abcdefgh

Members
  1. Hi Mieke, Thank you for helping me with this problem. I have been monitoring my PC for the last couple of days and it appears to be clean. Hats off to you for the work you do on this forum! Thanks
  2. Hi, I am not sure my PC is completely clean yet. I ran Symantec Antivirus and deleted the files it found. The next run came back clean. However, when I ran MBAM as a different user, it found more infected registry entries. Do I need to run MBAM as all the users on this machine? I am including several MBAM logs in chronological order. The first one taken on 4/25 at 1:42pm is clean, the second one at 4/26 2:30am is not clean. The third one at 4/26 7:57am is clean again. Thanks

     Malwarebytes' Anti-Malware 1.36
     Database version: 2037
     Windows 5.1.2600 Service Pack 3

     4/25/2009 1:42:13 PM
     mbam-log-2009-04-25 (13-42-13).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 249614
     Time elapsed: 59 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Malwarebytes' Anti-Malware 1.36
     Database version: 2037
     Windows 5.1.2600 Service Pack 3

     4/26/2009 2:30:44 AM
     mbam-log-2009-04-26 (02-30-44).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 210780
     Time elapsed: 42 minute(s), 20 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 3
     Registry Values Infected: 4
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608f7634 (Trojan.Agent) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Malwarebytes' Anti-Malware 1.36
     Database version: 2037
     Windows 5.1.2600 Service Pack 3

     4/26/2009 7:57:49 AM
     mbam-log-2009-04-26 (07-57-49).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 210504
     Time elapsed: 44 minute(s), 50 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. I uninstalled Combofix and reran MBAM. It came back clean! Is there anything else I need to run to confirm that my PC is clean? Thanks for your help.

     Malwarebytes' Anti-Malware 1.36
     Database version: 2037
     Windows 5.1.2600 Service Pack 3

     4/25/2009 1:42:13 PM
     mbam-log-2009-04-25 (13-42-13).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 249614
     Time elapsed: 59 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Hi, I am unable to remove Trojan.Vundo in spite of repeated runs of MBAM. I am including the latest MBAM and HJT logs. Please advise on how to proceed next. Thanks

     Malwarebytes' Anti-Malware 1.36
     Database version: 2037
     Windows 5.1.2600 Service Pack 3

     4/24/2009 8:29:21 PM
     mbam-log-2009-04-24 (20-29-21).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 249869
     Time elapsed: 1 hour(s), 3 minute(s), 59 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gikosiha.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000126.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
  5. Here is combofix logfile. Please advise on how to proceed next. Thanks!
Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "MpfService"=2 (0x2) "McTskshd.exe"=2 (0x2) "McShield"=2 (0x2) "McDetect.exe"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= "c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"= "c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"= "c:\\Program Files\\SightSpeed\\SightSpeed.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Documents and Settings\\Aparna\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"= "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"= "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"= 
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\msncall.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "427:UDP"= 427:UDP:SLP_Port(427) R2 vvdsvc;VJVodServices;c:\windows\System32\svchost.exe [2008-04-14 14336] R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-16 29744] R3 VICAMUSB;3Com HomeConnect USB Camera;c:\windows\system32\drivers\vicamusb.sys [1999-10-12 38548] S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088] S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-08 116664] S2 ViCAM;ViCAM; [x] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] vvdsvc REG_MULTI_SZ vvdsvc HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2009-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34] 2009-04-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20] 2009-04-24 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-19 12:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com mStart Page = hxxp://www.yahoo.com IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: {{0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - {A6125182-0570-4C84-BE88-61190C09112D} - c:\program files\ORB Networks\OrbThis for IE\OrbIE.dll FF - ProfilePath - c:\documents and settings\MyAdmin\Application Data\Mozilla\Firefox\Profiles\meheo36r.default\ FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-24 06:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(148) c:\windows\system32\WPDShServiceObj.dll c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\SYSTEM32\ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\program files\CDBurnerXP\NMSAccessU.exe c:\program files\Orb Networks\Orb\bin\OrbMediaService.exe c:\program files\Orb Networks\Orb\bin\OrbTray.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\windows\SYSTEM32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe c:\program files\Java\jre1.6.0_05\bin\jucheck.exe . 
************************************************************************** . Completion time: 2009-04-24 6:29 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-24 13:29 Pre-Run: 61,439,328,256 bytes free Post-Run: 62,068,240,384 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 369 --- E O F --- 2009-04-24 13:29
  6. Hi, I am unable to get rid of Trojan Vundo no matter how many times I run malwarebytes and reboot. I also ran an AntiRootkit program following advice on another post in this forum. My logs are listed below. Thank you for taking a look!

Malwarebytes' Anti-Malware 1.36
Database version: 1975
Windows 5.1.2600 Service Pack 3

4/22/2009 7:41:09 AM
mbam-log-2009-04-22 (07-41-09).txt

Scan type: Quick Scan
Objects scanned: 125775
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\godamuwe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\gadagore.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f3d1f2f8-0091-45c4-ba25-8f25e1abe416} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608f7634 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\godamuwe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\godamuwe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gadagore.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\lelimafu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ufamilel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vebikosi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\isokibev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\firovopa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\gadagore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\buzalevu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\godamuwe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sumonibe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.36
Database version: 1975
Windows 5.1.2600 Service Pack 3

4/22/2009 8:03:22 AM
mbam-log-2009-04-22 (08-03-22).txt

Scan type: Quick Scan
Objects scanned: 125697
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liditulule (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63bc45a8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 00:04:08
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F647CD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\WINDOWS\system32\dsdmo.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ Microsoft.DirectSoundCaptureAecDMO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ Microsoft.DirectSoundCaptureAecDMO
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}@
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\LocalServer32@ C:\PROGRA~1\MICROS~4\Office\GRAPH9.EXE /automation
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\LocalServer32@LocalServer32 4FC!!gxsf(Ng]qF`H{LsGRAPHFiles>!mT]jI{jf(=1&L[-81-] /automation?
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\ProgID@ MSGraph.Application.8
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\VersionIndependentProgID@ MSGraph.Application

---- EOF - GMER 1.0.15 ----