Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan Vundo won't go away [RESOLVED]


  • This topic is locked This topic is locked

#1
bradyg23

bradyg23

    Member

  • Member
  • PipPip
  • 66 posts
I seem to have a TrojanVundo that I can kill.

I've run ATF and Malwarebytes (which detected and removed Vundo, but it comes back).
I'm running Symantec AV Corp Edition (which detects and removes Vundo, but it comes back)

I'm running XP Pro with newly installed SP3.

I've uninstalled Limewire and other similar programs, which I think is where this came from...

HJT below, and you have my many many thanks!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:44 PM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yogajournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {5decfb16-f9bc-bdab-a194-d8a1680797a1} - {1a797086-1a8d-491a-badb-cb9f61bfced5} - C:\WINNT\system32\exgejoyb.dll
O2 - BHO: (no name) - {3B2AA361-4383-4170-A9A4-8995F3409628} - (no file)
O2 - BHO: (no name) - {5C4E7755-8BCE-401C-B11A-01D280461D6A} - (no file)
O2 - BHO: (no name) - {6610ab65-f686-4efb-9887-bd9ec3819f1c} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7A272DCE-2F87-477E-9A16-F8076ED70E68} - (no file)
O2 - BHO: (no name) - {9baf8304-24b4-4760-828b-b52b286a4954} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b88b60b8-a35e-41ee-af32-8c8e6704b618} - (no file)
O2 - BHO: (no name) - {C057C617-65F6-4AA3-82D3-04EAAD4E9FE8} - C:\WINNT\system32\cbxyxuvv.dll (file missing)
O2 - BHO: (no name) - {C0D5046C-14D1-4F2A-9B20-D14D0A71205D} - (no file)
O2 - BHO: (no name) - {D616B6B0-7475-43E0-BBD0-C3932F6A89DF} - (no file)
O2 - BHO: (no name) - {D9B075EF-CB7E-4449-81CA-EE6499AB2BE6} - (no file)
O2 - BHO: (no name) - {F782F5BC-E446-4B1A-B29C-BDDDDEAA65FC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.kemet.com/iNotes6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121988725277
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://webmail.kemet.com/dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vgate0.kemet...perSetupSP1.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9425 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: {5decfb16-f9bc-bdab-a194-d8a1680797a1} - {1a797086-1a8d-491a-badb-cb9f61bfced5} - C:\WINNT\system32\exgejoyb.dll
O2 - BHO: (no name) - {3B2AA361-4383-4170-A9A4-8995F3409628} - (no file)
O2 - BHO: (no name) - {5C4E7755-8BCE-401C-B11A-01D280461D6A} - (no file)
O2 - BHO: (no name) - {6610ab65-f686-4efb-9887-bd9ec3819f1c} - (no file)
O2 - BHO: (no name) - {7A272DCE-2F87-477E-9A16-F8076ED70E68} - (no file)
O2 - BHO: (no name) - {9baf8304-24b4-4760-828b-b52b286a4954} - (no file)
O2 - BHO: (no name) - {b88b60b8-a35e-41ee-af32-8c8e6704b618} - (no file)
O2 - BHO: (no name) - {C057C617-65F6-4AA3-82D3-04EAAD4E9FE8} - C:\WINNT\system32\cbxyxuvv.dll (file missing)
O2 - BHO: (no name) - {C0D5046C-14D1-4F2A-9B20-D14D0A71205D} - (no file)
O2 - BHO: (no name) - {D616B6B0-7475-43E0-BBD0-C3932F6A89DF} - (no file)
O2 - BHO: (no name) - {D9B075EF-CB7E-4449-81CA-EE6499AB2BE6} - (no file)
O2 - BHO: (no name) - {F782F5BC-E446-4B1A-B29C-BDDDDEAA65FC} - (no file)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINNT\system32\exgejoyb.dll

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Thanks Greyknight!
Here is the result of ComboFix:


