
nothing can rid me of this trojan.vundo?



#1 SuperJuice (Member, 19 posts)
This computer is used as a surveillance system for about 5 cameras. I made the mistake of installing a program that I downloaded, and immediately the computer started acting weird and the installation never launched. Symantec alerted, and I realized that something was at least attempting to infect my machine.

I immediately did the following:

Allowed Symantec (Corp ver 10) to quarantine & then clean infection noted as “Trojan low zones”
Followed instructions for removal on the Symantec site, which included:
• Disable System Restore (Windows Me/XP).
• Update the virus definitions.
• Ran a full system scan and deleted all the files detected (both while the computer was running and in safe mode). Nothing found in safe mode, but Autoprotect repeatedly pops up afterwards while the computer is running.
• Delete any values added to the registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (random dll’s being launched using rundll32.exe from the c:\winnt\system32 folder)
• Edited the Win.ini file. (found nothing as instructed)
• Reset the Internet security zone settings.

After rebooting, I realized this had not solved my problem, because I continued to receive Symantec notifications that Trojan low zones kept getting quarantined.
I ended both rundll32.exe and its child processes using taskkill.
I opened a cmd line and deleted the DLLs listed in the registry (under Windows they were hidden).
Rebooted into safe mode and checked tasklist - none created in safe mode.
Rebooted into regular mode & started getting alerts from Symantec that Trojan low zones was stopped & quarantined.
Saw entries for randomly named DLLs recreated in the registry under the same reg key as above. (One name kept being reproduced for entry bm27b31488.exe) from the c:\winnt\system32 folder.
Killed tasks, deleted the new DLLs again, removed the entries in the registry, restored rundll32.exe from CD to verify rundll32.exe was not corrupted.
Manually deleted folders, forcing hidden and system from the command prompt, that Symantec said were infected. Used the cmd prompt because Windows Explorer couldn't see them. (Folders had randomly generated names.)
Rebooted & still the same problem.

Not knowing what else to do, I started with the procedures listed in the "Must-Read-Before-Posting-HijackThisLog". After doing all of that and running the Panda active scan, I am seeing I am still infected, and it appears to be a variant of Vundo. Here are the results of the scans and the HJT log.

Malwarebytes' Anti-Malware 1.15
Database version: 834

1:17:27 PM 6/6/2008
mbam-log-6-6-2008 (13-17-27).txt

Scan type: Quick Scan
Objects scanned: 38818
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\awTligGY.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\cbxYOIbb.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c329f020-96e9-42f5-a152-f768e2d64295} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c329f020-96e9-42f5-a152-f768e2d64295} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxyoibb (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM27b31488 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\awtliggy -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\awtliggy -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\awTligGY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\YGgilTwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\YGgilTwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\cbojloap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\edruncuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\epwvvvsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
Generated 06/06/2008 at 02:56 PM

Application Version : 3.6.1000

Core Rules Database Version : 3476
Trace Rules Database Version: 1467

Scan type : Complete Scan
Total Scan Time : 01:27:39

Memory items scanned : 399
Memory threats detected : 0
Registry items scanned : 6291
Registry threats detected : 0
File items scanned : 70433
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Administrator.JAH\Cookies\administrator@adnetserver[1].txt

Adware.Vundo Variant/Rel
C:\WINNT\SYSTEM32\MCRH.TMP

Trace.Known Threat Sources
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\green_point[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\6XKXEZGB\all_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\6XKXEZGB\found[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\ycell[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\SL6BKPA3\red_point[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\prod_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\top[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\settings[1].js
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\SL6BKPA3\prod_right[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\line_dot[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\midl_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet

;*******************************************************************************
ANALYSIS: 2008-06-06 16:15:28
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Symantec AntiVirus Corporate Edition 10.1.0.394 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\cookies.txt[.doubleclick.net/]
02998680 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\upgnejrw.dll
03015501 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\xgjannya.dll
03021432 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\rxmavbrh.dll
03042529 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\fdrvaavn.dll
;===============================================================================
SUSPECTS
Sent Location o
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description o
;===============================================================================
108742 MEDIUM MS06-006 o
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:40 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINNT\system32\WgaTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Advanced Networking & ComputerS
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {16125534-db6b-545b-7504-3d3f5f6113f8} - {8f3116f5-f3d3-4057-b545-b6bd43552161} - C:\WINNT\system32\paxcpqmh.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [webcamXP] "W:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131241954171
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://66.47.111.253:84/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jah.com
O17 - HKLM\Software\..\Telephony: DomainName = jah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E01E0A74-4D61-478E-B5E1-4854E6D8E6BD}: Domain = jah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E01E0A74-4D61-478E-B5E1-4854E6D8E6BD}: NameServer = 10.100.100.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jah.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9217 bytes

Edited by SuperJuice, 08 June 2008 - 09:38 AM.
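The logs in this post show three autostart mechanisms the Vundo variant used: a BHO whose display name is just another CLSID (the O2 line for paxcpqmh.dll), Run entries that load a random eight-letter DLL from system32 through rundll32.exe, and a Winlogon Notify package (cbxyoibb in the MBAM log). As an added example, not code from the forum, the poster, or any of the scanners named, the Python script below parses HijackThis-style O2/O4/O20 lines and scores those structural signs so a helper can see at a glance which entries need attention. Four of the sample lines are copied from the HJT log above; the two marked as constructed mirror the Run\BM27b31488 value and the Winlogon Notify package that the MBAM log reported, and their exact command-line form is an assumption. The name heuristic on its own is weak (legitimate names such as igfxpers would match it), which is why it only adds weight to an entry that one of the three mechanisms already raised; anything it flags should still be compared against a known-good baseline of the machine before deletion.

```python
"""Triage of HijackThis-style autostart lines for Vundo-style persistence.

Added example for this thread; not a tool from the forum, from Trend Micro
or from any scanner in the post. Parses O2 (BHO), O4 (Run) and O20 (Winlogon
Notify) lines and scores: a BHO whose display name is itself a GUID, a Run
entry that loads a DLL through rundll32, and a Winlogon Notify handler loaded
from system32 under a random-looking eight-letter name.
"""
import re
from dataclasses import dataclass

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\S*?Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")
SYS32_RE = re.compile(r'^"?[a-z]:\\win(?:nt|dows)\\system32\\(?P<file>[^\\"]+)"?$', re.I)
VOWELS = "aeiou"


@dataclass
class Finding:
    line: str
    score: int
    reasons: list


def looks_random(stem: str) -> bool:
    """Eight letters, at most two vowels, and a run of 3+ consonants.
    Matches the names in the post's logs (paxcpqmh, cbxYOIbb, awTligGY);
    too weak to use alone, so it only adds weight to a mechanism finding."""
    s = stem.lower()
    if len(s) != 8 or not s.isalpha():
        return False
    if sum(c in VOWELS for c in s) > 2:
        return False
    longest = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return longest >= 3


def sys32_file(path: str):
    """File name if the path points into %SystemRoot%\\system32, else None."""
    m = SYS32_RE.match(path.strip())
    return m["file"] if m else None


def rundll32_target(cmd: str):
    """DLL path a 'rundll32.exe <dll>,<entry>' command line loads, else None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2:
        return None
    exe = parts[0].strip('"').lower()
    if exe not in ("rundll32", "rundll32.exe") and not exe.endswith("\\rundll32.exe"):
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def _random_sys32(path: str):
    f = sys32_file(path)
    return f if f and looks_random(f.rsplit(".", 1)[0]) else None


def assess(line: str) -> Finding:
    """Score one HJT line; reasons explain every point awarded."""
    score, reasons = 0, []
    if (m := O2_RE.match(line)):
        if GUID_RE.match(m["name"]):
            score += 2
            reasons.append("BHO display name is a CLSID rather than a product name")
        if (f := _random_sys32(m["path"])):
            score += 1
            reasons.append(f"BHO module {f} has a random-looking name in system32")
    elif (m := O4_RE.match(line)):
        if (target := rundll32_target(m["cmd"])):
            score += 1
            reasons.append("Run entry loads a DLL through rundll32")
            if (f := _random_sys32(target)):
                score += 2
                reasons.append(f"rundll32 target {f} has a random-looking name in system32")
    elif (m := O20_RE.match(line)):
        if sys32_file(m["path"]):
            score += 1
            reasons.append("Winlogon Notify handler is loaded from system32")
            if (f := _random_sys32(m["path"])):
                score += 2
                reasons.append(f"handler {f} has a random-looking name")
    return Finding(line, score, reasons)


def triage(lines, threshold: int = 2):
    """Findings at or above threshold, highest score first."""
    found = [assess(l) for l in lines]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# Sample input: four lines copied from the HJT log in the post, plus two
# CONSTRUCTED lines that mirror the Run\BM27b31488 value and the Winlogon
# Notify package the MBAM log reported (the command-line form is assumed).
SAMPLE_LINES = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: {16125534-db6b-545b-7504-3d3f5f6113f8} - {8f3116f5-f3d3-4057-b545-b6bd43552161} - C:\WINNT\system32\paxcpqmh.dll",
    r'O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"',
    r"O4 - HKLM\..\Run: [BM27b31488] rundll32.exe C:\WINNT\system32\cbxYOIbb.dll",  # constructed
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: cbxyoibb - C:\WINNT\system32\cbxYOIbb.dll",  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print("     -", r)
```

Run as a script it prints the three flagged entries with their reasons and leaves the Yahoo BHO, the Acrobat Run entry and the SUPERAntiSpyware Winlogon handler unflagged. To use it on a real log, pass the O2/O4/O20 lines of the HJT output to `triage()`; the threshold of 2 means a lone weak signal is never reported by itself.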



#2 SuperJuice (Topic Starter)
Ran ComboFix based upon another post almost exactly like mine. Here is the log. The first time, ComboFix hung after rebooting, so I had to end task and run it again. This is the log from the 2nd time.

ComboFix 08-06-06.4 - Administrator 2008-06-06 17:10:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.684 [GMT -4:00]
Running from: \\nas\software\camsrv repair\06 combofix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINNT\BM27b31488.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\lthsacmr.dll
C:\WINNT\system32\npuhpifr.dll
C:\WINNT\system32\paxcpqmh.dll
C:\WINNT\system32\unbwxdef.dll
C:\WINNT\system32\xwpyacok.dll
C:\WINNT\system32\YGgilTwa.ini
C:\WINNT\system32\YGgilTwa.ini2
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 16:23 . 2008-06-06 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 15:10 . 2008-06-06 15:11 <DIR> d-------- C:\Program Files\Panda Security
2008-06-06 13:26 . 2008-06-06 15:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 13:26 . 2008-06-06 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 13:26 . 2008-06-06 13:26 <DIR> d-------- C:\Documents and Settings\Administrator.JAH\Application Data\SUPERAntiSpyware.com
2008-06-06 13:24 . 2008-06-06 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 13:03 . 2008-06-06 13:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 13:03 . 2008-06-06 13:03 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-06 13:03 . 2008-06-06 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 13:03 . 2008-06-06 13:03 <DIR> d-------- C:\Documents and Settings\Administrator.JAH\Application Data\Malwarebytes
2008-06-06 13:03 . 2008-06-05 16:04 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-06 13:03 . 2008-06-05 16:04 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-31 09:07 . 2008-05-31 09:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-29 15:14 . 2008-05-29 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-29 14:09 . 2008-05-29 14:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-23 04:09 . 2008-05-23 04:09 <DIR> d-------- C:\Program Files\File Shredder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 21:08 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-02 21:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 00:16 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-02 00:15 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-02 00:14 --------- d-----w C:\Program Files\Microsoft Works
2008-05-02 00:08 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-16 14:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 14:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AccessData
2008-04-16 12:00 --------- d-----w C:\Program Files\Cache View
2008-04-16 11:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-16 11:10 --------- d-----w C:\Program Files\Symantec
2008-04-16 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-15 22:38 3,712 ----a-w C:\WINNT\system32\drivers\PIOdriver.sys
2008-04-15 16:58 --------- d-----w C:\Program Files\AccessData
2008-03-27 08:12 151,583 ----a-w C:\WINNT\system32\msjint40.dll