Jump to content

madmike283

Members
  • Posts

    10
  • Joined

  • Last visited

Everything posted by madmike283

  1. Forgot to add the attach.zip since the DDS did run properly. Anyone have a minute to check me out here? Thanks attach.zip
  2. Hey guys and gals. I had a weird email sent from my gmail today to most of my contacts. I was at work when it happened and it was only a link to a suspicious url. So I've run most of the tests in the instructions above and will post the results here. Other than the suspect email I'm not really experiencing anything abnormal that I can tell. The GMER scanner doesn't work as I get an error "G:\Windows\system32\config\system: The system cannot find the file specified". I DL'd the GMER from the first link provided and moved it to my desktop from it's original location. I also have not re-enabled Defogger yet. DDS (Ver_09-12-01.01) - NTFSX64 Run by Mike at 19:36:29.55 on Tue 01/12/2010 Internet Explorer: 8.0.7600.16385 Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4094.2841 [GMT -7:00] ============== Running Processes =============== G:\Windows\system32\wininit.exe G:\Windows\system32\lsm.exe G:\Windows\system32\svchost.exe -k DcomLaunch G:\Windows\system32\svchost.exe -k RPCSS G:\Windows\system32\atiesrxx.exe G:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted G:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted G:\Windows\system32\svchost.exe -k netsvcs G:\Windows\system32\svchost.exe -k LocalService G:\Windows\system32\svchost.exe -k NetworkService G:\Windows\system32\atieclxx.exe G:\Windows\System32\spoolsv.exe G:\Windows\system32\svchost.exe -k LocalServiceNoNetwork G:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe G:\Windows\system32\taskhost.exe G:\Windows\system32\Dwm.exe G:\Windows\system32\taskeng.exe G:\Windows\Explorer.EXE G:\PROGRA~2\AVG\AVG8\avgwdsvc.exe G:\Program Files (x86)\Bonjour\mDNSResponder.exe G:\Program Files (x86)\DU Meter\DUMeterSvc.exe G:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation G:\Program Files (x86)\FileZilla Server\FileZilla Server.exe G:\PROGRA~2\AVG\AVG8\avgrsa.exe G:\PROGRA~2\AVG\AVG8\avgnsa.exe G:\Windows\system32\svchost.exe -k imgsvc G:\PROGRA~2\AVG\AVG8\avgemc.exe G:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe G:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe G:\Program Files (x86)\DU Meter\DUMeter.exe G:\Program Files\Logitech\SetPoint\SetPoint.exe G:\Program Files\Rainmeter\Rainmeter.exe G:\Program Files (x86)\AVG\AVG8\avgtray.exe G:\Program Files (x86)\PowerISO\PWRISOVM.EXE G:\Program Files (x86)\iTunes\iTunesHelper.exe G:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe G:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe G:\Program Files (x86)\Java\jre6\bin\jusched.exe G:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe G:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted G:\Windows\system32\SearchIndexer.exe G:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe G:\Program Files\Windows Media Player\wmpnetwk.exe G:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE G:\Program Files\iPod\bin\iPodService.exe G:\Windows\system32\SearchProtocolHost.exe G:\Windows\system32\SearchFilterHost.exe G:\Windows\System32\svchost.exe -k LocalServicePeerNet G:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe G:\Windows\system32\wbem\wmiprvse.exe G:\Windows\system32\taskeng.exe G:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe G:\Windows\system32\sppsvc.exe G:\Windows\System32\svchost.exe -k secsvcs G:\Users\Mike\AppData\Local\Google\Chrome\Application\chrome.exe G:\Users\Mike\AppData\Local\Google\Chrome\Application\chrome.exe G:\Windows\system32\wbem\wmiprvse.exe G:\Windows\system32\wuauclt.exe G:\Users\Mike\Desktop\dds.scr G:\Windows\system32\conhost.exe ============== Pseudo HJT Report =============== mLocal Page = g:\windows\syswow64\blank.htm mWinlogon: Userinit=userinit.exe BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files (x86)\avg\avg8\avgssie.