ComboFix 08-05-12.1 - Jennifer 2008-05-14 6:22:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.170 [GMT -4:00]
Running from: C:\Documents and Settings\Jennifer\Desktop\Computer Repair\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\acvejnfy.ini
C:\WINNT\system32\agwbwntp.ini
C:\WINNT\system32\csytivka.dll
C:\WINNT\system32\ddpwcode.ini
C:\WINNT\system32\dnevvavs.ini
C:\WINNT\system32\ehmpewmy.dll
C:\WINNT\system32\gomecoym.dll
C:\WINNT\system32\jjahetkw.ini
C:\WINNT\system32\khtwnesc.ini
C:\WINNT\system32\lpfydxfw.ini
C:\WINNT\system32\lwwpqsjd.ini
C:\WINNT\system32\magshgem.ini
C:\WINNT\system32\masrptyt.ini
C:\WINNT\system32\mcrxkllc.dll
C:\WINNT\system32\mlnyqium.ini
C:\WINNT\system32\ntkrgovp.dll
C:\WINNT\system32\oaikriie.dll
C:\WINNT\system32\okadwwce.dll
C:\WINNT\system32\ossegewu.ini
C:\WINNT\system32\pjylkbec.ini
C:\WINNT\system32\pwjtlqpn.ini
C:\WINNT\system32\rosdyari.ini
C:\WINNT\system32\rqkuoaak.dll
C:\WINNT\system32\srjaytqn.ini
C:\WINNT\system32\svobhkrl.dll
C:\WINNT\system32\tkabehay.ini
C:\WINNT\system32\trbxrmjg.ini
C:\WINNT\system32\ueuftdsp.ini
C:\WINNT\system32\ukjtdedq.ini
C:\WINNT\system32\ukssbgqr.ini
C:\WINNT\system32\usnkkhbt.dll
C:\WINNT\system32\vgxcaawo.dll
C:\WINNT\system32\vtwetuwa.ini
C:\WINNT\system32\vvuxyxbc.ini
C:\WINNT\system32\vvuxyxbc.ini2
C:\WINNT\system32\vxoddoyp.ini
C:\WINNT\system32\wuisdxif.dll
C:\WINNT\system32\xmmuyhqr.dll
C:\WINNT\system32\xrwwpepu.dll
C:\WINNT\system32\xspcwltb.ini
C:\WINNT\system32\yqdtlbcy.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 21:28 . 2004-08-04 03:56 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\system32\scripting
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\system32\en
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\l2schemas
2008-05-13 20:29 . 2008-04-13 20:12 712,704 --------- C:\WINNT\system32\windowscodecs.dll
2008-05-13 20:29 . 2008-04-13 20:12 346,112 --------- C:\WINNT\system32\windowscodecsext.dll
2008-05-13 20:29 . 2008-04-13 20:12 276,992 --------- C:\WINNT\system32\wmphoto.dll
2008-05-13 20:29 . 2008-04-13 20:12 69,120 --------- C:\WINNT\system32\wlanapi.dll
2008-05-13 20:29 . 2008-04-13 20:12 53,248 --------- C:\WINNT\system32\tsgqec.dll
2008-05-13 20:29 . 2008-04-13 20:12 50,688 --------- C:\WINNT\system32\tspkg.dll
2008-05-13 20:27 . 2008-04-13 20:11 650,752 --------- C:\WINNT\system32\dot3ui.dll
2008-05-13 20:26 . 2008-04-13 20:11 233,472 --------- C:\WINNT\system32\azroles.dll
2008-05-13 20:26 . 2008-04-13 20:11 136,192 --------- C:\WINNT\system32\aaclient.dll
2008-05-13 20:26 . 2008-04-13 20:11 12,800 --------- C:\WINNT\system32\credssp.dll
2008-05-13 20:26 . 2008-04-13 20:11 7,168 --------- C:\WINNT\system32\bitsprx4.dll
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Malwarebytes
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 18:17 . 2008-05-05 20:46 27,048 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-05-13 18:17 . 2008-05-05 20:46 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-13 18:16 . 2008-05-13 18:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-13 18:16 . 2008-05-13 18:16 2,112 --a------ C:\WINNT\system32\oeuumlof.exe
2008-05-13 18:10 . 2008-05-13 18:29 100,928 --a------ C:\WINNT\system32\tcjhyobk.old
2008-05-13 14:40 . 2008-05-13 14:40 2,112 --a------ C:\WINNT\system32\smtvyxjv.exe
2008-05-13 11:07 . 2008-05-13 11:07 2,112 --a------ C:\WINNT\system32\cqhqmwfh.exe
2008-05-12 14:29 . 2008-05-12 14:29 2,112 --a------ C:\WINNT\system32\nqwrxbuh.exe
2008-05-12 09:42 . 2008-05-12 09:42 2,112 --a------ C:\WINNT\system32\mbahvmwx.exe
2008-05-09 10:17 . 2008-05-09 10:17 2,112 --a------ C:\WINNT\system32\odmtejdr.exe
2008-05-08 14:39 . 2008-05-08 14:39 2,112 --a------ C:\WINNT\system32\utxsccvg.exe
2008-05-07 11:03 . 2008-05-07 11:03 2,112 --a------ C:\WINNT\system32\mxaeobwb.exe
2008-05-07 09:18 . 2008-05-07 09:18 2,112 --a------ C:\WINNT\system32\nvljefnc.exe
2008-05-06 14:29 . 2008-05-06 14:29 2,112 --a------ C:\WINNT\system32\vjjklflv.exe
2008-05-06 12:45 . 2008-05-06 12:45 2,112 --a------ C:\WINNT\system32\dmwsjcgq.exe
2008-05-05 20:45 . 2008-05-06 14:34 <DIR> d-------- C:\VundoFix Backups
2008-04-20 14:19 . 2008-04-21 16:00 946 --ahs---- C:\WINNT\system32\sloystbi.ini
2008-04-19 13:35 . 2008-04-20 14:17 594 --ahs---- C:\WINNT\system32\pxrrdtsj.ini
2008-04-19 13:15 . 2008-04-19 13:15 294 --ahs---- C:\WINNT\system32\suvjivqn.ini
2008-04-19 13:00 . 2008-05-05 20:34 651 --a------ C:\WINNT\wininit.ini
2008-04-17 19:33 . 2008-04-17 19:33 <DIR> d-------- C:\Program Files\Audacity
2008-04-16 15:40 . 2008-05-13 10:54 109,709 --a------ C:\WINNT\BM6f147072.xml
2008-04-15 18:29 . 2008-04-15 18:32 <DIR> d-------- C:\WINNT\system32\bharebio05
2008-04-15 18:29 . 2008-04-15 18:29 <DIR> d-------- C:\Temp\wdlw14

