abcdefgh
Members - Posts: 6 - Reputation: 0 Neutral
Hi Mieke, Thank you for helping me with this problem. I have been monitoring my PC for the last couple of days and it appears to be clean. Hats off to you for the work you do on this forum! Thanks
-
Hi, I am not sure my PC is completely clean yet. I ran Symantec Antivirus and deleted the files it found. The next run came back clean. However, when I ran MBAM as a different user, it found more infected registry entries. Do I need to run MBAM as all the users on this machine? I am including several MBAM logs in chronological order. The first one taken on 4/25 at 1:42pm is clean, the second one at 4/26 2:30am is not clean. The third one at 4/26 7:57am is clean again. Thanks

Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/25/2009 1:42:13 PM
mbam-log-2009-04-25 (13-42-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249614
Time elapsed: 59 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/26/2009 2:30:44 AM
mbam-log-2009-04-26 (02-30-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210780
Time elapsed: 42 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608f7634 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/26/2009 7:57:49 AM
mbam-log-2009-04-26 (07-57-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210504
Time elapsed: 44 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
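The pattern in the post above (a clean full scan under one account, then seven registry hits under another, then clean again) follows from where those entries live. Every hit in the 2:30 AM log is under HKEY_CURRENT_USER, which is a view of the logged-on user's own NTUSER.DAT hive; the NTUSER.DAT of an account that is logged off is not loaded into the live registry, so a scan run as one user does not see Run values that Vundo planted under another. The parser below is an added example for this thread, not code from the forum or from Malwarebytes: it reads the MBAM 1.x text format as posted here, separates registry detections by root hive, and runs offline on a constructed sample condensed from the 2:30 AM log.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and split registry hits by hive.

Added example for this thread, not Malwarebytes' code. SAMPLE_LOG is a constructed
condensation of the 4/26/2009 2:30 AM log posted above.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/26/2009 2:30:44 AM
mbam-log-2009-04-26 (02-30-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210780
Time elapsed: 42 minute(s), 20 second(s)

Registry Keys Infected: 3
Registry Values Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608f7634 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# A section header is the category name followed by a bare colon. The summary
# block near the top uses the same names with a count after the colon, so it
# does not match and is skipped.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<family>) -> <action>"; the path is matched lazily so parentheses
# inside a path such as "Program Files (x86)" do not end the match early.
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {section: [(path, family, action), ...]} for every detection section."""
    hits, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            hits.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = HIT_RE.match(line)
        if m:
            hits[section].append((m["path"], m["family"], m["action"]))
    return hits


def scan_is_clean(hits):
    """True when no section recorded a detection."""
    return all(len(items) == 0 for items in hits.values())


def families(hits):
    """Set of detection names (Trojan.Vundo, Trojan.Agent, ...) across all sections."""
    return {family for items in hits.values() for _path, family, _action in items}


def registry_by_hive(hits):
    """Group registry detections by root hive.

    HKEY_CURRENT_USER is the logged-on user's own NTUSER.DAT, so those entries are
    only visible to a scan run while that user is logged on; HKEY_LOCAL_MACHINE
    entries are machine-wide and visible to any administrator's scan.
    """
    by_hive = {}
    for section, items in hits.items():
        if not section.startswith("Registry"):
            continue
        for path, family, _action in items:
            by_hive.setdefault(path.split("\\", 1)[0], []).append((path, family))
    return by_hive


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("clean" if scan_is_clean(parsed) else "infected", sorted(families(parsed)))
    for hive, items in registry_by_hive(parsed).items():
        scope = "per-user hive" if hive == "HKEY_CURRENT_USER" else "machine-wide hive"
        print(hive, len(items), "registry detections,", scope)
```

Run over a set of logs from the same machine, a result where every registry hit sits under HKEY_CURRENT_USER and the user-context differs between scans is the signal to scan while logged on as each account (or to load each profile's NTUSER.DAT) rather than to trust the clean result from one profile.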
-
I uninstalled Combofix and reran MBAM. It came back clean! Is there anything else I need to run to confirm that my PC is clean? Thanks for your help.

Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/25/2009 1:42:13 PM
mbam-log-2009-04-25 (13-42-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249614
Time elapsed: 59 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-
Hi, I am unable to remove Trojan.Vundo in spite of repeated runs of MBAM. I am including the latest MBAM and HJT logs. Please advise on how to proceed next. Thanks

Malwarebytes' Anti-Malware 1.36
Database version: 2037
Windows 5.1.2600 Service Pack 3

4/24/2009 8:29:21 PM
mbam-log-2009-04-24 (20-29-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249869
Time elapsed: 1 hour(s), 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gikosiha.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000126.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:25 PM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12107 bytes
-
Here is combofix logfile. Please advise on how to proceed next. Thanks! ComboFix 09-04-24.01 - MyAdmin 04/24/2009 6:18.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.461 [GMT -7:00] Running from: c:\documents and settings\MyAdmin\Desktop\jkhfjhfj.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bszip.dll c:\windows\system32\egerupok.ini c:\windows\system32\gatubayu.exe c:\windows\system32\gikosiha.exe c:\windows\system32\powenewe.dll . ((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 ))))))))))))))))))))))))))))))) . 2009-04-24 13:25 . 2009-04-24 13:25 -------- d-----w C:\46e2902d284d208225d34e96a23f78 2009-04-24 12:51 . 2009-04-24 12:52 -------- d-----w C:\rainbow 2009-04-24 07:43 . 2009-04-24 07:43 -------- d-----w C:\lasrliglarjajbkj 2009-04-23 01:34 . 2009-04-23 01:34 -------- d-----w C:\VundoFix Backups 2009-04-22 14:22 . 2009-04-22 14:22 -------- d-----w c:\program files\CCleaner 2009-04-22 01:40 . 2009-04-22 06:29 -------- d-----w c:\program files\Windows Live Safety Center 2009-04-21 14:54 . 2009-04-21 14:54 -------- d-----w c:\documents and settings\All Users\Application Data\Gtek 2009-04-21 12:52 . 2009-04-21 12:52 2713 --sh--w c:\windows\system32\rejipupo.exe 2009-04-21 05:25 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll 2009-04-21 05:25 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll 2009-04-21 05:25 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe 2009-04-21 05:25 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe 2009-04-21 05:25 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll 2009-04-21 05:25 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll 2009-04-21 05:25 . 
2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll 2009-04-21 05:25 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll 2009-04-21 05:25 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-21 05:25 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-21 05:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-21 05:24 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe 2009-04-20 18:51 . 2009-04-20 18:51 2713 --sh--w c:\windows\system32\fidiwumu.exe 2009-04-18 12:49 . 2009-04-18 12:49 2713 --sh--w c:\windows\system32\gigayaye.exe 2009-04-16 06:47 . 2009-04-16 06:47 2713 --sh--w c:\windows\system32\lofuyifa.exe 2009-04-14 15:12 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb 2009-04-14 15:08 . 2009-04-22 01:36 -------- d-----w c:\documents and settings\MyAdmin\Application Data\HPAppData 2009-04-14 15:07 . 2009-04-14 15:07 -------- d-----w c:\documents and settings\MyAdmin\Local Settings\Application Data\BVRP Software 2009-04-14 15:07 . 2009-04-14 15:07 69224 ----a-w c:\documents and settings\MyAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-14 03:33 . 2009-04-14 03:33 -------- d-----w C:\OrbSecure 2009-04-13 13:10 . 2009-04-13 13:10 -------- d-----w c:\documents and settings\MyAdmin\Application Data\Malwarebytes 2009-04-13 13:10 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-13 13:09 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-13 13:09 . 2009-04-13 13:09 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-04-13 13:09 . 2009-04-15 00:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-13 13:07 . 2009-04-13 13:07 -------- d-----w c:\documents and settings\MyAdmin\Local Settings\Application Data\Mozilla 2009-04-13 06:45 . 
2009-04-22 09:14 -------- d-----w c:\documents and settings\All Users\Application Data\sonusoya 2009-04-13 02:09 . 2007-09-10 05:01 -------- d-----w c:\documents and settings\MyAdmin\Local Settings\Application Data\Adobe 2009-04-13 02:09 . 2005-03-10 19:54 -------- d-----w c:\documents and settings\MyAdmin\Application Data\Sonic 2009-04-13 02:09 . 2005-03-10 19:48 -------- d-----w c:\documents and settings\MyAdmin\Application Data\Jasc Software Inc 2009-04-13 02:09 . 2005-03-10 19:43 -------- d-----w c:\documents and settings\MyAdmin\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030} 2009-04-13 02:09 . 2009-04-22 14:43 -------- d-----w c:\documents and settings\MyAdmin 2009-04-12 19:51 . 2009-04-12 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG 2009-04-12 19:41 . 2001-08-17 20:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys 2009-04-12 19:41 . 2001-08-17 20:53 6784 ----a-w c:\windows\system32\dllcache\serscan.sys 2009-04-12 19:40 . 2008-04-16 04:05 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys 2009-04-12 19:40 . 2008-04-16 04:05 49920 ----a-r c:\windows\system32\drivers\HPZid412.sys 2009-04-12 19:39 . 2008-06-07 03:49 118272 ----a-w c:\windows\system32\hpz3l692.dll 2009-04-12 19:39 . 2008-04-16 04:05 271704 ----a-r c:\windows\system32\hpzids01.dll 2009-04-12 19:39 . 2008-04-16 04:05 21568 ----a-r c:\windows\system32\drivers\HPZius12.sys 2009-04-12 19:38 . 2008-04-16 04:05 372736 ----a-r c:\windows\system32\hppldcoi.dll 2009-04-12 19:38 . 2008-04-16 04:05 309760 ----a-r c:\windows\system32\difxapi.dll 2009-04-12 19:38 . 2008-04-16 04:05 729088 ----a-r c:\windows\system32\hposwia_p01a.dll 2009-04-12 19:38 . 2008-04-16 04:05 974848 ----a-r c:\windows\system32\hpost_p01a.dll 2009-04-12 19:38 . 2008-02-28 10:08 303104 ----a-r c:\windows\system32\hposc_p01a.dll 2009-04-12 19:25 . 2009-04-12 19:27 -------- d-----w c:\documents and settings\All Users\Application Data\HP 2009-04-12 19:25 . 
2009-04-12 19:25 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant 2009-04-12 19:24 . 2009-04-12 19:24 -------- d-----w c:\program files\Hewlett-Packard 2009-04-12 19:24 . 2009-04-12 19:24 -------- d-----w c:\program files\Common Files\Hewlett-Packard 2009-04-12 19:23 . 2009-04-12 19:23 -------- d-----w c:\program files\Common Files\HP 2009-04-12 19:16 . 2009-04-12 19:50 -------- d-----w c:\program files\HP 2009-04-12 19:14 . 2009-04-12 19:50 166130 ----a-w c:\windows\hpoins30.dat 2009-04-12 19:14 . 2008-06-18 06:22 844 ------w c:\windows\hpomdl30.dat 2009-04-10 23:34 . 2009-04-10 23:34 -------- d-----w c:\program files\iPod 2009-04-10 23:33 . 2009-04-10 23:34 -------- d-----w c:\program files\iTunes 2009-04-10 23:33 . 2009-04-10 23:34 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-10 22:50 . 2009-04-10 22:50 -------- d-----w c:\program files\Bonjour 2009-04-10 22:35 . 2009-04-10 22:35 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks 2009-04-10 22:34 . 2009-04-10 22:34 -------- d-----w c:\program files\TVUPlayer 2009-04-10 22:31 . 2009-04-10 23:28 -------- d-----w c:\program files\SopCast 2009-04-07 04:15 . 2009-04-07 04:15 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft 2009-04-04 13:43 . 2009-04-04 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks 2009-04-04 07:24 . 2009-04-04 07:24 -------- d-----w C:\VJVod_Cache 2009-04-04 05:33 . 2009-04-04 05:33 -------- d-----w c:\documents and settings\Kishore\LocalLow 2009-04-04 05:24 . 2009-04-04 05:24 -------- d-----w c:\windows\system32\Nagasoft 2009-04-04 04:19 . 2009-04-04 04:26 -------- d-----w c:\program files\Orb Networks 2009-04-03 03:31 . 2009-04-03 03:31 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0 2009-04-02 02:27 . 
2009-04-02 02:27 -------- d-----w c:\windows\system32\scripting 2009-04-02 02:27 . 2009-04-02 02:27 -------- d-----w c:\windows\l2schemas 2009-04-02 02:27 . 2009-04-02 02:27 -------- d-----w c:\windows\system32\en 2009-04-02 02:27 . 2009-04-02 02:27 -------- d-----w c:\windows\system32\bits 2009-04-02 02:24 . 2009-04-02 02:28 -------- d-----w c:\windows\ServicePackFiles 2009-03-26 18:07 . 2009-03-26 18:07 59904 ----a-w c:\windows\system32\zlib1.dll 2009-03-26 18:03 . 2009-03-26 18:03 286720 ----a-w c:\windows\system32\libcurl.dll 2009-03-26 18:03 . 2009-03-26 18:03 196608 ----a-w c:\windows\system32\ssleay32.dll 2009-03-26 18:03 . 2009-03-26 18:03 1028096 ----a-w c:\windows\system32\libeay32.dll 2009-03-26 18:03 . 2009-03-26 18:03 143360 ----a-w c:\windows\system32\libexpatw.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-24 13:24 . 2005-03-10 19:38 1742 ----a-w C:\SMax.log 2009-04-24 13:22 . 2009-01-09 11:38 -------- d-----w c:\program files\Symantec AntiVirus 2009-04-23 02:34 . 2009-04-23 01:34 160 ----a-w C:\VundoFix.txt 2009-04-22 14:14 . 2009-01-22 14:14 52224 --sha-w c:\windows\SYSTEM32\nanulote.exe 2009-04-22 01:35 . 2009-01-22 01:35 51200 --sha-w c:\windows\SYSTEM32\suwumuwo.exe 2009-04-22 01:34 . 2006-08-26 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater 2009-04-13 02:13 . 2009-04-13 02:10 -------- d-----w c:\documents and settings\MyAdmin\Application Data\GTek 2009-04-12 20:00 . 2006-10-20 15:54 268 ---ha-w C:\sqmdata11.sqm 2009-04-12 20:00 . 2006-10-20 15:54 244 ---ha-w C:\sqmnoopt19.sqm 2009-04-12 20:00 . 2006-10-19 01:38 268 ---ha-w C:\sqmdata10.sqm 2009-04-12 20:00 . 2006-10-19 01:38 244 ---ha-w C:\sqmnoopt18.sqm 2009-04-12 19:58 . 2006-10-12 10:07 232 ---ha-w C:\sqmdata09.sqm 2009-04-12 19:58 . 2006-10-12 10:07 244 ---ha-w C:\sqmnoopt17.sqm 2009-04-12 19:25 . 2006-10-12 10:07 232 ---ha-w C:\sqmdata08.sqm 2009-04-12 19:25 . 
2006-10-12 10:06 244 ---ha-w C:\sqmnoopt16.sqm 2009-04-12 18:45 . 2006-10-08 14:10 244 ---ha-w C:\sqmnoopt15.sqm 2009-04-12 18:45 . 2006-10-08 14:10 232 ---ha-w C:\sqmdata07.sqm 2009-04-10 23:34 . 2007-08-04 04:28 -------- d-----w c:\program files\Common Files\Apple 2009-04-10 23:31 . 2006-08-30 15:04 -------- d-----w c:\program files\QuickTime 2009-04-10 22:55 . 2008-09-17 14:56 -------- d-----w c:\program files\Safari 2009-04-05 14:36 . 2006-10-01 23:15 232 ---ha-w C:\sqmdata06.sqm 2009-04-05 14:36 . 2006-10-01 23:15 244 ---ha-w C:\sqmnoopt14.sqm 2009-04-05 03:21 . 2006-09-14 10:06 244 ---ha-w C:\sqmnoopt13.sqm 2009-04-05 03:21 . 2006-09-14 10:06 232 ---ha-w C:\sqmdata05.sqm 2009-04-05 02:56 . 2006-09-12 02:57 232 ---ha-w C:\sqmdata04.sqm 2009-04-05 02:56 . 2006-09-12 02:57 244 ---ha-w C:\sqmnoopt12.sqm 2009-04-05 00:04 . 2006-09-02 15:31 244 ---ha-w C:\sqmnoopt11.sqm 2009-04-05 00:04 . 2006-09-02 15:31 232 ---ha-w C:\sqmdata03.sqm 2009-04-04 23:45 . 2005-08-08 01:41 -------- d-----w c:\program files\MSN Messenger 2009-04-03 03:30 . 2005-03-10 19:52 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit 2009-04-03 03:30 . 2005-03-10 19:53 -------- d-----w c:\program files\Common Files\Intuit 2009-04-03 03:28 . 2006-02-06 15:55 -------- d-----w c:\program files\TurboTax 2009-04-02 10:05 . 2006-09-02 14:52 268 ---ha-w C:\sqmdata02.sqm 2009-04-02 10:05 . 2006-09-02 14:52 244 ---ha-w C:\sqmnoopt10.sqm 2009-04-02 10:05 . 2006-08-22 10:07 268 ---ha-w C:\sqmdata01.sqm 2009-04-02 10:05 . 2006-08-22 10:07 244 ---ha-w C:\sqmnoopt09.sqm 2009-04-02 02:31 . 2004-08-11 23:25 87755 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat 2009-04-02 02:22 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR 2009-03-22 19:57 . 2006-08-09 10:05 268 ---ha-w C:\sqmdata00.sqm 2009-03-22 19:57 . 2006-08-09 10:05 244 ---ha-w C:\sqmnoopt08.sqm 2009-03-22 19:56 . 2006-11-07 04:00 268 ---ha-w C:\sqmdata19.sqm 2009-03-22 19:56 . 
2006-07-08 15:37 244 ---ha-w C:\sqmnoopt07.sqm 2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll 2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-11 10:05 . 2006-11-07 03:59 268 ---ha-w C:\sqmdata18.sqm 2009-03-11 10:05 . 2006-07-01 02:33 244 ---ha-w C:\sqmnoopt06.sqm 2009-03-06 14:48 . 2006-11-07 03:49 268 ---ha-w C:\sqmdata17.sqm 2009-03-06 14:48 . 2006-07-01 02:29 244 ---ha-w C:\sqmnoopt05.sqm 2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll 2009-03-06 04:11 . 2006-10-29 23:00 268 ---ha-w C:\sqmdata16.sqm 2009-03-06 04:11 . 2006-06-28 10:05 244 ---ha-w C:\sqmnoopt04.sqm 2009-03-06 04:11 . 2006-10-29 17:52 268 ---ha-w C:\sqmdata15.sqm 2009-03-06 04:11 . 2006-06-28 10:05 244 ---ha-w C:\sqmnoopt03.sqm 2009-03-03 20:57 . 2006-10-29 17:43 268 ---ha-w C:\sqmdata14.sqm 2009-03-03 20:57 . 2006-06-18 10:07 244 ---ha-w C:\sqmnoopt02.sqm 2009-03-03 16:28 . 2006-10-29 17:42 268 ---ha-w C:\sqmdata13.sqm 2009-03-03 16:28 . 2006-06-17 19:47 244 ---ha-w C:\sqmnoopt01.sqm 2009-03-03 02:45 . 2006-10-20 15:54 268 ---ha-w C:\sqmdata12.sqm 2009-03-03 02:45 . 2006-05-14 03:12 244 ---ha-w C:\sqmnoopt00.sqm 2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll 2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll 2009-02-28 04:54 . 2006-10-17 20:04 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe 2009-02-26 11:07 . 2008-12-13 23:43 -------- d-----w c:\program files\Microsoft Silverlight 2009-02-20 10:20 . 2007-05-08 23:03 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe 2009-02-20 10:20 . 2006-10-17 20:00 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe 2009-02-20 05:14 . 2006-10-17 19:23 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll 2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll 2009-02-09 12:10 . 
2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll 2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll 2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll 2009-02-09 11:13 . 2008-10-15 10:19 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys 2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys 2009-02-08 02:02 . 2008-10-15 10:19 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe 2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe 2009-02-06 11:08 . 2008-10-15 10:19 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe 2009-02-06 11:06 . 2008-10-15 10:19 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe 2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe 2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe 2009-02-06 10:32 . 2008-10-15 10:19 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe 2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe 2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll 2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll 2009-01-11 00:09 . 2008-07-20 19:19 256 -c--a-w c:\documents and settings\Kishore\pool.bin 2008-11-05 22:52 . 2008-11-05 18:51 219480 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2008-11-03 23:46 . 2005-10-13 00:34 68448 -c--a-w c:\documents and settings\Aparna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2008-12-16 21:2005-09-28 01:05 41:14 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-30 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Aparna\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"427:UDP"= 427:UDP:SLP_Port(427)

R2 vvdsvc;VJVodServices;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-16 29744]
R3 VICAMUSB;3Com HomeConnect USB Camera;c:\windows\system32\drivers\vicamusb.sys [1999-10-12 38548]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-08 116664]
S2 ViCAM;ViCAM; [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-04-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-04-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-19 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {{0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - {A6125182-0570-4C84-BE88-61190C09112D} - c:\program files\ORB Networks\OrbThis for IE\OrbIE.dll
FF - ProfilePath - c:\documents and settings\MyAdmin\Application Data\Mozilla\Firefox\Profiles\meheo36r.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 06:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(148)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Orb Networks\Orb\bin\OrbMediaService.exe
c:\program files\Orb Networks\Orb\bin\OrbTray.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-04-24 6:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 13:29

Pre-Run: 61,439,328,256 bytes free
Post-Run: 62,068,240,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

369 --- E O F --- 2009-04-24 13:29
-
Hi, I am unable to get rid of Trojan Vundo no matter how many times I run Malwarebytes and reboot. I also ran an AntiRootkit program following advice on another post in this forum. My logs are listed below. Thank you for taking a look!

Malwarebytes' Anti-Malware 1.36
Database version: 1975
Windows 5.1.2600 Service Pack 3

4/22/2009 7:41:09 AM
mbam-log-2009-04-22 (07-41-09).txt

Scan type: Quick Scan
Objects scanned: 125775
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\godamuwe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\gadagore.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608f7634 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\godamuwe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\godamuwe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gadagore.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\lelimafu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ufamilel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vebikosi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\isokibev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\firovopa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\gadagore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\buzalevu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\godamuwe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sumonibe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.36
Database version: 1975
Windows 5.1.2600 Service Pack 3

4/22/2009 8:03:22 AM
mbam-log-2009-04-22 (08-03-22).txt

Scan type: Quick Scan
Objects scanned: 125697
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 00:04:08
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F647CD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\WINDOWS\system32\dsdmo.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ Microsoft.DirectSoundCaptureAecDMO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ Microsoft.DirectSoundCaptureAecDMO
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}@
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\LocalServer32@ C:\PROGRA~1\MICROS~4\Office\GRAPH9.EXE /automation
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\LocalServer32@LocalServer32 4FC!!gxsf(Ng]qF`H{LsGRAPHFiles>!mT]jI{jf(=1&L[-81-] /automation?
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\ProgID@ MSGraph.Application.8
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\VersionIndependentProgID@ MSGraph.Application

---- EOF - GMER 1.0.15 ----