Jump to content

dreamx87

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Looked at the detection logs and this is what it pulled up: Trojan Horse SHEUR2.KYD DLL registered at: c:\Systrem Volume Information\_restore{bunch of code numbers and letters}\RP13\A0009842.dll Deleted? Yes, no apparent issues, scanning the registry for related files...
  2. Thanks alot, you have been a serious help and my machine is running smoothly. Vundo has not reappeared, however there is one trojan that is still hanging around apparently. My avg catches it quick and it doesn't get time to do nothing, but the fact that it executed means that there must be some traces left of it hanging around. It was deleted automatically, and I don't have the name of it. If it reappears I will let u know the name.
  3. I took the liberty of doing some scans with SUPERAntiSpyware and MalwareByte, they both seem to give me a green light, but i am not convinced. it only takes 1 file and the whole thing could pop up on my computer again. Since prior to this the vundo seemed to be executing microsoft internet explorer to post information of my search habits, and download(?) more trojans or junk, I might block all traffic requested by internet explorer, and have that information logged for examination later. I have no sign of infection in terms of popups, etc. like I had before, but I will give it some time to demonstrate that it is fully network ready by locking the registry, and leaving the firewall open overnight once you give my HJTL the green light. dreamx87
  4. here it is. I uninstalled the Online Armor to avoid as much conflicts as possible with the combofix, it is reinstalled now, so don't mind the no firewall notice. --HJT Log Updated Thu., Jan 15, 2009-- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:34:48, on 1/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\alg.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\Program Files\Synaptics\SynTP\Toshiba.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\toshiba\ivp\ism\pinger.exe C:\WINDOWS\system32\TPSBattM.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\dla\DLACTRLW.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\TDispVol.exe C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Tall Emu\Online Armor\oahlp.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [TDispVol] TDispVol.exe O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210125727101 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 8197 bytes --End HJT Log-- --ComboFix Log Start-- ComboFix 09-01-13.04 - Daniel Ramirez 2009-01-14 23:58:35.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -5:00] Running from: c:\documents and settings\Daniel Ramirez\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Daniel Ramirez\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) * Created a new restore point FILE :: c:\windows\system32\drivers\nzhy.sys c:\windows\system32\kerojade.dll c:\windows\system32\nomadani.dll c:\windows\system32\zufajudi.dll c:\windows\Tasks\kwibhtpk.job f:\resycled\boot.com . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\VundoFix Backups c:\windows\system32\drivers\nzhy.sys c:\windows\system32\kerojade.dll c:\windows\system32\nomadani.dll c:\windows\Tasks\kwibhtpk.job . ((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 ))))))))))))))))))))))))))))))) . 2009-01-13 18:14 . 2009-01-14 00:37 250 --a------ c:\windows\gmer.ini 2009-01-13 17:02 . 2009-01-13 17:02 <DIR> d-------- c:\program files\Trend Micro 2009-01-13 15:41 . 2009-01-13 15:45 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner 2009-01-13 10:52 . 2009-01-13 10:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-13 10:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-13 10:52 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-13 10:41 . 2009-01-13 10:40 410,984 --a------ c:\windows\system32\deploytk.dll 2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes 2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-10 00:18 . 2002-12-29 01:14 81,920 --a------ c:\windows\system32\Startup.cpl 2009-01-10 00:12 . 2009-01-10 00:13 <DIR> d-------- c:\program files\CCleaner 2009-01-10 00:10 . 2009-01-10 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI 2009-01-03 00:26 . 2009-01-10 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com 2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-03 00:25 . 2009-01-03 00:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-02 20:27 . 2009-01-14 20:39 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-01-01 21:52 . 2009-01-01 21:52 <DIR> d-------- c:\program files\Electronic Arts 2009-01-01 21:48 . 2009-01-01 21:48 <DIR> d-------- c:\windows\Logs 2008-12-30 19:27 . 2008-12-30 19:27 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\dvdcss . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-13 23:11 --------- d-----w c:\program files\Java 2009-01-13 23:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-13 22:42 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\AdobeUM 2009-01-13 04:27 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent 2009-01-10 17:14 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-10 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-01-10 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-10 04:29 --------- d-----w c:\program files\Google 2009-01-09 04:28 --------- d-----w c:\program files\Gpotato 2009-01-08 02:07 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\U3 2009-01-03 05:14 --------- d-----w c:\program files\Starcraft 2008-12-11 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-12-06 19:55 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Digsby 2008-12-06 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby 2008-12-05 01:09 --------- d-----w c:\program files\Digsby 2008-12-05 00:11 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\acccore 2008-12-05 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP 2008-12-05 00:05 --------- d-----w c:\program files\AIM6 2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL 2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore 2008-12-04 23:43 --------- d-----w c:\program files\Common Files\AOL 2008-11-27 02:16 --------- d-----w c:\program files\Alex Feinman 2008-11-25 19:59 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-11-25 19:59 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys 2008-11-25 19:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll 2008-11-24 05:39 --------- d-----w c:\program files\Microsoft Silverlight 2008-11-22 00:37 --------- d-----w c:\program files\ConTEXT 2008-11-21 01:28 --------- d-----w c:\program files\Microsoft SQL Server 2008-11-21 01:24 --------- d-----w c:\program files\Microsoft Visual Studio 9.0 2008-11-20 06:30 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Hamachi 2008-11-20 04:10 --------- d-----w c:\program files\Paint.NET 2008-11-15 14:50 --------- d-----w c:\program files\Microsoft Synchronization Services 2008-11-15 14:50 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition 2008-11-15 14:44 --------- d-----w c:\program files\Microsoft SDKs 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-09-09 09:05 1,852,928 ----a-w c:\documents and settings\Daniel Ramirez\Neuz.exe 2008-06-27 15:56 480 ----a-w c:\documents and settings\Daniel Ramirez\Application Data\wklnhst.dat 2004-09-03 03:12 370,688 ----a-w c:\documents and settings\Daniel Ramirez\mss32.dll . ((((((((((((((((((((((((((((( snapshot@2009-01-14_11.43.34.28 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945] "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336] "dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "TFncKy"="TFncKy.exe" [bU] "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe] "TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe] "TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk] backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-11-18 14:21 133104 c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 18:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "Start BT in service"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "idsvc"=3 (0x3) "gusvc"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\FrostWire\\FrostWire.exe"= "c:\\Program Files\\Gpotato\\Flyff\\Updater.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Soldat\\Soldat.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\age2_x1.exe"= "c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\empires2.exe"= "c:\\Program Files\\Hamachi\\hamachi.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\xampplite\\apache\\bin\\apache.exe"= "c:\\xampplite\\mysql\\bin\\mysqld.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 97928] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408] R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704] R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 76040] S3 dump_wmimmc;dump_wmimmc; [x] S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2008-05-07 2385896] S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8eda-1c3e-11dd-a875-00130272ec4c}] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8edb-1c3e-11dd-a875-00130272ec4c}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f: \Shell\Open\command - f:\resycled\boot.com f: [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8e3e0d-bb7f-11dd-a8e1-001167c2a86b}] \Shell\AutoRun\command - e:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2009-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436485955-983440248-2884829265-1005.job - c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 14:21] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\umctl307.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - plugin: c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Picasa2\npPicasa2.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-15 00:01:15 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2009-01-15 0:02:40 ComboFix-quarantined-files.txt 2009-01-15 05:02:37 ComboFix2.txt 2009-01-14 17:28:13 ComboFix3.txt 2009-01-14 16:45:21 Pre-Run: 80,749,903,872 bytes free Post-Run: 80,748,851,200 bytes free 232 --- E O F --- 2008-12-19 08:01:41
  5. Ok, I followed the steps you requested. The first time through my online armor firewall gave a gazillion warnings, so I rebooted to safe mode and preformed the scan there. It deleted alot of things, and after the scan it rebooted itself and tried to save a log, but recieved and "access denied" error, and did not save a log. So I ran it again and this is what i got. Don't know why it couldn't save the first log. ComboFix 09-01-13.04 - Daniel Ramirez 2009-01-14 12:21:03.4 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.809 [GMT -5:00] Running from: c:\documents and settings\Daniel Ramirez\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) FW: Online Armor Firewall *enabled* --Start Log-- . ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 ))))))))))))))))))))))))))))))) . 2009-01-14 01:15 . 2009-01-14 01:15 <DIR> d-------- c:\program files\Tall Emu 2009-01-14 01:15 . 2009-01-14 12:05 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\OnlineArmor 2009-01-14 01:15 . 2009-01-14 01:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor 2009-01-14 01:15 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys 2009-01-14 01:15 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys 2009-01-14 01:15 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys 2009-01-13 18:14 . 2009-01-14 00:37 250 --a------ c:\windows\gmer.ini 2009-01-13 17:02 . 2009-01-13 17:02 <DIR> d-------- c:\program files\Trend Micro 2009-01-13 15:41 . 2009-01-13 15:45 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner 2009-01-13 13:47 . 2009-01-13 13:47 61,440 --a------ c:\windows\system32\drivers\nzhy.sys 2009-01-13 10:52 . 2009-01-13 10:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-13 10:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-13 10:52 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-13 10:41 . 2009-01-13 10:40 410,984 --a------ c:\windows\system32\deploytk.dll 2009-01-10 15:24 . 2009-01-10 15:24 <DIR> d-------- C:\VundoFix Backups 2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes 2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-10 00:18 . 2002-12-29 01:14 81,920 --a------ c:\windows\system32\Startup.cpl 2009-01-10 00:12 . 2009-01-10 00:13 <DIR> d-------- c:\program files\CCleaner 2009-01-10 00:10 . 2009-01-10 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI 2009-01-03 00:26 . 2009-01-10 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com 2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-03 00:25 . 2009-01-03 00:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-02 20:27 . 2009-01-13 12:32 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-01-01 21:52 . 2009-01-01 21:52 <DIR> d-------- c:\program files\Electronic Arts 2009-01-01 21:48 . 2009-01-01 21:48 <DIR> d-------- c:\windows\Logs 2008-12-30 19:27 . 2008-12-30 19:27 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\dvdcss . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-13 23:11 --------- d-----w c:\program files\Java 2009-01-13 23:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-13 22:42 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\AdobeUM 2009-01-13 04:27 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent 2009-01-10 17:14 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-10 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-01-10 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-10 04:29 --------- d-----w c:\program files\Google 2009-01-09 04:28 --------- d-----w c:\program files\Gpotato 2009-01-08 02:07 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\U3 2009-01-03 05:14 --------- d-----w c:\program files\Starcraft 2008-12-11 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-12-06 19:55 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Digsby 2008-12-06 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby 2008-12-05 01:09 --------- d-----w c:\program files\Digsby 2008-12-05 00:11 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\acccore 2008-12-05 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP 2008-12-05 00:05 --------- d-----w c:\program files\AIM6 2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL 2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore 2008-12-04 23:43 --------- d-----w c:\program files\Common Files\AOL 2008-11-27 02:16 --------- d-----w c:\program files\Alex Feinman 2008-11-25 19:59 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-11-25 19:59 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys 2008-11-25 19:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll 2008-11-24 05:39 --------- d-----w c:\program files\Microsoft Silverlight 2008-11-22 00:37 --------- d-----w c:\program files\ConTEXT 2008-11-21 01:28 --------- d-----w c:\program files\Microsoft SQL Server 2008-11-21 01:24 --------- d-----w c:\program files\Microsoft Visual Studio 9.0 2008-11-20 06:30 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Hamachi 2008-11-20 04:10 --------- d-----w c:\program files\Paint.NET 2008-11-15 14:50 --------- d-----w c:\program files\Microsoft Synchronization Services 2008-11-15 14:50 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition 2008-11-15 14:44 --------- d-----w c:\program files\Microsoft SDKs 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-09-09 09:05 1,852,928 ----a-w c:\documents and settings\Daniel Ramirez\Neuz.exe 2008-06-27 15:56 480 ----a-w c:\documents and settings\Daniel Ramirez\Application Data\wklnhst.dat 2004-09-03 03:12 370,688 ----a-w c:\documents and settings\Daniel Ramirez\mss32.dll 1601-01-01 00:12 62,464 --sha-w c:\windows\system32\kerojade.dll 1601-01-01 00:12 62,464 --sha-w c:\windows\system32\nomadani.dll 1601-01-01 00:12 69,120 --sha-w c:\windows\system32\zufajudi.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945] "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336] "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048] "dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "TFncKy"="TFncKy.exe" [bU] "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe] "TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe] "TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-12-13 886984] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk] backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-11-18 14:21 133104 c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 18:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "Start BT in service"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "idsvc"=3 (0x3) "gusvc"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\FrostWire\\FrostWire.exe"= "c:\\Program Files\\Gpotato\\Flyff\\Updater.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Soldat\\Soldat.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\age2_x1.exe"= "c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\empires2.exe"= "c:\\Program Files\\Hamachi\\hamachi.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\xampplite\\apache\\bin\\apache.exe"= "c:\\xampplite\\mysql\\bin\\mysqld.exe"= S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 97928] S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-01-14 178376] S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-01-14 30920] S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-01-14 28872] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408] S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2008-05-07 2385896] S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288] S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704] S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 76040] S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-01-14 1402568] S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816] S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-01-14 3321032] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8eda-1c3e-11dd-a875-00130272ec4c}] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8edb-1c3e-11dd-a875-00130272ec4c}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f: \Shell\Open\command - f:\resycled\boot.com f: [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8e3e0d-bb7f-11dd-a8e1-001167c2a86b}] \Shell\AutoRun\command - e:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2009-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436485955-983440248-2884829265-1005.job - c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 14:21] 2009-01-14 c:\windows\Tasks\kwibhtpk.job - c:\windows\SYSTEM32\rundll32.exe [2008-04-13 19:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\umctl307.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - plugin: c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Picasa2\npPicasa2.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-14 12:25:15 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2009-01-14 12:28:12 ComboFix-quarantined-files.txt 2009-01-14 17:28:10 ComboFix2.txt 2009-01-14 16:45:21 Pre-Run: 81,834,303,488 bytes free Post-Run: 81,815,052,288 bytes free 231 --- E O F --- 2008-12-19 08:01:41 --End Log-- Waiting on more instructions, blocking all network traffic and locking registry again. dreamx87
  6. Malwarebytes' Anti-Malware 1.32 Database version: 1648 Windows 5.1.2600 Service Pack 3 1/14/2009 1:55:12 AM mbam-log-2009-01-14 (01-55-12).txt Scan type: Full Scan (C:\|) Objects scanned: 158895 Time elapsed: 1 hour(s), 1 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  7. In few words, what is left seems to be adware, and it also appears that this vundo is tracking my google searches and uploading it to some server. T.T I am being watched O.o.
  8. I am starting to get an updated one for you now, as i have been on the network a bit since this is my only computer at this time, I need to get all the information viable before i take it off the network for repairs. on the side note, I noticed that it has been telling my browser to go to this address: I am leaving the address broken so people do not click on it by mistake, but if you want to know the full one, maybe it could give you an idea of what we are dealing with. <remove link> It has been Identified as Vundo.H, that is as much as i can give you until the new log comes out.
  9. hello, I am new to the forums, but not new to computers. I have used several programs to detect and remove all the spam that this trojan threw on my computer before hand including SUPERAntiSpyware 4.24, Malwarebytes. I am currently running the maching with the registry locked to prevent it from being modified. It appears most of Vundo has been removed, but there appear to be some things I still have not been able to remove. Here is the HJT log: --Start Log-- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:09:24, on 1/13/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dllhost.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TDispVol.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\Synaptics\SynTP\Toshiba.exe C:\WINDOWS\system32\dla\DLACTRLW.exe C:\toshiba\ivp\ism\pinger.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Documents and Settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Documents and Settings\Daniel Ramirez\Desktop\QuickLock.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O2 - BHO: (no name) - {ae2d9208-55f6-4d6b-88ae-b5b7b940bcae} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TDispVol] TDispVol.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210125727101 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\zufusade.dll c:\windows\system32\hatutiza.dll c:\windows\system32\yovinumo.dll c:\windows\system32\tadeyike.dll oxjyuz.dll swkxyn.dll c:\windows\system32\ruvoziyi.dll //* This is the problem, i remove it but it keeps resurfacing. O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 9983 bytes I haven't figured out much about the Highjack.Regedit except that its a registry key that keeps resurfacing, so I assume that it is the Vundo, or whatever keeps resurfacing it that puts this registry key back in. Thanks for the help in advance. Dreamx87
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.