Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Vundo Variant Removal [RESOLVED]


  • This topic is locked This topic is locked

#1
namspa

namspa

    New Member

  • Member
  • Pip
  • 7 posts
For the past couple weeks I have been working on my sonís computer. He was experiencing slow booting & loading, a weird variety of popups. Then the back ground changed with an infection warning along with infection warning popups. I ran Hijackthis and found many problems. I Googled all entries and have gotten rid of almost everything. The computer boots up fine and the background is back to normal. It is still extremely slow. I have downloaded and ran: HijackThis, SDFix, Malwarebytes, and Combofix. HijackThis is clean with the exception of one rootkit. I believe this to be a Vundo variant (C:\WINDOWS\SYSTEM32\vtUlKCvw.dll). I am not sure what the next step with Combofix is and have not yet created the CFscript.txt file. I would ask for some assistance with this. I ran Combofix twice because the first time the computer stalled. I rebooted and ran it again. This time it completed and returned a text file. I have posted the latest HijackThis log and Combofix text. Thank you in advance for taking the time to review this. Note: I was using HijackThis v1.99.1 and had to bootup and run v2.02 to post this. The computer has been turned off sence 5/31/2008.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:33 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUlKCvw.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O20 - Winlogon Notify: vtUlKCvw - C:\WINDOWS\SYSTEM32\vtUlKCvw.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--