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files (x86)\java\jre6\bin\jp2ssv.dll uRun: [Google Update] "g:\users\mike\appdata\local\google\update\GoogleUpdate.exe" /c uRun: [uTorrent] "g:\program files (x86)\utorrent\uTorrent.exe" uRun: [DU Meter] g:\program files (x86)\du meter\DUMeter.exe mRun: [AVG8_TRAY] g:\progra~2\avg\avg8\avgtray.exe mRun: [PWRISOVM.EXE] g:\program files (x86)\poweriso\PWRISOVM.EXE mRun: [startCCC] "g:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [QuickTime Task] "g:\program files (x86)\quicktime\QTTask.exe" -atboottime mRun: [FileZilla Server Interface] "g:\program files (x86)\filezilla server\FileZilla Server Interface.exe" mRun: [iTunesHelper] "g:\program files (x86)\itunes\iTunesHelper.exe" mRun: [Adobe Reader Speed Launcher] "g:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "g:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "g:\program files (x86)\java\jre6\bin\jusched.exe" mRun: [Malwarebytes' Anti-Malware] "g:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /starttray StartupFolder: g:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - g:\program files (x86)\common files\logishrd\ereg\common\eReg.exe StartupFolder: g:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - g:\program files\logitech\setpoint\SetPoint.exe StartupFolder: g:\progra~3\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0) mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - g:\progra~2\micros~1\office12\EXCEL.EXE/3000 IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~2\micros~1\office12\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab TCP: {918B1D83-CF91-4E01-B0F0-DA7642C5B822} = 68.87.85.102,68.87.69.150 Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files (x86)\avg\avg8\avgpp.dll mRun-x64: [RtHDVCpl] g:\program files\realtek\audio\hda\RAVCpl64.exe mRun-x64: [skytel] g:\program files\realtek\audio\hda\Skytel.exe mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE ============= SERVICES / DRIVERS =============== R1 AvgLdx64;AVG Free AVI Loader Driver x64;g:\windows\system32\drivers\avgldx64.sys [2009-7-25 427016] R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;g:\windows\system32\drivers\avgmfx64.sys [2009-7-25 33416] R1 AvgTdiA;AVG Free8 Network Redirector x64;g:\windows\system32\drivers\avgtdia.sys [2009-7-25 133640] R2 AMD External Events Utility;AMD External Events Utility;g:\windows\system32\atiesrxx.exe [2009-5-16 203264] R2 avg8emc;AVG Free8 E-mail Scanner;g:\progra~2\avg\avg8\avgemc.exe [2009-7-25 908056] R2 avg8wd;AVG Free8 WatchDog;g:\progra~2\avg\avg8\avgwdsvc.exe [2009-7-25 297752] R2 DUMeterSvc;DU Meter Service;g:\program files (x86)\du meter\DUMeterSvc.exe [2009-12-29 504832] R2 MBAMService;MBAMService;g:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe [2010-1-12 236368] R3 MBAMProtector;MBAMProtector;g:\windows\system32\drivers\mbam.sys [2010-1-12 22104] S2 gupdate;Google Update Service (gupdate);g:\program files (x86)\google\update\GoogleUpdate.exe [2009-8-2 133104] S3 cpuz132;cpuz132;g:\windows\system32\drivers\cpuz132_x64.sys [2009-7-25 19432] S3 pwdrvio;pwdrvio;g:\windows\system32\pwdrvio.sys [2009-12-2 19912] S3 pwdspio;pwdspio;g:\windows\system32\pwdspio.sys [2009-12-2 13264] S3 RTL8167;Realtek 8167 NT Driver;g:\windows\system32\drivers\Rt64win7.sys [2009-6-10 187392] S3 USBAAPL64;Apple Mobile USB Driver;g:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152] =============== Created Last 30 ================ 2010-01-13 02:12:24 0 ----a-w- g:\users\mike\defogger_reenable 2010-01-12 22:03:34 0 d-----w- g:\users\mike\appdata\roaming\Malwarebytes 2010-01-12 22:03:29 22104 ----a-w- g:\windows\system32\drivers\mbam.sys 2010-01-12 22:03:29 0 d-----w- g:\programdata\Malwarebytes 2010-01-12 22:03:28 0 d-----w- g:\program