Packed.Win32.Monder.gen [RESOLVED]



#1 tcastle (Member, 10 posts)
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:53 PM, on 4/29/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
D:\WINDOW\System32\smss.exe
D:\WINDOW\system32\winlogon.exe
D:\WINDOW\system32\services.exe
D:\WINDOW\system32\lsass.exe
D:\WINDOW\system32\svchost.exe
D:\WINDOW\System32\svchost.exe
D:\Program Files\Lavasoft\aawservice.exe
D:\WINDOW\Explorer.EXE
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOW\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOW\System32\taskmgr.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeropaid.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {95ad647a-11c7-dc7a-5634-8a1cc33042c8} - {8c24033c-c1a8-4365-a7cd-7c11a746da59} - D:\WINDOW\System32\wvjvqicp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOW\System32\msdxm.ocx
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] D:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "D:\WINDOW\System32\dwbginmb.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] D:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201735493873
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccaXNHw - D:\WINDOW\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4289 bytes


If you all need this, here is the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Full Scan (D:\|)
Objects scanned: 153172
Time elapsed: 11 hour(s), 30 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM23c3d46e (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
D:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
D:\Documents and Settings\Terry\Local Settings\Temp\djevrsgd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Local Settings\Temp\hwafhyfh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Local Settings\Temp\lxqubyua.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Local Settings\Temp\wkdxgssi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\LZF979F8\CAK5AV4P (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP77\A0002687.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP77\A0002692.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP77\A0002693.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP77\A0002714.exe (Adware.Purityscan) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP78\A0003742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP78\A0003743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP81\A0003839.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
D:\WINDOW\system32\jsllcbqr.VIR (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
D:\WINDOW\system32\xtwcyduh.dll (Trojan.Agent) -> Delete on reboot.
D:\Documents and Settings\Terry\Desktop\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
D:\Documents and Settings\Terry\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.



And a Kaspersky Online Scanner log:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 9:17:13 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731399
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 95046
Number of viruses found 6
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 07:51:06

Infected Object Name Virus Name Last Action
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Terry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-29-2008( 13-0-21 ).LOG Object is locked skipped
D:\Documents and Settings\Terry\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Terry\Desktop\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
D:\Documents and Settings\Terry\Desktop\Download_spyzookasetup1.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
D:\Documents and Settings\Terry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Terry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Terry\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Terry\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat Object is locked skipped
D:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Terry\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Terry\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\Terry Castleman\Application Data\Kontiki\GameSpot\thumbnails\Thumbs.db Object is locked skipped
D:\Program Files\Old Hard Drive\Previous Installation\mirc\backup\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.571 skipped
D:\Program Files\Old Hard Drive\Previous Installation\mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Program Files\Old Hard Drive\Previous Installation\mirc\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Program Files\Old Hard Drive\Previous Installation\mirc\mirc616.exe mIRC: infected - 1 skipped
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP77\A0002717.dll Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP78\A0002733.dll Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP78\A0003733.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP78\A0003745.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrh skipped
D:\System Volume Information\_restore{9BCA5F72-8F82-4DC1-B032-FF39491B9174}\RP82\change.log Object is locked skipped
D:\WINDOW\Debug\oakley.log Object is locked skipped
D:\WINDOW\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOW\SchedLgU.Txt Object is locked skipped
D:\WINDOW\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOW\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOW\system32\config\default Object is locked skipped
D:\WINDOW\system32\config\default.LOG Object is locked skipped
D:\WINDOW\system32\config\SAM Object is locked skipped
D:\WINDOW\system32\config\SAM.LOG Object is locked skipped
D:\WINDOW\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOW\system32\config\SECURITY Object is locked skipped
D:\WINDOW\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOW\system32\config\software Object is locked skipped
D:\WINDOW\system32\config\software.LOG Object is locked skipped
D:\WINDOW\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOW\system32\config\system Object is locked skipped
D:\WINDOW\system32\config\system.LOG Object is locked skipped
D:\WINDOW\system32\h323log.txt Object is locked skipped
D:\WINDOW\system32\QUACMDVQ.VIR Infected: Packed.Win32.Monder.gen skipped
D:\WINDOW\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOW\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOW\system32\wvjvqicp.dll Infected: Packed.Win32.Monder.gen skipped
D:\WINDOW\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
Scan process completed.


Thank you all so much!!


#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    D:\Documents and Settings\Terry\Desktop\Download_spyzookasetup1.exe
    D:\WINDOW\system32\QUACMDVQ.VIR 
    D:\WINDOW\system32\wvjvqicp.dll
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 tcastle (Topic Starter, Member, 10 posts)
Hi Rorschach112!
Thanks for the reply.
I wonder what sort of infection I even have. At first I thought it was Vundo. I think it must be a combination. :)

Log from ComboFix:

ComboFix 08-04-26.3 - Terry 2008-04-30 17:19:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.588 [GMT -5:00]
Running from: D:\Documents and Settings\Terry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOW\cookies.ini
D:\WINDOW\pskt.ini
D:\WINDOW\system32\bbLSAJlm.ini
D:\WINDOW\system32\bbLSAJlm.ini2
D:\WINDOW\system32\bmnigbwd.ini
D:\WINDOW\system32\rcisskvn.ini
D:\WINDOW\system32\yGOVCcdd.ini
D:\WINDOW\system32\yGOVCcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 17:00 . 2008-04-30 17:00 <DIR> d-------- D:\_OTMoveIt
2008-04-29 22:17 . 2008-04-29 22:17 <DIR> d-------- D:\Program Files\Uniblue
2008-04-29 22:17 . 2008-04-29 22:17 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\Uniblue
2008-04-29 21:31 . 2008-04-29 21:31 <DIR> d-------- D:\Program Files\Trend Micro
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\Malwarebytes
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\Malwarebytes
2008-04-27 15:47 . 2008-04-27 19:02 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-04-27 15:47 . 2008-04-27 15:47 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\SUPERAntiSpyware.com
2008-04-27 15:47 . 2008-04-27 15:47 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\SUPERAntiSpyware.com
2008-04-27 03:32 . 2008-04-27 03:32 <DIR> d-------- D:\VundoFix Backups
2008-04-27 03:21 . 2008-04-27 03:21 <DIR> d-------- D:\Program Files\Enigma Software Group
2008-04-27 01:06 . 2008-04-27 01:06 <DIR> d-------- D:\WINDOW\system32\Kaspersky Lab
2008-04-27 01:06 . 2008-04-27 01:06 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\Kaspersky Lab
2008-04-26 01:08 . 2008-04-29 00:43 <DIR> d-------- D:\Program Files\Common Files\Download Manager
2008-04-25 07:21 . 2008-04-25 07:21 294 --ahs---- D:\WINDOW\system32\khtyvgdh.ini
2008-04-25 00:12 . 2008-04-28 18:07 109,774 --a------ D:\WINDOW\BM23c3d46e.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 22:16 --------- d-----w D:\Program Files\PeerGuardian2
2008-04-30 22:07 --------- d-----w D:\Documents and Settings\Terry\Application Data\uTorrent
2008-04-30 02:54 --------- d-----w D:\Program Files\hijackthiss
2008-04-27 23:27 --------- d-----w D:\Program Files\HIjack_This
2008-04-27 20:46 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 06:58 --------- d-----w D:\Program Files\Java
2008-04-26 09:29 --------- d-----w D:\Documents and Settings\Terry\Application Data\vlc
2008-02-01 01:30 16,192 ----a-w D:\Documents and Settings\Terry\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 22:23 7,168 --sha-w D:\Program Files\Thumbs.db
2006-05-29 04:24 8,282,187 ----a-w D:\Program Files\vlc-0.8.5-win32.exe
2005-07-07 21:19 0 ----a-w D:\Program Files\ut2004-betademo.exe
2005-07-07 21:18 296,049,152 ----a-w D:\Program Files\ut2004-demo3334.exe
2005-07-05 20:34 1,175,592 -c--a-w D:\Program Files\GoogleVideoViewer1.0_Win.exe
2005-04-20 17:04 13,195 ----a-w D:\Documents and Settings\Terry Castleman\zguicfgw.dat
2005-03-30 04:40 386 -c--a-w D:\Program Files\stickykeysdelete.reg
2004-03-20 07:18 25,549,467 ----a-w D:\Program Files\wxp-w2k-catalyst-7-991-040224m-013831c.exe
2003-10-17 00:40 451,136 -c--a-w D:\Program Files\GoogleToolbarInstaller.exe
.

------- Sigcheck -------

2001-08-23 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 D:\WINDOW\system32\svchost.exe
2001-08-23 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 D:\WINDOW\system32\dllcache\svchost.exe

2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 D:\WINDOW\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 D:\WINDOW\$hf_mig$\KB890859\SP2QFE\user32.dll
2005-03-02 13:20 561152 74202eb1bd67e8be9509e38c8d2234b0 D:\WINDOW\LastGood\System32\user32.dll
2001-08-23 07:00 561152 be57a5c3abd240514b98f6bca872fb21 D:\WINDOW\system32\user32.dll
2001-08-23 07:00 561152 be57a5c3abd240514b98f6bca872fb21 D:\WINDOW\system32\dllcache\user32.dll

2001-08-23 07:00 75264 8529c295df59b564d37a73b5629162b1 D:\WINDOW\system32\ws2_32.dll
2001-08-23 07:00 75264 8529c295df59b564d37a73b5629162b1 D:\WINDOW\system32\dllcache\ws2_32.dll

2002-08-29 05:41 599040 f3587750a7481dccbea13d473a0700be D:\WINDOW\$NtUninstallKB905915-IE6SP1-20051122.175908$\wininet.dll
2005-10-21 12:51 575488 4d7f35d26e955fcb4a572908d216cf00 D:\WINDOW\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll
2006-02-24 13:26 575488 9d3bf3efcd3470fbeca54dee9a3332b6 D:\WINDOW\$NtUninstallKB916281-IE6SP1-20060526.162249$\wininet.dll
2001-08-23 07:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a D:\WINDOW\system32\wininet.dll
2001-08-23 07:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a D:\WINDOW\system32\dllcache\wininet.dll

2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 D:\WINDOW\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e D:\WINDOW\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 D:\WINDOW\$hf_mig$\KB913446\SP2GDR\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 D:\WINDOW\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 D:\WINDOW\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOW\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2005-05-25 14:41 339968 228b0385bbfca24332fa22db45a8b684 D:\WINDOW\$NtUninstallKB913446$\tcpip.sys
2006-01-12 20:13 340480 8c101c9c566e2384af28ef7c1de4a36e D:\WINDOW\$NtUninstallKB917953$\tcpip.sys
2001-08-23 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 D:\WINDOW\system32\dllcache\tcpip.sys
2001-08-23 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 D:\WINDOW\system32\drivers\tcpip.sys

2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb D:\WINDOW\$NtUninstallKB840987$\winlogon.exe
2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb D:\WINDOW\LastGood\System32\winlogon.exe
2001-08-23 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 D:\WINDOW\system32\winlogon.exe
2001-08-23 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 D:\WINDOW\system32\dllcache\winlogon.exe

2001-08-23 07:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 D:\WINDOW\system32\dllcache\ndis.sys
2001-08-23 07:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 D:\WINDOW\system32\drivers\ndis.sys

2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 D:\WINDOW\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b D:\WINDOW\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\$NtUninstallKB885835$\ntkrnlpa.exe
2002-08-29 03:04 1947904 0e8efb15746878a9b256e75267337233 D:\WINDOW\$NtUninstallQ811493$\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\$xpsp1hfm$\Q811493\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\LastGood\Driver Cache\i386\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\LastGood\System32\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 D:\WINDOW\system32\ntkrnlpa.exe

2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e D:\WINDOW\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb D:\WINDOW\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\$NtUninstallKB885835$\ntoskrnl.exe
2002-08-29 04:03 2042240 b9080d97dbd631aadf9128f7316958d2 D:\WINDOW\$NtUninstallQ811493$\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\$xpsp1hfm$\Q811493\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\LastGood\Driver Cache\i386\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\LastGood\System32\ntoskrnl.exe
2001-08-23 07:00 1982208 a29222d5281056e497408fcc9062f749 D:\WINDOW\system32\ntoskrnl.exe

2001-08-23 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 D:\WINDOW\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a D:\WINDOW\$NtUninstallKB820291$\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a D:\WINDOW\LastGood\explorer.exe
2001-08-23 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 D:\WINDOW\system32\dllcache\explorer.exe

2001-08-23 07:00 13312 85b1054db58d13aa42d7dca778c30f57 D:\WINDOW\system32\ctfmon.exe
2001-08-23 07:00 13312 85b1054db58d13aa42d7dca778c30f57 D:\WINDOW\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c24033c-c1a8-4365-a7cd-7c11a746da59}]
D:\WINDOW\System32\wvjvqicp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kmw_run.exe"="kmw_run.exe" [2005-02-03 15:30 106496 D:\WINDOW\system32\kmw_run.exe]
"MSWheel"="" []
"MCUpdateExe"="D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="D:\PROGRA~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 18:29 303104]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 21:26 262401]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"000000af"="D:\WINDOW\System32\dwbginmb.dll" [ ]

D:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXNHw]

R0 avgntmgr;avgntmgr;D:\WINDOW\System32\DRIVERS\avgntmgr.sys [2008-04-14 21:26]
R1 avgntdd;avgntdd;D:\WINDOW\System32\DRIVERS\avgntdd.sys [2008-04-14 21:26]
R3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);D:\WINDOW\System32\DRIVERS\atirtcap.sys [2001-08-17 07:49]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;D:\WINDOW\System32\DRIVERS\fetnd5bv.sys [2008-01-02 02:12]
R3 KMW_KBD;Kensington Input Devices Class filter driver;D:\WINDOW\System32\DRIVERS\KMW_KBD.sys [2005-02-03 14:44]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;D:\WINDOW\System32\DRIVERS\KMW_SYS.sys [2005-02-03 14:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 03:17:45 D:\WINDOW\Tasks\Uniblue SpeedUpMyPC Nag.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-30 03:17:42 D:\WINDOW\Tasks\Uniblue SpeedUpMyPC.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:24:33
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\aawservice.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOW\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-30 17:30:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 22:30:19

Pre-Run: 8,092,676,096 bytes free
Post-Run: 8,045,817,856 bytes free

173



Log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:37 PM, on 4/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
D:\WINDOW\System32\smss.exe
D:\WINDOW\system32\winlogon.exe
D:\WINDOW\system32\services.exe
D:\WINDOW\system32\lsass.exe
D:\WINDOW\system32\svchost.exe
D:\WINDOW\System32\svchost.exe
D:\Program Files\Lavasoft\aawservice.exe
D:\WINDOW\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOW\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeropaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {95ad647a-11c7-dc7a-5634-8a1cc33042c8} - {8c24033c-c1a8-4365-a7cd-7c11a746da59} - D:\WINDOW\System32\wvjvqicp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOW\System32\msdxm.ocx
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] D:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "D:\WINDOW\System32\dwbginmb.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201735493873
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccaXNHw - D:\WINDOW\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4282 bytes


One of the things that I can notice in the HijackThis log is McAfee and Avira antivirus look to be running in the O4 HKLM area.

Thanks again for the assist.
  • 0

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
It's Vundo for sure :)

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: {95ad647a-11c7-dc7a-5634-8a1cc33042c8} - {8c24033c-c1a8-4365-a7cd-7c11a746da59} - D:\WINDOW\System32\wvjvqicp.dll (file missing)
O4 - HKLM\..\Run: [000000af] rundll32.exe "D:\WINDOW\System32\dwbginmb.dll",b
O20 - Winlogon Notify: fccaXNHw - D:\WINDOW\


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

File::
D:\WINDOW\system32\khtyvgdh.ini
D:\WINDOW\BM23c3d46e.xml

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Reboot and post a new HijackThis log
  • 0
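As an added example (not code from this thread or from HijackThis/ComboFix), the Python script below applies the pattern Rorschach112 picked out above to constructed sample lines taken from the logs in this thread: a BHO whose display name is a bare GUID and whose DLL is missing, a hex-named Run value loading a DLL through rundll32, and a Winlogon Notify subkey with a random-looking name and no DLL file. The "eight letters, at most one vowel" random-name rule is an assumed heuristic, so a hit means "look closer", not "malicious".

```python
"""Triage HijackThis (HJT) log lines for the Vundo-style indicators picked out in post #4.

Added example, not code from this thread or from HijackThis/ComboFix. The sample log is
constructed from entries quoted in the thread; the random-name rule is an assumed heuristic.
"""
import re
from collections import namedtuple

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
DLL_RE = re.compile(r'([^\\"/,]+\.dll)', re.I)   # last path component ending in .dll
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [name] command"
Finding = namedtuple("Finding", "section line reasons")

def looks_random(filename: str) -> bool:
    """Assumed heuristic: eight letters with at most one vowel (wvjvqicp, dwbginmb, fccaXNHw)."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    return sum(ch in "aeiou" for ch in stem) <= 1

def check_o2(body: str) -> list:
    """O2 body 'BHO: <name> - <clsid> - <path>'; Vundo registers a GUID as the display name."""
    parts = body.removeprefix("BHO: ").split(" - ", 2)
    if len(parts) != 3:
        return []
    name, _clsid, path = parts
    reasons = []
    if GUID_RE.match(name):
        reasons.append("BHO display name is a bare GUID")
    if "(file missing)" in path:
        reasons.append("BHO points at a DLL that is no longer on disk")
    reasons += [f"randomly named DLL {d}" for d in DLL_RE.findall(path) if looks_random(d)]
    return reasons

def check_o4(body: str) -> list:
    """O4 body '<hive>\\..\\Run: [<entry>] <command>'; flag rundll32 loading a random DLL."""
    m = re.search(r"\[([^\]]+)\] (.*)", body)
    if not m:
        return []
    entry, command = m.groups()
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", entry):
        reasons.append(f"Run value named like a hex counter ({entry})")
    if "rundll32" in command.lower():
        reasons += [f"rundll32 loads randomly named DLL {d}"
                    for d in DLL_RE.findall(command) if looks_random(d)]
    return reasons

def check_o20(body: str) -> list:
    """O20 body 'Winlogon Notify: <subkey> - <dll path>'; Vundo leaves a random subkey, no DLL."""
    parts = body.removeprefix("Winlogon Notify: ").split(" - ", 1)
    if len(parts) != 2:
        return []
    subkey, path = parts
    reasons = []
    if looks_random(subkey):
        reasons.append(f"Winlogon Notify subkey {subkey} has a random-looking name")
    if path.endswith("\\") or not DLL_RE.search(path):
        reasons.append("Winlogon Notify entry names a directory, not a DLL")
    return reasons

CHECKS = {"O2": check_o2, "O4": check_o4, "O20": check_o20}

def analyze_hjt(log_text: str) -> list:
    """One Finding per suspicious entry, in log order; clean entries produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = CHECKS.get(section, lambda _body: [])(body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings

# Constructed sample: clean entries from the thread's logs plus the three the helper fixed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95ad647a-11c7-dc7a-5634-8a1cc33042c8} - {8c24033c-c1a8-4365-a7cd-7c11a746da59} - D:\WINDOW\System32\wvjvqicp.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [000000af] rundll32.exe "D:\WINDOW\System32\dwbginmb.dll",b
O20 - Winlogon Notify: fccaXNHw - D:\WINDOW\
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f.section, f.line, *f.reasons, sep="\n    ")
```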

#5
tcastle

    Member

  • Topic Starter
  • Member
  • 10 posts
OK, a new HJT log - - -


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:01 PM, on 4/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
D:\WINDOW\System32\smss.exe
D:\WINDOW\system32\winlogon.exe
D:\WINDOW\system32\services.exe
D:\WINDOW\system32\lsass.exe
D:\WINDOW\system32\svchost.exe
D:\WINDOW\System32\svchost.exe
D:\WINDOW\Explorer.EXE
D:\Program Files\Lavasoft\aawservice.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOW\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOW\System32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeropaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOW\System32\msdxm.ocx
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] D:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOW\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201735493873
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4324 bytes



I wonder if I can remove these 3 items? They have been giving me a couple of start-up notices I would like to do without. :)

O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] D:\PROGRA~1\McAfee.com\Agent\McAgent.exe

The top one is Kensington MouseWorks software and the other two are McAfee related, which I am no longer using.

Thanks again!

Edited by tcastle, 30 April 2008 - 05:06 PM.

  • 0

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You can fix those if you want.

Download and run the McAfee Removal tool from here:

http://download.mcaf...atches/MCPR.exe


Also post the ComboFix log.



Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


And tell me how your PC is running
  • 0

#7
tcastle

    Member

  • Topic Starter
  • Member
  • 10 posts
ComboFix log


ComboFix 08-04-26.3 - Terry 2008-04-30 18:34:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.580 [GMT -5:00]
Running from: D:\Documents and Settings\Terry\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Terry\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\WINDOW\BM23c3d46e.xml
D:\WINDOW\system32\khtyvgdh.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOW\BM23c3d46e.xml
D:\WINDOW\system32\khtyvgdh.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 17:00 . 2008-04-30 17:00 <DIR> d-------- D:\_OTMoveIt
2008-04-29 22:17 . 2008-04-30 18:03 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\Uniblue
2008-04-29 21:31 . 2008-04-29 21:31 <DIR> d-------- D:\Program Files\Trend Micro
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\Malwarebytes
2008-04-29 00:44 . 2008-04-29 00:44 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\Malwarebytes
2008-04-27 15:47 . 2008-04-27 19:02 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-04-27 15:47 . 2008-04-27 15:47 <DIR> d-------- D:\Documents and Settings\Terry\Application Data\SUPERAntiSpyware.com
2008-04-27 15:47 . 2008-04-27 15:47 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\SUPERAntiSpyware.com
2008-04-27 03:32 . 2008-04-27 03:32 <DIR> d-------- D:\VundoFix Backups
2008-04-27 03:21 . 2008-04-27 03:21 <DIR> d-------- D:\Program Files\Enigma Software Group
2008-04-27 01:06 . 2008-04-27 01:06 <DIR> d-------- D:\WINDOW\system32\Kaspersky Lab
2008-04-27 01:06 . 2008-04-27 01:06 <DIR> d-------- D:\Documents and Settings\All Users.WINDOW\Application Data\Kaspersky Lab
2008-04-26 01:08 . 2008-04-29 00:43 <DIR> d-------- D:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 22:16 --------- d-----w D:\Program Files\PeerGuardian2
2008-04-30 22:07 --------- d-----w D:\Documents and Settings\Terry\Application Data\uTorrent
2008-04-30 02:54 --------- d-----w D:\Program Files\hijackthiss
2008-04-27 23:27 --------- d-----w D:\Program Files\HIjack_This
2008-04-27 20:46 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 06:58 --------- d-----w D:\Program Files\Java
2008-04-26 09:29 --------- d-----w D:\Documents and Settings\Terry\Application Data\vlc
2008-02-04 02:57 43,520 ----a-w D:\WINDOW\system32\CmdLineExt03.dll
2008-02-01 01:30 16,192 ----a-w D:\Documents and Settings\Terry\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 22:23 7,168 --sha-w D:\Program Files\Thumbs.db
2006-05-29 04:24 8,282,187 ----a-w D:\Program Files\vlc-0.8.5-win32.exe
2005-07-07 21:19 0 ----a-w D:\Program Files\ut2004-betademo.exe
2005-07-07 21:18 296,049,152 ----a-w D:\Program Files\ut2004-demo3334.exe
2005-07-05 20:34 1,175,592 -c--a-w D:\Program Files\GoogleVideoViewer1.0_Win.exe
2005-04-20 17:04 13,195 ----a-w D:\Documents and Settings\Terry Castleman\zguicfgw.dat
2005-03-30 04:40 386 -c--a-w D:\Program Files\stickykeysdelete.reg
2004-03-20 07:18 25,549,467 ----a-w D:\Program Files\wxp-w2k-catalyst-7-991-040224m-013831c.exe
2003-10-17 00:40 451,136 -c--a-w D:\Program Files\GoogleToolbarInstaller.exe
.

------- Sigcheck -------

2001-08-23 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 D:\WINDOW\system32\svchost.exe
2001-08-23 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 D:\WINDOW\system32\dllcache\svchost.exe

2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 D:\WINDOW\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 D:\WINDOW\$hf_mig$\KB890859\SP2QFE\user32.dll
2005-03-02 13:20 561152 74202eb1bd67e8be9509e38c8d2234b0 D:\WINDOW\LastGood\System32\user32.dll
2001-08-23 07:00 561152 be57a5c3abd240514b98f6bca872fb21 D:\WINDOW\system32\user32.dll
2001-08-23 07:00 561152 be57a5c3abd240514b98f6bca872fb21 D:\WINDOW\system32\dllcache\user32.dll

2001-08-23 07:00 75264 8529c295df59b564d37a73b5629162b1 D:\WINDOW\system32\ws2_32.dll
2001-08-23 07:00 75264 8529c295df59b564d37a73b5629162b1 D:\WINDOW\system32\dllcache\ws2_32.dll

2002-08-29 05:41 599040 f3587750a7481dccbea13d473a0700be D:\WINDOW\$NtUninstallKB905915-IE6SP1-20051122.175908$\wininet.dll
2005-10-21 12:51 575488 4d7f35d26e955fcb4a572908d216cf00 D:\WINDOW\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll
2006-02-24 13:26 575488 9d3bf3efcd3470fbeca54dee9a3332b6 D:\WINDOW\$NtUninstallKB916281-IE6SP1-20060526.162249$\wininet.dll
2001-08-23 07:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a D:\WINDOW\system32\wininet.dll
2001-08-23 07:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a D:\WINDOW\system32\dllcache\wininet.dll

2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 D:\WINDOW\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e D:\WINDOW\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 D:\WINDOW\$hf_mig$\KB913446\SP2GDR\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 D:\WINDOW\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 D:\WINDOW\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOW\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2005-05-25 14:41 339968 228b0385bbfca24332fa22db45a8b684 D:\WINDOW\$NtUninstallKB913446$\tcpip.sys
2006-01-12 20:13 340480 8c101c9c566e2384af28ef7c1de4a36e D:\WINDOW\$NtUninstallKB917953$\tcpip.sys
2001-08-23 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 D:\WINDOW\system32\dllcache\tcpip.sys
2001-08-23 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 D:\WINDOW\system32\drivers\tcpip.sys

2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb D:\WINDOW\$NtUninstallKB840987$\winlogon.exe
2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb D:\WINDOW\LastGood\System32\winlogon.exe
2001-08-23 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 D:\WINDOW\system32\winlogon.exe
2001-08-23 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 D:\WINDOW\system32\dllcache\winlogon.exe

2001-08-23 07:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 D:\WINDOW\system32\dllcache\ndis.sys
2001-08-23 07:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 D:\WINDOW\system32\drivers\ndis.sys

2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 D:\WINDOW\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b D:\WINDOW\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\$NtUninstallKB885835$\ntkrnlpa.exe
2002-08-29 03:04 1947904 0e8efb15746878a9b256e75267337233 D:\WINDOW\$NtUninstallQ811493$\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\$xpsp1hfm$\Q811493\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\LastGood\Driver Cache\i386\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 D:\WINDOW\LastGood\System32\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 D:\WINDOW\system32\ntkrnlpa.exe

2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e D:\WINDOW\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb D:\WINDOW\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\$NtUninstallKB885835$\ntoskrnl.exe
2002-08-29 04:03 2042240 b9080d97dbd631aadf9128f7316958d2 D:\WINDOW\$NtUninstallQ811493$\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\$xpsp1hfm$\Q811493\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\LastGood\Driver Cache\i386\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 D:\WINDOW\LastGood\System32\ntoskrnl.exe
2001-08-23 07:00 1982208 a29222d5281056e497408fcc9062f749 D:\WINDOW\system32\ntoskrnl.exe

2001-08-23 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 D:\WINDOW\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a D:\WINDOW\$NtUninstallKB820291$\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a D:\WINDOW\LastGood\explorer.exe
2001-08-23 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 D:\WINDOW\system32\dllcache\explorer.exe

2001-08-23 07:00 13312 85b1054db58d13aa42d7dca778c30f57 D:\WINDOW\system32\ctfmon.exe
2001-08-23 07:00 13312 85b1054db58d13aa42d7dca778c30f57 D:\WINDOW\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [email protected]_17.30.03.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 22:23:40 2,048 --s-a-w D:\WINDOW\bootstat.dat
+ 2008-04-30 23:29:22 2,048 --s-a-w D:\WINDOW\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kmw_run.exe"="kmw_run.exe" [2005-02-03 15:30 106496 D:\WINDOW\system32\kmw_run.exe]
"MSWheel"="" []
"MCUpdateExe"="D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="D:\PROGRA~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 18:29 303104]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 21:26 262401]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

D:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 avgntmgr;avgntmgr;D:\WINDOW\System32\DRIVERS\avgntmgr.sys [2008-04-14 21:26]
R1 avgntdd;avgntdd;D:\WINDOW\System32\DRIVERS\avgntdd.sys [2008-04-14 21:26]
R3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);D:\WINDOW\System32\DRIVERS\atirtcap.sys [2001-08-17 07:49]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;D:\WINDOW\System32\DRIVERS\fetnd5bv.sys [2008-01-02 02:12]
R3 KMW_KBD;Kensington Input Devices Class filter driver;D:\WINDOW\System32\DRIVERS\KMW_KBD.sys [2005-02-03 14:44]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;D:\WINDOW\System32\DRIVERS\KMW_SYS.sys [2005-02-03 14:45]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 03:17:45 D:\WINDOW\Tasks\Uniblue SpeedUpMyPC Nag.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-30 03:17:42 D:\WINDOW\Tasks\Uniblue SpeedUpMyPC.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:37:27
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 18:41:12
ComboFix-quarantined-files.txt 2008-04-30 23:41:09
ComboFix2.txt 2008-04-30 22:30:26

Pre-Run: 8,956,985,344 bytes free
Post-Run: 8,948,985,856 bytes free

163



MBAM log - - -


Malwarebytes' Anti-Malware 1.11
Database version: 704

Scan type: Full Scan (D:\|)
Objects scanned: 136863
Time elapsed: 1 hour(s), 29 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\_OTMoveIt\MovedFiles\04302008_170035\WINDOW\system32\wvjvqicp.dll (Trojan.Vundo) -> No action taken.


PC has been running much more consistently! Thanks!! Avira popped up a trojan warning when MBAM was cleaning. Other than that no virus warnings have popped up.
  • 0

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Follow these steps to uninstall ComboFix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type ComboFix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
    Posted Image


  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-SPYAD here.

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
  • 0

#9
tcastle

    Member

  • Topic Starter
  • Member
  • 10 posts
OK. Thanks again for your help. I cleaned up with OTMoveIt and got rid of ComboFix.

My Avira was doing its scan and found a TR/Trash.Gen in my System Volume Information folder.
I don't know if it is a concern for me. Avira said it was set as low for infection.

I will follow the rest of your notes for helping make my PC more secure!
  • 0

#10
tcastle

    Member

  • Topic Starter
  • Member
  • 10 posts
Whoops, forgot: also, in my Add or Remove Programs folder, all I have that is Java related is Java™ 6 Update 3 and Java™ 6 Update 5.
  • 0

#11
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Don't worry about Avast detecting that infection in the System Restore folder; if you follow my steps then that will be gone.

all i have that is java related is Java™6 update 3 and Java™6 update 5.

That is what you want to remove

Any other questions ?
  • 0

#12
tcastle

    Member

  • Topic Starter
  • Member
  • 10 posts
Thanks again and I have no other questions. All appears well.

That McAfee remover tool worked well too :)
  • 0

#13
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