ComboFix 08-05-29.1 - Administrator 2008-05-30 19:39:33.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\AntiSpywareExpert
C:\Program Files\AntiSpywareExpert\ase.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\setup.exe
C:\WINDOWS\BM3bdc1717.xml
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fledvbqf.dll
C:\WINDOWS\system32\kfroviqp.ini
C:\WINDOWS\system32\mpoerxcp.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pqivorfk_old.dll
C:\WINDOWS\system32\qrpulpyu.dll
C:\WINDOWS\system32\tebjnpdo.dll
C:\WINDOWS\system32\xEgMnnmp.ini
C:\WINDOWS\system32\xEgMnnmp.ini2
C:\WINDOWS\system32\yvldkgit.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 19:23 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-29 19:10 . 2008-05-29 19:10 17,664 --a------ C:\WINDOWS\funny.exe
2008-05-28 20:37 . 2008-05-28 20:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 20:33 . 2008-05-29 07:15 <DIR> d-------- C:\SDFix
2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Deckard
2008-05-27 20:33 . 2008-05-27 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-27 20:33 . 2008-05-27 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 20:31 . 2008-05-27 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 18:14 . 2008-05-30 19:30 <DIR> d-------- C:\Program Files\Hijack This
2008-05-24 17:29 . 2008-05-24 17:29 315,120 --a------ C:\WINDOWS\system32\pmnnMgEx_old.dll
2008-05-24 17:25 . 2008-05-29 05:09 <DIR> d-------- C:\Temp
2008-05-24 17:24 . 2008-05-24 17:24 26,384 --a------ C:\WINDOWS\system32\vtUlKCvw.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 14:51 . 2008-04-27 14:51 <DIR> d-------- C:\Program Files\iPod
2008-04-27 14:50 . 2008-04-27 14:51 <DIR> d-------- C:\Program Files\iTunes
2008-04-27 14:47 . 2008-04-27 14:48 <DIR> d-------- C:\Program Files\QuickTime
2008-04-20 09:23 . 2008-04-21 08:22 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 23:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-30 23:12 1,311,232 ----a-w C:\WINDOWS\Internet Logs\rDB13.tmp
2008-05-30 07:20 1,317,888 ----a-w C:\WINDOWS\Internet Logs\rDB3.tmp
2008-05-28 20:18 1,309,696 ----a-w C:\WINDOWS\Internet Logs\rDB1F.tmp
2008-05-18 08:11 --------- d-----w C:\Program Files\Norton SystemWorks
2008-05-10 01:31 --------- d-----w C:\Program Files\3GP Player
2008-05-05 07:15 1,207,296 ----a-w C:\WINDOWS\Internet Logs\rDB1E.tmp
2008-04-27 22:17 --------- d-----w C:\Program Files\Java
2008-04-27 19:03 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 15:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-04-14 07:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 09:14 1,078,784 ----a-w C:\WINDOWS\Internet Logs\rDB1D.tmp
2008-03-15 03:32 1,071,104 ----a-w C:\WINDOWS\Internet Logs\rDB1C.tmp
2008-02-23 03:24 1,062,912 ----a-w C:\WINDOWS\Internet Logs\rDB1B.tmp
2008-02-09 15:45 1,065,472 ----a-w C:\WINDOWS\Internet Logs\rDB1A.tmp
2008-01-14 16:58 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-01-14 16:55 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-01-05 11:12 7,237,952 ----a-w C:\Documents and Settings\torrents\vsoConvertXtoDVD2_setup.exe
2007-10-22 22:08 79,856 ----a-w C:\Documents and Settings\torrents\MySpaceIM_Setup.exe
2007-09-17 16:01 612,152 ----a-w C:\Documents and Settings\torrents\DivoCodec-1.3.0.0-setup-0708.exe
2007-09-10 19:17 6,211,190 ----a-w C:\Documents and Settings\torrents\Combined-Community-Codec-Pack-2007-07-22.exe
2007-07-25 01:07 9,372,240 ----a-w C:\Program Files\DivXCreate.exe
2007-07-06 00:47 4,377,640 ----a-w C:\Documents and Settings\setup\LimeWireWin.exe
2007-02-03 16:37 6,576,504 ----a-w C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-02-03 16:35 7,744 ----a-w C:\Program Files\te.nfo
2007-02-03 16:35 413 ----a-w C:\Program Files\file_id.diz
2006-09-10 22:34 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-02-11 13:35 13,312 ----a-w C:\Documents and Settings\Crack\ConvertXtoDVD2x_GOLDCrack.exe
2005-06-16 00:31 9,372,240 ----a-w C:\Program Files\DivXCreate.exe.BAK
2005-06-15 23:36 9,681 ----a-w C:\Program Files\ARTeam.nfo
2005-06-15 23:36 162 ----a-w C:\Program Files\ARTeam.sfv
2005-06-15 23:35 95,232 ----a-w C:\Program Files\DivX.Pro.v6.0.and.Converter.v1.0.patch.exe
2004-08-28 23:52 113 ----a-w C:\Documents and Settings\Downloaded\registration.reg
2004-08-28 23:48 544,768 ----a-w C:\Documents and Settings\Downloaded\Mp3Mate.exe
2007-12-16 01:44 32 --sha-w C:\WINDOWS\{0FC147B1-546D-4484-AEDD-0F73AECD56A3}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\{4EBAEA51-FB54-415A-AD03-4C9A669992B9}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{5EF8D301-4AC0-48DD-B4EC-A363CD65563D}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{6BE9F5BA-9041-44A0-962F-915B93D08C8F}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{75F45582-67BC-41E1-8888-C125AE961041}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{7D615075-59A4-4BE4-9CD0-3682664E3C39}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{D6416FA0-D047-428B-B6DC-635F113FD320}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{1222392D-1E1B-4023-A322-40C0C03F45E7}.dat
2007-12-16 01:44 32 --sha-w C:\WINDOWS\system32\{4C6632E1-AF6C-41E6-8056-17FDAA01ECFF}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{6E9ED633-9F77-442F-98E6-50107A9115D4}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{BDFC48EB-D892-4154-B8FB-9EF3123D0A6C}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\system32\{C8EAE0FE-BFD2-4C1E-B3BF-1D08D17749E3}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{F69BC3B5-0F31-4484-A21C-64A89BE7C1E6}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{FBBBDEF1-6BA4-4255-98F0-4FDEC7A07D1F}.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.07.56.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 12:00:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 23:21:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}]
2008-05-24 17:24 26384 --a------ C:\WINDOWS\system32\vtUlKCvw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-24 21:45 171448]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06 94208]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36 1207080]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17 50736]
"Microsoft Windows Installer"="C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\18852.exe" [2008-05-24 17:24 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-09-10 20:38 45056]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-09-20 00:59 28672]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2008-05-27 20:23 94208]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 02:33 45056]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-12-02 10:17 73728]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-12-21 18:38 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"webHancer Agent"="C:\Program Files\webHancer\Programs\whagent.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF25734.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B1A64443-6FCA-41CE-8D51-5F8991257555}"= C:\WINDOWS\system32\vtUlKCvw.dll [2008-05-24 17:24 26384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlKCvw]
vtUlKCvw.dll 2008-05-24 17:24 26384 C:\WINDOWS\system32\vtUlKCvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 06:43]
R0 pueqhkby;pueqhkby;C:\WINDOWS\system32\drivers\hgyxkfaw.dat []
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 16:11]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
R3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 12:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 09:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 13:49:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-30 04:00:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 13:00:06 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 14:05:20 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 15:00:07 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 16:00:05 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 17:00:18 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 18:00:23 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 19:00:10 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 20:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 21:00:02 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 22:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 23:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-31 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-31 01:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 02:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 03:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 09:00:01 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 10:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-30 11:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-29 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0j6K3yvh.exe
"2008-05-31 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-30 21:30:01 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-05-31 01:49:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 19:56:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pueqhkby]
"ImagePath"="system32\drivers\hgyxkfaw.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vtUlKCvw.dll
.
Completion time: 2008-05-30 21:56:36
ComboFix-quarantined-files.txt 2008-05-31 01:53:07

