WIN32:VUNDO@dll [CLOSED]



#1
Dan26

I ran the suggested progs and was not able to get Panda scan to dl because Avast kept flagging the files as viruses. Here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:47 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5F4129-CAD7-4D74-B03C-245D39173455} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2546349588-695602044-64674266-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2546349588-695602044-64674266-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2546349588-695602044-64674266-1005\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User '?')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 9610 bytes


#2
greyknight17

Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {DC5F4129-CAD7-4D74-B03C-245D39173455} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\Viewpoint\

1. Download ComboFix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe. Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
Dan26

Finally got ComboFix to finish. When it was running I got a corrupt file warning, and after the reboot chkdsk removed the file ncobjapi.dll and I had to replace it so system.exe would work again. If this will affect the output of the log file let me know and I will do it again.


ComboFix 08-05-29.1 - Dan 2008-05-31 16:09:40.1 - NTFSx86
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\2VP2WSH6\www.broadcaster.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\2VP2WSH6\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\2VP2WSH6\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\ncobjapi.dll
C:\WINDOWS\system32\nWabdcfe.ini
C:\WINDOWS\system32\nWabdcfe.ini2
C:\WINDOWS\system32\pcyxndxq.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-30 18:16 . 2008-05-30 18:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 17:58 . 2008-05-30 17:58 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 15:24 . 2008-05-30 15:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 15:24 . 2008-05-30 15:24 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 15:24 . 2008-05-30 15:24 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2008-05-30 15:24 . 2008-05-30 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 15:24 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 15:24 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 13:41 . 2008-05-30 15:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-30 13:41 . 2008-05-30 13:41 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-05-30 13:41 . 2008-05-30 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 06:28 . 2008-05-30 06:28 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-29 18:55 . 2008-05-29 16:53 163,840 --a------ C:\WINDOWS\emfk.exe
2008-05-26 18:03 . 2008-05-26 18:03 231 --ah----- C:\H.lnk
2008-05-08 21:27 . 2008-05-08 21:27 <DIR> d-------- C:\Program Files\Seagate
2008-05-04 19:39 . 2007-08-14 21:29 345,984 --a------ C:\WINDOWS\system32\drivers\sfsz.sys
2008-05-04 19:39 . 2007-08-08 19:55 163,927 --a------ C:\WINDOWS\system32\ZSANCoInst.dll
2008-05-04 19:39 . 2007-08-08 19:57 15,488 --a------ C:\WINDOWS\system32\drivers\ZetBus.sys
2008-05-04 19:39 . 2007-08-08 19:57 12,800 --a------ C:\WINDOWS\system32\drivers\ZetSFD.sys
2008-05-04 19:39 . 2007-08-08 19:57 5,120 --a------ C:\WINDOWS\system32\drivers\ZetMPD.sys
2008-05-04 19:20 . 2008-05-04 19:20 <DIR> d-------- C:\cabs
2008-05-04 18:29 . 2008-05-04 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-05-04 18:21 . 2008-05-04 18:21 400,864 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-05-04 18:21 . 2008-05-04 18:21 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-05-04 18:21 . 2008-05-04 18:21 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-05-04 18:20 . 2008-05-04 18:20 <DIR> d-------- C:\Program Files\Maxtor
2008-05-04 18:20 . 2008-05-04 18:20 <DIR> d-------- C:\Program Files\Common Files\Maxtor
2008-05-04 15:26 . 2008-05-04 19:39 <DIR> d-------- C:\Program Files\NETGEAR
2008-05-03 22:34 . 2008-05-03 22:34 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-03 22:34 . 2008-05-03 22:34 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2008-05-03 22:33 . 2008-05-03 22:35 <DIR> d-------- C:\Program Files\Zune
2008-05-03 22:33 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2008-05-03 22:33 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2008-05-03 22:33 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-05-03 22:33 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\system32\ZuneUsbCOnnection.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-30 18:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 23:27 --------- d-----w C:\Documents and Settings\Dan\Application Data\BitTorrent
2008-05-14 11:10 --------- d-----w C:\Program Files\Lexmark 6500 Series
2008-05-05 00:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 23:19 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-05-02 16:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\AdobeUM
2008-04-27 20:47 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-22 23:06 --------- d-----w C:\Program Files\Runtime Software
2008-04-20 16:19 --------- d-----w C:\Program Files\Absolute MP3 Splitter
2008-04-20 15:53 --------- d-----w C:\Program Files\Expstudio
2008-04-20 15:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-20 15:42 --------- d-----w C:\Program Files\NetWaiting
2008-04-20 15:42 --------- d-----w C:\Program Files\music_now
2008-04-20 15:42 --------- d-----w C:\Program Files\MagicISO
2008-04-20 15:42 --------- d-----w C:\Program Files\LimeWire
2008-04-20 15:42 --------- d-----w C:\Program Files\GemMaster
2008-04-20 15:42 --------- d-----w C:\Program Files\Encarta Online
2008-04-20 15:42 --------- d-----w C:\Program Files\AIM
2008-04-14 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-14 22:36 --------- d-----w C:\Program Files\IVT Corporation
2008-04-07 01:49 --------- d-----w C:\Program Files\Quicken
2008-04-02 00:11 --------- d-----w C:\Program Files\Gutterball 2
2007-07-08 23:04 87,608 ----a-w C:\Documents and Settings\Dan\Application Data\ezpinst.exe
2007-07-08 23:04 47,360 ----a-w C:\Documents and Settings\Dan\Application Data\pcouffin.sys
.