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 10:18 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-13 23:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-05 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-05 22:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-25 18:50 --------- d-----w C:\Program Files\QUICKENW
2008-04-17 23:18 --------- d-----w C:\Documents and Settings\Jennifer\Application Data\LimeWire
2008-04-14 09:42 985,088 ----a-w C:\WINNT\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINNT\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINNT\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINNT\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINNT\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINNT\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINNT\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINNT\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINNT\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINNT\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINNT\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINNT\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINNT\system32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINNT\system32\dllcache\pmigrate.dll
2008-04-14 00:10 53,279 ----a-w C:\WINNT\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINNT\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINNT\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINNT\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINNT\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINNT\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINNT\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINNT\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINNT\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINNT\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINNT\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINNT\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINNT\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINNT\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINNT\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINNT\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINNT\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINNT\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINNT\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINNT\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINNT\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINNT\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINNT\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINNT\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINNT\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINNT\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINNT\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINNT\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINNT\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINNT\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINNT\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINNT\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINNT\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINNT\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINNT\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINNT\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINNT\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINNT\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINNT\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINNT\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINNT\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINNT\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ------w C:\WINNT\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINNT\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINNT\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINNT\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINNT\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINNT\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINNT\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINNT\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINNT\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINNT\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINNT\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINNT\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINNT\system32\drivers\usbprint.sys
2008-04-13 18:46 61,696 ----a-w C:\WINNT\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINNT\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINNT\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINNT\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINNT\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINNT\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINNT\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINNT\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINNT\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINNT\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINNT\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINNT\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINNT\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINNT\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINNT\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINNT\system32\drivers\dmio.sys
2008-04-13 18:43 9,728 ----a-w C:\WINNT\system32\comsdupd.exe
2008-04-13 18:43 14,208 ------w C:\WINNT\system32\drivers\wacompen.sys
2008-04-13 18:43 12,800 ----a-w C:\WINNT\system32\spiisupd.exe
2008-04-13 18:43 12,672 ------w C:\WINNT\system32\drivers\mutohpen.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 22:10 68856]
"Google Update"="C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-04-19 10:27 51184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 15:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 20:12 65536 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 02:05 684032]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINNT\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-08 22:10:33 125624]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-04 20:39:41 784912]
Quicken Scheduled Updates.lnk - C:\Program Files\QUICKENW\bagent.exe [2003-07-29 22:49:48 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 mrtRate;mrtRate;C:\WINNT\system32\drivers\mrtRate.sys [2001-02-28 11:42]
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 13:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINNT\system32\DRIVERS\dsNcAdpt.sys [2007-08-10 00:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 13:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusbxp.sys [2002-02-20 03:34]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2008-04-13 14:47]