Pre-Run: 28,967,522,304 bytes free
Post-Run: 28,935,499,776 bytes free

270
  • 0

Advertisements


#2
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa :)

Welcome.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\WINDOWS\Tasks\At1.jobC:\WINDOWS\Tasks\At10.jobC:\WINDOWS\Tasks\At11.jobC:\WINDOWS\Tasks\At12.jobC:\WINDOWS\Tasks\At13.jobC:\WINDOWS\Tasks\At14.jobC:\WINDOWS\Tasks\At15.jobC:\WINDOWS\Tasks\At16.jobC:\WINDOWS\Tasks\At17.jobC:\WINDOWS\Tasks\At18.jobC:\WINDOWS\Tasks\At19.jobC:\WINDOWS\Tasks\At2.jobC:\WINDOWS\Tasks\At20.jobC:\WINDOWS\Tasks\At21.jobC:\WINDOWS\Tasks\At22.jobC:\WINDOWS\Tasks\At23.jobC:\WINDOWS\Tasks\At24.jobC:\WINDOWS\Tasks\At3.jobC:\WINDOWS\Tasks\At4.jobC:\WINDOWS\Tasks\At5.jobC:\WINDOWS\Tasks\At6.jobC:\WINDOWS\Tasks\At7.jobC:\WINDOWS\Tasks\At8.jobC:\WINDOWS\Tasks\At9.jobCollect::C:\WINDOWS\system32\0j6K3yvh.exeC:\WINDOWS\system32\drivers\hgyxkfaw.datC:\WINDOWS\funny.exeC:\WINDOWS\system32\pmnnMgEx_old.dllC:\WINDOWS\system32\vtUlKCvw.dllC:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\18852.exeDriver::pueqhkbyRegistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Microsoft Windows Installer"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"webHancer Agent"=-"combofix"=-[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"DisableTaskMgr"=-[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"DisableTaskMgr"=-[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{B1A64443-6FCA-41CE-8D51-5F8991257555}"=-[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlKCvw]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.
  • 0

#3
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for the quick reply. I ran the CFScript.txt file. Here is the new HijackThis log and the Combofix text. HijackThis log looks good. The only thing I see now is the missing Java dll and Norton Antivirus has been disabled and will not enable. Once Java is updated and I manually remove and reinstall Norton all should be good to go. I will hold off on these repairs until we are finished here. Many thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:42 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--



ComboFix 08-05-29.1 - Administrator 2008-06-08 23:36:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\18852.exe
C:\WINDOWS\system32\drivers\hgyxkfaw.dat
C:\WINDOWS\system32\pmnnMgEx.dll
C:\WINDOWS\system32\vtUlKCvw.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PUEQHKBY
-------\Service_pueqhkby