------- Sigcheck -------

2006-03-15 23:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2006-03-15 23:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2006-03-15 23:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2005-07-03 05:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2006-03-15 23:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2006-01-09 13:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\system32\wininet.dll

2005-05-25 22:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 20:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-03-15 23:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 22:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 05:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\system32\drivers\tcpip.sys

2006-03-15 23:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2006-03-15 23:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\$NtUninstallKB912436$\ndis.sys
2006-01-09 20:01 182528 aa898f84d2b59129fb92e143a2c73434 C:\WINDOWS\system32\drivers\ndis.sys

2006-03-15 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2004-08-04 00:59 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB896256$\ntkrnlpa.exe
2005-09-28 18:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB909095$\ntkrnlpa.exe
2005-10-11 18:54 2057344 ddbfa4eae9251712f20193dd47b361bd C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2005-10-11 18:54 2015232 0c691ecad81707d3a7797512ac932c62 C:\WINDOWS\system32\ntkrnlpa.exe

2004-08-04 01:18 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB896256$\ntoskrnl.exe
2005-09-28 19:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB909095$\ntoskrnl.exe
2005-10-11 19:20 2180096 7b69ea89c7b9966bf552a070d97c5013 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2005-10-11 19:18 2136064 c5290e302241594b668a378d89fd903e C:\WINDOWS\system32\ntoskrnl.exe

2006-03-15 23:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe

2006-03-15 23:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2006-03-15 23:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2006-03-15 23:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 23:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-30 15:22 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 00:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 00:58 86016]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 00:22 794713]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 14:43 331776]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58 159744]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 22:30 188416]
"lxdfmon.exe"="C:\Program Files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 20:53 455600]
"lxdfamon"="C:\Program Files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 15:06 20480]
"Lexmark 6500 Series Fax Server"="C:\Program Files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 20:56 308144]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-15 23:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [2007-08-08 17:26 1169440]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [2007-08-08 17:39 1945448]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-08-08 17:31 148760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-30 15:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-30 15:22 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"Cpqset"=C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"High Definition Audio Property Page Shortcut"=CHDAudPropShortcut.exe
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe"
"Profiler"=C:\Program Files\Saitek\Software\Profiler.exe
"nwiz"=nwiz.exe /installquiet /nodetect
"SaiSmart"=C:\Program Files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\WINDOWS\\ehome\\ehExtHost.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\Wireless\\lxdfwpss.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23432:TCP"= 23432:TCP:BitComet 23432 TCP
"23432:UDP"= 23432:UDP:BitComet 23432 UDP
"19048:TCP"= 19048:TCP:BitComet 19048 TCP
"19048:UDP"= 19048:UDP:BitComet 19048 UDP
"20001:UDP"= 20001:UDP:MicroSAN
"80:TCP"= 80:TCP:Web


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##spyder#g]
\Shell\AutoRun\command - Z:\AutoPlay.exe -c

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 22:51:11 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 09:41:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\DOCUME~1\Dan\LOCALS~1\Temp\SSUPDATE.EXE
.
**************************************************************************
.
Completion time: 2008-06-01 10:26:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 15:26:13

Pre-Run: 47,284,195,328 bytes free
Post-Run: 47,224,233,984 bytes free

234

#4
greyknight17

You sure it was system.exe? Make sure because if it's system.exe, it's a bad file....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\emfk.exe
C:\H.lnk
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Make sure you turn off any antivirus programs you have running while performing the online scan below. Using Internet Explorer, run a virus scan at http://www.kaspersky.com/virusscanner. Click on 'Launch Kaspersky Anti-Virus Web Scanner' and install the ActiveX component from Kaspersky. Click Yes and it will begin downloading the latest definition files. Once that's done, click on 'Scan Settings' and make sure the following are selected:

Scan using the following Anti-Virus database:
- Extended

Scan Options:
- Scan Archives
- Scan Mail Bases

Click OK. Now under select a target to scan, select 'My Computer'. It will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the 'Save as Text' button. Save the file to your desktop. Copy and paste that information in your next post.

#5
greyknight17

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.