HijackThis log... [RESOLVED]


  • This topic is locked

#1
blind_stone
    Member
  • 23 posts
Hey all, I have a really troublesome virus/malware. Whenever I right-click on the Desktop the system hangs for a bit; I'm also getting various popups when connected to the internet, and some very mysterious .dll files in the system32 folder that seem to have randomly generated names like khfGarRj.dll and efcBspPG.dll (Google no help there). I've run Avast, AVG, and Spybot but the problem still persists.

Dell Dimension 9100
PD 940
3gb ram
250GB Seagate HD
8800GTS 640mb
Windows XP

Thanks Much :)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:59 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.next****.com/?rtp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - C:\WINDOWS\system32\khfGArRj.dll
O2 - BHO: (no name) - {C4547434-DC79-41D5-8827-D46ECEE540DF} - C:\WINDOWS\system32\efcBspPG.dll (file missing)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM3ff1bf1f] Rundll32.exe "C:\WINDOWS\system32\yrkoehjw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD9C5E6-77E4-48EB-9170-FE1C2DB80ADD}: NameServer = 204.87.167.251 205.242.230.2
O20 - Winlogon Notify: khfGArRj - C:\WINDOWS\SYSTEM32\khfGArRj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe

--
End of file - 8773 bytes


#2
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hi blind_stone,

Welcome to geekstogo :)

In this post we will clear the malware I can see and do a couple of scans to find the rest of the infections on your machine.

Also, a couple of questions:

1. Do you recognise this program: C:\Program Files\EVGA Precision\EVGAPrecision.exe? It is not one I am familiar with.

2. Do you recognise this address: Imagination Inc., 215 South Ohio Street, Sedalia, MO, 65301, US? Is it your company or your ISP?


====STEP 1====
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\khfGArRj.dll
    C:\WINDOWS\system32\efcBspPG.dll
    C:\WINDOWS\system32\yrkoehjw.dll
    C:\WINDOWS\SYSTEM32\khfGArRj.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2}
    HKEY_CLASSES_ROOT\CLSID\{9B904910-78A4-489D-A825-5111B883A5B2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4547434-DC79-41D5-8827-D46ECEE540DF}
    HKEY_CLASSES_ROOT\CLSID\{C4547434-DC79-41D5-8827-D46ECEE540DF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM3ff1bf1f
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGArRj
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 2====
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 4====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
In your next reply could I see:
1. the answers to the above questions
2. the OTMoveIT log
3. the vundofix.txt log
4. the malwarebytes log
5. the 2 DSS logs (though there may only be one)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 25 July 2008 - 12:33 PM.

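A triage script for the HijackThis log format used in this thread, added here as an example; it is not part of the thread, of HijackThis, or of OTMoveIt2. It parses the O2/O4/O6/O20 lines, flags the same patterns andrewuk acted on (a nameless BHO loading a system32 DLL, a Run entry with a generated name, IE policy restrictions, a Winlogon Notify hook), and derives the file paths and registry keys that his OTMoveIt2 list contained for each. The sample lines are copied from the log posted in #1; the "generated name" rules are this example's own heuristics fitted to the names in this thread, not a general detector.

```python
"""Flag suspicious HijackThis entries and derive OTMoveIt2-style removal items.

Added example for this thread; the heuristics are this script's own and are
tuned to the Vundo naming seen here (eight-letter DLL stems, hex-like Run
key names).  Treat every finding as a review candidate, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in #1,
# mixing legitimate entries with the ones the helper removed.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - C:\WINDOWS\system32\khfGArRj.dll
O2 - BHO: (no name) - {C4547434-DC79-41D5-8827-D46ECEE540DF} - C:\WINDOWS\system32\efcBspPG.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM3ff1bf1f] Rundll32.exe "C:\WINDOWS\system32\yrkoehjw.dll",s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: khfGArRj - C:\WINDOWS\SYSTEM32\khfGArRj.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?: \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
POLICY_RE = re.compile(r"^O6 - (?P<key>HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\.+) present$")
SYS32_DLL_RE = re.compile(r"C:\\WINDOWS\\system32\\(?P<stem>[A-Za-z0-9_]+)\.dll", re.IGNORECASE)
# Heuristic: Run key names like BM3ff1bf1f / 3cc28c83 (a short prefix plus 8 hex digits).
GENERATED_KEY_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{8}")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"


def looks_generated(stem):
    """Heuristic: every Vundo DLL in this thread has an 8-letter stem (khfGArRj,
    yrkoehjw); vendor DLLs such as NvCpl do not.  Not a general classifier."""
    return len(stem) == 8 and stem.isalpha()


@dataclass
class Finding:
    line: str
    reason: str
    removals: list  # file paths and registry keys, in OTMoveIt2 list syntax


def triage(log_text):
    """Return a Finding for each suspicious O2/O4/O6/O20 line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := BHO_RE.match(line):
            sys32 = SYS32_DLL_RE.search(m["path"])
            if m["name"] == "(no name)" and sys32:
                reason = "nameless BHO loading a DLL from system32"
                if line.endswith("(file missing)"):
                    reason += " (file already gone, registration left behind)"
                clsid = "{" + m["clsid"].upper() + "}"
                findings.append(Finding(line, reason,
                                        [m["path"], BHO_KEY + clsid, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid]))
        elif m := RUN_RE.match(line):
            sys32 = SYS32_DLL_RE.search(m["cmd"])
            via_rundll = "rundll32" in m["cmd"].lower()
            if GENERATED_KEY_RE.fullmatch(m["key"]) or (via_rundll and sys32 and looks_generated(sys32["stem"])):
                # Double backslash before the value name is OTMoveIt2's "this is a value" marker.
                removals = [HIVES[m["hive"]] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\" + m["key"]]
                if sys32:
                    removals.insert(0, sys32.group(0))
                findings.append(Finding(line, "Run entry with a generated name loading a system32 DLL", removals))
        elif m := POLICY_RE.match(line):
            # Expand the HKCU prefix; these policies lock IE settings and are rarely user-set.
            findings.append(Finding(line, "IE policy restriction present; review unless an administrator set it",
                                    ["HKEY_CURRENT_USER\\" + m["key"][5:]]))
        elif m := NOTIFY_RE.match(line):
            findings.append(Finding(line, "Winlogon Notify hook (DLL loaded into winlogon.exe at logon)",
                                    [m["path"], NOTIFY_KEY + m["name"]]))
    return findings


def removal_list(findings):
    """Flatten findings into a de-duplicated OTMoveIt2-style list, order preserved."""
    seen, out = set(), []
    for f in findings:
        for item in f.removals:
            if item not in seen:
                seen.add(item)
                out.append(item)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"FLAG: {f.line}\n      {f.reason}")
    print("\n".join(["[kill explorer]"] + removal_list(found) + ["EmptyTemp", "[start explorer]"]))
```

On the sample, the NvCplDaemon entry (a legitimate rundll32 launch of NvCpl.dll) and the nameless Spybot SDHelper BHO are left alone while the four Vundo items and the two policy keys are flagged, and the removal list reproduces the file paths and registry keys from andrewuk's OTMoveIt2 script. The separation between NvCplDaemon and BM3ff1bf1f rests entirely on naming, so on other logs a flagged line is a prompt to check the file's publisher and signature, not a removal order.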

#3
blind_stone
    Member
  • Topic Starter
  • 23 posts
Thank you very, very much for the reply. I will not be home until very late tonight, but I will post the results as soon as I possibly can!


1. Do you recognise this program: C:\Program Files\EVGA Precision\EVGAPrecision.exe? It is not one I am familiar with.
ANSWER: Yes, this program is fine; it is a tool for monitoring my video card temperature etc. made by my card vendor (EVGA), so it should be OK.

2. Do you recognise this address: Imagination Inc., 215 South Ohio Street, Sedalia, MO, 65301, US? Is it your company or your ISP?
ANSWER: I believe this is the address of my ISP provider, lol, I will drive by and see!

Thank you again, more posts tonight!

Edited by blind_stone, 25 July 2008 - 02:41 PM.


#4
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
No problem, I will await your posts :)

andrewuk

#5
blind_stone
    Member
  • Topic Starter
  • 23 posts
Well, it's 1:17 in the AM, and I've finished all the tests/scans. Huzzah!! Before I get to the logs I can already tell my system is running better: right-clicking on the desktop now delivers a much faster response, most of the mysterious .dlls are gone except for ljJYQlYr.dll, and the popups seem to be gone as well.

Log posting order: OTMoveIt, vundofix.txt, Malwarebytes, and 1 DSS log

--------------------------------------------------------------------------------
Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\khfGArRj.dll
C:\WINDOWS\system32\khfGArRj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\khfGArRj.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\efcBspPG.dll not found.
File/Folder C:\WINDOWS\system32\yrkoehjw.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\khfGArRj.dll
C:\WINDOWS\SYSTEM32\khfGArRj.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\khfGArRj.dll scheduled to be moved on reboot.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{9B904910-78A4-489D-A825-5111B883A5B2} >
Registry key HKEY_CLASSES_ROOT\CLSID\{9B904910-78A4-489D-A825-5111B883A5B2}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4547434-DC79-41D5-8827-D46ECEE540DF} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4547434-DC79-41D5-8827-D46ECEE540DF}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{C4547434-DC79-41D5-8827-D46ECEE540DF} >
Registry key HKEY_CLASSES_ROOT\CLSID\{C4547434-DC79-41D5-8827-D46ECEE540DF}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM3ff1bf1f >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM3ff1bf1f deleted successfully.
< HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions >
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\\ deleted successfully.
< HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel >
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGArRj >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGArRj\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Justin\LOCALS~1\Temp\~DF1113.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT07198.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0719b.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_233823

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\khfGArRj.dll
C:\WINDOWS\system32\khfGArRj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\khfGArRj.dll scheduled to be moved on reboot.
C:\DOCUME~1\Justin\LOCALS~1\Temp\~DF1113.tmp moved successfully.
C:\WINDOWS\temp\ZLT07198.TMP moved successfully.
C:\WINDOWS\temp\ZLT0719b.TMP moved successfully.

--------------------------------------------------------------------------------


VundoFix V7.0.6

Scan started at 11:49:27 PM 7/25/2008

Listing files found while scanning....

C:\Windows\system32\ljJYQIYr.dll
C:\Windows\system32\mlJCRjJA.dll
C:\Windows\system32\nhasiord.dll
C:\Windows\system32\rYIQYJjl.ini
C:\Windows\system32\rYIQYJjl.ini2
C:\Windows\system32\vrxhypey.dll

Beginning removal...

Attempting to delete C:\Windows\system32\ljJYQIYr.dll
C:\Windows\system32\ljJYQIYr.dll Has been deleted!

Attempting to delete C:\Windows\system32\mlJCRjJA.dll
C:\Windows\system32\mlJCRjJA.dll Has been deleted!

Attempting to delete C:\Windows\system32\nhasiord.dll
C:\Windows\system32\nhasiord.dll Has been deleted!

Attempting to delete C:\Windows\system32\rYIQYJjl.ini
C:\Windows\system32\rYIQYJjl.ini Has been deleted!

Attempting to delete C:\Windows\system32\rYIQYJjl.ini2
C:\Windows\system32\rYIQYJjl.ini2 Has been deleted!

Attempting to delete C:\Windows\system32\vrxhypey.dll
C:\Windows\system32\vrxhypey.dll Has been deleted!

Performing Repairs to the registry.
Done!

--------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

1:04:33 AM 7/26/2008
mbam-log-7-26-2008 (01-04-33).txt

Scan type: Quick Scan
Objects scanned: 39907
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnkklii.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qajfttsk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\edmyocot.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfGArRj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lhljyt.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0af0be2e-b9d0-4a79-9fb4-042a6d1fd0d6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0af0be2e-b9d0-4a79-9fb4-042a6d1fd0d6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9e53effa-f69e-42c5-b935-53fcf7b2835b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e53effa-f69e-42c5-b935-53fcf7b2835b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfgarrj (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3cc28c83 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm3ff1bf1f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkklii -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkklii -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\opnkklii.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iilkknpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iilkknpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lhljyt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qajfttsk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ksttfjaq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\edmyocot.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfGArRj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hgGvvuuu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvwyqnjw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJYPgGV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqOETmK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvULBtQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaywULdD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\BB70FH0X\ico[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\DX75A3E4\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\QR8A9K57\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\QR8A9K57\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\XLUJOM2F\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM3ff1bf1f.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM3ff1bf1f.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------------

#6
blind_stone
    Member
  • Topic Starter
  • 23 posts
Last log, DSS:

Deckard's System Scanner v20071014.68
Run by Justin on 2008-07-26 01:08:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
93: 2008-07-26 06:08:39 UTC - RP1188 - Deckard's System Scanner Restore Point
92: 2008-07-26 00:28:19 UTC - RP1187 - System Checkpoint
91: 2008-07-25 00:01:06 UTC - RP1186 - Avira AntiVir Personal - 7/24/2008 19:01
90: 2008-07-24 23:16:20 UTC - RP1185 - Move file to quarantine: khfGArRj.dll
89: 2008-07-24 22:48:11 UTC - RP1184 - Removed Apple Software Update


-- First Restore Point --
1: 2008-04-28 05:20:05 UTC - RP1096 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:14 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\Justin\Desktop\per post\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Justin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextpimp.com/?rtp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {F5810C17-0F3B-4E4D-B1E9-A6059FF760A1} - C:\WINDOWS\system32\ljJYQIYr.dll (file missing)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8631 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R3 RTCore32 - c:\program files\evga precision\rtcore32.sys

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
S3 NVR0Dev - c:\windows\nvoclock.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20040813.178\symidsco.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01A71028&REV_01\4&5855BE9&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01A71028&REV_01\4&5855BE9&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-07-25 17:57:33 424 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{743C1170-7DBC-43BA-A4D3-84FD6221DAC9}.job


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 00:50:10 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:15:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57:54 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-25 23:49:27 0 d-------- C:\VundoFix Backups
2008-07-25 19:31:41 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-24 21:25:39 0 d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21:54 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21:13 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:18:07 0 d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01:25 0 d-------- C:\Program Files\Avira
2008-07-24 19:01:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21:14 0 d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:44:05 0 d-------- C:\Program Files\Trend Micro
2008-07-23 22:44:16 860692 --ahs---- C:\WINDOWS\system32\GPpsBcfe.ini2
2008-07-23 21:41:45 0 d-------- C:\Program Files\Alwil Software
2008-07-23 18:53:15 855924 --ahs---- C:\WINDOWS\system32\cehjlnnn.ini2
2008-07-23 00:16:43 2336 --ahs---- C:\WINDOWS\system32\AHjknnpo.ini2
2008-07-03 17:45:02 0 d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11:43 0 d-------- C:\Program Files\Ubisoft
2008-06-29 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05:57 0 d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05:28 0 d-------- C:\Program Files\Avi2Dvd


-- Find3M Report ---------------------------------------------------------------

2008-07-26 00:15:52 0 d-------- C:\Program Files\Common Files
2008-07-24 21:30:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-24 20:49:54 0 d-------- C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-24 17:45:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 17:34:59 0 d-------- C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 17:34:00 0 d-------- C:\Documents and Settings\Justin\Application Data\U3
2008-07-23 07:42:15 0 d-------- C:\Program Files\EVGA Precision
2008-07-23 00:54:37 0 d-------- C:\Documents and Settings\Justin\Application Data\Adobe
2008-07-07 22:53:26 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-05 22:29:20 0 d-------- C:\Program Files\Steam
2008-06-20 20:45:20 0 d-------- C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-19 23:52:05 0 d--h----- C:\Program Files\eMule
2008-06-12 22:04:03 0 d-------- C:\Program Files\LucasArts
2008-06-09 22:38:05 0 d-------- C:\Program Files\OpenAL
2008-06-02 17:30:42 0 d-------- C:\Program Files\Electronic Arts
2008-06-02 17:30:04 0 d-------- C:\Program Files\AGEIA Technologies
2008-06-02 17:29:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}]
C:\WINDOWS\system32\ljJYQIYr.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07/24/2008 09:21 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [04/25/2005 08:50 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 08:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/29/2008 02:44 AM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]
"EVGAPrecision"="C:\Program Files\EVGA Precision\EVGAPrecision.exe" [05/27/2008 11:28 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [1/7/2007 6:38:46 PM]
HP Image Zone Fast Start.lnk.disabled [1/7/2007 6:40:21 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 12/14/2007 01:10 AM 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf4f994-d7fb-11db-a6d4-d264bf8508bd}]
AutoRun\command- I:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2008-07-26 01:11:44 ------------
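The logs above carry the classic Vundo-family signature: a BHO whose DLL has an 8-letter random name under system32 and is already "(file missing)", three hidden+system .ini2 files with the same naming shape, and a MountPoints2 AutoRun command pointing at a removable drive. As an added example for this thread (not code from HijackThis, DSS or the helper), the Python below scores such log lines the way a triage analyst would, layering a weak indicator (name shape) with strong ones (hidden+system attributes, a registered BHO whose file is gone, an AutoRun entry). The sample lines are copied from the logs posted in this thread; the weights, the threshold and the consonant-run heuristic are my own assumptions, and the name heuristic is deliberately kept weak because legitimate 8-letter system32 DLLs such as browseui.dll and setupapi.dll exist.

```python
"""Score HijackThis (O2) and DSS (file listing, registry dump) lines for the
Vundo-style artifacts seen in this thread. Added example, not HijackThis's,
DSS's or the helper's own logic; the weights and name heuristic are mine."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the logs posted above, plus benign
# neighbours (SDHelper.dll, zllictbl.dat, CmdLineExt03.dll) as negatives.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F5810C17-0F3B-4E4D-B1E9-A6059FF760A1} - C:\WINDOWS\system32\ljJYQIYr.dll (file missing)
2008-07-26 00:50:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 22:44:16 860692 --ahs---- C:\WINDOWS\system32\GPpsBcfe.ini2
2008-07-23 18:53:15 855924 --ahs---- C:\WINDOWS\system32\cehjlnnn.ini2
2008-07-23 00:16:43 2336 --ahs---- C:\WINDOWS\system32\AHjknnpo.ini2
2008-07-24 21:30:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-07 22:53:26 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf4f994-d7fb-11db-a6d4-d264bf8508bd}]
AutoRun\command- I:\SETUP.EXE
"""

# 2008-era Vundo droppers: 8-letter, digit-free stem under system32, a .dll
# plus hidden+system .ini/.ini2 companions carrying the same kind of name.
RANDOM_STEM = re.compile(r"(?i)\\system32\\(?P<stem>[a-z]{8})\.(?P<ext>dll|ini|ini2)\b")
O2_BHO = re.compile(r"^O2 - BHO: .+? - \{[0-9A-F-]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
DSS_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$")
AUTORUN = re.compile(r"(?i)^AutoRun\\command-\s*(?P<cmd>[a-z]:\\.+)$")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)


def consonant_run(stem: str) -> int:
    """Longest run of consonants (y counted as consonant). Random stems such as
    ljJYQIYr or GPpsBcfe score 5-7; real names (browseui, setupapi) stay <= 3."""
    best = run = 0
    for ch in stem.lower():
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def random_system32_name(path: str):
    """(stem, ext) when the path has the Vundo naming shape, else None."""
    m = RANDOM_STEM.search(path)
    if m and consonant_run(m["stem"]) >= 4:  # threshold is an assumption
        return m["stem"], m["ext"].lower()
    return None


def triage(log_text: str) -> dict:
    """Accumulate weighted indicators per path; returns {lowercased path: Finding}."""
    findings: dict = {}

    def get(path: str) -> Finding:
        return findings.setdefault(path.lower(), Finding(path))

    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_BHO.match(line):
            if m["missing"]:
                get(m["path"]).add(2, "BHO still registered but its DLL is gone (half-cleaned dropper)")
            if random_system32_name(m["path"]):
                get(m["path"]).add(1, "random-looking 8-letter name in system32")
        elif m := DSS_FILE.match(line):
            attrs, path = m["attrs"], m["path"]
            if "h" in attrs and "s" in attrs and "d" not in attrs:
                get(path).add(2, "hidden+system attributes on a recently created file")
            shape = random_system32_name(path)
            if shape and shape[1] in ("ini", "ini2"):
                get(path).add(1, "Vundo-style .ini/.ini2 companion name")
            elif shape:
                get(path).add(1, "random-looking 8-letter name in system32")
        elif m := AUTORUN.match(line):
            get(m["cmd"]).add(2, "AutoRun command persisted under MountPoints2")
    return findings


def suspicious(findings: dict, threshold: int = 2) -> list:
    """Original-case paths whose score reaches the threshold, strongest first."""
    hits = [f for f in findings.values() if f.score >= threshold]
    return [f.path for f in sorted(hits, key=lambda f: (-f.score, f.path.lower()))]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path in suspicious(found, threshold=1):
        f = found[path.lower()]
        tag = "SUSPICIOUS" if f.score >= 2 else "review"
        print(f"{tag:10} score={f.score}  {path}")
        for why in f.reasons:
            print(f"{'':10} - {why}")
```

Run it as a script to print the ranked list, or pass a whole pasted log to `triage()`. A score of 1 means "look it up", not "delete it": only a combination of signals justifies putting a path on a removal list like the OTMoveIt list the helper posts next, and a name-shape hit on its own should be checked against the file's vendor signature first.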

#7 blind_stone
Member, Topic Starter, 23 posts
One more thing: here is the screen of the mysterious .dll I still have. I doubt it helps, but I don't want people to think I'm insane. Do I need another HijackThis log?


Edited by blind_stone, 26 July 2008 - 12:46 AM.


#8 andrewuk
Trusted Helper, Malware Removal, 5,297 posts
In this post we will clear the malware revealed in those logs and do three other scans to seek out anything else. In the post after this we will clear out anything that those scans reveal and sort out some of your security programs.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

I also want to scan a file, and we will fix your file associations.

Also, is www.nextpimp.com a valid start page for you?


====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\ljJYQIYr.dll
    C:\WINDOWS\system32\GPpsBcfe.ini2
    C:\WINDOWS\system32\cehjlnnn.ini2
    C:\WINDOWS\system32\AHjknnpo.ini2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}]
    HKEY_CLASSES_ROOT\CLSID\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf4f994-d7fb-11db-a6d4-d264bf8508bd}
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 2====
Could you run VundoFix again.

Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 4====
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.


====STEP 5====
Click on Start, then click on Run.
Copy and paste the following (in bold) into the Open window and then click OK:
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
If that does not work, please download DAFT, save it to your desktop, double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button".



====STEP 6====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
c:\windows\system32\drivers\oreans32.sys

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.



====STEP 7====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the OTMoveIT log
2. the vundofix log
3. the SUPERantispyware log
4. the GMER log, if applicable
5. the jotti log
6. the kaspersky log
7. a new hijackthis log
8. and the answer to the startpage question.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#9 blind_stone
Member, Topic Starter, 23 posts
Well, now we're not doing so well. It appears that after I ran SUPERAntiSpyware, Internet Explorer or Firefox don't seem to be working properly. I am getting a very slow connection, if any at all, and I can't download anything or visit any pages other than Google. I believe my internet connection is fine, however, as I was able to download emails using Outlook Express. Tried a system restore but that's a no go for some reason; I guess because things were deleted permanently?

Here are the logs that I have.


Explorer killed successfully
File/Folder C:\WINDOWS\system32\ljJYQIYr.dll not found.
C:\WINDOWS\system32\GPpsBcfe.ini2 moved successfully.
C:\WINDOWS\system32\cehjlnnn.ini2 moved successfully.
C:\WINDOWS\system32\AHjknnpo.ini2 moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}] >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}]\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}] >
Registry key HKEY_CLASSES_ROOT\CLSID\{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1}]\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf4f994-d7fb-11db-a6d4-d264bf8508bd} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf4f994-d7fb-11db-a6d4-d264bf8508bd}\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Justin\LOCALS~1\Temp\tmp194.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Justin\LOCALS~1\Temp\tmp197.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07262008_164925

Files moved on Reboot...
File C:\DOCUME~1\Justin\LOCALS~1\Temp\tmp194.tmp not found!
File C:\DOCUME~1\Justin\LOCALS~1\Temp\tmp197.tmp not found!

-------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/26/2008 at 07:23 PM

Application Version : 4.15.1000

Core Rules Database Version : 3517
Trace Rules Database Version: 1507

Scan type : Complete Scan
Total Scan Time : 01:51:04

Memory items scanned : 364
Memory threats detected : 0
Registry items scanned : 6638
Registry threats detected : 30
File items scanned : 124520
File threats detected : 11

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\ControlSet003\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Vundo Variant
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\GFILFQ.DLL.Q_8047A01_Q
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\ZDUTIN.DLL.Q_8047A01_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1183\A0301487.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1185\A0301654.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1187\A0304814.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1187\A0304815.DLL
C:\VUNDOFIX BACKUPS\NHASIORD.DLL.BAD
C:\VUNDOFIX BACKUPS\VRXHYPEY.DLL.BAD

Trojan.Smitfraud Variant
C:\I386\VERIFIER.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1179\A0299949.ICO

#10 blind_stone
Member, Topic Starter, 23 posts
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-26 20:19:54
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9F8E818]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xA8488930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xA8493A80]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xA8488F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xA84946E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xA8494440]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xA84948B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xA8488D70]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9F8E794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xB9F8E866]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xA8495250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xA8494CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xA8495080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xA8489120]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xA8494140]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA83FDF20]

---- Kernel code sections - GMER 1.0.14 ----

? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[596] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0x9789, 0x60000060]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 00AD5415 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 00C6C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 00C6C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 00C6C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 00C6C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 00C6C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 00C6C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2396] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 00C6C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetPixel] [66039C25] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!SetPixel] [66039C8A] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowPlacement] [66603F30] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [66603E7C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\system32\wscntfy.exe[376] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [66603E7C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [666040F4] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetPixel] [66039C25] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!SetPixel] [66039C8A] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowPlacement] [66603F30] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[712] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetPixel] [66039C25] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!SetPixel] [66039C8A] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetWindowPlacement] [66603F30] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [660394F2] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [6603954D] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [66603E7C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongW] [66603EA3] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [66604121] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [666040F4] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [660394B9] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6603945C] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [66039462] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll (WindowBlinds (32 bit XP)/Stardock Corporation)
IAT C:\WINDOWS\System32\svchost.exe[956] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll (WindowBlinds Helper DLL/Stardock.Net, Inc)
IAT C:&

#11 blind_stone (Topic Starter, Member, 23 posts)
Ok, sorry for the last posts; I was a little distraught about not having any internet! I fixed it, I think; it seems I had more, or got more, of that Vundo virus, since that is what the Malwarebytes scan I ran said. Included is that log and a new HJT log. Sorry again if I am making things more difficult on myself/you. (Also, I am currently updating Kaspersky, as it will probably take me until morning.) Cheers

--------------------------------------------
Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

12:01:19 AM 7/27/2008
mbam-log-7-27-2008 (00-01-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150882
Time elapsed: 1 hour(s), 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1178\A0299926.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1179\A0299944.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1183\A0301488.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1183\A0301497.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1185\A0301655.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1185\A0301657.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1187\A0304812.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1187\A0304813.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\efcBspPG.dll.q_804C403_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\jtlumwen.dll.q_8043E01_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\nnnljhec.dll.q_804C403_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\opnnkjHA.dll.q_804C003_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\ljJYQIYr.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\mlJCRjJA.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:11 AM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextpimp.com/?rtp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {F5810C17-0F3B-4E4D-B1E9-A6059FF760A1} - C:\WINDOWS\system32\ljJYQIYr.dll (file missing)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD9C5E6-77E4-48EB-9170-FE1C2DB80ADD}: NameServer = 204.87.167.251 205.242.230.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8375 bytes
  • 0

#12
blind_stone

blind_stone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
OK, sorry for the last posts, I was a little distraught about not having any internet, i.e. more problems! I fixed it, I think; it seems I had more, or got more, of that Vundo virus thingy, since that is what the Malwarebytes scan said. Included is that log and a new HJT log. Sorry again if I am making things more difficult on myself/you. (Also, I am currently updating Kaspersky, as it will probably take me until morning.) Cheers

  • 0

#13
blind_stone

blind_stone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 27, 2008 10:29:29 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/07/2008
Kaspersky Anti-Virus database records: 1013803


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 129970
Number of viruses found 3
Number of infected objects 2
Number of suspicious objects 9
Duration of the scan process 02:25:44

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Justin\LOCALS~1\Temp\DRDld\mbam-setup.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped

C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Justin\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Justin\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped

C:\Documents and Settings\Justin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date 4 Nov 2007 20:00:54 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date 4 Nov 2007 20:00:54 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date 4 Nov 2007 20:00:54 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date 4 Nov 2007 20:00:54 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay Member" ][Date 15 Jun 2008 06:48:10 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay Member" ][Date 15 Jun 2008 06:48:10 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay Member" ][Date 15 Jun 2008 06:48:10 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay Member" ][Date 15 Jun 2008 06:48:10 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 8 skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\History\History.IE5\MSHist012008072720080728\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\tmp206.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\tmp209.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\tmp28F.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\tmp292.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\~DF3925.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\~DFC341.tmp Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\ntuser.dat Object is locked skipped

C:\Documents and Settings\Justin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Justin\UserData\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1182\A0301044.exe Infected: Backdoor.Win32.VB.eab skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1192\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\SB633D7EA.tmp Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
OK, it looks like the Vundo got back on, so let's take an alternative route.

In this post we will update your Java (Vundo can exploit outdated versions) and run a different tool.


====STEP 1====
Clearing the Java cache:
There is a nice set of instructions at http://www.java.com/.../5000020300.xml

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel and then the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.
  • Click Delete Files and the Delete Temporary Files dialog box appears.
  • Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files and then Click OK on Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")

====STEP 2====
If you have already downloaded ComboFix, then could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
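As an added verification step for Step 1 above (this script is not part of andrewuk's instructions or of any tool used in this thread), the PowerShell below lists the JRE versions that Sun's installer registers under the JavaSoft registry key, flags any older than JRE 6 Update 7, and reports whether each version's java.exe is still on disk, so the jre1.6.0_03 seen in the HijackThis log can be confirmed gone after the old versions are removed. The registry layout (one subkey per version, named like 1.6.0_03, holding a JavaHome value) and the $Required version are assumptions taken from the post, not something the thread shows.

```powershell
# Added example, not from the thread. Assumes Sun's JRE registers each installed
# version as HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<maj>.<min>.<micro>_<update>
# with a JavaHome value pointing at the install directory (e.g. jre1.6.0_03).
$Required = @{ Major = 1; Minor = 6; Micro = 0; Update = 7 }   # JRE 6 Update 7 (jre-6u7)

function ConvertFrom-JreKeyName {
    param([string]$Name)   # e.g. "1.6.0_03"
    # Family keys such as "1.6" carry no update number and are skipped by the caller.
    if ($Name -notmatch '^(\d+)\.(\d+)\.(\d+)_(\d+)$') { return $null }
    [pscustomobject]@{
        Major  = [int]$Matches[1]
        Minor  = [int]$Matches[2]
        Micro  = [int]$Matches[3]
        Update = [int]$Matches[4]
    }
}

function Test-JreOutdated {
    param($Ver)
    # Compare component by component so 1.6.0_03 < 1.6.0_07 < 1.6.0_10.
    $a = @($Ver.Major, $Ver.Minor, $Ver.Micro, $Ver.Update)
    $b = @($Required.Major, $Required.Minor, $Required.Micro, $Required.Update)
    for ($i = 0; $i -lt 4; $i++) {
        if ($a[$i] -lt $b[$i]) { return $true }
        if ($a[$i] -gt $b[$i]) { return $false }
    }
    return $false
}

function Get-JreInventory {
    $root = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $ver = ConvertFrom-JreKeyName $_.PSChildName
        if ($ver -eq $null) { return }   # acts as "continue" inside ForEach-Object
        $javaHome = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).JavaHome
        $binary = if ($javaHome) { Join-Path $javaHome 'bin\java.exe' } else { $null }
        [pscustomobject]@{
            Version  = $_.PSChildName
            JavaHome = $javaHome
            OnDisk   = [bool]($binary -and (Test-Path $binary))   # key left behind vs. real install
            Outdated = Test-JreOutdated $ver
        }
    }
}

$inventory = Get-JreInventory
$inventory | Format-Table -AutoSize

# A leftover registry key for a removed JRE is harmless; an outdated build whose
# java.exe is still present is the case the post's Step 1 is meant to eliminate.
$stale = $inventory | Where-Object { $_.Outdated -and $_.OnDisk }
if ($stale) {
    $names = ($stale | Select-Object -ExpandProperty Version) -join ', '
    Write-Host "Outdated JRE still installed: $names"
    Write-Host "Remove it via Add/Remove Programs (Step 1) before relying on the new build."
} else {
    Write-Host "No outdated JRE binaries found."
}
```

Run it from an elevated PowerShell prompt after the reboot in Step 1; on the machine in this thread the expected result is a single 1.6.0_07 entry with OnDisk true and Outdated false.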

#15
blind_stone

blind_stone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Cleared and reinstalled Java just fine. Also, from the previous post, nextpimp.com is NOT a valid homepage/start page.

Combofix log and HJT log to follow.


---------------------------------------------------------------------------------------------------
ComboFix 08-07-27.2 - Justin 2008-07-27 15:36:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2607 [GMT -5:00]
Running from: C:\Documents and Settings\Justin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\as.txt
C:\Documents and Settings\Justin\Application Data\Install.dat
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\#SharedObjects\5LC2WA6U\interclick.com
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\#SharedObjects\5LC2WA6U\interclick.com\ud.sol
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\temp\17o7
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cehjlnnn.ini
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\GPpsBcfe.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\newmultj.ini
C:\WINDOWS\system32\paars.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\piaqhonq.ini
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\tmp60.tmp
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXAMPLE
-------\Legacy_NPF
-------\Legacy_WINCOM32
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 15:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-27 15:25 . 2008-07-27 15:26 <DIR> d-------- C:\Program Files\Java
2008-07-27 15:25 . 2008-07-27 15:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-26 20:09 . 2008-07-26 20:09 250 --a------ C:\WINDOWS\gmer.ini
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\SUPERAntiSpyware.com
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-26 01:08 . 2008-07-26 01:08 <DIR> d-------- C:\Deckard
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 00:50 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 00:15 . 2008-07-26 00:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57 . 2008-07-25 23:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-07-25 23:49 . 2008-07-27 00:01 <DIR> d-------- C:\VundoFix Backups
2008-07-25 23:38 . 2008-07-25 23:38 <DIR> d-------- C:\_OTMoveIt
2008-07-24 21:25 . 2008-07-24 21:25 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-24 21:21 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21 . 2008-07-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-24 21:20 . 2008-07-24 21:20 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-24 21:18 . 2008-07-24 21:18 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01 . 2008-07-26 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21 . 2008-07-24 18:21 <DIR> d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpB.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp5.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp4.tmp
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 21:41 . 2008-07-23 21:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-23 00:16 . 2008-07-23 07:41 2,336 --ahs---- C:\WINDOWS\system32\AHjknnpo.ini
2008-07-03 17:45 . 2008-07-03 17:45 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46 . 2008-07-02 07:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11 . 2008-07-01 23:11 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-29 12:23 . 2008-06-29 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05 . 2008-07-20 22:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05 . 2008-07-20 22:41 <DIR> d-------- C:\Program Files\Avi2Dvd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 20:41 65,060 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-27 20:41 5,811,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-27 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-27 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-26 22:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 15:03 --------- d-----w C:\Program Files\EVGA Precision
2008-07-25 01:49 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-24 22:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\U3
2008-07-22 03:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-06 03:29 --------- d-----w C:\Program Files\Steam
2008-06-21 01:45 --------- d-----w C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-20 04:52 --------- d--h--w C:\Program Files\eMule
2008-06-20 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Codemasters
2008-06-13 03:04 --------- d-----w C:\Program Files\LucasArts
2008-06-10 03:38 --------- d-----w C:\Program Files\OpenAL
2008-06-02 22:30 --------- d-----w C:\Program Files\Electronic Arts
2008-06-02 22:30 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-23 22:08 22,328 ----a-w C:\Documents and Settings\Justin\Application Data\PnkBstrK.sys
2005-09-03 21:50 56 --sha-r C:\WINDOWS\system32\1FAE532A1C.sys
2007-06-21 05:10 5 --sha-w C:\WINDOWS\system32\ceaaeefdfa1_g.dll
2007-06-21 05:18 23 --sha-w C:\WINDOWS\system32\eaedbaccbb0_r.dll
2005-09-03 21:50 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-11 05:25 49,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2007-04-07 10:04 503808 a65c0f33bfb77e85f16a171f41e9165a C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 08:50 139264]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 02:44 579072]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 02:44 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2007-01-07 18:38:46 1808]
HP Image Zone Fast Start.lnk.disabled [2007-01-07 18:40:21 798]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-14 01:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-08 01:38 1266936 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\eMule\\em.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13360:TCP"= 13360:TCP:BitComet 13360 TCP
"13360:UDP"= 13360:UDP:BitComet 13360 UDP
"13038:TCP"= 13038:TCP:BitComet 13038 TCP
"13038:UDP"= 13038:UDP:BitComet 13038 UDP

R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 04:35]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-30 01:00]
.
Contents of the 'Scheduled Tasks' folder
2008-07-27 C:\WINDOWS\Tasks\User_Feed_Synchronization-{743C1170-7DBC-43BA-A4D3-84FD6221DAC9}.job - C:\Program Files\Internet Explorer??Justin?"Updates out-of-date system feeds.??? []
.
- - - - ORPHANS REMOVED - - - -

BHO-{F5810C17-0F3B-4E4D-B1E9-A6059FF760A1} - C:\WINDOWS\system32\ljJYQIYr.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-NVIDIA nTune - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.nextpimp.com/?rtp
R0 -: HKLM-Main,Search Bar =
O8 -: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 -: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 -: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {38F5F92F-BD40-40DF-A569-6C1FCB638190} - hxxp://www.powerleap.com/cab_files/InSPECS3_0.cab
C:\WINDOWS\Downloaded Program Files\InSPECS3_0.inf
C:\WINDOWS\InSPECS3_0.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 15:42:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-27 15:46:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-27 20:46:29

Pre-Run: 23,881,113,600 bytes free
Post-Run: 23,790,563,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

267


-------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:02 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextpimp.com/?rtp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD9C5E6-77E4-48EB-9170-FE1C2DB80ADD}: NameServer = 204.87.167.251 205.242.230.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7872 bytes