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 19:23 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-29 05:11 . 2008-05-29 05:11 13,312 --a------ C:\WINDOWS\funny_old.exe
2008-05-28 20:37 . 2008-05-28 20:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 20:33 . 2008-05-31 19:42 <DIR> d-------- C:\SDFix
2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Deckard
2008-05-27 20:33 . 2008-05-27 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-27 20:33 . 2008-05-27 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 20:31 . 2008-05-27 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 18:14 . 2008-06-08 19:15 <DIR> d-------- C:\Program Files\Hijack This
2008-05-24 17:25 . 2008-05-29 05:09 <DIR> d-------- C:\Temp
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 06:42 1,314,816 ----a-w C:\WINDOWS\Internet Logs\rDB21.tmp
2008-05-31 13:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-31 07:34 1,311,232 ----a-w C:\WINDOWS\Internet Logs\rDB20.tmp
2008-05-30 23:12 1,311,232 ----a-w C:\WINDOWS\Internet Logs\rDB13.tmp
2008-05-30 07:20 1,317,888 ----a-w C:\WINDOWS\Internet Logs\rDB3.tmp
2008-05-28 20:18 1,309,696 ----a-w C:\WINDOWS\Internet Logs\rDB1F.tmp
2008-05-18 08:11 --------- d-----w C:\Program Files\Norton SystemWorks
2008-05-10 01:31 --------- d-----w C:\Program Files\3GP Player
2008-05-05 07:15 1,207,296 ----a-w C:\WINDOWS\Internet Logs\rDB1E.tmp
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 22:17 --------- d-----w C:\Program Files\Java
2008-04-27 19:03 --------- d-----w C:\Program Files\Apple Software Update
2008-04-27 18:51 --------- d-----w C:\Program Files\iTunes
2008-04-27 18:51 --------- d-----w C:\Program Files\iPod
2008-04-27 18:48 --------- d-----w C:\Program Files\QuickTime
2008-04-20 15:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-04-14 07:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 09:14 1,078,784 ----a-w C:\WINDOWS\Internet Logs\rDB1D.tmp
2008-03-15 03:32 1,071,104 ----a-w C:\WINDOWS\Internet Logs\rDB1C.tmp
2008-01-14 16:58 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-01-14 16:55 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-01-05 11:12 7,237,952 ----a-w C:\Documents and Settings\torrents\vsoConvertXtoDVD2_setup.exe
2007-10-22 22:08 79,856 ----a-w C:\Documents and Settings\torrents\MySpaceIM_Setup.exe
2007-09-17 16:01 612,152 ----a-w C:\Documents and Settings\torrents\DivoCodec-1.3.0.0-setup-0708.exe
2007-09-10 19:17 6,211,190 ----a-w C:\Documents and Settings\torrents\Combined-Community-Codec-Pack-2007-07-22.exe
2007-07-25 01:07 9,372,240 ----a-w C:\Program Files\DivXCreate.exe
2007-07-06 00:47 4,377,640 ----a-w C:\Documents and Settings\setup\LimeWireWin.exe
2007-02-03 16:37 6,576,504 ----a-w C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-02-03 16:35 7,744 ----a-w C:\Program Files\te.nfo
2007-02-03 16:35 413 ----a-w C:\Program Files\file_id.diz
2006-09-10 22:34 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-02-11 13:35 13,312 ----a-w C:\Documents and Settings\Crack\ConvertXtoDVD2x_GOLDCrack.exe
2005-06-16 00:31 9,372,240 ----a-w C:\Program Files\DivXCreate.exe.BAK
2005-06-15 23:36 9,681 ----a-w C:\Program Files\ARTeam.nfo
2005-06-15 23:36 162 ----a-w C:\Program Files\ARTeam.sfv
2005-06-15 23:35 95,232 ----a-w C:\Program Files\DivX.Pro.v6.0.and.Converter.v1.0.patch.exe
2004-08-28 23:52 113 ----a-w C:\Documents and Settings\Downloaded\registration.reg
2004-08-28 23:48 544,768 ----a-w C:\Documents and Settings\Downloaded\Mp3Mate.exe
2007-12-16 01:44 32 --sha-w C:\WINDOWS\{0FC147B1-546D-4484-AEDD-0F73AECD56A3}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\{4EBAEA51-FB54-415A-AD03-4C9A669992B9}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{5EF8D301-4AC0-48DD-B4EC-A363CD65563D}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{6BE9F5BA-9041-44A0-962F-915B93D08C8F}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{75F45582-67BC-41E1-8888-C125AE961041}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{7D615075-59A4-4BE4-9CD0-3682664E3C39}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{D6416FA0-D047-428B-B6DC-635F113FD320}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{1222392D-1E1B-4023-A322-40C0C03F45E7}.dat
2007-12-16 01:44 32 --sha-w C:\WINDOWS\system32\{4C6632E1-AF6C-41E6-8056-17FDAA01ECFF}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{6E9ED633-9F77-442F-98E6-50107A9115D4}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{BDFC48EB-D892-4154-B8FB-9EF3123D0A6C}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\system32\{C8EAE0FE-BFD2-4C1E-B3BF-1D08D17749E3}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{F69BC3B5-0F31-4484-A21C-64A89BE7C1E6}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{FBBBDEF1-6BA4-4255-98F0-4FDEC7A07D1F}.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.07.56.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 12:00:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 03:50:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 00:37:48 5,496,832 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-31 22:31:28 5,496,832 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-29 00:37:48 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-31 22:31:28 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-24 21:45 171448]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06 94208]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36 1207080]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-09-10 20:38 45056]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-09-20 00:59 28672]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2008-05-27 20:23 94208]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 02:33 45056]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-12-02 10:17 73728]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-12-21 18:38 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-14 23:17:45 25214]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 08:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 06:43]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 16:11]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
R3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 12:19]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 09:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 13:49:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-31 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe
"2008-05-30 21:30:01 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-06-09 03:54:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 23:51:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-08 23:54:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 03:54:18
ComboFix2.txt 2008-05-31 01:57:02