*Newly Created Service* - CATCHME
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2002-08-12 23:46:51 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2008-05-13 23:33:31 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 06:25:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 6:29:05
ComboFix-quarantined-files.txt 2008-05-14 10:29:00

Pre-Run: 32,940,429,312 bytes free
Post-Run: 33,106,268,160 bytes free

269 --- E O F --- 2008-04-09 21:30:29
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Double click on C:\WINNT\wininit.ini to open it up in Notepad. Copy and paste all the contents of that file here. Then go back to the file and delete everything. Copy/Paste the below two lines into it and save the file:

[rename]
nul=

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINNT\system32\oeuumlof.exe
C:\WINNT\system32\tcjhyobk.old
C:\WINNT\system32\smtvyxjv.exe
C:\WINNT\system32\cqhqmwfh.exe
C:\WINNT\system32\nqwrxbuh.exe
C:\WINNT\system32\mbahvmwx.exe
C:\WINNT\system32\odmtejdr.exe
C:\WINNT\system32\utxsccvg.exe
C:\WINNT\system32\mxaeobwb.exe
C:\WINNT\system32\nvljefnc.exe
C:\WINNT\system32\vjjklflv.exe
C:\WINNT\system32\dmwsjcgq.exe
C:\WINNT\system32\sloystbi.ini
C:\WINNT\system32\pxrrdtsj.ini
C:\WINNT\system32\suvjivqn.ini
C:\WINNT\BM6f147072.xml
Folder::
C:\VundoFix Backups
C:\WINNT\system32\bharebio05
C:\Temp\wdlw14

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#5
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Seems to be running much better, with much fewer popups. However I'm still getting tons of Symantec detections of viruses. Most recent have been Vundo or Trojan.LowZones.

Attached are the logs you requested. Thanks again for all of your efforts:

Wininit.ini
[rename]
c:\tempjunk7797.tmp=C:\WINNT\system32\jaytluro.dll_old
nul=c:\tempjunk361.tmp
c:\tempjunk5237.tmp=C:\WINNT\system32\kdrwvptg.dll_old
c:\tempjunk3694.tmp=C:\WINNT\system32\uwegesso.dll_old
c:\tempjunk6577.tmp=C:\WINNT\system32\dikusfwx.dll_old
c:\tempjunk4058.tmp=C:\WINNT\system32\gxbkwqji.dll_old
c:\tempjunk7305.tmp=C:\WINNT\system32\ixtpmvkh.dll_old
c:\tempjunk3531.tmp=C:\WINNT\system32\kxmwuuwt.dll_old
c:\tempjunk2332.tmp=C:\WINNT\system32\vxvehwwd.dll_old
c:\tempjunk9642.tmp=C:\WINNT\system32\wpiydaya.dll_old
c:\tempjunk6683.tmp=C:\WINNT\system32\cbxyxuvv.dll_old
c:\tempjunk361.tmp=C:\WINNT\system32\cbxyxuvv.dll_old