files (x86)\Malwarebytes' Anti-Malware 2010-01-07 03:58:56 1908 ----a-w- g:\windows\diagwrn.xml 2010-01-07 03:58:56 1908 ----a-w- g:\windows\diagerr.xml 2009-12-30 05:14:08 719 ----a-w- g:\windows\pwcmdlist.bak 2009-12-30 05:05:29 0 d-----w- g:\program files (x86)\DU Meter 2009-12-30 04:58:09 0 d-----w- g:\programdata\Hagel Technologies ==================== Find3M ==================== 2009-12-01 05:00:51 11030 ----a-w- g:\windows\syswow64\SpoonUninstall-dBpoweramp DSP Effects.dat 2009-12-01 05:00:49 3494576 ----a-w- g:\windows\syswow64\SpoonUninstall.exe 2009-12-01 05:00:49 15613 ----a-w- g:\windows\syswow64\SpoonUninstall-dBpoweramp Music Converter.dat 2009-11-29 19:57:13 0 ---ha-w- g:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf 2009-11-19 07:22:46 64512 ----a-w- g:\windows\syswow64\msfeedsbs.dll 2009-11-19 07:22:46 5958656 ----a-w- g:\windows\syswow64\mshtml.dll 2009-11-06 23:33:02 514048 ----a-w- g:\windows\system32\pwNative.exe 2009-11-04 18:47:32 19912 ----a-w- g:\windows\system32\pwdrvio.sys 2009-11-04 18:47:30 13264 ----a-w- g:\windows\system32\pwdspio.sys 2009-11-03 03:42:06 226688 ------w- g:\windows\system32\MpSigStub.exe 2009-10-29 07:48:16 2048 ----a-w- g:\windows\system32\tzres.dll 2009-10-29 07:22:37 2048 ----a-w- g:\windows\syswow64\tzres.dll 2009-10-29 03:14:51 2995 ----a-w- g:\windows\syswow64\SpoonUninstall-dBpoweramp FLAC Codec.dat 2009-07-14 05:37:38 31548 ----a-w- g:\windows\inf\perflib\0409\perfd.dat 2009-07-14 05:37:38 31548 ----a-w- g:\windows\inf\perflib\0409\perfc.dat 2009-07-14 05:37:38 291294 ----a-w- g:\windows\inf\perflib\0409\perfi.dat 2009-07-14 05:37:38 291294 ----a-w- g:\windows\inf\perflib\0409\perfh.dat 2009-07-14 04:54:24 174 --sha-w- g:\program files\desktop.ini 2009-07-14 04:54:24 174 --sha-w- g:\program files (x86)\desktop.ini 2009-07-14 01:00:34 291294 ----a-w- g:\windows\inf\perflib\0000\perfi.dat 2009-07-14 01:00:34 291294 ----a-w- g:\windows\inf\perflib\0000\perfh.dat 2009-07-14 01:00:32 31548 ----a-w- g:\windows\inf\perflib\0000\perfd.dat 2009-07-14 01:00:32 31548 ----a-w- g:\windows\inf\perflib\0000\perfc.dat 2009-06-10 20:44:08 9633792 --sha-r- g:\windows\fonts\StaticCache.dat 2009-07-25 17:12:13 245760 --sha-w- g:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat 2009-07-14 04:55:03 16384 --sha-w- g:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat 2009-07-14 04:55:03 32768 --sha-w- g:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 2009-07-14 04:55:03 16384 --sha-w- g:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat 2009-07-14 01:39:53 398848 --sha-w- g:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe 2009-07-14 01:14:45 396800 --sha-w- g:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe ============= FINISH: 19:37:06.29 ===============
  3. Thanks for your help. I was really wanting to avoid a re-image, but oh well. I guess I'll start organizing what I need to save off of here. Thanks again and you guys provide a great service for us! Mike
  4. Nope, I still get the warning from ComboFix that my anti-virus is still running. The system tray icon is gone, but it must still be running in the background or something. Any recommendations? Thanks again for the assistance.
  5. Wait, maybe it did disable. I tried disabling the it in the startup section of the Sys Config Monitor. It seems to not be running now. Let me try ComboFix now.
  6. Thanks for the reply. I was about to run ComboFix but I can't seem to disable my McAfee anti-virus. I errantly tried to start ComboFix anyway and it warned me that it was still running. So I just restarted my computer. It's McAfee Virus Scan Enterprise and it seems that maybe they set it up so that it takes Administrator privileges to disable it. I'm I stuck, or might there be a way around this? I suppose I may need to start saving stuff off of this thing so that they can re-image it?
