
Stubborn Spyware



#1
ninersfan8

    Member

  • Member
  • 85 posts
I ran Malwarebytes a few times and it found 7 things and says it will delete on reboot but every scan keeps finding the same 7 items. Here is the Hijack log first:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:36 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.omaha.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {505AEF91-6E92-400C-A02B-B4318E2F766F} - C:\WINDOWS\system32\compobjl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe (file missing)

--
End of file - 7458 bytes

Malwarebytes log:
Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/20/2009 11:03:55 PM
mbam-log-2009-01-20 (23-03-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160084
Time elapsed: 47 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\compobjl.dll (Trojan.Vundo.H) -> Delete on reboot.


#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
ComboFix 09-01-21.02 - HP_Administrator 2009-01-21 21:01:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.568 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-20 23:10 . 2009-01-20 23:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 23:10 . 2009-01-20 23:10 812,344 --a------ C:\HJTInstall.exe
2009-01-20 17:43 . 2009-01-20 17:43 <DIR> d-------- C:\VundoFix Backups
2009-01-20 00:52 . 2009-01-20 00:52 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Windows Desktop Search
2009-01-20 00:51 . 2009-01-20 00:51 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-20 00:51 . 2008-03-07 11:02 192,000 --------- c:\windows\system32\dllcache\offfilt.dll
2009-01-20 00:51 . 2008-03-07 11:02 98,304 --------- c:\windows\system32\dllcache\nlhtml.dll
2009-01-20 00:51 . 2008-03-07 11:02 29,696 --------- c:\windows\system32\dllcache\mimefilt.dll
2009-01-20 00:50 . 2009-01-20 00:51 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-20 00:49 . 2009-01-20 00:50 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-20 00:47 . 2008-10-16 14:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-20 00:47 . 2007-04-17 03:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-20 00:47 . 2007-03-07 23:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-20 00:47 . 2008-10-16 14:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-20 00:47 . 2008-10-16 14:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-20 00:47 . 2008-10-16 14:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-20 00:47 . 2008-10-16 14:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-20 00:47 . 2008-10-16 14:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-20 00:47 . 2008-10-16 07:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-20 00:22 . 2009-01-20 00:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 00:22 . 2009-01-20 00:21 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 18:07 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 18:07 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 18:04 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-01-19 18:04 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-01-19 18:04 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-01-19 18:04 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2009-01-19 18:03 . 2009-01-20 00:49 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-19 18:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-19 18:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
2009-01-19 18:03 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-19 18:03 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys
2009-01-04 15:30 . 2009-01-20 00:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-31 08:52 . 2008-12-31 08:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-31 08:48 . 2008-12-31 08:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2008-12-28 17:35 . 2008-12-28 17:35 <DIR> d-------- c:\temp\Matthew
2008-12-28 17:31 . 2008-12-28 20:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-28 17:17 . 2008-12-28 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-28 16:57 . 2009-01-20 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-26 22:09 . 2008-12-26 22:09 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 06:21 --------- d-----w c:\program files\Java
2009-01-19 16:43 51,474 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-01-10 04:26 --------- d-----w c:\program files\DISC
2009-01-04 21:07 --------- d---a-w c:\program files\IntelliMoverDemo
2009-01-04 21:07 --------- d-----w c:\program files\GemMaster
2009-01-04 21:07 --------- d-----w c:\program files\EnglishOtto
2009-01-04 20:48 --------- d-----w c:\program files\Google
2008-12-31 14:54 --------- d-----w c:\program files\HP
2008-12-28 23:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-28 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-18 14:43 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-12-18 14:43 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-12-18 14:43 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-12-18 14:43 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-12-18 14:43 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2008-12-18 14:43 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-12-18 14:43 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-12-18 14:43 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-12-14 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-14 22:39 --------- d-----w c:\program files\Common Files\Panda Software
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 12:05 118,656 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2008-11-27 17:47 10,240 ----a-w c:\windows\system32\RtNicProp32.dll
2008-11-27 05:25 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\W Photo Studio Viewer
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2007-03-11 15:47 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( snapshot@2009-01-20_18.11.07.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-14 00:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2008-10-17 08:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2006-11-02 00:31:34 315,904 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 04:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
- 2006-10-19 02:03:58 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 07:09:22 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2006-10-19 03:47:16 414,208 ----a-w c:\windows\system32\dllcache\msscp.dll
+ 2006-12-04 22:21:50 414,720 ----a-w c:\windows\system32\dllcache\msscp.dll
- 2006-11-02 00:31:34 315,904 ----a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 04:10:26 317,440 ----a-w c:\windows\system32\dllcache\unregmp2.exe
- 2007-08-14 00:54:10 765,952 ------w c:\windows\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58 765,952 ------w c:\windows\system32\dllcache\vgx.dll
- 2006-10-19 03:47:18 222,208 ----a-w c:\windows\system32\dllcache\WMASF.dll
+ 2007-10-27 23:40:30 222,720 ----a-w c:\windows\system32\dllcache\wmasf.dll
- 2006-10-19 03:47:20 937,984 ----a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 11:03:08 938,496 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 03:47:20 10,834,432 ----a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\dllcache\wmp.dll
- 2006-10-19 03:47:22 2,450,944 ----a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2006-10-19 02:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 07:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-10-17 08:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2006-10-19 03:47:16 414,208 ----a-w c:\windows\system32\msscp.dll
+ 2006-12-04 22:21:50 414,720 ----a-w c:\windows\system32\msscp.dll
- 2006-10-19 03:47:18 222,208 ----a-w c:\windows\system32\WMASF.dll
+ 2007-10-27 23:40:30 222,720 ----a-w c:\windows\system32\wmasf.dll
- 2006-10-19 03:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 11:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 03:47:20 10,834,432 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2006-10-19 03:47:20 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2008-06-25 00:12:58 295,936 ------w c:\windows\system32\wmpeffects.dll
- 2006-10-19 03:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2009-01-21 09:08:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_78c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{505AEF91-6E92-400C-A02B-B4318E2F766F}]
2004-08-10 06:00 99840 --a------ c:\windows\system32\compobjl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-02 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-28 221184]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-08-01 106496]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 bxdbhgeo;bxdbhgeo;c:\windows\system32\drivers\bxdbhgeo.sys [2004-08-10 23424]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.omaha.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 21:04:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-21 21:06:02
ComboFix-quarantined-files.txt 2009-01-22 03:05:19

Pre-Run: 131,835,801,600 bytes free
Post-Run: 131,823,632,384 bytes free

225 --- E O F --- 2009-01-21 09:02:25
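A defender's triage pass over the "Reg Loading Points" section of the ComboFix log above, added here as an example; it is not part of the thread and not ComboFix's own code. It parses the REGEDIT4-style key/value blocks, flags settings that weaken the host's own defences (the Security Center notification switches and the standard-profile firewall switch, both of which appear in the posted log with their weakening values), and lists boot-start drivers for manual review without judging them. The excerpt it runs on is constructed from the posted log; the value names are the standard Windows XP Security Center and Windows Firewall registry settings, and the R/S-plus-start-type prefix is ComboFix's own service listing convention.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix code). Parses the REGEDIT4-style blocks,
flags defence-weakening settings and lists boot-start drivers for review.
"""
import re

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix service lines: R/S (running/stopped) + start type, then name;display name;path [date size]
DRIVER_LINE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")

# Constructed excerpt of the log posted above (ComboFix shortens long key paths with ~).
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{505AEF91-6E92-400C-A02B-B4318E2F766F}]
2004-08-10 06:00 99840 --a------ c:\windows\system32\compobjl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 bxdbhgeo;bxdbhgeo;c:\windows\system32\drivers\bxdbhgeo.sys [2004-08-10 23424]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
"""

# (fragment of the key path, value name, value that weakens defences, what it means)
WEAKENING = [
    ("security center", "antivirusdisablenotify", 1, "Security Center antivirus warnings suppressed"),
    ("security center", "firewalldisablenotify", 1, "Security Center firewall warnings suppressed"),
    ("security center", "updatesdisablenotify", 1, "Security Center Windows Update warnings suppressed"),
    (r"firewallpolicy\standardprofile", "enablefirewall", 0, "Windows Firewall disabled (standard profile)"),
]


def parse_reg_points(text):
    """Return {key: {value_name: raw_value}} for every [KEY] block (names lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := REG_VALUE.match(line)):
            keys[current][m.group(1).lower()] = m.group(2).strip()
    return keys


def as_int(raw):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None when not numeric."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def find_weakened_defences(text):
    """Report every WEAKENING setting that is present with its weakening value."""
    findings = []
    for key, values in parse_reg_points(text).items():
        for fragment, name, bad, meaning in WEAKENING:
            if fragment in key and name in values and as_int(values[name]) == bad:
                findings.append(f"{meaning}: {name}={values[name]} under [{key}]")
    return findings


def boot_start_drivers(text):
    """(service name, image path) of drivers with start type 0. They load at boot,
    before any user-mode scanner runs, so each one gets a manual look regardless of name."""
    return [(m.group(3), m.group(5).strip())
            for m in map(DRIVER_LINE.match, (l.strip() for l in text.splitlines()))
            if m and m.group(2) == "0"]


if __name__ == "__main__":
    for finding in find_weakened_defences(SAMPLE):
        print("WEAKENED:", finding)
    for name, path in boot_start_drivers(SAMPLE):
        print("REVIEW boot-start driver:", name, path)
```

Run against the sample it reports three weakened-defence settings and one boot-start driver to review; the driver list is deliberately a review queue, not a verdict, because a boot-start entry is only suspicious in combination with what the rest of the log shows.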

#4
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the bolded below into the Notepad window:


Collect::
C:\WINDOWS\system32\compobjl.dll
File::
C:\WINDOWS\system32\compobjl.dll
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f}]
[-HKEY_CLASSES_ROOT\CLSID\{505aef91-6e92-400c-a02b-b4318e2f766f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings]
bf=-
bk=-
iu=-
mu=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:
  • Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.

Run Malwarebytes again, and save the report

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • Malwarebytes log

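The CFScript above is written by hand from the Malwarebytes hits in post #1, and the BHO it targets is the "(no name)" O2 entry in the HijackThis log. The following script, added here as an example and not code from Malwarebytes, ComboFix or this thread's helper, shows the same work done mechanically: it parses the Malwarebytes "... Infected:" sections, emits a CFScript in the layout used above (Collect::, File::, Registry:: with [-KEY] to delete a key and name=- under [KEY] to delete a value, unquoted as in the posted script), and cross-checks the flagged CLSID against HijackThis O2 lines. Both log excerpts are constructed from the logs posted in this thread; the script only produces text and runs nothing.

```python
"""Build a ComboFix CFScript from a Malwarebytes log and cross-check it
against HijackThis O2 (BHO) lines.

Added example, not code from Malwarebytes, ComboFix or this thread. The
CFScript layout (Collect::, File::, Registry:: with [-KEY] to delete a
key and name=- to delete a value) mirrors the script posted above.
"""
import re

# "<object> (<detection>) -> <action>."  one Malwarebytes hit line
MBAM_ITEM = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"  one HijackThis BHO line
HJT_BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Constructed excerpts taken from the logs posted in this thread.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\compobjl.dll (Trojan.Vundo.H) -> Delete on reboot.
"""
HJT_LOG = r"""
O2 - BHO: (no name) - {505AEF91-6E92-400C-A02B-B4318E2F766F} - C:\WINDOWS\system32\compobjl.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
"""


def parse_mbam(text):
    """Return {section: [(object, detection, action), ...]} for every
    '... Infected:' section; '(No malicious items detected)' yields an empty list."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            current = line[:-1]
            sections[current] = []
        elif current and (m := MBAM_ITEM.match(line)):
            sections[current].append((m.group(1), m.group(2), m.group(3)))
    return sections


def build_cfscript(findings, collect=True):
    """Emit CFScript text: Collect:: (upload copies), File:: (delete files),
    Registry:: ([-KEY] deletes a key, name=- under [KEY] deletes a value)."""
    files = [obj for obj, _, _ in findings.get("Files Infected", [])]
    keys = [obj for obj, _, _ in findings.get("Registry Keys Infected", [])]
    values = [obj for obj, _, _ in findings.get("Registry Values Infected", [])]
    out = []
    if collect and files:
        out += ["Collect::", *files]
    if files:
        out += ["File::", *files]
    if keys or values:
        out.append("Registry::")
        out += [f"[-{k}]" for k in keys]
        by_key = {}
        for v in values:                      # group value deletions under their parent key
            parent, _, name = v.rpartition("\\")
            by_key.setdefault(parent, []).append(name)
        for parent, names in by_key.items():
            out += [f"[{parent}]", *(f"{n}=-" for n in names)]
    return "\n".join(out) + "\n"


def correlate(hjt_text, findings):
    """Match HijackThis O2 lines to Malwarebytes registry-key hits by CLSID
    (case-insensitive); returns (CLSID, dll path, detection name) per match."""
    flagged = {}
    for obj, detection, _ in findings.get("Registry Keys Infected", []):
        if m := re.search(r"\{[0-9a-f-]{36}\}", obj.lower()):
            flagged[m.group()] = detection
    hits = []
    for line in hjt_text.splitlines():
        m = HJT_BHO.match(line.strip())
        if m and m.group(2).lower() in flagged:
            hits.append((m.group(2), m.group(3), flagged[m.group(2).lower()]))
    return hits


if __name__ == "__main__":
    found = parse_mbam(MBAM_LOG)
    for clsid, dll, detection in correlate(HJT_LOG, found):
        print(f"BHO {clsid} -> {dll} is {detection}")
    print(build_cfscript(found), end="")
```

The cross-check is the part worth keeping: when a scanner reports "delete on reboot" scan after scan, as in post #1, confirming that the flagged CLSID is still registered as a BHO loading the same DLL tells you the removal is being undone or never completing, which is the cue to move from the scanner to a script-driven tool as the helper did here.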

#5
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
ComboFix didn't make those 2 files when it was done scanning, it seems, the zip folder or the htm file. I made that text file just as described. Here are the log files:

ComboFix 09-01-21.02 - HP_Administrator 2009-01-22 9:08:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.546 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\compobjl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\compobjl.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-20 23:10 . 2009-01-20 23:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 23:10 . 2009-01-20 23:10 812,344 --a------ C:\HJTInstall.exe
2009-01-20 17:43 . 2009-01-20 17:43 <DIR> d-------- C:\VundoFix Backups
2009-01-20 00:52 . 2009-01-20 00:52 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Windows Desktop Search
2009-01-20 00:51 . 2009-01-20 00:51 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-20 00:51 . 2008-03-07 11:02 192,000 --------- c:\windows\system32\dllcache\offfilt.dll
2009-01-20 00:51 . 2008-03-07 11:02 98,304 --------- c:\windows\system32\dllcache\nlhtml.dll
2009-01-20 00:51 . 2008-03-07 11:02 29,696 --------- c:\windows\system32\dllcache\mimefilt.dll
2009-01-20 00:50 . 2009-01-20 00:51 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-20 00:49 . 2009-01-20 00:50 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-20 00:47 . 2008-10-16 14:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-20 00:47 . 2007-04-17 03:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-20 00:47 . 2007-03-07 23:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-20 00:47 . 2008-10-16 14:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-20 00:47 . 2008-10-16 14:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-20 00:47 . 2008-10-16 14:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-20 00:47 . 2008-10-16 14:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-20 00:47 . 2008-10-16 14:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-20 00:47 . 2008-10-16 07:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-20 00:22 . 2009-01-20 00:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 00:22 . 2009-01-20 00:21 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 18:07 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 18:07 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 18:04 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-01-19 18:04 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-01-19 18:04 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-01-19 18:04 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2009-01-19 18:03 . 2009-01-20 00:49 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-19 18:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-19 18:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
2009-01-19 18:03 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-19 18:03 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys
2009-01-04 15:30 . 2009-01-20 00:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-31 08:52 . 2008-12-31 08:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-31 08:48 . 2008-12-31 08:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2008-12-28 17:35 . 2008-12-28 17:35 <DIR> d-------- c:\temp\Matthew
2008-12-28 17:31 . 2008-12-28 20:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-28 17:17 . 2008-12-28 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-28 16:57 . 2009-01-20 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-26 22:09 . 2008-12-26 22:09 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 06:21 --------- d-----w c:\program files\Java
2009-01-19 16:43 51,474 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-01-10 04:26 --------- d-----w c:\program files\DISC
2009-01-04 21:07 --------- d---a-w c:\program files\IntelliMoverDemo
2009-01-04 21:07 --------- d-----w c:\program files\GemMaster
2009-01-04 21:07 --------- d-----w c:\program files\EnglishOtto
2009-01-04 20:48 --------- d-----w c:\program files\Google
2008-12-31 14:54 --------- d-----w c:\program files\HP
2008-12-28 23:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-28 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-14 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-14 22:39 --------- d-----w c:\program files\Common Files\Panda Software
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 12:05 118,656 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2008-11-27 05:25 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\W Photo Studio Viewer
2007-03-11 15:47 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( snapshot_2009-01-21_21.04.38.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-22 15:11:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{505AEF91-6E92-400C-A02B-B4318E2F766F}]
2004-08-10 06:00 99840 --a------ c:\windows\system32\compobjl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-02 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-28 221184]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-08-01 106496]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 bxdbhgeo;bxdbhgeo;c:\windows\system32\drivers\bxdbhgeo.sys [2004-08-10 23424]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.omaha.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:11:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-22 9:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 15:14:46
ComboFix2.txt 2009-01-22 15:03:58
ComboFix3.txt 2009-01-22 03:06:05

Pre-Run: 131,788,324,864 bytes free
Post-Run: 131,774,570,496 bytes free

200 --- E O F --- 2009-01-21 09:02:25


Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/22/2009 2:02:06 PM
mbam-log-2009-01-22 (14-02-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176339
Time elapsed: 53 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{505aef91-6e92-400c-a02b-b4318e2f766f} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\compobjl.dll (Trojan.Vundo.H) -> Delete on reboot.

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK, let's grab a bigger hammer.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text bolded below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
c:\windows\system32\compobjl.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f}
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings | bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings | bk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings | iu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings | mu

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the contents of c:\avenger.txt into your reply along with a fresh HijackThis log.

#7
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
That didn't seem to work either; it looks like we got access denied on all of them:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\compobjl.dll"
Deletion of file "c:\windows\system32\compobjl.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505aef91-6e92-400c-a02b-b4318e2f766f" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|mu"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|mu" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:54 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\internet explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.omaha.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {505AEF91-6E92-400C-A02B-B4318E2F766F} - C:\WINDOWS\system32\compobjl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 7482 bytes

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Tough little file. Do you have a Windows disk, and are you familiar with the Recovery Console?

#9
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
Haha, yes it is. And yes, I do have a disk, and yes, I am very familiar with it.

#10
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
sorry, double post

Edited by ninersfan8, 22 January 2009 - 06:38 PM.

#11
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK, let's rename it; that way we can get a copy and maybe figure out why it wasn't deleted by 2 of our most powerful tools.

Boot into RC mode.
At the RC prompt, type in the following one line at a time, pressing Enter after each line:

CD C:\Windows\system32
REN compobjl.dll compobjl.dll.vir
EXIT

Post a HijackThis log after the restart.

#12
ninersfan8

    Member

  • Topic Starter
  • Member
  • 85 posts
It seemed to have let me rename it in the Recovery Console. Here is a new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:07 PM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.omaha.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {505AEF91-6E92-400C-A02B-B4318E2F766F} - C:\WINDOWS\system32\compobjl.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 7382 bytes

#13
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again. Good work.

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: (no name) - {505AEF91-6E92-400C-A02B-B4318E2F766F} - C:\WINDOWS\system32\compobjl.dll (file missing)

Now click "Fix Checked" and close HijackThis.

Next

Click Start, then Run, then type cmd; copy and paste the following line in and press Enter. A new txt file will be created on your desktop; please post its contents.

regedit /e "c:\documents and settings\HP_Administrator\Desktop\look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings"

#14
ninersfan8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings]
"bf"=hex:9d,5d,ea,98,47,f9,a2,50,69,54,4a,1c,17,24,32,da,f3,94,44,53,ad,98,cb,\
2f,91,25,bc,c3,00,f3,6a,93,5e
"bk"=hex:a5,52,86,fa,4f,f2,a0,26,0f,2a,20,2a,57,65,6b,8b,ae,97,35,22,8f,c7,94,\
1d,d3,05,e2,9c,1f,af,43,cd,18,d0,00,79,c8,4a,66
"iu"=dword:00000019
"mu"=hex:7b,14,ae,47,e1,7a,84,3f
"vr"=dword:00000015
"cfp"=dword:0000001c
"cf0"=hex:85,12,c6,ab,53,ba,ec,69,4c,3a,24,5e,63,5d,22,d4,a3,93,7b,05,a7,9a,9b,\
6f,c6,76,e7,9c,1e,ba,37,c6,6f,df,04,78,83,3d,14,fb,cb,ba,a7,db,e3,dd,a2,0e,\
23,4f,82,fb,3e,4d,09,f0,10,a6,22,4d,c1,65,e2,51,bd,08,db,c2,04,d3,d4,22,56,\
73,62,1f,54,78,69,d1,ff,d3,14,7d,aa,90,88,3c,91,2a,db,a5,4a,a4,3b,97,2a,93,\
46,75,a1,18,08,eb,d3,f4,f2,8d,8f,f9,a5,50,73,2a,fc,eb,7a,4a,4e,ab,0a,b7,6c,\
00,81,79,f2,12,ad,0a,d1,bd,20,d9,83,6b,33,0d,72,5a,53,3f,32,cb,ee,9d,59,20,\
a3,84,c2,3d,8b,20,f8,cc,41,fa,0b,f5,3a,d1,0b,27,fa,43,16,a5,91,a8,fb,9c,9c,\
a4,b2,11,7d,48,9b,82,44,13,11,e2,16,b3,22,5f,94,38,a9,11,aa,03,c5,ae,7e,de,\
c8,7c,51,6a,1b,65,0a,6f,7b,d7,ea,d3,06,35,e1,d8,c8,2b,97,2a,b7,c8,4b,b9,68,\
9a,2a,ea,3c,2b,b7,0a,0e,eb,ca,f7,ac,c0,c1,b9,b2,52,6d,46,86,e6,60,19,43,ab,\
73,cd,32,1e,9e,2a,ee,0b
"cf1"=hex:aa,17,8c,e0,21,d9,8a,6c,5a,6b,38,00,1c,30,4b,b5,fa,96,47,32,a6,83,d2,\
2f,c4,68,f9,96,1a,b9,31,ca,70,d5,06,7a,a0,06,57,a9,b3,8d,f2,de,dc,ea,ae,4b,\
6a,57,cc,a0,61,4e,12,f1,49,f2,78,1d,9e,22,a8,4e,ef,57,bb,c5,6a,86,d5,22,56,\
73,62,1f,54,78,69,8d,af,95,58,3e,ff,c0,88,6e,c8,76,f8,9e,1a,a2,0b,f5,3a,d6,\
02,72,e6,43,12,ef,84,a8,b9,dd,df,e4,e8,0e,29,12,d8,be,77,44,08,ee,4a,f4,5b,\
25,de,62,bb,50,ab,48,d1,e1,7e,df,96,20,4a,75,7d,52,5c,62,60,dc,f6,cc,4b,39,\
fc,c4,97,69,cf,7e,e7,9c,4c,f2,65,9c,66,d4,57,7e,bc,01,56,ae,dd,e4,f3,db,88,\
b6,fe,0c,2e,10,c6,a9,2c,1b,47,e2,18,ae,31,22,a4,4c,f1,10,ac,0c,eb,c2,04,d3,\
83,73,55,62,6f,52,4e,75,3d,d7,f5,c6,1a,63,b3,ab,d5,30,98,33,a1,ce,5c,f2,5a,\
92,37,84,44,20,fd,58,00,eb,e2,f0,ff,81,8a,b8,b1,4c,42,44,83,fd,3c,12,48,ab,\
08,a2,24,5c,c7,78,e8,23
"cf2"=hex:ac,12,d8,93,7d,c7,9f,7d,51,73,65,0b,4e,23,23,de,ea,ce,1b,6a,bc,d5,86,\
6e,de,7e,e3,9a,17,ae,34,f2,54,83,53,23,e5,52,1f,a2,9e,a5,ed,87,85,b6,aa,53,\
63,7b,85,e0,28,03,51,be,0c,a2,0a,42,c7,74,f4,10,ad,08,d0,bb,52,c0,8f,71,5a,\
68,61,1c,32,34,33,cd,ec,c2,18,7b,b8,92,d4,2c,97,28,b8,f3,4b,ef,76,93,31,95,\
53,3d,d2,55,14,f0,c9,f4,f3,9d,ce,bf,a3,53,6e,42,84,af,21,15,4c,ba,1d,b3,25,\
73,d5,24,b0,1b,bc,04,87,f8,37,9a,87,2e,07,61,3b,5b,56,31,74,92,fc,96,40,6e,\
e3,c1,c7,6c,9b,76,ef,cd,1a,a5,67,c7,69,9a,6a,6d,ae,06,46,a6,8b,b2,af,d6,dc,\
da,cc,5b,7b,4b,9d,ea,37,4a,06,fd,05,af,3d,4e,c2,7b,fb,23,ad,08,d0,bb,79,d6,\
94,7a,62,6a,7f,0c,1c,38,35,d0,f8,d3,2a,78,a7,99,c2,30,89,34,8a,cc,5b,e5,74,\
9a,30,93,40,2a,fc,44,0f,f0,d0,db,f3,97,9e,bb,a9,4d,7b,55,aa,ed,3c,18,51,ac,\
1b,b5,76,47,cb,7b,f6,1a
"cf3"=hex:ac,47,d9,ad,64,d2,85,6b,4d,5b,6d,5c,5c,66,75,8e,ac,94,4e,22,fb,c3,95,\
6b,d3,73,e4,9c,1a,ba,32,cd,6d,d3,1b,7b,bd,05,52,ac,8c,b3,a4,dc,da,e4,f4,42,\
42,05,d6,be,6e,4e,13,ea,47,fe,64,22,a4,65,e3,11,b8,0e,da,aa,33,97,9d,6c,47,\
74,25,5d,13,0b,27,dc,f2,ce,13,61,ba,d9,c2,33,92,67,ad,dc,57,e4,35,cd,23,bb,\
57,2c,e2,5e,03,f1,ca,a9,ed,9d,8d,aa,e8,5b,72,4b,d6,be,6e,4e,13,ea,47,fe,64,\
22,a4,65,e3,11,b8,0e,da,aa,33,97,9d,6c,47,74,25,5d,13,0b,2f,cf,e8,91,1b,60,\
be,8d,88,3b,92,2b,f6,d4,5d,ee,75,cc,6c,9a,6a,26,fe,41,50,f2,d1,f7,ec,c1,95,\
a5,a5,42,30,43,9a,e3,6e,46,06,e6,4b,f2,6f,16,9c,1a,8c,0d,bb,09,d0,a6,62,d2,\
db,3f,45,74,6f,1c,5d,65,3b,e3,f7,d7,00,39,a3,98,c8,2e,d0,23,ba,c3,0e,ec,75,\
86,2d,d4,04,32,d2,5e,16,e9,88,ea,f9,81,9f,f9,bd,4d,7d,5a,d8,eb,22,1b,06,ee,\
5e,fe,63,1a,97,2e,b4,72
"cf4"=hex:d4,15,d3,a1,68,de,8a,7a,03,27,6d,1c,17,24,75,8d,e3,fb,1f,7f,b8,c1,cb,\
30,8a,22,f8,cb,42,fb,26,84,2d,9e,45,7c,bc,4a,3a,f6,ce,f1,a0,82,81,a3,a3,11,\
65,55,95,f2,60,13,4a,b3,5e,f6,76,16,9b,22,bf,46,ec,6a,bc,bd,6b,d9,80,76,52,\
62,2b,4f,15,24,3f,cc,ad,95,0b,53,a7,87,d0,69,93,28,a2,df,00,f3,6a,93,7e,9c,\
45,36,fd,04,54,e2,e2,ee,e6,99,d8,ba,a9,4b,6e,09,8d,fd,2d,0a,08,bb,12,ab,76,\
1e,8e,2e,b3,4a,e7,5e,84,c2,04,c5,83,71,58,6e,7a,0a,53,77,3d,cc,e7,d4,45,3d,\
b3,ab,cf,2f,88,71,bb,c0,5e,fc,28,9b,32,8b,16,34,fd,4e,15,ac,8c,fa,ca,86,9e,\
a1,f0,52,71,57,9d,a1,35,05,45,a2,50,a3,3a,43,8e,26,a6,46,eb,52,8f,f6,3c,ba,\
ec,6d,5b,69,70,06,02,32,7b,9f,e5,d4,0f,7c,fd,c5,db,03,97,37,a0,99,43,f8,76,\
8c,70,83,5a,23,ae,4c,15,e6,cd,b4,a4,92,b2,be,b6,49,28,4a,99,ff,3d,59,5d,ad,\
1d,ba,78,4b,c2,7b,a6,4e
"cf5"=hex:fe,5e,83,fa,37,8e,d4,12,34,75,73,01,08,3e,2a,da,a3,87,0d,7c,b7,84,95,\
6d,83,1b,bf,df,58,a1,6b,90,30,94,18,2b,e2,5b,46,e4,cd,fe,e5,dc,dc,aa,9a,56,\
6e,51,c0,e2,21,19,55,f1,05,b5,35,52,80,73,ea,13,fe,56,96,f6,3b,82,df,26,0c,\
0a,1c,1d,0b,39,20,d6,f2,c2,4b,2f,b5,84,df,2c,cd,75,ab,f3,47,e7,70,c9,33,88,\
58,23,a0,53,0a,f3,9e,fc,e5,96,9d,e4,f4,42,42,4e,86,f9,78,1a,49,b1,12,e9,2d,\
5d,cd,6a,a8,1b,b2,0b,96,fe,2e,8e,d3,2a,07,3e,24,62,64,25,23,d1,f8,ce,1a,6a,\
f3,d7,dd,2c,87,34,e5,9d,53,cb,6f,8f,28,d1,5b,20,e0,5b,48,fb,d2,eb,b6,94,9d,\
ae,b5,0c,2c,5a,aa,e6,3e,01,10,b2,11,a9,3a,01,d5,65,e5,02,f0,03,da,a3,2e,86,\
c6,26,0b,32,2f,56,5c,5a,4c,cd,fb,c9,10,66,a2,92,9b,7f,85,37,b0,d2,72,f6,6a,\
8b,3d,8a,52,13,ef,5b,12,fc,d3,e3,a5,dd,c0,b3,aa,53,3e,5c,86,e9,33,2b,47,b3,\
0a,a4,3b,4b,f2,76,ea,0b
"cf6"=hex:bd,0a,d2,fc,3c,99,9d,6d,5d,7a,38,0b,02,3b,66,8e,be,9e,43,3a,f7,ce,94,\
52,f4,32,a4,92,46,e3,72,8f,64,c8,19,7d,bf,04,48,ae,89,b2,b8,de,d7,e4,e8,0e,\
2b,13,d9,e8,3c,46,1e,f1,0e,af,26,22,a4,70,e4,13,e3,14,93,fd,3e,ba,ec,6f,4c,\
62,70,5e,53,3f,32,cb,ee,9d,59,20,ad,8e,c4,3a,8c,34,a2,dd,41,fb,6a,d1,3d,88,\
5b,60,fc,59,15,b0,dc,aa,e5,8a,8f,a5,a5,57,31,44,db,82,44,05,44,b3,43,b4,73,\
1d,9e,1a,8c,0d,bb,1f,c2,f2,21,ba,ec,6f,51,77,27,52,06,23,32,cf,a4,88,59,7a,\
e3,94,ca,3a,9f,29,b3,dd,00,f5,6f,85,71,8e,58,61,fe,5f,16,a0,d2,e6,f8,8b,d3,\
e6,e0,5e,78,41,9f,eb,73,47,14,e6,4f,ff,5b,25,de,78,f6,0f,bf,12,c5,aa,3f,8a,\
d7,2f,33,0d,4d,1c,0b,38,68,d8,f1,c8,11,63,ab,aa,ab,55,8e,26,b1,ca,71,e2,74,\
96,63,90,41,38,a0,50,09,f0,d9,eb,f3,c1,e3,dd,b6,5e,79,42,a9,ff,3c,1a,1b,f0,\
0d,a2,37,5d,cd,7f,b9,72
"cf7"=hex:d4,01,d9,bd,63,e8,8f,71,4e,72,62,52,1f,5a,4c,ca,ec,9a,13,60,bc,ca,c1,\
30,91,20,ba,ca,15,f2,69,8d,63,84,57,2c,e6,52,5c,a4,db,e8,e4,d2,d1,a2,ab,02,\
2f,01,82,ee,2c,4a,1d,d2,74,b2,24,12,c7,2a,e1,10,b1,00,da,aa,35,de,db,30,4b,\
75,7a,50,55,5a,4c,e4,ed,c2,19,21,b7,96,ce,30,91,69,b5,c0,43,ca,0b,f5,2e,86,\
51,2a,d1,42,14,f6,83,f4,f3,8e,9c,b4,ae,11,67,46,9e,e0,21,7a,2c,af,1f,a0,33,\
70,de,65,eb,42,ad,02,d7,bd,6d,df,eb,15,58,68,64,02,31,3e,28,cf,eb,d3,4b,7f,\
c3,fd,d3,2d,c3,22,b9,dd,13,e4,63,9e,2c,84,5e,61,f7,56,0e,f0,d1,a9,f5,80,83,\
ec,a3,50,6c,1a,85,ea,2f,05,45,b7,51,a4,37,4c,c6,72,b9,44,d3,6d,ed,bc,6b,d8,\
c8,72,4d,69,4b,62,64,27,27,d8,fb,f8,03,7d,a7,ca,d5,3a,9f,35,b5,c7,00,fa,75,\
91,70,ea,3c,3f,ef,50,03,c0,ce,f5,fb,d2,c1,a5,a3,4c,6b,4b,82,fc,60,16,55,af,\
06,ca,5c,49,c1,65,eb,20
"cf8"=hex:b7,09,c6,ba,7a,8a,97,12,34,72,64,52,0b,38,34,82,b0,ca,05,61,e0,cc,c3,\
30,8c,7a,f8,c3,47,e1,63,d1,65,82,59,3d,b3,54,07,fc,d6,e2,b8,8e,9d,a7,be,04,\
7b,48,84,b2,60,1a,4f,bc,0c,a8,25,40,c8,63,a8,44,d3,6d,c3,bd,33,de,89,6d,03,\
29,64,41,03,24,28,91,a5,ce,19,7d,f3,d1,c0,30,8c,2a,eb,fe,6c,c5,43,c4,53,ed,\
6d,3c,eb,58,48,f3,d7,f1,f3,b2,e3,dd,b6,5e,79,42,a9,fa,3c,1e,1b,ac,1b,a6,24,\
4c,c6,39,ea,16,a8,02,98,c2,04,c7,87,78,5b,58,66,1d,03,6a,69,cd,fb,d4,03,63,\
ba,84,88,3e,8d,37,ae,a2,24,f1,69,8d,33,b8,5f,21,fe,42,12,a2,cf,8a,9c,9a,9c,\
ea,a3,50,6c,1a,d8,e2,3d,19,08,e4,1b,a8,24,12,80,7b,ef,09,bb,49,8d,aa,61,c5,\
db,7c,5f,64,7e,0a,40,36,35,cf,e6,9c,13,60,bc,ca,88,32,97,24,a4,c0,5d,f8,60,\
8b,70,dc,3b,45,d5,44,03,f0,90,e6,f9,83,b3,da,cc,4f,7f,40,93,d0,3b,05,4f,e2,\
1f,a8,3a,01,cd,78,eb,72
"cf9"=hex:d4,17,d7,a8,6b,e8,96,6d,53,3a,39,1c,0b,36,34,dc,f6,98,7b,05,a8,98,d4,\
32,a1,2e,b8,df,5b,e3,3b,8e,2b,82,44,36,83,3d,0f,f1,ce,f2,e2,b0,87,b3,fb,4e,\
6b,42,84,f6,7f,7a,2c,aa,0c,fa,33,12,cf,78,ea,51,bd,08,db,c2,04,c2,94,22,57,\
68,64,52,03,38,34,da,cc,c2,05,7a,a2,83,d5,64,97,28,a4,92,5d,e0,6f,8b,3d,8f,\
53,3d,83,3d,3d,fd,dc,e4,b8,8c,81,f9,b3,54,43,2a,fc,ff,2f,10,43,80,0b,b5,3f,\
12,cc,75,e5,51,bd,08,98,ba,65,ba,ec,6f,5f,60,73,30,1e,25,2b,82,ed,c2,17,7d,\
ad,9f,99,52,f4,21,b9,dd,43,c8,6f,91,2e,92,42,72,ff,3a,6c,ea,cc,ba,ff,80,9c,\
ea,ab,5e,77,49,cd,e6,21,05,1b,ba,06,b3,33,5d,c0,76,ea,44,b7,08,c4,f2,7d,d4,\
8e,7a,5a,72,7a,0a,1d,5a,4c,e4,ff,d4,58,7c,ba,96,d4,28,9f,35,b3,f2,23,9d,76,\
9e,39,82,69,3a,fc,5e,5b,f2,c7,a9,e5,9b,8f,a5,b1,5e,6c,42,d8,ec,21,1a,2b,d5,\
0e,a6,31,4a,f1,67,f4,12
"cf10"=hex:e3,14,d3,ae,7c,d4,8e,12,34,61,79,1d,03,08,2f,d1,ee,d2,02,32,bf,85,\
df,52,f4,32,a4,92,4b,f8,74,c2,2d,93,57,3d,f9,56,14,fa,85,e2,f9,9d,d3,a4,a3,\
5e,6c,44,9e,b4,43,7d,7d,be,1c,a8,23,5b,80,74,e9,12,83,6a,bc,bf,6f,d0,83,40,\
4b,75,7f,52,1d,32,27,cd,fd,cf,58,6e,ac,98,d3,2b,f3,4d,a6,ce,49,f2,59,8f,2c,\
8a,0b,3b,eb,45,0b,ec,b3,8d,f0,80,9c,ba,99,56,70,57,83,fb,73,03,43,ad,13,b4,\
5b,25,db,65,bb,1a,e3,14,d3,ae,7c,d4,8e,31,5f,65,79,1a,1a,6c,4b,b5,c5,ca,0f,\
78,ab,95,d5,3a,9f,35,b5,c7,00,f4,69,92,03,ea,3c,3f,ef,50,03,c0,cb,f5,ff,d2,\
c0,ba,bf,48,7b,45,85,ea,2f,05,45,b7,50,ca,5c,5f,cf,70,e3,20,ae,15,db,f2,7d,\
d2,87,6d,5d,6f,70,00,1c,5a,4c,d9,f1,d5,1b,50,a7,99,d6,2a,8a,7a,a5,ca,4f,e5,\
65,97,38,88,44,42,84,5e,08,ef,cb,f3,c9,86,8a,ea,b5,5a,7f,55,95,e7,28,18,54,\
d2,74,b2,24,12,c7,2a,f4,1a
"cf11"=hex:ba,0e,c4,aa,6d,c3,dd,76,03,66,75,1b,07,38,28,82,ee,ce,15,64,f5,fa,\
ac,04,8d,26,a6,c0,00,e7,72,a2,53,ed,46,2e,e9,52,39,ea,cc,ee,ab,c1,9d,b6,b6,\
50,30,57,82,82,44,07,47,b8,1b,98,26,5d,c3,2a,e4,1e,ac,15,d7,f2,03,bd,80,70,\
4c,6a,49,06,00,27,33,cb,a3,d6,7b,05,a7,99,d6,2a,8a,18,bf,cb,13,fe,62,a0,2f,\
ea,3c,3a,fc,0a,03,a2,cd,e6,e6,80,c0,a7,b2,04,13,2d,ad,ee,22,03,47,a9,17,b4,\
22,4e,80,74,e9,12,83,6a,bc,bf,6f,d0,83,40,4b,75,7f,52,40,36,2a,cb,ff,d1,1f,\
7c,ba,96,88,52,f4,37,b7,c8,4b,c8,76,8d,33,da,44,2a,fd,42,0a,eb,cd,8a,9c,89,\
81,a5,ab,60,77,49,86,fa,3a,4a,57,d2,74,b2,24,12,cb,78,f4,42,f4,4d,de,bb,7a,\
c7,c3,2c,7f,28,39,18,19,20,68,de,f2,d3,17,79,a7,84,d2,3e,d0,7c,b3,c0,5c,aa,\
2c,d5,36,93,42,3f,ab,04,27,b0,91,e6,f8,9c,99,b2,b4,4c,30,5e,97,e7,21,18,08,\
e4,73,cd,23,5d,93,72,e9,0d
"cf12"=hex:e3,4d,9c,a7,7a,c3,96,25,11,28,61,18,19,79,27,d3,ea,c6,00,66,bd,83,\
c7,71,c5,22,b9,dd,13,bd,2c,97,2a,93,46,75,a1,18,07,f1,cd,f0,f3,9d,9d,f9,bf,\
5e,76,48,99,a1,75,7a,2c,84,1a,a2,78,4e,dd,7c,a8,1c,b1,0a,eb,c2,04,c7,87,78,\
5b,58,63,1d,07,6a,22,da,b0,c6,05,64,e0,fa,ac,2f,9f,20,b3,f0,5e,e5,6b,c2,2f,\
da,3b,45,e8,58,14,f2,e1,ee,f8,9f,9b,a3,fb,4e,13,2d,83,fd,73,12,1b,bb,1b,e9,\
37,5c,c5,39,e5,10,b3,5c,bb,c5,55,d3,8b,70,44,29,79,1d,09,0a,4b,b5,ee,c6,11,\
6a,91,82,d4,36,c3,34,b3,ce,5c,f4,6e,d1,3a,8a,59,35,a0,58,14,f8,b3,8d,e6,8e,\
89,b2,99,4f,6c,4a,cb,fc,2b,16,54,bc,16,ca,5c,49,c1,65,eb,20,b7,09,c6,ba,7a,\
8a,95,7a,5f,75,75,07,63,5d,33,cd,a3,c2,4b,6b,ab,d9,c7,2c,95,69,b5,c0,43,ac,\
0b,f5,05,8a,45,21,a0,51,09,e7,cd,f7,f9,9d,9a,a4,e8,5c,71,4a,ab,82,44,07,47,\
b8,1b,98,23,5d,c7,2a,eb,0c
"cf13"=hex:b0,49,d0,a0,76,c4,96,70,4c,73,65,41,0d,38,2b,b2,94,d7,17,68,ab,a8,\
d6,2d,93,7a,a5,df,71,e6,3b,f2,54,81,59,3d,e3,68,0f,f1,ce,f2,e2,d2,9d,a7,eb,\
4e,13,2d,83,fd,73,1e,1b,ac,0a,a8,24,56,95,1a,8c,24,bf,15,df,ae,60,d9,87,31,\
52,6e,74,0a,1c,38,68,d6,ea,fa,7b,05,be,96,c1,3a,a1,32,a4,c6,13,f6,74,96,3f,\
89,58,2e,a0,5b,0f,fd,db,f5,f9,c1,87,a3,cb,35,6e,46,91,ea,11,07,54,b2,43,b6,\
23,4a,dc,6e,bb,72,d4,01,d9,bd,63,e8,8f,71,4e,72,62,52,1f,22,23,cd,e7,aa,7c,\
7a,bc,ca,c3,62,9f,35,bf,ce,40,f9,67,d1,32,8e,54,2a,fc,58,5d,92,b4,dc,e5,8a,\
8f,a5,a5,57,30,46,9a,e6,2d,12,08,b6,0a,9a,5b,25,de,76,e1,1a,81,12,c4,a6,33,\
d6,8a,76,5d,62,38,06,1a,5a,4c,cf,ff,c0,13,50,be,85,cb,62,8f,34,eb,a2,24,f1,\
69,8d,33,b8,5f,21,fe,42,12,a2,cf,f4,9b,e5,9b,a5,fb,5a,23,46,9a,e6,2d,12,08,\
b6,0a,fc,5b,25,f5,72,e7,0d
"cf14"=hex:aa,0f,da,a6,60,dc,c8,71,5b,73,4b,62,64,27,27,d8,fb,f8,03,7d,a7,ca,\
c3,3e,8c,33,be,c3,47,f9,6d,d1,30,82,42,42,84,47,07,f8,db,d8,e6,9d,83,ea,b5,\
5a,7f,55,95,e7,43,7d,40,b0,0c,aa,09,46,c0,67,f3,0b,e3,16,bb,c5,7b,c5,db,7a,\
03,62,77,1d,1a,3f,2a,d6,f0,cc,58,61,ab,83,9d,52,f4,1c,a1,d8,59,b9,6a,9e,2d,\
93,18,29,e3,6a,6b,95,ce,e6,f1,8a,b1,a2,b4,56,23,4b,97,fc,3a,59,40,b2,73,cd,\
26,4e,c9,72,d9,0f,ac,0a,8b,be,03,bd,80,70,4c,6a,49,06,00,27,33,cb,a3,d6,7b,\
05,bb,85,9b,3a,91,35,eb,ce,5c,e3,6f,8c,2a,dc,53,20,fc,0a,07,fd,d1,f2,e2,d4,\
8b,b8,b4,02,52,48,91,af,27,19,1d,ba,11,b5,6b,4e,cc,78,f3,0b,e5,02,d9,bd,33,\
df,83,73,4e,3c,73,00,1c,6a,25,d7,ff,d5,02,7c,f5,92,c9,2d,c3,21,b9,dd,5b,fa,\
3d,9a,31,95,0b,2b,e1,40,08,f3,d1,e6,f2,d4,8b,b8,b4,02,6d,57,97,e1,75,7a,2c,\
84,10,a2,22,5c,cd,76,f6,1a
"cf15"=hex:f0,04,d9,a2,53,ba,ec,6f,5f,60,73,30,1b,25,2f,82,f0,c2,02,7c,ad,96,\
d6,3a,d0,24,b9,c2,23,9d,76,9e,39,82,69,3f,fc,5a,5b,ec,db,e6,e4,8c,86,da,cc,\
59,71,55,9b,d0,27,19,56,aa,0a,fa,27,5a,cb,65,ff,72,d4,0e,d8,bf,7b,c3,b9,76,\
5a,3a,67,1a,0b,25,3f,8e,93,ad,03,7d,f3,9e,9b,2d,9b,23,bf,dd,15,fe,3b,a8,3b,\
85,64,2a,fd,42,0a,eb,cd,bc,9b,e5,b5,b2,be,5c,77,53,93,a1,2d,18,4b,82,73,cd,\
26,4e,c9,72,d9,0a,ac,0e,8b,aa,76,d4,8f,6b,5b,29,75,00,03,5a,4c,cf,ff,c0,13,\
50,be,85,cb,62,8d,22,b7,dd,4d,ff,0b,f5,38,88,44,22,d1,5e,08,ef,cb,f3,ab,9e,\
85,a0,cb,35,6b,55,cb,e6,73,14,4a,b6,1d,ac,3f,5b,95,1a,8c,24,ac,06,db,ad,62,\
d2,94,31,4c,72,4b,62,64,27,27,d8,fb,f8,03,7d,a7,ca,d4,3e,93,25,ba,ca,5c,b9,\
74,8a,53,ed,46,2e,e9,52,39,ef,cc,ea,ab,9e,9b,b2,b4,46,13,2d,90,e0,3c,1a,79,\
b6,10,b7,23,5b,93,66,f3,1a
"cf16"=hex:ac,1e,bb,c5,7b,c5,db,7a,51,75,2b,1d,0f,3a,24,d3,fb,d5,4d,02,c4,ac,\
df,3e,d0,35,a3,f2,23,9d,76,9e,39,82,69,3a,fc,5e,5b,e6,df,a9,e4,9a,e3,dd,b6,\
5e,79,42,a9,ff,3c,1a,1b,ac,1b,a6,24,4c,c6,1a,8c,19,b1,15,db,90,67,d9,96,6a,\
4a,3a,62,0a,16,23,4b,b5,eb,d5,4b,6a,a1,85,9b,26,9f,29,b2,ca,56,ac,0b,f5,05,\
9e,57,21,ea,52,1e,b1,cc,f2,cb,e2,e4,a7,a7,58,7b,78,83,fd,27,4a,5f,be,10,a3,\
33,57,80,65,f3,72,d4,17,d7,a8,6b,e8,96,6d,53,3a,65,0a,0f,25,25,d7,93,ad,10,\
60,bc,9a,f9,36,90,37,a3,db,13,e3,63,87,2a,ea,3c,3a,fc,0a,03,f0,cc,ba,ef,8e,\
80,b3,a3,47,25,2a,fc,d4,23,16,4f,b3,50,b5,23,72,a3,1d,f6,1e,b9,02,e9,ba,7c,\
de,db,72,5f,6e,7a,41,1c,22,4b,b5,ee,c6,11,6a,91,87,d4,32,c3,34,b3,ce,5c,f4,\
6e,f2,54,81,59,3d,e3,68,0f,f1,ce,f2,e2,d2,9f,da,cc,4a,6c,1a,93,e0,3c,4a,4b,\
be,17,ab,78,5d,db,2c,8b,75
"cf17"=hex:85,0a,c5,a1,20,d4,89,31,4b,6c,4b,62,64,27,27,d8,fb,f8,03,7d,a7,ca,\
cb,2c,90,69,b5,c0,00,e2,6d,f2,54,97,57,28,eb,68,16,ed,d3,ba,e4,8a,9d,a2,aa,\
4b,6d,2a,fc,e9,21,05,4b,80,17,a9,26,5a,da,2a,f7,72,d4,12,c4,f2,6b,d8,94,22,\
5d,66,75,07,0b,6c,23,d0,ec,9a,04,6a,bd,82,ca,2b,8d,69,b7,dc,5e,ef,3d,9a,31,\
95,0b,23,e7,41,03,b1,dd,e8,fb,c0,d5,da,cc,64,7f,53,82,a1,20,12,52,82,73,cd,\
26,4e,c9,72,d9,0a,ac,0e,8b,ae,7a,c3,c8,71,5b,73,1b,65,1e,36,21,da,c1,d7,04,\
62,f3,84,c3,3e,8c,24,be,a2,24,f1,69,8d,33,b8,5f,21,fe,42,12,a2,cd,f3,e4,86,\
80,b0,cb,35,6b,55,cb,ea,21,05,1b,be,0a,b3,78,41,cb,63,bd,1a,b1,15,8b,ac,6f,\
d4,8e,7a,5a,3c,1b,65,1b,25,7b,d6,a3,d5,13,6b,a7,85,c3,3c,8a,32,a4,c3,13,ac,\
0b,f5,05,94,53,2e,fc,54,0e,b1,dd,e8,fb,b2,e3,dd,b6,5e,79,42,a9,fa,3c,1e,1b,\
f1,0d,a2,37,5d,cd,7f,a8,1c
"cf18"=hex:b1,0a,bb,c5,7e,d6,81,7a,61,77,64,02,53,24,23,de,ec,c4,1e,02,c4,91,\
c9,2d,93,18,bf,c1,5e,e2,72,c2,2f,ea,3c,3a,fc,0a,0f,a2,91,e4,fa,86,8d,bc,cb,\
35,45,46,9a,e3,3a,1f,43,a8,1b,a5,78,4c,c1,7a,db,72,d4,17,d7,a8,6b,e8,93,6d,\
57,3a,77,03,02,23,2e,da,e9,c2,14,21,ad,98,cb,52,f4,37,b7,c8,4b,c8,76,8d,33,\
da,45,2a,ef,45,05,f7,b3,8d,f0,80,9c,ba,99,56,70,57,83,fb,73,06,2b,d5,0b,b5,\
6b,4a,93,76,ea,13,aa,0f,d3,b8,6b,d5,c8,7c,51,6a,2d,62,64,22,34,82,f7,9a,15,\
6e,ba,ca,d1,3a,9c,7c,db,a5,75,e3,6f,8c,3d,86,5a,26,a0,54,09,b1,cb,ec,cb,e2,\
e4,a7,a7,58,7b,78,83,fd,27,4a,52,b6,0d,a4,37,43,c7,39,e5,10,f0,12,dd,c2,04,\
c7,87,78,5b,58,66,1d,03,6a,34,da,ed,d2,1a,7b,bd,fa,ac,39,91,35,bb,f0,47,f9,\
76,8a,2a,da,47,3a,eb,45,1f,92,b4,f2,e4,d2,8b,ea,b2,56,6d,44,97,e3,27,59,45,\
b0,45,ca,5c,74,c8,7e,e8,1b
"cf19"=hex:bf,15,c2,a6,6d,db,83,6c,10,64,79,02,33,5a,4c,cf,ff,c0,13,50,bb,85,\
cf,62,98,2e,b8,cb,4f,e5,72,96,3d,8b,53,3c,a0,54,09,f2,b3,8d,e6,8e,89,b2,99,\
4f,6c,4a,cb,fc,2b,16,54,bc,16,ca,5c,49,c1,65,eb,20,b7,09,c6,ba,7a,8a,97,6b,\
33,0d,63,1d,53,3e,7b,90,ff,ce,29,61,f5,9e,9b,3e,8c,33,bf,cc,42,f2,75,c4,53,\
ed,6d,2a,e0,5e,14,f0,90,f4,f3,b2,e3,dd,b6,5e,79,42,a9,fa,3c,1e,1b,ba,10,ae,\
24,40,80,64,e3,72,d4,17,d7,a8,6b,e8,96,6d,53,3a,67,1a,0b,25,3f,b2,94,c1,19,\
7d,a3,a8,cf,31,8e,32,a2,92,5d,f2,67,8d,3d,8f,69,38,e1,45,02,92,b4,f2,e4,d2,\
8b,ea,a3,51,77,55,99,a1,3d,12,1d,d2,74,9c,3a,56,cd,78,f5,51,bd,08,98,ba,65,\
ea,eb,15,4e,66,71,0a,31,22,34,d6,a3,d4,13,6e,bc,94,ce,71,92,3e,b5,c0,5d,b9,\
65,90,70,92,5d,42,84,47,07,f8,db,d8,e6,9d,83,ea,b7,4a,7b,55,8f,82,44,11,49,\
ad,13,98,3f,41,de,62,f2,42
"cf20"=hex:af,12,d3,bd,77,ba,ec,6a,4c,3a,73,52,02,2e,25,d0,ed,9c,7b,05,95,93,\
c9,38,8e,2e,ba,ca,00,f4,69,92,03,ea,3c,3f,ef,50,03,c0,cb,f5,ff,d2,8a,b8,a1,\
4f,77,4b,93,a1,2d,18,4b,d2,74,b7,37,48,cb,48,f6,0d,b3,5a,c4,aa,7d,c2,8a,6b,\
4d,0a,1c,09,01,25,2b,e0,f7,c9,06,7a,ba,ca,cf,3c,9b,17,b7,c8,4b,9a,0c,8a,2c,\
da,5f,72,ed,5b,0f,fc,d5,f4,f3,9d,98,b2,b4,04,13,2d,ad,fc,26,16,51,f1,1d,a6,\
0b,22,a4,67,e7,18,bb,38,c3,bd,67,8a,95,77,5f,70,38,0c,0f,5a,4c,cf,ff,c0,13,\
50,be,85,cb,62,ac,22,a5,da,42,e3,75,f2,54,81,59,3d,e3,68,0f,f1,ce,f2,e2,d2,\
9f,da,cc,4a,6c,1a,9f,e0,3c,4a,54,bb,11,a9,3a,56,dc,72,f5,44,b7,08,c4,f2,4d,\
c2,95,6b,51,6a,73,1d,2d,36,34,da,a5,ce,19,7d,f3,a7,d4,30,9a,32,b5,db,5d,c4,\
63,8d,28,8e,55,2a,fd,0c,0f,f0,cc,aa,e0,80,8a,ec,af,50,6c,1a,b5,fa,3d,03,49,\
b2,1b,b5,5b,25,f5,75,ea,0a
"cf21"=hex:bb,10,df,a1,20,d4,8e,42,33,0d,66,0e,09,32,19,ca,ec,ce,4b,6d,a2,82,\
c3,28,97,29,f8,cc,46,9a,0c,8f,3f,80,53,10,fe,45,0b,a2,cd,e2,f7,9d,8d,bf,cb,\
35,78,48,84,e2,11,1e,48,af,0b,b3,6b,5e,db,72,f4,06,d3,6d,c3,bd,33,d2,db,7d,\
52,72,73,18,07,39,68,dc,f6,9c,7b,05,95,9b,df,3c,91,34,f8,cc,41,fa,5b,f2,54,\
97,57,28,eb,68,13,ed,d7,ba,e5,8a,8f,a5,a5,57,30,4b,8f,ec,21,04,2b,d5,0e,a6,\
31,4a,f1,67,f4,12,e3,16,c3,aa,7c,ce,eb,15,58,68,64,02,31,3e,28,cf,eb,d3,4b,\
7e,bb,92,d4,26,f3,4d,a3,dd,13,fe,3b,8b,33,94,4f,21,a0,40,05,b1,df,f4,fd,c1,\
8d,b8,ab,04,13,2d,98,e3,21,11,40,e2,4f,ca,5c,74,c7,60,e9,11,f0,04,d9,a2,2e,\
98,c6,7e,4d,6c,38,0c,01,3a,1b,b2,94,d7,17,68,ab,a8,d3,2d,97,7a,b7,dc,45,b9,\
65,90,33,ea,3c,3f,ef,50,03,c0,ce,f5,fb,d2,d1,a6,fb,32,14,41,99,fd,23,28,4f,\
b1,0e,b2,22,12,df,1a,8c,0a
"cf22"=hex:ac,5a,d3,f2,6f,c4,8d,31,5d,68,7b,54,63,5d,33,cd,a3,ce,4b,29,bf,ca,\
9d,36,c3,68,a4,90,5a,aa,3d,96,63,86,45,24,a0,54,09,f2,85,8a,9c,81,82,b8,a0,\
59,23,16,fb,85,15,1a,43,b6,10,a2,25,5b,cf,73,f2,51,ba,02,eb,c2,04,c7,87,78,\
5b,58,63,1d,07,6a,2b,da,f7,c9,13,7c,ba,96,c2,2b,d0,23,b3,a2,24,e7,67,98,3b,\
b8,46,3d,e3,0a,15,ea,dd,ef,f3,e2,e4,b1,a9,4d,73,78,9f,e1,3e,02,52,e2,09,a8,\
24,4b,dd,1a,8c,0a,ac,5a,d3,f2,63,d2,8f,71,5b,74,62,0e,0a,23,68,db,fb,9c,7b,\
05,95,96,c9,33,d0,24,b9,81,5b,fc,5b,f2,54,97,57,28,eb,68,13,ed,d7,ba,f7,80,\
82,f9,a5,50,30,52,9d,82,44,07,47,b8,1b,98,26,5d,c3,2a,f7,0a,bb,15,cf,c2,04,\
d1,89,6d,53,58,7f,01,1e,22,32,82,ef,d2,13,7d,b7,fa,ac,2a,8c,7a,bf,92,4d,fb,\
6f,9c,35,82,52,06,fa,52,0b,cd,df,e9,9b,e5,b5,ba,bf,4c,7b,46,84,ec,26,59,45,\
b0,13,9a,5b,25,de,76,e1,1a
"cf23"=hex:81,12,c4,a6,33,da,9f,6c,5b,66,64,0c,06,79,25,d0,f3,aa,7c,7f,af,90,\
c3,00,8e,35,bb,92,5d,f2,67,8d,3d,8f,50,20,fc,3a,6c,f9,d1,f5,fb,b0,87,b9,b6,\
4a,6a,1a,85,ea,2f,05,45,b7,18,a8,24,22,a4,62,f4,42,b7,5a,d7,ac,7a,de,89,71,\
03,77,7f,0c,05,5a,4c,e4,f3,c6,1b,62,af,d9,c5,30,93,1a,db,a5,5e,f6,61,9a,01,\
92,44,26,b3,5a,07,f2,d3,e6,b8,8c,81,ba,cb,35,6e,46,91,ea,11,07,54,b2,43,b6,\
23,4a,dc,6e,8b,75,b8,08,c4,a2,51,de,88,6f,4b,73,2b,1c,0b,36,34,dc,f6,c1,19,\
7d,c3,fd,d3,2d,c3,2e,eb,c6,4a,aa,4b,ad,53,ed,6d,24,ef,43,07,e8,db,e5,b8,86,\
9a,8a,cb,35,6e,46,91,ea,11,02,54,b6,43,ac,37,5b,cf,60,e3,1d,f0,0e,c2,c2,04,\
c7,87,78,5b,58,66,1d,03,6a,34,da,ed,d2,1a,7b,c3,fd,c0,30,8c,2a,89,c6,40,e7,\
73,8b,63,96,3b,45,fb,45,5b,fa,83,ec,f7,9b,8f,a0,a3,5d,30,4e,82,82,44,2c,4f,\
b1,18,a8,25,5f,cf,74,e3,51
"cf24"=hex:bd,08,db,92,03,bd,96,7e,59,62,49,1a,1c,3e,7b,d6,f0,c1,19,7c,be,96,\
c5,3a,d0,24,b9,c2,23,9d,76,9e,39,82,69,3f,fc,5a,5b,fa,cd,f2,fa,9b,9d,da,cc,\
59,71,55,9b,d0,27,19,56,aa,0a,fa,27,47,df,79,8b,75,ab,15,8b,a6,33,d4,8a,76,\
5d,6c,65,62,64,0c,2c,ca,fc,ce,1f,21,aa,9c,fb,52,f4,37,b7,c8,4b,c8,73,8d,37,\
da,5c,3a,ec,5e,0f,b1,da,ec,9b,e5,9e,b6,a1,5a,41,57,84,e2,73,06,53,ba,0c,be,\
5b,25,c8,78,f4,12,81,0e,d8,bf,7b,c3,db,6e,4b,62,64,16,63,5d,33,cd,a3,ce,4b,\
63,a7,99,cd,52,f4,1c,ba,c0,41,fc,75,92,3f,95,42,61,ed,58,0b,c2,b3,8d,e6,8e,\
89,b2,99,4a,6c,4e,cb,e3,21,18,4d,ac,13,a6,24,5b,80,74,e9,12,d3,6d,c6,ae,69,\
d2,b9,6f,4c,6a,2b,1d,0b,24,33,d3,ea,d4,7b,05,a8,98,d4,32,a1,2e,b8,df,5b,e3,\
3b,8e,2a,ea,3c,3a,fc,0a,0f,a2,cc,a9,fa,80,81,bc,b5,52,7f,55,82,82,44,2c,55,\
aa,1d,af,33,4e,c1,7b,a8,1e
"cf25"=hex:b1,0b,98,ab,6b,ea,eb,15,4e,66,71,0a,31,22,34,d6,a3,c6,19,63,bd,81,\
c5,71,9a,22,db,a5,5e,f6,61,9a,01,97,44,22,b3,44,03,fe,cc,e4,fe,e2,e4,b1,a9,\
4d,73,78,9f,e1,3e,02,52,e2,0f,ca,5c,5a,dc,2a,e3,42,bf,08,da,bc,78,d4,c8,7b,\
5b,0a,1c,34,02,38,25,de,f2,89,15,60,a3,aa,ab,55,8e,26,b1,ca,71,e2,74,96,63,\
8b,59,2c,ef,5b,48,fc,d1,ea,9b,e5,9e,b6,a1,5a,41,57,84,e2,73,1c,43,a6,09,a8,\
24,4b,a3,1d,e0,10,ac,0a,e9,a6,60,c7,93,6b,03,64,62,03,5e,67,4b,b5,eb,d5,4b,\
66,f3,94,ca,36,9d,2c,db,a5,75,e4,7f,92,2e,86,42,26,ed,58,48,f2,cd,e9,b8,8c,\
8f,8a,cb,35,6e,46,91,ea,11,02,54,b6,43,b4,2f,42,de,76,f2,16,bd,08,98,a2,7d,\
d9,c8,7c,5f,0a,1c,1f,0f,30,23,e0,ee,d5,1b,32,bf,fa,ac,39,91,35,bb,f0,47,f9,\
76,8a,2a,da,47,42,84,5e,08,ef,cb,f3,c9,86,8a,ea,b5,5d,41,41,99,fd,23,28,57,\
d2,74,b2,24,12,cb,2a,e3,1d
"cf26"=hex:bf,1e,8d,aa,33,c4,9f,72,4e,66,62,06,0d,38,68,dc,ff,aa,7c,54,ac,9b,\
cf,31,99,28,f8,cc,41,fa,5b,f2,54,97,57,28,eb,68,13,ed,d7,ba,f4,83,87,b9,a1,\
50,30,44,99,e2,43,7d,56,be,19,a2,09,5f,dc,7a,bb,0c,bb,06,c4,ac,66,ba,ec,79,\
51,75,7b,30,07,39,36,ca,ea,9a,07,02,c4,82,d4,62,9b,7a,b4,c3,47,f9,61,90,70,\
84,59,22,b5,3a,6c,c4,cd,e2,f7,9d,8d,bf,e8,5c,76,7a,fb,85,3e,16,41,ba,21,b2,\
24,46,93,64,e3,1e,ac,04,de,e1,6d,df,eb,15,4e,66,71,0a,31,27,34,d2,a3,d6,4b,\
02,c4,91,c9,2d,93,18,bf,c1,5e,e2,72,c2,2f,ea,3c,26,e0,47,13,eb,e1,ee,f2,d2,\
9f,da,cc,4a,6c,1a,93,b2,3d,12,47,ad,1d,af,78,4c,c6,1a,8c,24,ac,02,d5,a7,6b,\
c5,85,77,5b,29,77,00,02,79,20,cd,c3,aa,7c,7f,af,90,c3,00,8b,35,bf,92,5c,f2,\
65,97,3b,95,55,27,eb,19,07,f0,d2,a9,f0,9d,e3,dd,b6,5e,79,42,a9,ff,3c,1a,1b,\
ae,0b,a2,24,56,a3,1d,e0,10
"cf27"=hex:ac,0a,e9,a6,60,c7,93,6b,03,76,63,0a,1c,2e,4b,b5,f7,c9,06,7a,ba,a8,\
cf,3b,c3,36,a3,ca,5c,ee,37,f2,54,92,44,72,eb,0a,07,f0,d2,a9,f0,9d,e3,dd,b3,\
4d,23,4e,99,fd,73,04,56,b0,10,b4,39,5d,cb,73,bd,16,b1,15,8b,b8,6b,d5,95,7a,\
5f,75,75,07,55,3e,29,cd,a3,d4,1f,62,a7,9b,c7,2d,ae,26,b1,ca,5d,9a,0c,a4,3b,\
89,52,12,83,3d
"cf28"=hex:a7,6a,bc,ba,7c,8a,8f,22,11,66,64,1b,07,34,2a,da,b3,aa,7c,54,bd,9b,\
cf,71,8d,3e,bb,df,4f,e3,6f,9c,31,c9,55,2e,d3,3a,6c,ef,df,e0,f3,b0,9b,a5,af,\
02,6d,4b,9f,a1,3d,0e,4b,af,1f,b3,3f,4c,c1,39,e5,1e,d3,6d,c6,ae,69,d2,b9,6f,\
4c,6a,2b,1c,0b,36,34,dc,f6,aa,7c,69,a1,85,cb,00,97,29,a6,da,5a,aa,77,8a,3b,\
95,4f,42,84,42,14,a2,db,ba,f3,8d,8f,ae,fd,5a,23,54,8f,e2,3e,16,52,b6,1d,a8,\
78,4c,cf,1a,8c,24,bc,0b,df,a1,69,d8,c8,7c,51,6a,4b,62,64,27,27,d8,fb,f8,03,\
7d,a7,ca,c4,33,97,29,b1,c0,00,f4,69,92,53,ed,46,2e,e9,52,39,ef,cc,ea,ab,9c,\
8b,b6,b4,5c,76,2a,fc,e9,21,05,4b,80,17,a9,26,5a,da,2a,f7,72,d4,12,c4,f2,6b,\
8a,84,73,57,69,71,00,40,34,29,d2,a5,aa,7c,54,bd,92,c7,2d,9d,2f,f8,cc,46,ca,\
0b,f5,2e,86,51,2a,d1,42,14,f6,83,f4,f3,8e,9c,b4,ae,11,7d,4f,fb,85,3e,16,41,\
ba,21,b7,24,42,93,66,bb,72
"cst"=dword:00000000
"tc"=hex:ea,4f,6b,a1,20,73,e3,40
"im"=hex:ae,07,61,e0,f1,13,d9,04,df,36,a0,ab,3d
"dk"=dword:00000004
"tstarb"=dword:0002770a
"lb"=hex:b0,e4,e5,be,96,08,0b,9b
"rssr"=hex:a9,b0,c9,db,dd,6c,e3,40
"cf29"=hex:d4,01,d9,bd,63,e8,8f,71,4e,72,62,52,1f,5a,4c,ca,ec,9a,13,32,bd,92,\
c7,2d,9d,2f,f8,cc,46,9a,0c,a4,2c,82,55,27,eb,45,05,f7,db,a9,f7,80,82,f9,a0,\
4d,43,2a,fc,ff,2f,10,43,80,0b,b5,3f,12,dc,72,e5,17,bb,15,d5,a7,6b,99,87,70,\
52,29,70,1d,63,5d,36,de,f9,c2,29,7f,bc,9a,9b,2e,8b,22,a4,d6,23,9d,60,90,2c,\
8a,69,26,e0,47,13,eb,83,f6,e3,8a,9c,ae,cb,35,6b,55,cb,e6,21,05,1b,ac,0e,a8,\
38,5c,c1,65,e3,1b,e5,0e,d9,bd,33,c0,83,7d,4d,62,77,1d,0d,3f,7d,b2,94,fc,13,\
61,aa,aa,ab,55
"tbi1"=hex:ea,5a,2c,8b,72,6f,e3,40
"ctpp1"=hex:46,fa,78,a1,20,73,e3,40
"tbic1"=hex:9a,99,99,99,99,99,b9,3f
"ctpp2"=hex:0e,69,19,8f,6f,6f,e3,40
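The look.txt requested above is a plain `regedit /e` export. The Python below is an added example (not code posted in this thread) that parses that format, gluing the backslash-wrapped hex lines back into one value each, and reports every value's type and decoded size so long opaque blobs in a key stand out without reading the bytes by hand. The sample export, its key path and every byte in it are constructed here, not taken from the posted output.

```python
"""Parse the text produced by ``regedit /e`` (a "Windows Registry Editor
Version 5.00" file) and summarise every value by type and decoded size, so
opaque hex blobs in a key can be triaged without reading the bytes by hand."""
import re
from typing import Dict, List

# Constructed sample (invented bytes, not copied from any real machine) in the
# exact shape regedit writes: a long hex value ends its line with '\' and the
# byte list continues, indented by two spaces, on the next line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Browser Settings]
"count"=dword:0000002a
"stamp"=hex:01,02,03,04,05,06,07,08
"blob"=hex:10,11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20,21,22,23,24,25,26,\
  27,28,29,2a,2b,2c,2d,2e,2f,30,31,32,33,34,35,36,37,38,39,3a,3b,3c,3d,3e,3f
"label"="C:\\Program Files\\Example"
"paths"=hex(7):61,00,00,00,62,00,00,00,00,00
'''

# Type codes that appear as hex(N): in an export; a bare hex: is REG_BINARY (3).
_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
               7: "REG_MULTI_SZ", 11: "REG_QWORD"}
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """Glue wrapped hex values back into one logical line per value."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:  # export ended in the middle of a wrapped value; keep what we have
        logical.append(buf)
    return logical


def _decode(data: str) -> Dict[str, object]:
    """Turn the right-hand side of a value line into type, size and payload."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        s = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        return {"type": "REG_SZ", "size": len(s), "payload": s}
    if data.startswith("dword:"):
        return {"type": "REG_DWORD", "size": 4, "payload": int(data[6:], 16)}
    m = re.match(r"^hex(?:\((?P<code>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$", data)
    if not m:
        return {"type": "UNKNOWN", "size": 0, "payload": data}
    code = int(m.group("code"), 16) if m.group("code") else 3
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    return {"type": _TYPE_NAMES.get(code, f"type_{code}"), "size": len(raw), "payload": raw}


def parse_reg_export(text: str) -> List[Dict[str, object]]:
    """Return one record per value: key, name, type, size and decoded payload."""
    records, key = [], None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            records.append({"key": key, "name": name, **_decode(m.group("data"))})
    return records


def large_binaries(records: List[Dict[str, object]], min_size: int = 32) -> List[str]:
    """Names of REG_BINARY values at least min_size bytes long: the opaque
    blobs worth questioning when a key looks nothing like a normal setting."""
    return [r["name"] for r in records if r["type"] == "REG_BINARY" and r["size"] >= min_size]


if __name__ == "__main__":
    for r in parse_reg_export(SAMPLE_REG):
        print(f'{r["name"]:<8} {r["type"]:<14} {r["size"]:>4} bytes')
    print("large binaries:", large_binaries(parse_reg_export(SAMPLE_REG)))
```

Feed it the real look.txt (opened with the encoding regedit used, UTF-16 on XP) and the size column alone shows which value names carry kilobytes of binary data in a key that should hold none.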

#15
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Could you run Malwarebytes one more time? I have a feeling it can't deal with the registry portions, possibly due to permission issues. We may have to restore them. The popups should have gone. It should clear the Vundo file easily now, as it's harmless.