DaveC 376
  1. Evening and thanks again, here are the Combofix and HJT logs.

ComboFix 09-03-22.01 - D&A 2009-03-22 21:25:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2859 [GMT 0:00]
Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\D&A\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
 * Created a new restore point

FILE ::
c:\windows\system32\drivers\lffycjtc.sys
c:\windows\system32\yriqdux.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\D&A\Cookies\OFLMC.PEG
c:\documents and settings\D&A\Cookies\OUOIA.IPV
c:\windows\system32\drivers\lffycjtc.sys
c:\windows\system32\yriqdux.dll

.
---- Previous Run -------
.
C:\-1058818287
c:\windows\system32\drivers\c8485a2.sys
c:\windows\Tasks\At1.job
c:\windows\system32\yriqdux.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c8485a2
-------\Legacy_lffycjtc
-------\Service_lffycjtc


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-19 06:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-19 06:30 . 2009-03-19 06:30 <DIR> d-------- c:\program files\Alwil Software
2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu
2009-03-15 13:52 . 2009-03-22 21:34 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb
2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools
2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip
2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe
2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java
2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi
2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes
2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi
2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi
2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner
2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub
2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator
2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 21:10 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent
2009-03-22 14:42 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData
2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe
2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft
2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition
2009-02-02 16:13 --------- d-----w c:\program files\Bonjour
2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2009-01-23 12:55 --------- d-----w c:\program files\Valve
2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys
2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT
2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat

.
((((((((((((((((((((((((((((( SnapShot@2009-03-18_22.48.37.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-03-22 21:29:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2009-03-22 21:29:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a8.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]
--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-19 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-19 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn

.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 21:34:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-22 21:37:12 - machine was rebooted [D&A]
ComboFix-quarantined-files.txt 2009-03-22 21:37:10
ComboFix2.txt 2009-03-18 22:49:16
ComboFix3.txt 2009-03-14 23:24:38

Pre-Run: 48,711,852,032 bytes free
Post-Run: 48,712,216,576 bytes free

249 --- E O F --- 2009-02-25 07:31:55

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:09, on 22/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7137 bytes
  2. Just re run DDS and here are the logs DDS.TXT DDS (Ver_09-03-16.01) - NTFSx86 Run by D&A at 22:46:05.31 on 2009-03-20 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2810 [GMT 0:00] AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning enabled* (Updated) FW: Online Armor Firewall *enabled* ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe -k HPService C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Tall Emu\Online Armor\oacat.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\Program Files\Windows Media Player\WMPNetwk.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\Tall Emu\Online Armor\oahlp.exe 
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Documents and Settings\D&A\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe" mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [avast!] 
c:\progra~1\alwils~1\avast4\ashDisp.exe dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227040515671 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230643681234 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: hmbdkint - yriqdux.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\d&a\applic~1\mozilla\firefox\profiles\phaju8ts.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ 
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-8-4 23424]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-19 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-19 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-15 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-15 3321032]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-19 352920]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-1 372480]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-19 19:05 389,120 a------- c:\windows\system32\CF6364.exe
2009-03-19 19:05 <DIR> --d----- C:\ComboFix
2009-03-19 18:55 <DIR> a-dshr-- C:\autorun.inf
2009-03-19 06:31 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-15 14:14 <DIR> --d----- c:\program files\Trend Micro
2009-03-15 13:52 <DIR> --d----- c:\docume~1\d&a\applic~1\OnlineArmor
2009-03-15 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-03-15 13:52 178,376 a------- c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 30,920 a------- c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 28,872 a------- c:\windows\system32\drivers\OAnet.sys
2009-03-15 13:52 <DIR> --d----- c:\program files\Tall Emu
2009-03-15 03:00 <DIR> --d----- c:\documents and settings\d&a\DoctorWeb
2009-03-15 01:52 51,060 a------- C:\MGlogs.zip
2009-03-15 01:52 <DIR> --d----- C:\MGtools
2009-03-15 01:45 1,339,834 a------- C:\MGtools.exe
2009-03-15 01:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-15 01:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-14 23:32 <DIR> --d----- c:\docume~1\d&a\applic~1\aAvgApi
2009-03-14 23:18 <DIR> a-dshr-- C:\cmdcons
2009-03-14 23:16 161,792 a------- c:\windows\SWREG.exe
2009-03-14 23:16 98,816 a------- c:\windows\sed.exe
2009-03-14 08:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-14 07:55 <DIR> --d----- c:\program files\mp3DirectCut
2009-03-13 11:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-12 09:52 <DIR> --d----- c:\docume~1\d&a\applic~1\Malwarebytes
2009-03-11 11:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-11 10:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 10:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 10:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 07:53 <DIR> --d----- c:\docume~1\d&a\applic~1\dcumwcsi
2009-03-09 15:23 22,540 a------- c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 <DIR> --d----- c:\program files\CCleaner
2009-03-09 12:49 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-27 07:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-27 07:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 <DIR> --d----- c:\docume~1\d&a\applic~1\SUPERAntiSpyware.com
2009-02-25 07:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-21 19:48 <DIR> --d----- c:\windows\Downloaded Installations
2009-02-21 19:40 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-02-21 19:40 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-02-21 19:40 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-21 19:40 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-01-17 17:40 47,360 a------- c:\docume~1\d&a\applic~1\pcouffin.sys
2009-01-06 21:35 26,072 a------- c:\docume~1\d&a\applic~1\GDIPFONTCACHEV1.DAT
2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2006-06-23 14:48 32,768 a------- c:\windows\inf\UpdateUSB.exe
2008-11-20 17:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 22:47:54.87
=============== ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-11-17 11:31:50
System Uptime: 2009-03-20 22:11:17 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM
Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 46.909 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C4380
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP1: 2009-03-14 22:43:41 - System Checkpoint
RP2: 2009-03-14 22:45:42 - Removed AVG 8.0
RP3: 2009-03-14 22:50:17 - Removed AVG 8.0
RP4: 2009-03-14 23:16:59 - ComboFix created restore point
RP5: 2009-03-14 23:28:41 - Installed AVG Free 8.0
RP6: 2009-03-15 01:18:33 - Installed Java 6 Update 12
RP7: 2009-03-15 11:13:06 - Avg8 Update
RP8: 2009-03-16 18:04:37 - System Checkpoint
RP9: 2009-03-17 20:36:08 - System Checkpoint
RP10: 2009-03-18 21:24:09 - System Checkpoint
RP11: 2009-03-18 22:40:13 - Removed AVG Free 8.5
RP12: 2009-03-18 22:40:53 - Installed AVG Free 8.5
RP13: 2009-03-18 22:45:56 - ComboFix created restore point
RP14: 2009-03-19 19:05:42 - ComboFix created restore point

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Apple Mobile Device Support
Apple Software Update
AutoUpdate
avast! Antivirus
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
CCleaner (remove only)
ConvertXtoDVD 2.2.3.258h
Counter-Strike: Source
CyberScrub
  3. Wow! GMER ran way quicker than expected! Here is the log... Thanks again

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-20 07:02:43
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xA818EE20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xA818EE50]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

---- EOF - GMER 1.0.15 ----
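As an added example, not part of Dave's post and not GMER's code: a short triage of the GMER output above. Every SSDT hook and device attachment GMER lists is tied to a module, and when that module carries a version resource GMER prints its (Description/Vendor) string. In this log every hook belongs to Online Armor (Tall Emu Pty Ltd) or avast! (ALWIL Software), plus Microsoft's own filter manager, which matches the products the DDS logs show installed. The two Online Armor hooks sit on ZwEnumerateKey and ZwEnumerateValueKey, the same calls a registry-hiding rootkit hooks, which is why attributing each hook to a known vendor is the check that matters. The script parses those lines and reports anything it cannot attribute to a trusted vendor. The sample is the posted log plus one constructed SSDT line for a driver with no version information (constructed_example.sys does not exist on Dave's machine), so there is something for it to flag.

```python
"""Triage the System (SSDT) and Devices sections of a GMER log.

Added example for this thread, not GMER's own code. GMER names the module
behind every hook and, when the file has a version resource, prints its
"(Description/Vendor)". Two questions decide whether a hook is worth chasing:
does the vendor match a product known to be on the machine, and is the hooked
call one that rootkits hook to hide registry keys, files or processes?
"""
import re

SSDT_LINE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
                       r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
DEVICE_LINE = re.compile(r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\S+)\s+"
                         r"(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")

# Vendors of the kernel components the thread shows installed: Online Armor, avast!, Windows.
TRUSTED_VENDORS = {"Tall Emu Pty Ltd", "ALWIL Software", "Microsoft Corporation"}
# Calls that, when hooked, can filter what registry, directory and process listings return.
HIDING_CALLS = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryDirectoryFile",
                "ZwQuerySystemInformation"}


def vendor_of(desc):
    """GMER prints '(Description/Vendor)'; the vendor is the part after the last '/'."""
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def parse_gmer(text):
    """Return (ssdt_hooks, devices) parsed from the System and Devices sections."""
    hooks, devices = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_LINE.match(line)
        if m:
            hooks.append({"module": m["module"], "vendor": vendor_of(m["desc"]),
                          "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = DEVICE_LINE.match(line)
        if m:
            devices.append({"kind": m["kind"], "driver": m["driver"], "device": m["device"],
                            "module": m["module"], "vendor": vendor_of(m["desc"])})
    return hooks, devices


def classify(hooks, devices, trusted=TRUSTED_VENDORS):
    """Entries whose vendor is not trusted, as (severity, kind, module, target, vendor)."""
    findings = []
    for h in hooks:
        if h["vendor"] not in trusted:
            sev = "high" if h["func"] in HIDING_CALLS else "medium"
            findings.append((sev, "SSDT", h["module"], h["func"], h["vendor"] or "no version info"))
    for d in devices:
        if d["vendor"] not in trusted:
            findings.append(("medium", d["kind"], d["module"], d["device"], d["vendor"] or "no version info"))
    return sorted(findings)


# The GMER output posted above, plus one CONSTRUCTED line (constructed_example.sys does
# not exist on Dave's machine) for a driver without version info hooking a hiding call.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xA818EE20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xA818EE50]
SSDT \??\C:\WINDOWS\system32\drivers\constructed_example.sys ZwQueryDirectoryFile [0xA8200000]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
"""

if __name__ == "__main__":
    hooks, devices = parse_gmer(GMER_SAMPLE)
    print(f"{len(hooks)} SSDT hooks, {len(devices)} device attachments")
    for sev, kind, module, target, vendor in classify(hooks, devices):
        print(f"{sev:6} {kind:15} {module} -> {target} ({vendor})")
```

The trusted set is an argument on purpose: on a machine where no security product is installed, pass an empty set and every kernel hook becomes a finding to explain. Vendor strings come from the module's own version resource, so a malicious driver can claim any vendor it likes; this check is for attributing the routine hooks quickly, not for proving a module clean.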
  4. Morning

Had a chance to try some of this before work, so here are the 2 DDS logs; the second said to zip up instead of posting, so I have posted it AND attached it as a rar (couldn't find zip....). If GMER takes more than 2 mins I will have to wait till later/tomorrow due to work, but I really appreciate the work and help.

Thanks again
Dave

DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86
Run by D&A at 6:55:35.07 on 2009-03-20
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2887 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\D&A\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-11-17 11:31:50
System Uptime: 2009-03-20 06:31:15 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM
Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 46.912 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C4380
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
  5. Thanks again for the help. Just to avoid confusion: I was finding that ComboFix kept detecting AVG running even though I thought I had it off, so the only way I had round that was to uninstall it. However, Avast is now on as per your recommendation.

The requested scan reports are listed below, but the quick summary is that VirusTotal found nothing in either file and ComboFix was denied access to yriqdux.dll.

Thanks again, and I will be keeping an eye out for your reply.

Cheers
Dave

COMBOFIX RESULT

ComboFix did not leave a result at C:\combofix.txt; all I could find was at C:\combofix\combofix.txt, posted below (properties showed it was created today at 1907 hours, 12 mins ago by my clock).

ComboFix 09-03-18.01 - D&A 2009-03-19 19:06:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2876 [GMT 0:00]
Running from: C:\Documents and Settings\D&A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\D&A\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
 * Created a new restore point

FILE ::
C:\-1058818287
c:\windows\system32\drivers\c8485a2.sys
c:\windows\system32\yriqdux.dll
c:\windows\Tasks\At1.job
.
HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20, on 2009-03-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7348 bytes

VIRUSTOTAL RESULT FOR inetcomm.dll

File inetcomm.dll_ received on 03.19.2009 19:44:18 (CET)
Result: 0/39 (0%)
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.0.0.101 2009.03.19 - AhnLab-V3 5.0.0.2 2009.03.19 - AntiVir 7.9.0.120 2009.03.19 - Authentium 5.1.2.4 2009.03.19 - Avast 4.8.1335.0 2009.03.19 - AVG 8.5.0.283 2009.03.19 - BitDefender 7.2 2009.03.19 - CAT-QuickHeal 10.00 2009.03.19 - ClamAV 0.94.1 2009.03.19 - Comodo 1066 2009.03.18 - DrWeb 4.44.0.09170 2009.03.19 - eSafe 7.0.17.0 2009.03.19 - eTrust-Vet 31.6.6388 2009.03.09 - F-Prot 4.4.4.56 2009.03.19 - F-Secure 8.0.14470.0 2009.03.19 - Fortinet 3.117.0.0 2009.03.19 - GData 19 2009.03.19 - Ikarus T3.1.1.48.0 2009.03.19 - K7AntiVirus 7.10.676 2009.03.19 - Kaspersky 7.0.0.125 2009.03.19 - McAfee 5558 2009.03.19 - McAfee+Artemis 5558 2009.03.19 - McAfee-GW-Edition 6.7.6 2009.03.19 - Microsoft 1.4502 2009.03.19 - NOD32 3948 2009.03.19 - Norman 6.00.06 2009.03.19 - nProtect 2009.1.8.0 2009.03.19 - Panda 10.0.0.10 2009.03.19 - PCTools 4.4.2.0 2009.03.19 - Prevx1 V2 2009.03.19 - Rising 21.21.32.00 2009.03.19 - Sophos 4.39.0 2009.03.19 - Sunbelt 3.2.1858.2 2009.03.19 - Symantec 1.4.4.12 2009.03.19 - TheHacker 6.3.3.0.285 2009.03.19 - TrendMicro 8.700.0.1004 2009.03.19 - VBA32 3.12.10.1 2009.03.18 - ViRobot 2009.3.19.1656 2009.03.19 - VirusBuster 4.6.5.0 2009.03.19 - Additional information File size: 691712 bytes MD5...: 1853ef92e14e84ea982abe9156ce14ef SHA1..: 
9d63827db26c82fc8d52f6a48b255adc2b25dd95 SHA256: d3cfe197a7748cea5fa8f62daa038c7abe6a2cabd891c8d439431cb79fddf941 SHA512: 0566d7f5b9a3b5e4ad5cfc349511c1d6f9e59217f5ff52f6b525a2dc20d66383 02d2fca6404ced8927a7eb9e1a398a30a49f5a43d224f0a7fc2cbe946e971855 ssdeep: 12288:cYdboQWdzQiFlkSyEivQX7mQDMbvfCi8pagSx9H++cu:XIdzQGlkSyEEmm QojfCi8pagmHF PEiD..: - TrID..: File type identification DirectShow filter (43.0%) Windows OCX File (26.3%) Win64 Executable Generic (18.2%) Win32 Executable MS Visual C++ (generic) (8.0%) Win32 Executable Generic (1.8%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x23c56 timedatestamp.....: 0x47ffb63a (Fri Apr 11 19:04:26 2008) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x99510 0x99600 6.61 d75dfdbe8f881c3366129cb2e74be468 .data 0x9b000 0x5e58 0x3000 3.72 0c7884d3962d831eb661eec99b9d029f .rsrc 0xa1000 0x3900 0x3a00 5.62 45344bbc4597ad4bd17a4eb6253f65ab .reloc 0xa5000 0x8894 0x8a00 6.26 6ee9bc95f470d43fc62e03f266eccd0f ( 9 imports ) > MSOERT2.dll: SetWindowLongPtrAthW, FBuildTempPathW, WriteStreamToFileW, IUnknownList_CreateInstance, IVoidPtrList_CreateInstance, IsPlatformWinNT, CreateLogFile, StrTokEx, StrToUintA, PszScanToWhiteA, HrCreatePhonebookEntry, HrEditPhonebookEntry, HrFillRasCombo, FIsSpaceA, UpdateRebarBandColors, LoadMappedToolbarBitmap, HrCreateTridentMenu, HrCheckTridentMenu, CreateInfoWindow, HrIStreamWToBSTR, FreeTempFileList, FIsHTMLFileW, HrIsStreamUnicode, GetHtmlCharset, HrBSTRToLPSZ, HrGetElementImpl, HrSetDirtyFlagImpl, GetExePath, AppendTempFileList, fGetBrowserUrlEncoding, WriteStreamToFile, HrGetBodyElement, HrGetStyleSheet, CreateDataObject, CenterDialog, ReplaceCharsW, IsValidFileIfFileUrlW, MessageBoxInstW, HrIStreamToBSTR, FInitializeRichEdit, GetRichEdClassStringW, SetFontOnRichEd, RicheditStreamIn, HrLPSZToBSTR, HrStreamToByte, HrLPSZCPToBSTR, RicheditStreamOut, PszFromANSIStreamA, StrToUintW, ChConvertFromHex, PVGetMsgParam, 
HrGetMsgParam, HrGetCertificateParam, UnlocStrEqNW, UlStripWhitespace, FIsEmptyA, PszSkipWhiteW, HrCopyStreamToByte, PszToUnicode, PszToANSI, CchFileTimeToDateTimeW, CchFileTimeToDateTimeSz, CreateEnumFormatEtc, StripCRLF, HrCopyLockBytesToStream, HrGetStreamPos, OpenFileStreamW, BrowseForFolderW, OpenFileStream, PszSkipWhiteA, HrRewindStream, PszDupW, PszAllocW, FIsEmptyW, PszAllocA, HrCopyStreamCBEndOnCRLF, CreateTempFileStream, HrStreamSeekSet, HrSafeGetStreamSize, IsDigit, HrCopyStream, HrCopyStreamCB, CleanupFileNameInPlaceA, PszDupA, CleanupFileNameInPlaceW, HrDecodeObject, PVDecodeObject, IsUpper, HrStreamSeekCur, HrIndexOfMonth, HrIndexOfWeek, HrFindInetTimeZone, PszDayFromIndex, PszMonthFromIndex, PszScanToCharA, CryptFreeFunc, CryptAllocFunc, SzGetCertificateEmailAddress, PVGetCertificateParam, FMissingCert, HrGetStreamSize, DeleteTempFileOnShutdownEx, CreateTempFile, WriteStreamToFileHandle, ReplaceChars, OpenFileStreamShareW, MessageBoxInst > KERNEL32.dll: GetWindowsDirectoryA, QueryPerformanceCounter, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, ReleaseSemaphore, CreateSemaphoreA, GetEnvironmentVariableA, VirtualProtect, SetStdHandle, LCMapStringW, LCMapStringA, VirtualQuery, InterlockedExchange, RtlUnwind, GetStringTypeW, GetStringTypeA, SetFilePointer, GetCPInfo, GetOEMCP, UnhandledExceptionFilter, HeapReAlloc, WriteFile, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, TlsAlloc, TlsGetValue, TlsFree, ExitProcess, HeapAlloc, HeapFree, GetCommandLineA, TlsSetValue, DeleteFileW, GetFileSize, FormatMessageA, InterlockedDecrement, InterlockedIncrement, InterlockedCompareExchange, lstrcpynA, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, FreeLibrary, EnterCriticalSection, DisableThreadLibraryCalls, MultiByteToWideChar, GetModuleFileNameA, lstrcmpiA, lstrlenA, 
IsDBCSLeadByteEx, lstrlenW, lstrcmpA, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetSystemTime, GetLastError, GetTimeZoneInformation, GetLocalTime, FileTimeToSystemTime, FileTimeToLocalFileTime, SetLastError, VirtualFree, VirtualAlloc, WideCharToMultiByte, CloseHandle, GetModuleHandleA, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GetACP, GetTickCount, LocalFree, LocalAlloc, lstrcmpiW, lstrcmpW, IsDBCSLeadByte, GetCurrentThreadId, IsValidCodePage, GetProcAddress, LoadLibraryA, GetSystemInfo, LoadLibraryExA, ExpandEnvironmentStringsA, GetSystemDefaultLCID, RtlMoveMemory, MulDiv, SizeofResource, LockResource, LoadResource, FindResourceA, GetVersionExA, DeleteFileA, CopyFileA, FlushFileBuffers, FreeResource, GlobalAlloc, GetLocaleInfoA, CreateDirectoryA, GetUserDefaultLangID, GetSystemDefaultLangID, SetErrorMode, Sleep, CompareFileTime, SetEvent, ResetEvent, WaitForSingleObject, CreateThread, CreateEventA, TerminateThread > ole32.dll: CoUninitialize, ReleaseStgMedium, CoTaskMemFree, IIDFromString, OleDestroyMenuDescriptor, OleRun, CoCreateInstance, CreateBindCtx, CreateStreamOnHGlobal, GetHGlobalFromStream, StringFromGUID2, PropVariantClear, CoCreateGuid, CoTaskMemRealloc, CLSIDFromString, CoGetMalloc, CoInitializeEx > USER32.dll: WinHelpA, GetAsyncKeyState, InsertMenuItemA, GetMenuItemCount, GetMenuItemInfoA, DrawIconEx, DestroyIcon, LoadIconA, CopyIcon, SystemParametersInfoA, PeekMessageA, GetWindowThreadProcessId, DialogBoxParamA, SetForegroundWindow, CreateWindowExA, CharNextExA, CreateDialogParamA, RegisterWindowMessageA, SetDlgItemTextA, IsCharAlphaNumericA, IsCharAlphaA, CharNextA, GetClassInfoA, RegisterClassA, RemovePropA, MoveWindow, SetPropA, MapWindowPoints, GetMenuStringA, SetWindowTextA, CheckMenuRadioItem, GetWindow, TranslateMessage, DispatchMessageA, GetDlgCtrlID, GetPropA, CallWindowProcA, CreatePopupMenu, MessageBeep, InflateRect, IsChild, AppendMenuA, CheckMenuItem, PostMessageA, GetCapture, SetCursor, GetWindowTextLengthA, GetWindowTextA, 
KillTimer, SetTimer, LoadAcceleratorsA, BeginPaint, GetSystemMetrics, GetSysColor, DrawEdge, EndPaint, LoadStringW, DrawTextExW, GetSysColorBrush, FillRect, ClientToScreen, InvalidateRect, GetFocus, CopyRect, IsWindowVisible, ShowWindow, GetDlgItem, EnableWindow, IsDlgButtonChecked, EndDialog, CheckRadioButton, EnumChildWindows, GetKeyboardLayoutList, LoadMenuA, GetSubMenu, GetClassInfoExA, LoadCursorA, RegisterClassExA, CreateWindowExW, SetWindowLongA, GetWindowLongA, DefWindowProcA, GetDC, ReleaseDC, GetClientRect, SetFocus, SetWindowPos, RemoveMenu, EnableMenuItem, GetWindowRect, GetParent, TrackPopupMenu, DestroyMenu, GetKeyState, SendMessageW, SendMessageA, DestroyWindow, IsWindow, LoadStringA, SendDlgItemMessageA, CharUpperA, CharLowerA, RegisterClipboardFormatA, CharPrevExA > ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, CryptReleaseContext, CryptGetProvParam, CryptAcquireContextA, CryptSetProvParam, RegEnumKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegSetValueExA, RegCreateKeyExA, CryptGenRandom, RegCloseKey > GDI32.dll: SelectObject, GetObjectA, GetTextMetricsA, DeleteObject, DeleteDC, ExtTextOutA, RestoreDC, BitBlt, SetTextColor, SetBkColor, SetBkMode, CreateCompatibleBitmap, SaveDC, CreateCompatibleDC, GetStockObject, PatBlt, GetTextExtentPoint32A, CreateDIBitmap, GetDeviceCaps, Ellipse, Rectangle, CreateSolidBrush, EnumFontFamiliesExA, CreateFontIndirectA, TranslateCharsetInfo > SHELL32.dll: ShellExecuteA > SHLWAPI.dll: -, -, -, -, AssocQueryKeyW, PathQuoteSpacesW, PathFileExistsW, PathIsDirectoryW, PathRemoveFileSpecW, PathIsContentTypeW, PathRemoveFileSpecA, PathAddBackslashA, StrChrIA, SHQueryValueExA, UrlCombineW, PathFileExistsA, StrPBrkW, PathFindFileNameA, StrCpyW, StrCatW, StrChrA, StrChrW, StrToIntW, StrCmpNW, SHRegGetBoolUSValueA, -, StrStrIA, StrDupA, StrDupW, StrFormatByteSizeW, StrCatBuffW, PathStripPathW, PathCompactPathExW, StrCmpNA, StrCpyNW, StrCmpNIW, -, UrlIsW, UrlUnescapeA, StrCmpW, StrCmpIW, StrStrW, StrStrIW, StrStrA, 
PathFindFileNameW, PathFindExtensionW, wnsprintfW, PathFindExtensionA, StrCmpNIA, wnsprintfA, StrToIntA, StrCatBuffA, UrlGetPartW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, PathCreateFromUrlA, -, PathAppendW, SHAutoComplete, - > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, - ( 107 exports ) CreateIMAPTransport, CreateIMAPTransport2, CreateNNTPTransport, CreatePOP3Transport, CreateRASTransport, CreateRangeList, CreateSMTPTransport, DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, EssContentHintDecodeEx, EssContentHintEncodeEx, EssKeyExchPreferenceDecodeEx, EssKeyExchPreferenceEncodeEx, EssMLHistoryDecodeEx, EssMLHistoryEncodeEx, EssReceiptDecodeEx, EssReceiptEncodeEx, EssReceiptRequestDecodeEx, EssReceiptRequestEncodeEx, EssSecurityLabelDecodeEx, EssSecurityLabelEncodeEx, EssSignCertificateDecodeEx, EssSignCertificateEncodeEx, GetDllMajorVersion, HrAthGetFileName, HrAthGetFileNameW, HrAttachDataFromBodyPart, HrAttachDataFromFile, HrDoAttachmentVerb, HrFreeAttachData, HrGetAttachIcon, HrGetAttachIconByFile, HrGetDisplayNameWithSizeForFile, HrGetLastOpenFileDirectory, HrGetLastOpenFileDirectoryW, HrSaveAttachToFile, HrSaveAttachmentAs, MimeEditCreateMimeDocument, MimeEditDocumentFromStream, MimeEditGetBackgroundImageUrl, MimeEditIsSafeToRun, MimeEditViewSource, MimeGetAddressFormatW, MimeOleAlgNameFromSMimeCap, MimeOleAlgStrengthFromSMimeCap, MimeOleClearDirtyTree, MimeOleConvertEnrichedToHTML, MimeOleCreateBody, MimeOleCreateByteStream, MimeOleCreateHashTable, MimeOleCreateHeaderTable, MimeOleCreateMessage, MimeOleCreateMessageParts, MimeOleCreatePropertySet, MimeOleCreateSecurity, MimeOleCreateVirtualStream, MimeOleDecodeHeader, MimeOleEncodeHeader, MimeOleFileTimeToInetDate, MimeOleFindCharset, MimeOleGenerateCID, MimeOleGenerateFileName, MimeOleGenerateMID, MimeOleGetAllocator, MimeOleGetBodyPropA, MimeOleGetBodyPropW, MimeOleGetCertsFromThumbprints, MimeOleGetCharsetInfo, 
MimeOleGetCodePageCharset, MimeOleGetCodePageInfo, MimeOleGetContentTypeExt, MimeOleGetDefaultCharset, MimeOleGetExtContentType, MimeOleGetFileExtension, MimeOleGetFileInfo, MimeOleGetFileInfoW, MimeOleGetInternat, MimeOleGetPropA, MimeOleGetPropW, MimeOleGetPropertySchema, MimeOleGetRelatedSection, MimeOleInetDateToFileTime, MimeOleObjectFromMoniker, MimeOleOpenFileStream, MimeOleParseMhtmlUrl, MimeOleParseRfc822Address, MimeOleParseRfc822AddressW, MimeOleSMimeCapAddCert, MimeOleSMimeCapAddSMimeCap, MimeOleSMimeCapGetEncAlg, MimeOleSMimeCapGetHashAlg, MimeOleSMimeCapInit, MimeOleSMimeCapRelease, MimeOleSMimeCapsFromDlg, MimeOleSMimeCapsFull, MimeOleSMimeCapsToDlg, MimeOleSetBodyPropA, MimeOleSetBodyPropW, MimeOleSetCompatMode, MimeOleSetDefaultCharset, MimeOleSetPropA, MimeOleSetPropW, MimeOleStripHeaders, MimeOleUnEscapeStringInPlace, RichMimeEdit_CreateInstance VIRUSTOTAL RESULT FOR lffycjtc.sys File lffycjtc.sys received on 03.19.2009 19:38:59 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/38 (0%) Loading server information... Your file is queued in position: 4. Estimated start time is between 63 and 90 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. 
Additional information
File size: 23424 bytes
MD5...: 5118a24a6af29642c72ae14c58772775
SHA1..: 3221d4a23992bf001fc96e646f419d180c6f1b29
SHA256: 1c841036d2513c789185e3550e1786834c2e5771d497d9f6300e45ee1524b865
SHA512: 8718f4b59741010480552c3aa191168a32f354566070b3ea302f340d601f33d4f5cea0541472d33e8bae943cfac6038cff205b969abb012eec7f4ff4d6c40271
ssdeep: 384:c8Lb5xdIswCKA98X43QtuCZVNbIcP3WJcwWjcAdyEmnmWaODX5rcJ9naUBDv6ILj:5pNSoADTjOelmnmWRDSJ9aUN62aZfKf
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x27c7
timedatestamp.....: 0x48025771 (Sun Apr 13 18:56:49 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x300   0x2300  0x2300   6.89   b547eafda0719b700355c348c9850988
.rdata  0x2600  0xe1    0x100    3.33   1ce6ee7b8767a76a9725a4d7609b2c12
.data   0x2700  0x20    0x80     0.38   0c41a08c90a7d5e81bf065649ebabedc
INIT    0x2780  0x45c   0x480    5.26   9b29b76abd6b8499ea13f475a3b7ceb4
.byfo   0x2c00  0x2980  0x2980   7.74   a7e7f0dbadc4ddc94bc8af9ea0a89d36
.rsrc   0x5580  0x3e8   0x400    3.39   57e24e21fe9a929280d91b3e81c1a23c
.reloc  0x5980  0x1ce   0x200    5.04   709f3b9076f654b5acd6a8e26de7b74e

( 4 imports )
> ntoskrnl.exe: InterlockedDecrement, InterlockedIncrement, ExFreePool, IoFreeMdl, IoAllocateMdl, IoCancelIrp, memmove, ExAllocatePoolWithTag, KeSetEvent, IoAllocateIrp, MmBuildMdlForNonPagedPool, MmMapLockedPages, KeTickCount, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, KeSetTimer, IoQueueWorkItem, IoAllocateWorkItem, IofCallDriver, KeWaitForSingleObject, IoFreeIrp, IoFreeWorkItem, KeInitializeSpinLock
> HAL.dll: KfRaiseIrql, KfAcquireSpinLock, KeGetCurrentIrql, KfReleaseSpinLock, KfLowerIrql
> USBD.SYS: USBD_CreateConfigurationRequestEx, USBD_ParseConfigurationDescriptor
> RNDISMPX.SYS: RndisMInitializeWrapperEx, RndisMSendCompleteEx, RndisMIndicateReceiveEx

( 0 exports )
  6. Thanks for replying, much appreciated. Here are the ComboFix and HJT logs as requested.....

COMBO FIX

ComboFix 09-03-18.01 - D&A 2009-03-18 22:46:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2919 [GMT 0:00]
Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe
FW: Online Armor Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
I:\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.
2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu
2009-03-15 13:52 . 2009-03-18 22:44 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb
2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools
2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip
2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe
2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java
2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi
2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes
2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi
2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi
2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner
2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub
2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator
2009-03-07 21:40 . 2009-03-07 21:40 2 --a------ C:\-1058818287
2009-03-07 21:40 . 2009-03-09 09:50 0 --a------ c:\windows\system32\drivers\c8485a2.sys
2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 19:48 . 2009-02-21 19:48 <DIR> d-------- c:\windows\Downloaded Installations
2009-02-21 19:40 . 2008-04-14 00:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-21 19:40 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 22:39 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData
2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 01:36 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent
2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft
2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition
2009-02-02 16:13 --------- d-----w c:\program files\Bonjour
2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2009-01-23 12:55 --------- d-----w c:\program files\Valve
2009-01-18 15:02 --------- d-----w c:\documents and settings\D&A\Application Data\Ahead
2009-01-18 14:53 --------- d-----w c:\documents and settings\D&A\Application Data\Vso
2009-01-18 14:21 --------- d-----w c:\program files\Common Files\Ahead
2009-01-18 14:21 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys
2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-18 22:07 3,532 ----a-w C:\drmHeader.bin
2006-06-23 14:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]
2004-08-04 12:00 104448 --a------ c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]
2004-08-04 12:00 104448 c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]
--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-08-04 23424]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]
S1 c8485a2;c8485a2;c:\windows\system32\drivers\c8485a2.sys [2009-03-07 0]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517c1dcf-c9da-11dd-b64c-0016017de508}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52885827-db46-11dd-b677-0016017de508}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a072178c-b686-11dd-b612-00173fd36e63}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-14 c:\windows\Tasks\At1.job
- c:\windows\system32\yriqdux.dll [2004-08-04 12:00]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 22:48:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-18 22:49:15
ComboFix-quarantined-files.txt 2009-03-18 22:49:10
ComboFix2.txt 2009-03-14 23:24:38

Pre-Run: 48,306,036,736 bytes free
Post-Run: 50,547,736,576 bytes free

226 --- E O F --- 2009-02-25 07:31:55

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:32, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6190 bytes
  7. Afternoon,

Is there anyone who can help me please? I am having trouble getting rid of Trojan.Vundo.H. The only program that seems to even find it is MBAM, finding it in C:\Windows\System32\yriqdux.dll and three registry entries that refer to it. Unfortunately, even after restart (whether into Safe Mode or normal) the files are still there. I have tried CCleaner, Cyberscrub and MBAM's File Assassin, but all to no avail. Looking on the Symantec website they only have a removal tool for Trojan.Vundo and Trojan.Vundo.B, but this finds no trace of the 'H' variant. Looking through previous posts I have downloaded the latest versions of Firefox, MBAM, SuperAntiSpyware, AVG, AdAware and gotten rid of anything such as uTorrent etc. prior to running MBAM and Hijack This. In anticipation I have also readied

Here are the logs and BIG BIG thanks in advance for any help and/or advice.

Cheers
Dave

MBAM Log (Quick Scan, but a full scan about an hour earlier showed the same four results)

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 3

15/03/2009 13:46:56
mbam-log-2009-03-15 (13-46-56).txt

Scan type: Quick Scan
Objects scanned: 66835
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yriqdux.dll (Trojan.Vundo.H) -> Delete on reboot.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:19, on 15/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6829 bytes