  7. Here are the logs from Panda and HJT. Thanks for any help guys and gals. ;******************************************************************************* ******************************************************************************** * ******************* ANALYSIS: 2009-01-01 14:50:28 PROTECTIONS: 1 MALWARE: 2 SUSPECTS: 0 ;******************************************************************************* ******************************************************************************** * ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================ = =================== McAfee VirusScan Enterprise 8.5.0.781 No Yes ;=============================================================================== ================================================================================ = =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================ = =================== 00000002 Virus 101 Virus/Trojan No 1 Yes No C:\TShelpCD\GCC\How to Add a User to a GCC.pdf 00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\michmorgan\Cookies\michmorgan@com[1].txt ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location Q ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description Q ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:54:43 PM, on 1/1/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Tyco Safety Products\Security Service\FirstService.exe C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Apoint\HidFind.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\NoteWhen\notewhen.exe C:\Program Files\Cisco Systems\VPN Client\vpngui.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://simplexgrinnell.ia/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://simplexgrinnell.ia R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SimplexGrinnell R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy1:9998;http=proxy1:9998;https=proxy1:9998 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ia;*.simplexnet.com;*.simplexgrinnell.net;10.*;*.dev;;E171593*;<local> O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show O4 - Startup: NoteWhen.lnk = C:\Program Files\NoteWhen\notewhen.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://simplexgrinnell.ia O15 - Trusted Zone: http://ebsintf.ace.ia O15 - Trusted Zone: http://ebsperf.ace.ia O15 - Trusted Zone: http://ebsprod.ace.ia O15 - Trusted Zone: http://ebsuat.ace.ia O15 - Trusted Zone: http://prod.ace.ia O15 - ESC Trusted Zone: http://runonce.msn.com O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM) O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188222972937 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188222964937 O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.fallingrocktaphouse.com/cam/AxisCamControl.ocx O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.tyco-training.com/SiteRoots/...aDownloader.cab O16 - DPF: {EF40FB0A-F7D0-4971-8221-1EB2C81178D8} - http://www.flashpointsoftware.com/InstallShield/setup.cab O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://bbi.simplexgrinnell.ia/ikcntrls.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net O17 - HKLM\Software\..\Telephony: DomainName = sg.sgna.simplexgrinnell.net O17 - HKLM\System\CCS\Services\Tcpip\..\{B32F7A81-937B-467A-A90B-07682EF76889}: Domain = sg.sgna.simplexgrinnell.net O17 - HKLM\System\CCS\Services\Tcpip\..\{B32F7A81-937B-467A-A90B-07682EF76889}: NameServer = 10.36.17.50,10.36.102.143 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sg.sgna.simplexgrinnell.net,sgna.simplexgrinnell.net,simplexgrinnell.net O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sg.sgna.simplexgrinnell.net,sgna.simplexgrinnell.net,simplexgrinnell.net O20 - AppInit_DLLs: ffyhah.dll O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe O23 - Service: minhunk20x6 - Tyco Safety Products - C:\Program Files\Tyco Safety Products\Security Service\FirstService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 9831 bytes
  8. Sorry, I added the wrong log file. This is the one that was after I tried repairing the found infections... Malwarebytes' Anti-Malware 1.31 Database version: 1589 Windows 5.1.2600 Service Pack 2 1/1/2009 1:27:07 PM mbam-log-2009-01-01 (13-27-07).txt Scan type: Quick Scan Objects scanned: 56612 Time elapsed: 6 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 7 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\ftiltaoq.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pmnljJbx.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qoMeCUMC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  9. I've got this bug on my work laptop. I've read through the threads here and thought I'd do the scans as described in the Pre-HJT instructions thread. I'm running the Panda scan right now, but thought I'd go ahead and post the MBAM log... Malwarebytes' Anti-Malware 1.31 Database version: 1589 Windows 5.1.2600 Service Pack 2 1/1/2009 1:27:03 PM mbam-log-2009-01-01 (13-26-55).txt Scan type: Quick Scan Objects scanned: 56612 Time elapsed: 6 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 7 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken. Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\ftiltaoq.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\pmnljJbx.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\qoMeCUMC.dll (Trojan.Vundo) -> No action taken.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.