ComboFix 08-05-12.1 - Jennifer 2008-05-17 16:15:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.177 [GMT -4:00]
Running from: C:\Documents and Settings\Jennifer\Desktop\Computer Repair\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jennifer\Desktop\Computer Repair\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\BM6f147072.xml
C:\WINNT\system32\cqhqmwfh.exe
C:\WINNT\system32\dmwsjcgq.exe
C:\WINNT\system32\mbahvmwx.exe
C:\WINNT\system32\mxaeobwb.exe
C:\WINNT\system32\nqwrxbuh.exe
C:\WINNT\system32\nvljefnc.exe
C:\WINNT\system32\odmtejdr.exe
C:\WINNT\system32\oeuumlof.exe
C:\WINNT\system32\pxrrdtsj.ini
C:\WINNT\system32\sloystbi.ini
C:\WINNT\system32\smtvyxjv.exe
C:\WINNT\system32\suvjivqn.ini
C:\WINNT\system32\tcjhyobk.old
C:\WINNT\system32\utxsccvg.exe
C:\WINNT\system32\vjjklflv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\wdlw14
C:\VundoFix Backups
C:\VundoFix Backups\ntsqwhty.dll.bad
C:\VundoFix Backups\wpweloqx.dll.bad
C:\VundoFix Backups\xqolewpw.ini.bad
C:\VundoFix Backups\ythwqstn.ini.bad
C:\WINNT\BM6f147072.xml
C:\WINNT\system32\bharebio05
C:\WINNT\system32\cqhqmwfh.exe
C:\WINNT\system32\dmwsjcgq.exe
C:\WINNT\system32\mbahvmwx.exe
C:\WINNT\system32\mxaeobwb.exe
C:\WINNT\system32\nqwrxbuh.exe
C:\WINNT\system32\nvljefnc.exe
C:\WINNT\system32\odmtejdr.exe
C:\WINNT\system32\oeuumlof.exe
C:\WINNT\system32\pxrrdtsj.ini
C:\WINNT\system32\sloystbi.ini
C:\WINNT\system32\smtvyxjv.exe
C:\WINNT\system32\suvjivqn.ini
C:\WINNT\system32\tcjhyobk.old
C:\WINNT\system32\utxsccvg.exe
C:\WINNT\system32\vjjklflv.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-13 21:28 . 2004-08-04 03:56 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\system32\scripting
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\system32\en
2008-05-13 21:17 . 2008-05-13 21:17 <DIR> d-------- C:\WINNT\l2schemas
2008-05-13 20:29 . 2008-04-13 20:12 712,704 --------- C:\WINNT\system32\windowscodecs.dll
2008-05-13 20:29 . 2008-04-13 20:12 346,112 --------- C:\WINNT\system32\windowscodecsext.dll
2008-05-13 20:29 . 2008-04-13 20:12 276,992 --------- C:\WINNT\system32\wmphoto.dll
2008-05-13 20:29 . 2008-04-13 20:12 69,120 --------- C:\WINNT\system32\wlanapi.dll
2008-05-13 20:29 . 2008-04-13 20:12 53,248 --------- C:\WINNT\system32\tsgqec.dll
2008-05-13 20:29 . 2008-04-13 20:12 50,688 --------- C:\WINNT\system32\tspkg.dll
2008-05-13 20:27 . 2008-04-13 20:11 650,752 --------- C:\WINNT\system32\dot3ui.dll
2008-05-13 20:26 . 2008-04-13 20:11 233,472 --------- C:\WINNT\system32\azroles.dll
2008-05-13 20:26 . 2008-04-13 20:11 136,192 --------- C:\WINNT\system32\aaclient.dll
2008-05-13 20:26 . 2008-04-13 20:11 12,800 --------- C:\WINNT\system32\credssp.dll
2008-05-13 20:26 . 2008-04-13 20:11 7,168 --------- C:\WINNT\system32\bitsprx4.dll
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Malwarebytes
2008-05-13 18:17 . 2008-05-13 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 18:17 . 2008-05-05 20:46 27,048 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-05-13 18:17 . 2008-05-05 20:46 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-13 18:16 . 2008-05-13 18:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 13:00 . 2008-05-17 16:12 14 --a------ C:\WINNT\wininit.ini
2008-04-17 19:33 . 2008-04-17 19:33 <DIR> d-------- C:\Program Files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 20:01 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-16 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-13 23:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-05 22:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-25 18:50 --------- d-----w C:\Program Files\QUICKENW
2008-04-17 23:18 --------- d-----w C:\Documents and Settings\Jennifer\Application Data\LimeWire
2008-04-14 09:42 985,088 ----a-w C:\WINNT\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINNT\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINNT\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINNT\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINNT\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINNT\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINNT\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINNT\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINNT\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINNT\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINNT\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINNT\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINNT\system32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINNT\system32\dllcache\pmigrate.dll
2008-04-14 00:10 53,279 ----a-w C:\WINNT\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINNT\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINNT\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINNT\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINNT\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINNT\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINNT\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINNT\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINNT\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINNT\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINNT\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINNT\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINNT\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINNT\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINNT\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINNT\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINNT\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINNT\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINNT\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINNT\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINNT\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINNT\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINNT\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINNT\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINNT\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINNT\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINNT\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINNT\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINNT\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINNT\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINNT\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINNT\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINNT\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINNT\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINNT\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINNT\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINNT\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINNT\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINNT\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINNT\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINNT\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINNT\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ------w C:\WINNT\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINNT\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINNT\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINNT\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINNT\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINNT\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINNT\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINNT\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINNT\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINNT\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINNT\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINNT\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINNT\system32\drivers\usbprint.sys
2008-04-13 18:46 61,696 ----a-w C:\WINNT\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINNT\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINNT\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINNT\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINNT\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINNT\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINNT\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINNT\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINNT\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINNT\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINNT\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINNT\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINNT\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINNT\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINNT\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINNT\system32\drivers\dmio.sys
2008-04-13 18:43 9,728 ----a-w C:\WINNT\system32\comsdupd.exe
2008-04-13 18:43 14,208 ------w C:\WINNT\system32\drivers\wacompen.sys
2008-04-13 18:43 12,800 ----a-w C:\WINNT\system32\spiisupd.exe
2008-04-13 18:43 12,672 ------w C:\WINNT\system32\drivers\mutohpen.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_ 6.28.50.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 10:17:03 2,048 --s-a-w C:\WINNT\bootstat.dat
+ 2008-05-17 20:00:13 2,048 --s-a-w C:\WINNT\bootstat.dat
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINNT\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINNT\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 22:10 68856]
"Google Update"="C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-04-19 10:27 51184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 15:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 20:12 65536 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 02:05 684032]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINNT\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-08 22:10:33 125624]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-04 20:39:41 784912]
Quicken Scheduled Updates.lnk - C:\Program Files\QUICKENW\bagent.exe [2003-07-29 22:49:48 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 mrtRate;mrtRate;C:\WINNT\system32\drivers\mrtRate.sys [2001-02-28 11:42]
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 13:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINNT\system32\DRIVERS\dsNcAdpt.sys [2007-08-10 00:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 13:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusbxp.sys [2002-02-20 03:34]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2008-04-13 14:47]

