	4,048	----a-w	c:\documents and settings\Mike\mqdmcr.sys
2008-01-26 21:51	25,600	----a-w	c:\documents and settings\Mike\usbsermptxp.sys
2008-01-26 21:51	22,768	----a-w	c:\documents and settings\Mike\usbsermpt.sys
2005-06-08 16:51	13,053	----a-w	c:\documents and settings\Mike\ZGUICFG.DAT
2001-11-23 16:08	712,704	----a-w	c:\windows\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-23 155648]
"HostManager"="c:\program files\Common Files\AOL\1150339680\ee\AOLSoftware.exe" [2006-04-20 50792]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NAV Agent"="c:\progra~1\NORTON~1\navapw32.exe" [2001-08-16 74832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Gravis Xperience Driver Support"="Grxp4exe.exe" [2002-02-26 c:\windows\system32\grxp4exe.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-11 4898816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-20 113664]
AtomTime98 v2.1.lnk - c:\program files\AtomTime\ATOMTIME.EXE [1999-04-19 283676]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-11-26 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-06-10 65588]
Run VNC Server.lnk - c:\program files\RealVNC\VNC4\winvnc4.exe [2007-01-22 685048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zdovpl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"e:\\QUAKE\\qwcl.exe"=
"e:\\QUAKE\\glqwcl.exe"=
"e:\\QUAKE2\\QUAKE2.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Worms Armageddon\\Wa.exe"=
"e:\\DOOM2\\zdoom.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"e:\\Diablo\\Diablo.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150339680\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150339680\\ee\\aim6.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"e:\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Left 4 Dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12923:TCP"= 12923:TCP:BitComet 12923 TCP
"12923:UDP"= 12923:UDP:BitComet 12923 UDP

R0 rttmntr;R-TT Backup Archive Explorer;c:\windows\system32\drivers\rttmntr.sys [2005-08-09 211008]
R0 snaprtt;R-TT Snapshots Manager;c:\windows\system32\drivers\snaprtt.sys [2004-12-22 82080]
R1 kid_sys;Kensington Input Devices Class filter driver;c:\windows\system32\drivers\KID_SYS.sys [2005-04-27 11920]
R4 rttfsfilt;R-TT FS Filter;c:\windows\system32\drivers\rttfsfilt.sys [2004-12-22 28640]
S3 ntxpgp;Gravis Xperience GamePort device driver;c:\windows\system32\drivers\ntxpgp.sys [2005-04-27 240188]
S4 Client;Client;c:\windows\Registration\CRMLog\service.exe /name:"Client" /start:"hkcmd.exe cygwn.dll" --> c:\windows\Registration\CRMLog\service.exe  [?]
S4 Windows Mapper Configuration;Windows Mapper Configuration;c:\windows\system32\drivers\services.exe /name:"Windows Mapper Configuration" /start:"msi.exe" --> c:\windows\system32\drivers\services.exe  [?]
S4 Windows Printer Activity;Windows Printer Activity;c:\windows\system32\drivers\services.exe /name:"Windows Printer Activity" /start:"printserver.exe /h/i/s" --> c:\windows\system32\drivers\services.exe  [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64067daa-755d-11da-8892-806d6172696f}]
\Shell\AutoRun\command - H:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-03-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2001-08-16 18:15]

2009-01-14 c:\windows\Tasks\pkxunbnk.job
- c:\windows\system32\rundll32.exe [2004-08-03 20:07]

2009-01-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-07-26 12:23]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4437d3c5-3f8c-4808-bc51-3ee5664de070} - (no file)
BHO-{4544E79F-8E43-4128-A470-A07F180D749F} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-Name of App - c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = about:blank

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ht0upjfd.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ht0upjfd.default\extensions\[email protected]\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ht0upjfd.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ht0upjfd.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 15:35:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Name of App = c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe??w???w???????w???w??i?????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-01-14 15:41:58 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt  2009-01-14 20:41:53

Pre-Run: 33,114,947,584 bytes free
Post-Run: 33,184,215,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

204	--- E O F ---	2008-12-18 16:49:34

HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:45 PM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Grxp4exe.exe
C:\Program Files\Common Files\AOL\1150339680\ee\AOLSoftware.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150339680\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AtomTime98 v2.1.lnk = C:\Program Files\AtomTime\ATOMTIME.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run VNC Server.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Client - Unknown owner - C:\WINDOWS\Registration\CRMLog\service.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Mapper Configuration - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Windows Printer Activity - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7556 bytes

Edited by loophole, 18 January 2009 - 01:24 AM.

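A triage pass over HijackThis log lines of the kind posted above, added here as a worked example; it is not code from the thread, from the poster, or from Trend Micro, and the severity labels are an assumption of mine. It picks out the entry types the helper acts on in the following posts: an O20 AppInit_DLLs value (a DLL that every process loading user32.dll will map, which is how Vundo-class components ride inside legitimate hosts such as rundll32.exe), O23 services with an unknown owner and a missing binary, orphaned O2 BHO registrations, and O4 Run entries under the SYSTEM and Default user hives. The sample input is a constructed subset of the posted log.

```python
"""Triage of HijackThis log lines (added example; not part of the thread)."""
import re

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows Mapper Configuration - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
"""

# "O23 - Service: ..." -> kind "O23", rest "Service: ..."
ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")

# Hives where a per-user autorun for an interactive application makes no sense.
SERVICE_HIVES = (r"HKUS\S-1-5-18", r"HKUS\.DEFAULT")


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if it is unremarkable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()

    if kind == "O20" and rest.startswith("AppInit_DLLs:"):
        value = rest.split(":", 1)[1].strip()
        if value:
            # AppInit_DLLs is mapped into every process that loads user32.dll,
            # so one entry here gives the DLL a foothold in every GUI process.
            return ("high", "AppInit_DLLs loads %r into every GUI process" % value)

    if kind == "O23" and rest.startswith("Service:"):
        if "(file missing)" in rest and "Unknown owner" in rest:
            # The image is gone but the registration survives: either uninstall
            # debris or a dropper's persistence that a scanner half-removed.
            return ("high", "service with unknown owner and missing binary")
        if "(file missing)" in rest:
            return ("medium", "service binary missing")

    if kind == "O2" and rest.endswith("(no file)"):
        return ("low", "BHO CLSID registered but its DLL is gone (orphan)")

    if kind == "O4" and rest.startswith(SERVICE_HIVES):
        return ("medium", "Run entry in the SYSTEM/Default hive starts a user application")

    return None


def triage(log_text):
    """Return [(severity, line, reason)] for every notable line, in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict is not None:
            findings.append((verdict[0], line.strip(), verdict[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, reason, line))
```

Run against the constructed sample it reports the orphaned BHO, the SYSTEM-hive MySpaceIM autorun, the AppInit_DLLs entry and the "Windows Mapper Configuration" service, and nothing else. A clean HJT log is still not a clean machine: HijackThis does not enumerate scheduled tasks, so a .job file like the one the helper removes later in this thread never shows up here and has to come from a tool such as ComboFix.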

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Sorry for the delay

We can check whether the MBR has been altered.


Please rescan with Hijackthis and place a check next to the following entries:

O20 - AppInit_DLLs: zdovpl.dll

Now click "Fix Checked" and close Hijackthis



1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\windows\Tasks\pkxunbnk.job

Driver::
Windows Mapper Configuration
Windows Printer Activity



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .


Next, please run the following:

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the insert button to insert the attachment into your post


#7 JiNxX9500 (Member, Topic Starter, 20 posts)
no worries brother, I'm just a bit anxious to get back up and running!

I ran HJT and "fixed" the entry you specified.

I created the CFScript file as you instructed. however, when I try to drag-and-drop it onto ComboFix, it instead just moves the ComboFix icon. the "drag and drop into program" thing works for some of the other programs on my desktop, but not ComboFix... and I don't know how to fix that. (would be good to know for future reference though!) so that's as far as I got with your instructions. :)

#8 loophole (Malware Expert, Retired Staff, 9,798 posts)
No worries, let's go a different route.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\Tasks\pkxunbnk.job
    :Services 
    Windows Mapper Configuration
    Windows Printer Activity
    :commands
    [purity]
    [emptytemp]
    [start explorer]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next, continue with the root repeal scan as mentioned in my earlier post

#9 JiNxX9500 (Member, Topic Starter, 20 posts)
alrighty!

OTMoveIt3 came back with:
========== FILES ==========
c:\windows\Tasks\pkxunbnk.job moved successfully.
========== SERVICES/DRIVERS ==========
Service Windows Mapper Configuration stopped successfully.
Service Windows Mapper Configuration deleted successfully.
Service Windows Printer Activity stopped successfully.
Service Windows Printer Activity deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01182009_185356

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

and RootRepeal had the following:
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:			2009/01/18 19:02
Program Version:		Version 1.2.3.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name:		  
Image Path:		  
Address: 0xF7472000	Size: 98304	File Visible: No
Status: -

Name:		  
Image Path:		  
Address: 0x00000000	Size: 0	File Visible: No
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xAB27A000	Size: 16384	File Visible: No
Status: -

Name: dump_viamraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viamraid.sys
Address: 0xA69FD000	Size: 73728	File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA4DF000	Size: 45056	File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf75bc028

#: 041	Function Name: NtCreateKey
Status: Hooked by "a347bus.sys" at address 0xf75bbfe0

#: 045	Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xf75afb00

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xf75b05dc

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bc120

#: 116	Function Name: NtOpenFile
Status: Hooked by "a347bus.sys" at address 0xf75afb40

#: 119	Function Name: NtOpenKey
Status: Hooked by "a347bus.sys" at address 0xf75bbfa4

#: 160	Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xf75b05fc

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bc076

#: 241	Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xf75bb550

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8988f428	Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System	Address: 0x8972e030	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System	Address: 0x89402bc0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x893fc4f0	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System	Address: 0x893fcb40	Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System	Address: 0x894b5580	Size: -

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System	Address: 0x8900b158	Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x894cc698	Size: -

Object: Hidden Code [Driver: Npfsȅ敓ȁఉ瑎捦܉@考, IRP_MJ_READ]
Process: System	Address: 0x894aafb0	Size: -

Object: Hidden Code [Driver: Msfsȅ敓ȁఉ瑎捦܉@考, IRP_MJ_READ]
Process: System	Address: 0x894abbd0	Size: -

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System	Address: 0x894abce0	Size: -

Object: Hidden Code [Driver: CdfsЅ剒敬Ёం扏楄梸۸褨Ђ䵃慖, IRP_MJ_READ]
Process: System	Address: 0x89883630	Size: -

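A small parser for the SSDT and Stealth Objects sections of a RootRepeal report like the one posted above, added as a worked example that is not part of the thread and not RootRepeal's own code. It groups hooks by the module that installed them, flags any module not on a responder-maintained allowlist, and notes whether the hooked functions are the ones a kernel rootkit needs to hide registry keys and files. The allowlist is an assumption: it is seeded with a347bus.sys and a347scsi, the Alcohol 120% virtual CD/DVD drive drivers, which account for every SSDT hook in the posted report and which the helper judges benign in the next post. The sample input is a constructed excerpt of the posted report. The trailing non-ASCII characters on a few driver names in the full report (Npfs, Msfs, Cdfs) appear to be a display artifact of the tool; the driver-name capture group would keep them as-is.

```python
"""Parser for RootRepeal SSDT / Stealth Objects output (added example; not the tool's code)."""
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal report posted in the thread (tabs as in the original).
SAMPLE_REPORT = """SSDT
-------------------
#: 025\tFunction Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf75bc028

#: 071\tFunction Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xf75b05dc

#: 116\tFunction Name: NtOpenFile
Status: Hooked by "a347bus.sys" at address 0xf75afb40

Stealth Objects
-------------------
Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System\tAddress: 0x89402bc0\tSize: -

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System\tAddress: 0x89402bc0\tSize: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System\tAddress: 0x893fc4f0\tSize: -
"""

# Assumption: modules the responder has already attributed. a347bus.sys and
# a347scsi belong to the Alcohol 120% virtual CD/DVD drive, which hooks these
# services for its own emulation; anything else hooking the SSDT gets looked at.
KNOWN_BENIGN = {"a347bus.sys", "a347scsi"}

# Native calls a kernel rootkit must hook to hide registry keys/values and files.
HIDING_PRIMITIVES = {
    "NtOpenKey", "NtCreateKey", "NtQueryKey", "NtEnumerateKey",
    "NtQueryValueKey", "NtEnumerateValueKey", "NtOpenFile", "NtQueryDirectoryFile",
}

SSDT_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+'
    r'Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
IRP_RE = re.compile(
    r'Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]\s+'
    r'Process: (\S+)\s+Address: (0x[0-9a-fA-F]+)')


def parse_ssdt_hooks(report):
    """Map hooking module -> [(ssdt index, function, hook address)]."""
    hooks = defaultdict(list)
    for index, func, module, addr in SSDT_RE.findall(report):
        hooks[module].append((int(index), func, addr))
    return dict(hooks)


def parse_irp_hooks(report):
    """Map driver -> {IRP major code: dispatch address} from the Stealth Objects section."""
    hooks = defaultdict(dict)
    for driver, irp, _process, addr in IRP_RE.findall(report):
        hooks[driver][irp] = addr
    return dict(hooks)


def assess(report, benign=KNOWN_BENIGN):
    """Per hooking module: verdict, hooked functions, and whether it could hide keys/files."""
    out = {}
    for module, entries in parse_ssdt_hooks(report).items():
        funcs = {func for _, func, _ in entries}
        out[module] = {
            "verdict": "benign" if module in benign else "investigate",
            "hooked": sorted(funcs),
            "can_hide_keys_or_files": bool(funcs & HIDING_PRIMITIVES),
        }
    return out


def single_dispatch_drivers(report):
    """Drivers whose every reported IRP_MJ entry resolves to one address (one dispatch routine)."""
    return sorted(d for d, table in parse_irp_hooks(report).items()
                  if len(set(table.values())) == 1)


if __name__ == "__main__":
    for module, info in assess(SAMPLE_REPORT).items():
        print(module, info)
    print("single-dispatch drivers:", single_dispatch_drivers(SAMPLE_REPORT))
```

The reason the hooked set matters: NtEnumerateKey, NtQueryValueKey, NtOpenKey and NtOpenFile are exactly the primitives a rootkit patches to make a key or file invisible to user-mode tools, so an unattributed module on them is the first thing to chase. Here a CD emulator uses them for its own purposes, which is why an allowlist of attributed modules is the deciding input, not the hook count. Every a347scsi IRP_MJ entry resolving to the same address is a single dispatch routine serving all IRP types, which is normal for drivers of that kind and not by itself a sign of tampering.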

#10 loophole (Malware Expert, Retired Staff, 9,798 posts)
That looks fine. Computer behaving any better?

#11 JiNxX9500 (Member, Topic Starter, 20 posts)
the rogue rundll32 process seems to have gone away. thanks for your help with that!

I still can't get Windows Setup to do a repair installation for me though, still getting the 7B stop error. I assumed this was an issue related to Vundo since I'd never before had a problem re-installing Windows on here, but maybe it's something else... should I take this problem to the Windows XP forum?

#12 loophole (Malware Expert, Retired Staff, 9,798 posts)
We may, but first I'd like you to run the following. Also, was the reason for the system repair that System Restore was not working? And what were the parameters along with the stop code, i.e. 0x0000007B (xxxxxxxx) (xxxxxxxx)?

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, choose Customize, click on the tab that says Heuristic Analyzer, choose Enable deep rootkit search, then click OK.
Then click OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report; they will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#13 JiNxX9500 (Member, Topic Starter, 20 posts)
I was planning to do the repair installation just because it's been a while since the last one and my computer hasn't been running as well as it should.

the stop error was listed as 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000).

I ran the Kaspersky tool as you asked. most of what it detected was inside Norton AV's Quarantine folder... I wasn't sure if I should neutralize those so I left them alone. I did neutralize all the items it found outside of that folder. I also noticed that it found no issues with the boot sectors it scanned. the section of the log you requested is below.

---

Kaspersky log, "Detected" section only:

Detected
--------
Status	Object
------	------
deleted: adware not-a-virus:AdWare.Win32.TimeSink	File: C:\Program Files\GlobalSCAPE\CuteFTP\TSUninstaller.exe
detected: Trojan program Exploit.Java.ByteVerify	File: C:\Program Files\Norton AntiVirus\Quarantine\08FE1CCD.tmp//Crypt.Quarantine
detected: Trojan program Trojan-Downloader.Win32.Agent.gat	File: C:\Program Files\Norton AntiVirus\Quarantine\0F1D1581.cmt//Crypt.Quarantine//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Small.hvx	File: C:\Program Files\Norton AntiVirus\Quarantine\0F203F7D//Crypt.Quarantine
detected: Trojan program Trojan-Downloader.Win32.Agent.gat	File: C:\Program Files\Norton AntiVirus\Quarantine\0F203F7D.tmp//Crypt.Quarantine//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Exploit.Java.ByteVerify	File: C:\Program Files\Norton AntiVirus\Quarantine\0F24697A.tmp//Crypt.Quarantine
detected: Trojan program Packed.JS.Agent.n	File: C:\Program Files\Norton AntiVirus\Quarantine\22C025C5//Crypt.Quarantine
detected: Trojan program Trojan.Win32.Monderb.adqt	File: C:\Program Files\Norton AntiVirus\Quarantine\3EAF01F8.vir//Crypt.Quarantine
detected: Trojan program Trojan.Win32.Monderb.adqt	File: C:\Program Files\Norton AntiVirus\Quarantine\3EB22BF5.vir//Crypt.Quarantine

Edited by JiNxX9500, 20 January 2009 - 12:10 PM.


#14 loophole (Malware Expert, Retired Staff, 9,798 posts)
Yes, those are fine.

I could probably help with this but the tech side of things would be faster. Start a topic in the XP forum, let them know you are free of malware and give them the full stop error.

Good luck to you

#15 JiNxX9500 (Member, Topic Starter, 20 posts)
thank you! :)

Edited by JiNxX9500, 21 January 2009 - 11:54 AM.