Pre-Run: 28,981,559,296 bytes free
Post-Run: 28,945,596,416 bytes free

252
  • 0

#4
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa :)

Were you able to download the .zip folder to BC?

Many peer-to-peer networks are under constant attack by people with a variety of motives.

Examples include:
  • poisoning attacks (e.g. providing files whose contents are different than the description)
  • denial of service attacks (attacks that may make the network run very slowly or break completely)
  • defection attacks (users or software that make use of the network without contributing resources to it)
  • insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware)
  • malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware)
  • filtering (network operators may attempt to prevent peer-to-peer network data from being carried)
  • identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them)
  • spamming (e.g. sending unsolicited information across the network- not necessarily as a denial of service attack)

The rest of the log looks clear. How is the computer doing?
  • 0

#5
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi JSntgRvr,
I have the .ZIP file on the desktop but I have not reconnected that computer to the Internet as yet. I ran Malwarebytes again and I still have a few things (16) to remove. Every time I try to have Malwarebytes remove the infected files, the computer shuts down and reboots. Guess Iíll go in manually and remove them. Also, Norton Antivirus is still disabled and will not enable. Iíll need to manually uninstall and reinstall that, once Iím sure everything bad is removed, before I reconnect to the Internet. Hope to have it back up and running by the weekend. Thank you again so very much for your assistance. These things are getting harder and harder to remove and I was not too sure how to construct the CFScript.txt file. I didnít want to miss anything.



Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Full Scan (C:\|)
Objects scanned: 79359
Time elapsed: 54 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Downloads\games\CORE10k.EXE (Trojan.Agent) -> No action taken.
C:\Program Files\Hijack This\backups\backup-20080529-191639-447.dll (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP299\A0034084.dll (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP299\A0036097.exe (Trojan.LowZones) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP299\A0036100.exe (Trojan.LowZones) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP300\A0036119.dll (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP300\A0036120.exe (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP300\A0036122.exe (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{8E13F4CD-52E1-4FAD-8A69-3E2AF66FBBAF}\RP300\A0037210.exe (Adware.SearchAid) -> No action taken.
  • 0

#6
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa :)

You wont be able to remove anything in these folders:

C:\System Volume Information ->System Restore
C:\Qoobox ->Combofix backup folder

I will remove those shortly.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\Downloads\games\CORE10k.EXE

Registry::
[-HKEY_CURRENT_USER\Software\Trymedia Systems]
[-HKEY_CURRENT_USER\Software\Microsoft\affri]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan]


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

How is the computer performance-wise. I will remove leftovers backed-up by either Windows of a Security program shortly. I need to see these reports first.
  • 0

#7
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The computers performance is much better. I think that was the last of it. I had already turned off system restore and rebooted. That cleared the C:\System Volume Information ->System Restore. I enabled System Restore and rebooted again to reestablish a restore point. Today I ran the new CFScript.txt, then HijackThis and Malwarebytes. See new posts below. HijackThis and Malwarebytes look clean. The new ComboFix.txt has one item I noticed:

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

Is this why I cannot enable Norton AntiVirus? Can I regedit and change the dword value to Ď00000000í so I can enable Auto-Protect? Also, Norton AntiVirus Email Scanning status is showing ĎERRORí.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:44 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--



ComboFix 08-05-29.1 - Administrator 2008-06-10 16:57:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Downloads\games\CORE10k.EXE
.

((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-29 19:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-29 19:23 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 19:23 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-29 05:11 . 2008-05-29 05:11 13,312 --a------ C:\WINDOWS\funny_old.exe
2008-05-28 20:37 . 2008-05-28 20:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 20:33 . 2008-05-31 19:42 <DIR> d-------- C:\SDFix
2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Deckard
2008-05-27 20:33 . 2008-05-27 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-27 20:33 . 2008-05-27 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 20:31 . 2008-05-27 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 18:14 . 2008-06-08 23:57 <DIR> d-------- C:\Program Files\Hijack This
2008-05-24 17:25 . 2008-05-29 05:09 <DIR> d-------- C:\Temp
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 02:38 1,318,400 ----a-w C:\WINDOWS\Internet Logs\rDB24.tmp
2008-06-09 23:43 1,318,400 ----a-w C:\WINDOWS\Internet Logs\rDB23.tmp
2008-06-09 04:04 1,318,400 ----a-w C:\WINDOWS\Internet Logs\rDB22.tmp
2008-06-01 06:42 1,314,816 ----a-w C:\WINDOWS\Internet Logs\rDB21.tmp
2008-05-31 13:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-31 07:34 1,311,232 ----a-w C:\WINDOWS\Internet Logs\rDB20.tmp
2008-05-30 23:12 1,311,232 ----a-w C:\WINDOWS\Internet Logs\rDB13.tmp
2008-05-30 07:20 1,317,888 ----a-w C:\WINDOWS\Internet Logs\rDB3.tmp
2008-05-28 20:18 1,309,696 ----a-w C:\WINDOWS\Internet Logs\rDB1F.tmp
2008-05-18 08:11 --------- d-----w C:\Program Files\Norton SystemWorks
2008-05-10 01:31 --------- d-----w C:\Program Files\3GP Player
2008-05-05 07:15 1,207,296 ----a-w C:\WINDOWS\Internet Logs\rDB1E.tmp
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 22:17 --------- d-----w C:\Program Files\Java
2008-04-27 19:03 --------- d-----w C:\Program Files\Apple Software Update
2008-04-27 18:51 --------- d-----w C:\Program Files\iTunes
2008-04-27 18:51 --------- d-----w C:\Program Files\iPod
2008-04-27 18:48 --------- d-----w C:\Program Files\QuickTime
2008-04-20 15:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-04-14 07:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 09:14 1,078,784 ----a-w C:\WINDOWS\Internet Logs\rDB1D.tmp
2008-03-15 03:32 1,071,104 ----a-w C:\WINDOWS\Internet Logs\rDB1C.tmp
2008-01-14 16:58 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-01-14 16:55 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-01-05 11:12 7,237,952 ----a-w C:\Documents and Settings\torrents\vsoConvertXtoDVD2_setup.exe
2007-10-22 22:08 79,856 ----a-w C:\Documents and Settings\torrents\MySpaceIM_Setup.exe
2007-09-17 16:01 612,152 ----a-w C:\Documents and Settings\torrents\DivoCodec-1.3.0.0-setup-0708.exe
2007-09-10 19:17 6,211,190 ----a-w C:\Documents and Settings\torrents\Combined-Community-Codec-Pack-2007-07-22.exe
2007-07-25 01:07 9,372,240 ----a-w C:\Program Files\DivXCreate.exe
2007-07-06 00:47 4,377,640 ----a-w C:\Documents and Settings\setup\LimeWireWin.exe
2007-02-03 16:37 6,576,504 ----a-w C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-02-03 16:35 7,744 ----a-w C:\Program Files\te.nfo