*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2002-08-12 23:46:51 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2008-05-17 19:33:22 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 16:19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 16:24:10
ComboFix-quarantined-files.txt 2008-05-17 20:24:02
ComboFix2.txt 2008-05-14 10:29:06

Pre-Run: 33,034,227,712 bytes free
Post-Run: 33,020,297,216 bytes free

254 --- E O F --- 2008-05-17 07:01:21
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where is Symantec detecting these infections?

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
  • 0

#7
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Your question raised a good point... I recalled that Symantec will sometime re-scan the Quarantine directory. I have deleted all files in this directory and am doing a full system scan now. I will give you an update later today.

We may be there!
Brady
  • 0

#8
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
The last scan still found many instances, but throughout use today we saw no signs of the virus activity. Thanks for your help! I'm marking this as closed, and will reopen at a later time if there are any new issues.

THANK YOU!!
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where are the infected files found and what kind of files are they? I recommend getting rid of all the threats now unless they are just minor issues like cookies.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove Combofix.
  • 0

#10
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
I ran another scan last night and rec'd no detections. I've removed Combofix.

How do I mark a ticket as closed?

Thank you again!
  • 0

#11
bradyg23

bradyg23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Also, a Paypal donation has been made. I wish it could have been more. I do appreciate your time tremendously.
(Made from my wife's account (jennifer)).

Thanks
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. Thanks for the donation.

We will close the topic for you :)
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP