
Adware and Trojan Vundo [RESOLVED]



#1 lauraa7 (Member, 30 posts)
I have read all the directions you have posted to try to get rid of the malware and Trojan Vundo viruses. These are the things I have tried already:

System Restore, VundoFix, SUPERAntiSpyware, Avast, ATF Cleaner.

I went ahead and ran the ATF and then ran the SUPERAntiSpyware in safe mode on my computer. It found 31 threats and had them removed. Now when I start up my computer I get some messages saying that some dll file was not found; however, it still starts up. After about two minutes, it freezes. I really can't get into anything because it freezes right away. I tried running HijackThis but my computer kept freezing up on me. Is there anything else I can do? I really thought I had gotten rid of those trojans with SUPERAntiSpyware but I guess not. HELP!!


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
See if you can run the below programs:

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.


If they are giving you problems (freezing), try downloading Malwarebytes first and then run it in Safe Mode instead. Restart the computer to get back to Normal Mode and then try running Combofix. Try not to run Combofix in Safe Mode if possible....

#3 lauraa7 (Topic Starter, Member, 30 posts)
Can I download this program onto a pen drive and run it on my computer from there?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, you may do that. Make sure the pen drive doesn't get infected in the process. There's been a lot of that going on lately...Copy from the pen drive to the computer and then run it from the desktop...

#5 lauraa7 (Topic Starter, Member, 30 posts)
Thank you so much!!! I think I finally fixed the problem with those two programs you asked me to run. Here are the logs:

Malware:
Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|)
Objects scanned: 54703
Time elapsed: 1 hour(s), 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0cac6a25 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM0f9f59b9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\config\csrss.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Config\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Combofix:
ComboFix 08-04-24.1 - Laura 2008-04-26 11:16:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.49 [GMT -5:00]
Running from: C:\Documents and Settings\Laura\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\DLlUDJjl.ini
C:\WINDOWS\system32\DLlUDJjl.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\efhttqdc.ini
C:\WINDOWS\system32\nauchrbt.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\ygydreyk.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 09:44 . 2008-04-26 09:44 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Malwarebytes
2008-04-26 09:43 . 2008-04-26 09:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:43 . 2008-04-26 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:55 . 2008-04-22 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-22 17:54 . 2008-04-23 21:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 17:54 . 2008-04-22 17:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\SUPERAntiSpyware.com
2008-04-22 17:52 . 2008-04-22 17:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 16:57 . 2008-04-22 17:45 1,542,969 ---hs---- C:\WINDOWS\system32\pxmuvqcy.ini
2008-04-21 20:33 . 2008-04-21 20:33 <DIR> d-------- C:\VundoFix Backups
2008-04-21 20:28 . 2008-04-21 20:28 <DIR> d-------- C:\Program Files\ALWIL Software
2008-04-21 18:58 . 2008-04-21 18:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-21 18:58 . 2008-04-26 11:16 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-04-21 17:19 . 2008-04-21 19:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-21 17:17 . 2008-04-21 19:53 <DIR> d-------- C:\Documents and Settings\Laura\.housecall6.6
2008-04-21 16:49 . 2008-04-22 16:57 1,542,849 ---hs---- C:\WINDOWS\system32\mitovgjm.ini
2008-04-20 18:14 . 2008-04-20 18:14 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-20 12:14 . 2008-04-20 12:19 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-20 11:48 . 2008-04-20 11:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-20 11:19 . 2008-04-20 11:21 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\AVG7
2008-04-19 22:26 . 2008-04-19 22:26 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-19 22:12 . 2008-04-21 16:47 1,541,785 ---hs---- C:\WINDOWS\system32\dpypaqci.ini
2008-04-13 19:58 . 2008-04-13 19:55 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-04-13 19:58 . 2008-04-13 19:55 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-13 19:58 . 2008-04-13 19:55 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-13 19:57 . 2008-04-13 19:57 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-04-13 18:44 . 2008-04-26 11:16 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-09 17:39 . 2008-04-22 17:27 109,125 --a------ C:\WINDOWS\BM0f9f59b9.xml
2008-04-08 22:02 . 2008-04-08 22:02 <DIR> d-------- C:\Program Files\real
2008-04-08 22:02 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\eread7.0
2008-04-08 20:15 . 2008-04-08 20:15 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-06 20:36 . 2008-04-07 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
2008-03-29 09:25 . 2008-03-29 09:25 13 --a------ C:\Winvdrvr.dll
2008-03-29 09:25 . 2008-03-29 09:25 13 --a------ C:\Portprcr.dvr
2008-03-29 09:25 . 2008-03-29 09:43 0 --a------ C:\hfcrgrt.ini
2008-03-29 09:24 . 2008-04-07 21:14 <DIR> d-------- C:\Program Files\Hormonal Forecaster
2008-03-29 09:23 . 2008-03-29 09:24 286,720 --------- C:\WINDOWS\Setup1.exe
2008-03-29 09:23 . 2008-03-29 09:24 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 15:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:15 --------- d-----w C:\Documents and Settings\Laura\Application Data\uTorrent
2008-04-20 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-20 03:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-14 00:58 --------- d-----w C:\Program Files\Symantec
2008-04-14 00:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 00:48 --------- d-----w C:\Program Files\VSO
2008-04-14 00:48 --------- d-----w C:\Documents and Settings\Laura\Application Data\Vso
2008-04-09 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-09 22:45 --------- d-----w C:\Program Files\MSN Games
2008-04-04 14:47 --------- d-----w C:\Documents and Settings\Laura\Application Data\LimeWire
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 23:43 --------- d-----w C:\Program Files\Rar
2008-03-16 22:38 1,206,367 ----a-w C:\WINDOWS\system32\wrar371.exe
2008-03-16 22:29 41,153 ----a-w C:\WINDOWS\system32\keygen.exe
2008-03-14 16:45 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-17 23:29 87,608 -c--a-w C:\Documents and Settings\Laura\Application Data\inst.exe
2008-01-17 23:29 47,360 -c--a-w C:\Documents and Settings\Laura\Application Data\pcouffin.sys
2007-08-06 22:40 21,848 -c--a-w C:\Documents and Settings\Laura\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eread7.0\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2008-03-10 12:08 81920 --a------ C:\Program Files\eread7.0\WebHook.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F212C0B8-831F-44BA-A55E-4248E220F2A7}]
C:\WINDOWS\system32\ljJDUlLD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 14:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 04:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"Cmaudio"="cmicnfg.cpl" []
"NWEReboot"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 07:48 885760]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\eread7.0\\eREAD_Cookcase.exe"=

S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 11:23:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-04-26 11:27:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 16:27:25

Pre-Run: 140,764,184,576 bytes free
Post-Run: 140,700,864,512 bytes free

165 --- E O F --- 2008-04-09 01:16:52

You are AWESOME!!!!
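
The MBAM log above has a fixed layout: a block of summary counts, then one section per category with one detection per line. This added Python example (not code from the thread or from Malwarebytes) parses that layout, checks that each section's line count matches its summary count (a quick way to spot a truncated paste), tallies detection families, and flags a core system binary name appearing outside system32, as the csrss.exe in this log does. The SYSTEM32_ONLY list and that masquerade heuristic are the example's own assumptions.

```python
import re
from collections import Counter

# Sample input: the Malwarebytes' Anti-Malware log quoted above, embedded here
# (with the empty sections trimmed) so the parser runs offline.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.11
Database version: 599

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0cac6a25 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM0f9f59b9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\config\csrss.exe -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Config\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^)]+)\)"   # object and detection name
    r"(?: -> Data: (?P<data>.+?))?"           # present only for registry data items
    r" -> (?P<action>.+)$")                   # what MBAM did with it

# Core XP processes that live only in %SystemRoot%\system32; a same-named file
# anywhere else is treated as a masquerade (assumption: this short list).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
                 "services.exe", "svchost.exe"}

def parse_mbam_log(text):
    """Return (summary counts by category, list of detections with their section)."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return summary, items

def count_mismatches(summary, items):
    """Sections whose header count disagrees with the lines actually listed."""
    seen = Counter(i["section"] for i in items)
    return {s: (n, seen[s]) for s, n in summary.items() if n != seen[s]}

def masquerading_binaries(items):
    """File paths (from file hits or registry data) that reuse a core system
    binary's name outside system32, e.g. c:\windows\config\csrss.exe here."""
    hits = []
    for i in items:
        for p in (i["path"], i["data"]):
            if not p or not p.lower().startswith("c:\\"):
                continue
            folder, _, name = p.lower().rpartition("\\")
            if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                hits.append(p)
    return hits

def triage(text):
    summary, items = parse_mbam_log(text)
    return {
        "mismatches": count_mismatches(summary, items),
        "families": Counter(i["family"] for i in items),
        "masquerading": masquerading_binaries(items),
    }
```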

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you have Avast and AVG Antivirus installed? If so, uninstall one of them now....

Download NoLop.exe to your desktop from one of the following mirrors:
http://www.thespykil...=tpmod;dl=get16
http://www.greyknigh...m/spy/NoLop.exe

Close any other programs you have running as this will require a reboot.
Double-click NoLop.exe to run it.
Now click the button labeled Search and Destroy.
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the Reboot button. A message should pop up from NoLop. If not, double-click the program again and it will finish.
Post the contents of C:\NoLop.log here.

If you receive an error that mscomctl.ocx or one of its dependencies is not correctly registered, then download the mscomctl.ocx file from http://www.boletrice...ds/mscomctl.ocx to your system32 folder and then rerun NoLop.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text from the quotebox below:

File::
C:\WINDOWS\system32\pxmuvqcy.ini
C:\WINDOWS\system32\mitovgjm.ini
C:\WINDOWS\VPC32.INI
C:\WINDOWS\system32\dpypaqci.ini
C:\WINDOWS\BM0f9f59b9.xml
C:\Winvdrvr.dll
C:\Portprcr.dvr
C:\hfcrgrt.ini
C:\WINDOWS\system32\ljJDUlLD.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
C:\Documents and Settings\Laura\Application Data\.wyzo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F212C0B8-831F-44BA-A55E-4248E220F2A7}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far? Everything still good? :)

Edited by greyknight17, 01 May 2008 - 07:01 PM.

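
The CFScript above has three sections (File::, Folder::, Registry::); the Registry:: line uses .reg syntax, where a leading '-' inside the brackets deletes the key. This added Python example (not part of the thread or of ComboFix) parses such a script and cross-references every File::/Folder:: target against the "Files Created" lines from the earlier ComboFix log, so a helper can see which targets were listed with hidden+system attributes and which, like ljJDUlLD.dll, never appeared in the listing at all. The hidden+system heuristic is the example's own assumption.

```python
import re

# Sample input: the CFScript posted above and the matching "Files Created" lines
# from the ComboFix log earlier in the thread, embedded so the script runs offline.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\pxmuvqcy.ini
C:\WINDOWS\system32\mitovgjm.ini
C:\WINDOWS\VPC32.INI
C:\WINDOWS\system32\dpypaqci.ini
C:\WINDOWS\BM0f9f59b9.xml
C:\Winvdrvr.dll
C:\Portprcr.dvr
C:\hfcrgrt.ini
C:\WINDOWS\system32\ljJDUlLD.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
C:\Documents and Settings\Laura\Application Data\.wyzo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F212C0B8-831F-44BA-A55E-4248E220F2A7}]
"""

COMBOFIX_CREATED = r"""
2008-04-22 16:57 . 2008-04-22 17:45 1,542,969 ---hs---- C:\WINDOWS\system32\pxmuvqcy.ini
2008-04-21 20:33 . 2008-04-21 20:33 <DIR> d-------- C:\VundoFix Backups
2008-04-21 16:49 . 2008-04-22 16:57 1,542,849 ---hs---- C:\WINDOWS\system32\mitovgjm.ini
2008-04-20 18:14 . 2008-04-20 18:14 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-19 22:12 . 2008-04-21 16:47 1,541,785 ---hs---- C:\WINDOWS\system32\dpypaqci.ini
2008-04-09 17:39 . 2008-04-22 17:27 109,125 --a------ C:\WINDOWS\BM0f9f59b9.xml
2008-04-06 20:36 . 2008-04-07 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
2008-03-29 09:25 . 2008-03-29 09:25 13 --a------ C:\Winvdrvr.dll
2008-03-29 09:25 . 2008-03-29 09:25 13 --a------ C:\Portprcr.dvr
2008-03-29 09:25 . 2008-03-29 09:43 0 --a------ C:\hfcrgrt.ini
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
CREATED_RE = re.compile(
    r"^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")

def parse_cfscript(text):
    """Split a CFScript into its File::/Folder::/Registry:: sections.
    Registry lines follow .reg syntax: '[-KEY]' means delete that key."""
    sections, current = {}, None
    for line in text.strip().splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            current = m[1]
            sections.setdefault(current, [])
        elif current == "Registry" and line.startswith("[-") and line.endswith("]"):
            sections[current].append({"delete_key": line[2:-1]})
        elif current and line:
            sections[current].append(line)
    return sections

def parse_created_listing(text):
    """Index a ComboFix 'Files Created' listing by lower-cased path."""
    index = {}
    for line in text.strip().splitlines():
        if m := CREATED_RE.match(line):
            rec = m.groupdict()
            rec["size"] = None if rec["size"] == "<DIR>" else int(rec["size"].replace(",", ""))
            index[rec["path"].lower()] = rec
    return index

def annotate(cfscript, listing):
    """For every File::/Folder:: target, report what the ComboFix listing knew about it."""
    report = []
    for kind in ("File", "Folder"):
        for path in cfscript.get(kind, []):
            rec = listing.get(path.lower())
            entry = {"kind": kind, "path": path, "listed": rec is not None}
            if rec:
                entry["size"] = rec["size"]
                # Hidden+system attributes on a freshly created .ini are a red flag (heuristic, assumption).
                entry["hidden_system"] = "h" in rec["attrs"] and "s" in rec["attrs"]
            report.append(entry)
    return report
```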

#7 lauraa7 (Topic Starter, Member, 30 posts)
Before I read this, I went ahead and uninstalled Avast and AVG. I then installed Spybot. My antivirus is Symantec. Do I still run the above programs? As of yet, so far so good. :)

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, definitely. You still have those malware files in your system there. They are probably just remaining dormant....

Run CFScript.txt and post back the new log when ready.

#9 lauraa7 (Topic Starter, Member, 30 posts)
So far, so good. I went ahead and ran the programs you listed. I also copied the script into the Combofix folder and ran that too. Here are my logs:

NoLop:
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Laura\Desktop
[4/30/2008]
[8:41:23 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\1click Dvd Copy
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Flood Light Games
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Jollybear
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Vsosdk
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Laura\Application Data\.wyzo -- EMPTY Directory
C:\Documents and Settings\Laura\Application Data\Adobe
C:\Documents and Settings\Laura\Application Data\Ahead
C:\Documents and Settings\Laura\Application Data\Avg7
C:\Documents and Settings\Laura\Application Data\Cyberlink
C:\Documents and Settings\Laura\Application Data\Flood Light Games
C:\Documents and Settings\Laura\Application Data\Floodlightgames
C:\Documents and Settings\Laura\Application Data\Google
C:\Documents and Settings\Laura\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Laura\Application Data\Hp
C:\Documents and Settings\Laura\Application Data\Identities
C:\Documents and Settings\Laura\Application Data\Iwin
C:\Documents and Settings\Laura\Application Data\Limewire
C:\Documents and Settings\Laura\Application Data\Macromedia
C:\Documents and Settings\Laura\Application Data\Malwarebytes
C:\Documents and Settings\Laura\Application Data\Microsoft
C:\Documents and Settings\Laura\Application Data\Myspace
C:\Documents and Settings\Laura\Application Data\Sun
C:\Documents and Settings\Laura\Application Data\Superantispyware.com
C:\Documents and Settings\Laura\Application Data\U3
C:\Documents and Settings\Laura\Application Data\Utorrent
C:\Documents and Settings\Laura\Application Data\Vso
C:\Documents and Settings\Laura\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

Combofix:
ComboFix 08-04-24.1 - Laura 2008-04-30 20:59:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT -5:00]
Running from: C:\Documents and Settings\Laura\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 20:41 . 2008-04-30 20:41 106 --a------ C:\delete.bat
2008-04-27 17:29 . 2008-04-27 17:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 17:29 . 2008-04-27 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 13:34 . 2008-04-26 13:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-26 09:44 . 2008-04-26 09:44 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Malwarebytes
2008-04-26 09:43 . 2008-04-26 09:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:43 . 2008-04-26 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:55 . 2008-04-22 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-22 17:54 . 2008-04-27 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 17:54 . 2008-04-22 17:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\SUPERAntiSpyware.com
2008-04-22 17:52 . 2008-04-22 17:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 16:57 . 2008-04-22 17:45 1,542,969 ---hs---- C:\WINDOWS\system32\pxmuvqcy.ini
2008-04-21 20:33 . 2008-04-21 20:33 <DIR> d-------- C:\VundoFix Backups
2008-04-21 20:28 . 2008-04-21 20:28 <DIR> d-------- C:\Program Files\ALWIL Software
2008-04-21 18:58 . 2008-04-21 18:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-21 18:58 . 2008-04-27 17:30 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-04-21 17:19 . 2008-04-21 19:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-21 17:17 . 2008-04-21 19:53 <DIR> d-------- C:\Documents and Settings\Laura\.housecall6.6
2008-04-21 16:49 . 2008-04-22 16:57 1,542,849 ---hs---- C:\WINDOWS\system32\mitovgjm.ini
2008-04-20 18:14 . 2008-04-20 18:14 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-20 12:14 . 2008-04-20 12:19 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-20 11:48 . 2008-04-20 11:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-20 11:19 . 2008-04-20 11:21 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\AVG7
2008-04-19 22:26 . 2008-04-19 22:26 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-19 22:12 . 2008-04-21 16:47 1,541,785 ---hs---- C:\WINDOWS\system32\dpypaqci.ini
2008-04-13 19:58 . 2008-04-13 19:55 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-04-13 19:58 . 2008-04-13 19:55 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-13 19:58 . 2008-04-13 19:55 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-13 19:57 . 2008-04-13 19:57 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-04-13 18:44 . 2008-04-26 11:16 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-09 17:39 . 2008-04-22 17:27 109,125 --a------ C:\WINDOWS\BM0f9f59b9.xml
2008-04-08 22:02 . 2008-04-08 22:02 <DIR> d-------- C:\Program Files\real
2008-04-08 22:02 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\eread7.0
2008-04-08 20:15 . 2008-04-08 20:15 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-06 20:36 . 2008-04-07 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 00:27 --------- d-----w C:\Documents and Settings\Laura\Application Data\uTorrent
2008-04-27 21:06 --------- d-----w C:\Documents and Settings\Laura\Application Data\Vso
2008-04-26 15:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-20 03:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-14 00:58 --------- d-----w C:\Program Files\Symantec
2008-04-14 00:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 00:48 --------- d-----w C:\Program Files\VSO
2008-04-09 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-09 22:45 --------- d-----w C:\Program Files\MSN Games
2008-04-08 02:14 --------- d-----w C:\Program Files\Hormonal Forecaster
2008-04-04 14:47 --------- d-----w C:\Documents and Settings\Laura\Application Data\LimeWire
2008-03-29 14:25 13 ----a-w C:\Winvdrvr.dll
2008-03-29 14:24 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-29 14:24 286,720 ------w C:\WINDOWS\Setup1.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 23:43 --------- d-----w C:\Program Files\Rar
2008-03-16 22:38 1,206,367 ----a-w C:\WINDOWS\system32\wrar371.exe
2008-03-16 22:29 41,153 ----a-w C:\WINDOWS\system32\keygen.exe
2008-03-14 16:45 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-17 23:29 87,608 -c--a-w C:\Documents and Settings\Laura\Application Data\inst.exe
2008-01-17 23:29 47,360 -c--a-w C:\Documents and Settings\Laura\Application Data\pcouffin.sys
2007-08-06 22:40 21,848 -c--a-w C:\Documents and Settings\Laura\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_11.26.50.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 16:21:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 01:24:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-10-11 21:58:53 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-05-01 01:41:08 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-10-11 21:58:53 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-05-01 01:41:08 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2007-10-11 21:58:54 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-05-01 01:41:08 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2007-10-11 21:58:53 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-05-01 01:41:08 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-10-11 21:58:54 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-05-01 01:41:08 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-10-11 21:58:54 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-05-01 01:41:09 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-10-11 21:58:54 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-05-01 01:41:09 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-10-11 21:58:53 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-05-01 01:41:08 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2007-10-11 21:58:53 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-05-01 01:41:08 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-10-11 21:58:54 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-05-01 01:41:09 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-10-11 21:58:52 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-05-01 01:41:08 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-10-11 21:58:52 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-05-01 01:41:08 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-04-26 18:36:30 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2007-04-24 16:32:06 1,485,696 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-09-25 22:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 19:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eread7.0\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2008-03-10 12:08 81920 --a------ C:\Program Files\eread7.0\WebHook.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F212C0B8-831F-44BA-A55E-4248E220F2A7}]
C:\WINDOWS\system32\ljJDUlLD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 14:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 04:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"Cmaudio"="cmicnfg.cpl" []
"NWEReboot"="" []
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 07:48 885760]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\eread7.0\\eREAD_Cookcase.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 21:01:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-30 21:03:35
ComboFix-quarantined-files.txt 2008-05-01 02:03:24
ComboFix2.txt 2008-04-26 16:27:40

Pre-Run: 136,962,568,192 bytes free
Post-Run: 137,057,775,616 bytes free

175 --- E O F --- 2008-04-09 01:16:52

Once again, thank you so much for all your expert help!!!
  • 0

#10
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Don't copy anything to the ComboFix folder. I edited my last reply. Please copy and paste those lines in the quotebox into Notepad. Save the file as CFScript.txt on your desktop. Then close Notepad. Now, drag the CFScript.txt file and hover it over the ComboFix tool (red circle with an X icon). Let go of the left mouse button to drop that file into ComboFix. It should run the script. Let it run and post the new log here when ready.
  • 0

#11
lauraa7 (Member, Topic Starter, 30 posts)
Sorry it took so long. Here is my ComboFix log with the CFScript.txt.

Log:
ComboFix 08-05-01.3 - Laura 2008-05-07 20:49:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.50 [GMT -5:00]
Running from: C:\Documents and Settings\Laura\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Laura\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\hfcrgrt.ini
C:\Portprcr.dvr
C:\WINDOWS\BM0f9f59b9.xml
C:\WINDOWS\system32\dpypaqci.ini
C:\WINDOWS\system32\ljJDUlLD.dll
C:\WINDOWS\system32\mitovgjm.ini
C:\WINDOWS\system32\pxmuvqcy.ini
C:\WINDOWS\VPC32.INI
C:\Winvdrvr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
C:\Documents and Settings\Laura\Application Data\.wyzo
C:\Documents and Settings\Laura\Application Data\inst.exe
C:\hfcrgrt.ini
C:\Portprcr.dvr
C:\WINDOWS\BM0f9f59b9.xml
C:\WINDOWS\system32\dpypaqci.ini
C:\WINDOWS\system32\mitovgjm.ini
C:\WINDOWS\system32\pxmuvqcy.ini
C:\WINDOWS\VPC32.INI
C:\Winvdrvr.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-04-30 21:30 . 2008-04-30 21:30 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-04-30 21:30 . 2008-04-30 21:27 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-04-30 21:30 . 2008-04-30 21:27 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-30 21:30 . 2008-04-30 21:27 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 17:29 . 2008-04-30 21:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 17:29 . 2008-04-30 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 13:34 . 2008-04-26 13:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-26 09:44 . 2008-04-26 09:44 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Malwarebytes
2008-04-26 09:43 . 2008-04-26 09:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:43 . 2008-04-26 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:55 . 2008-04-22 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-22 17:54 . 2008-04-27 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 17:54 . 2008-04-22 17:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\SUPERAntiSpyware.com
2008-04-22 17:52 . 2008-04-22 17:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 20:33 . 2008-04-21 20:33 <DIR> d-------- C:\VundoFix Backups
2008-04-21 20:28 . 2008-04-21 20:28 <DIR> d-------- C:\Program Files\ALWIL Software
2008-04-21 18:58 . 2008-04-30 21:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-21 18:58 . 2008-05-07 20:49 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-04-21 17:19 . 2008-04-21 19:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-21 17:17 . 2008-04-21 19:53 <DIR> d-------- C:\Documents and Settings\Laura\.housecall6.6
2008-04-20 12:14 . 2008-04-20 12:19 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-20 11:48 . 2008-04-20 11:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-20 11:19 . 2008-04-20 11:21 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\AVG7
2008-04-19 22:26 . 2008-04-19 22:26 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-13 18:44 . 2008-05-07 20:49 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-08 22:02 . 2008-04-08 22:02 <DIR> d-------- C:\Program Files\real
2008-04-08 22:02 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\eread7.0
2008-04-08 20:15 . 2008-04-08 20:15 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 14:11 --------- d-----w C:\Documents and Settings\Laura\Application Data\Vso
2008-05-02 03:09 --------- d-----w C:\Documents and Settings\Laura\Application Data\uTorrent
2008-05-01 02:30 --------- d-----w C:\Program Files\Symantec
2008-05-01 02:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 15:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-20 03:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-14 00:48 --------- d-----w C:\Program Files\VSO
2008-04-09 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-09 22:45 --------- d-----w C:\Program Files\MSN Games
2008-04-08 02:14 --------- d-----w C:\Program Files\Hormonal Forecaster
2008-04-04 14:47 --------- d-----w C:\Documents and Settings\Laura\Application Data\LimeWire
2008-03-29 14:24 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-29 14:24 286,720 ------w C:\WINDOWS\Setup1.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 23:43 --------- d-----w C:\Program Files\Rar
2008-03-16 22:38 1,206,367 ----a-w C:\WINDOWS\system32\wrar371.exe
2008-03-16 22:29 41,153 ----a-w C:\WINDOWS\system32\keygen.exe
2008-03-14 16:45 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-17 23:29 47,360 -c--a-w C:\Documents and Settings\Laura\Application Data\pcouffin.sys
2007-08-06 22:40 21,848 -c--a-w C:\Documents and Settings\Laura\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_11.26.50.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 16:21:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 01:30:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 18:36:30 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2007-04-24 16:32:06 1,485,696 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2008-04-08 02:04:07 52,880 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-05-01 02:08:38 1,876,768 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2006-09-25 22:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 19:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eread7.0\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2008-03-10 12:08 81920 --a------ C:\Program Files\eread7.0\WebHook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 14:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 04:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"Cmaudio"="cmicnfg.cpl" []
"NWEReboot"="" []
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 07:48 885760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\eread7.0\\eREAD_Cookcase.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 20:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-05-07 20:54:21
ComboFix-quarantined-files.txt 2008-05-08 01:54:15
ComboFix2.txt 2008-05-02 04:16:50
ComboFix3.txt 2008-05-01 02:03:39
ComboFix4.txt 2008-04-26 16:27:40

Pre-Run: 134,767,300,608 bytes free
Post-Run: 134,756,765,696 bytes free

168 --- E O F --- 2008-04-09 01:16:52
  • 0
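As an added example (not from the thread, and not part of ComboFix), the Python script below reads the "Reg Loading Points" sections of the two logs above, reports which autostart entries disappeared between the runs, and flags what a log reviewer checks first: entries for which ComboFix recorded no file date/size (the BHO pointing at ljJDUlLD.dll in the earlier log, and Run values with empty brackets) and the Security Center AntiVirusOverride value. The regular expressions and the helper names are this example's own assumptions about the log layout.

```python
import re
# Excerpts modelled on the two logs posted in this thread (trimmed); the regexes and helper names are this example's own.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eread7.0\IEeREAD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F212C0B8-831F-44BA-A55E-4248E220F2A7}]
C:\WINDOWS\system32\ljJDUlLD.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""
AFTER = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eread7.0\IEeREAD.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')                       # "name"=...
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$')  # date time size attrs path
def parse_loading_points(text):
    """Return (key, name, path, has_file_info) tuples, one per entry line."""
    entries, key = [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                                   # new registry section
        elif (m := VALUE_RE.match(line)):
            name, rest = m.group('name'), m.group('rest')
            if rest.startswith('dword:') or rest == '':        # plain value / list member
                entries.append((key, name, rest, True))
            else:                                              # "path" [date time size ...]
                path, _, meta = rest.partition(' [')
                entries.append((key, name, path.strip('"'), bool(meta.rstrip(']').strip())))
        elif (m := FILE_RE.match(line)):
            entries.append((key, '', m.group('path'), True))
        else:                                                  # bare path: no file details were recorded
            entries.append((key, '', line, False))
    return entries

def suspicious(entries):
    """Entries a log reviewer looks at first: AV monitoring overridden, or no file details recorded."""
    return ([('av_override', k, n) for k, n, p, _ in entries
             if n == 'AntiVirusOverride' and int(p[6:], 16) != 0] +
            [('no_file_info', k, n or p) for k, n, p, ok in entries if not ok])

def removed_between(before, after):                            # entries in the first log but gone from the second
    kept = {e[:3] for e in after}
    return [e[:3] for e in before if e[:3] not in kept]
```

Running `removed_between(parse_loading_points(BEFORE), parse_loading_points(AFTER))` lists the ljJDUlLD.dll BHO and the TeaTimer Run value as gone, matching what the CFScript run removed.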

#12
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I see that you are using pirated software... this is one of the major contributors to infections for those doing this.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#13
lauraa7 (Member, Topic Starter, 30 posts)
Thank you so much for all your help! I extremely appreciate it. Do I have to remove the combofix?
  • 0

#14
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Follow the instructions I gave you above to remove the Combofix files leftover. If the tool still remains after running the command, you may delete it manually.
  • 0

#15
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0