2007-02-03 16:35 413 ----a-w C:\Program Files\file_id.diz
2006-09-10 22:34 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-02-11 13:35 13,312 ----a-w C:\Documents and Settings\Crack\ConvertXtoDVD2x_GOLDCrack.exe
2005-06-16 00:31 9,372,240 ----a-w C:\Program Files\DivXCreate.exe.BAK
2005-06-15 23:36 9,681 ----a-w C:\Program Files\ARTeam.nfo
2005-06-15 23:36 162 ----a-w C:\Program Files\ARTeam.sfv
2005-06-15 23:35 95,232 ----a-w C:\Program Files\DivX.Pro.v6.0.and.Converter.v1.0.patch.exe
2004-08-28 23:52 113 ----a-w C:\Documents and Settings\Downloaded\registration.reg
2004-08-28 23:48 544,768 ----a-w C:\Documents and Settings\Downloaded\Mp3Mate.exe
2007-12-16 01:44 32 --sha-w C:\WINDOWS\{0FC147B1-546D-4484-AEDD-0F73AECD56A3}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\{4EBAEA51-FB54-415A-AD03-4C9A669992B9}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{5EF8D301-4AC0-48DD-B4EC-A363CD65563D}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{6BE9F5BA-9041-44A0-962F-915B93D08C8F}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\{75F45582-67BC-41E1-8888-C125AE961041}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{7D615075-59A4-4BE4-9CD0-3682664E3C39}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\{D6416FA0-D047-428B-B6DC-635F113FD320}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{1222392D-1E1B-4023-A322-40C0C03F45E7}.dat
2007-12-16 01:44 32 --sha-w C:\WINDOWS\system32\{4C6632E1-AF6C-41E6-8056-17FDAA01ECFF}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{6E9ED633-9F77-442F-98E6-50107A9115D4}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{BDFC48EB-D892-4154-B8FB-9EF3123D0A6C}.dat
2007-12-16 01:49 32 --sha-w C:\WINDOWS\system32\{C8EAE0FE-BFD2-4C1E-B3BF-1D08D17749E3}.dat
2007-12-16 01:48 32 --sha-w C:\WINDOWS\system32\{F69BC3B5-0F31-4484-A21C-64A89BE7C1E6}.dat
2007-12-16 01:46 32 --sha-w C:\WINDOWS\system32\{FBBBDEF1-6BA4-4255-98F0-4FDEC7A07D1F}.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.07.56.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 12:00:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 20:47:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 00:37:48 5,496,832 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-31 22:31:28 5,496,832 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-29 00:37:48 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-31 22:31:28 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-05-15 05:05:12 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-10 20:52:01 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-15 05:05:13 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-10 20:52:01 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-24 21:45 171448]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06 94208]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36 1207080]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-09-10 20:38 45056]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-09-20 00:59 28672]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2008-05-27 20:23 94208]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 02:33 45056]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-12-02 10:17 73728]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-12-21 18:38 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-14 23:17:45 25214]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 08:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 06:43]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 16:11]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
R3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 12:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 09:47]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 13:49:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-31 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe
"2008-05-30 21:30:01 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-06-10 20:59:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 17:01:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 17:02:55
ComboFix-quarantined-files.txt 2008-06-10 21:02:40
ComboFix2.txt 2008-06-09 03:54:30
ComboFix3.txt 2008-05-31 01:57:02

Pre-Run: 29,221,687,296 bytes free
Post-Run: 29,200,195,584 bytes free

182

--


Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Full Scan (C:\|)
Objects scanned: 78598
Time elapsed: 53 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Lets remove that entry:

Download the enclosed folder. [attachment=21407:MonitorFix.zip]Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, MonitorFix.reg . Once extracted, open the folder and double click on the MonitorFix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer.

Let me know if that makes a difference.
  • 0

#9
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Downloaded, unzipped, and ran MonitorFix then rebooted. I tried to enable Norton AntiVirus and no change. It would not enable. I ran regedit and took a look at that registry key. The disable was still there. I ran MonitorFix again while regedit was still open and confirmed that the key was removed. I tried to enable Norton AntiVirus again before I rebooted but it still would not enable. I rebooted and ran regedit again and the disable key returned. So, something is still loading this disable key at bootup. I restarted the computer in Safemode. I ran regedit and the registry key was still there. I ran MonitorFix again and verified that the key was removed. I rebooted again into Safemode, ran regedit and the key did not return. I verified it a second time by rebooting into Safemode and it did not return. So, I rebooted normal and ran regedit as soon as Start would open. It wasnít until the end of the bootup process that the key returned.
  • 0

#10
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa :)

Try removing Zone Alarm. There is no need for an additional Firewall when running Norton. Also try disabling Adaware. I may hinder changes in the registry.
  • 0

#11
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Zone Alarm and Norton have never been a problem. I do not use Norton Firewall. It is not very user friendly! I did uninstall Zone Alarm anyway just to see. I also uninstalled Ad Aware. Nether had any effect. AntiVirus is still disabled after a normal boot. I also used msconfig to disable all startup files. Ran regedit and monitored the registry key. The key is removed by your MonitorFix. After a reboot with all startup files disabled, the disable key still returns. I downloaded the updated version of SpybotSD 1.5.2 and installed that. I connected to the internet long enough to downloaded the updates. I ran a scan and it found 16 items. One was Smitfraud-C, one was Webhancer, and the rest were Cool(something) canít remember. I could not find a way to get a log file, so I just fixed them. I got a green check by each one. I have rebooted and run another Spybot scan and it is clean. I tried the AntiVirus enable again but nothing has changed.
  • 0

#12
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa :)

If you are having issue with Norton why use it? There are better programs online free of charge, for example:

In your position I would remove Norton and install any of the above.
  • 0

#13
namspa

namspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi JSntgRvr,

Everything is back to normal. After I ran Spybot and removed the last of the infected files, I then did a Norton scan just to see what it would do. Norton found five additional infected files and automatically deleted them. I then uninstalled Norton via add and remove programs. Then I manually uninstalled Norton via Symantecís manual remove instructions. All files including registry entries were removed. I have had to do this procedure several times in the past. That is one negative aspect of Norton, when it hangs up like this, about all you can do is completely remove everything and reinstall it. I rebooted and ran Malwarebytes again and it was clean. Ran Spybot scan and it was clean. I ran Hijack This and it was clean. I reinstalled Norton and updated everything. Ran a system scan with Norton and all is clean and the Antivirus Auto-Protect is enabled. I installed Zone Alarm and the firewall is all set up working normal. I downloaded the cleanup instructions for all the files I used during this episode. So all is cleaned up and back to the way it was BV (Before Vundo) Thank you again very much for your assistance with Combofix. Now that everything is back to normal, I want to examine all the log files and your CFScript.txt fix files to see how they are constructed. If this should ever occur again, I should be able to handle it. I will look into the other Antivirus programs you listed. I have noticed through all the research I have done that nothing has been able to stop this Trojan/virus/malware from causing havoc on any system. Seems the first thing that Vundo does is disable whatever Antivirus program is running. Then it just spreads at will. I went back and looked at the Norton log files before I uninstalled it. Norton did put up quite a fight, listing over thirty some files it quarantined on the day this thing took off before it was disabled. Glad this one is over! Thanks again!
  • 0

#14
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, namspa. :)

Congratulations.Posted Image

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Note: Never run Combofix or attempt to run CFScript without proper supervision.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes! Posted Image
  • 0

#15
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP