
Help - trojan.vundo.. I think??? Can't remove bad files



Thank you!!!

Scans follow: (I wasn't sure if you meant to attach them or just paste; please let me know if you want it attached.) Thank you again. I really appreciate this.

stara

DDS.txt

DDS (Ver_09-05-14.01) - NTFSx86

Run by Thomas Lake at 16:15:03.25 on Sun 06/14/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.183 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\1XConfig.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Thomas Lake\Desktop\dds.scr

C:\Documents and Settings\Thomas Lake\Thomas Lake.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wappingersschools.org/

mStart Page =

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

BHO: : {75cd8906-8271-462c-82ac-f4d101bf2c2a} - c:\windows\system32\lypsqeo.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [<NO NAME>] c:\documents and settings\thomas lake\.exe /i

uRun: [A00F36A4E7.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F36A4E7.exe

uRun: [A00F168977.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F168977.exe

uRun: [A00F1698C3.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F1698C3.exe

uRun: [A00F1BC70B.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F1BC70B.exe

uRun: [A00F15B947.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F15B947.exe

uRun: [Thomas Lake] c:\documents and settings\thomas lake\Thomas Lake.exe /i

mRun: [s3TRAY2] S3Tray2.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TpShocks] TpShocks.exe

mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe

mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup

mRun: [TP4EX] tp4ex.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [uC_Start] c:\program files\ibm\updater\\ucstartup.exe

mRun: [uC_SMB]

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe

mRun: [iBMPRC] c:\ibmtools\utils\ibmprc.exe

mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE

mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE

mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor

mRun: [bMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE

mRun: [bMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NAV] "c:\program files\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav\2454b0ab\16.0.0.125\inststub.exe" /relaunch /runonce /media "d:\SETUP.EXE" /NOPROMPT

mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"

mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"

dRun: [<NO NAME>] c:\documents and settings\thomas lake\.exe /i

dRun: [sYS32DLL] SYS32DLL

dRun: [Diagnostic Manager] c:\windows\temp\2063829159.exe

dRun: [svc] c:\program files\thunmail\testabd.exe

dRun: [sYSDLL] SYSDLL

dRun: [shv] c:\program files\micphone\antit.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

dPolicies-explorer: NoFolderOptions = 1 (0x1)

dPolicies-system: DisableRegistryTools = 1 (0x1)

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll

Notify: QConGina - QConGina.dll

Notify: rjzbvpks - lypsqeo.dll

AppInit_DLLs: c:\windows\system32\gevumabo.dll ,c:\progra~1\thunmail\testabd.dll,c:\progra~1\micphone\antit.dll

LSA: Notification Packages = scecli pwdmon c:\windows\system32\gevumabo.dll

============= SERVICES / DRIVERS ===============

R0 fazpbtpj;fazpbtpj;c:\windows\system32\drivers\fazpbtpj.sys [1980-1-1 23424]

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-2-7 59520]

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-2-7 11520]

R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-2-7 2432]

R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-2-7 4608]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-2-7 16384]

R1 vet-filt;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-6-9 26352]

R1 vet-rec;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-6-9 21104]

R1 vetefile;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-6-9 879760]

R1 vetfddnt;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-6-9 21488]

R1 vetmonnt;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-6-9 32240]

R2 caisafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-6-9 144696]

R2 ccschedulersvc;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-6-9 128240]

R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-23 64256]

R2 vetmsgnt;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-6-9 296176]

R3 veteboot;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-6-9 108288]

S0 qofhev;qofhev;c:\windows\system32\drivers\mkoxr.sys --> c:\windows\system32\drivers\mkoxr.sys [?]

S1 ethoydxs;ethoydxs;c:\windows\system32\drivers\ethoydxs.sys [2009-6-5 136192]

S2 bevtservice;bevtservice;c:\windows\system32\bevtservice.exe -k netsvcs --> c:\windows\system32\bEvtService.exe -k netsvcs [?]

S2 eylqmu;eylqmu;c:\windows\system32\drivers\zxsdko.sys --> c:\windows\system32\drivers\zxsdko.sys [?]

S3 isadisk;isadisk;c:\windows\system32\isadisk.sys [1980-1-1 2304]

S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-2-7 12288]

S3 sndintd;sndintd;c:\windows\system32\sndintd.sys [1980-1-1 2304]

=============== Created Last 30 ================

2009-06-13 22:16 61,440 a------- c:\windows\system32\drivers\isoyb.sys

2009-06-13 18:20 <DIR> --d----- c:\program files\Trend Micro

2009-06-12 22:10 <DIR> --d----- C:\VundoFix Backups

2009-06-12 19:19 61,440 a------- c:\windows\system32\drivers\qklwyx.sys

2009-06-11 21:45 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-10 21:49 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-09 18:26 250,544 a------- c:\windows\system32\KeyHelp.ocx

2009-06-09 18:26 <DIR> --d----- c:\program files\common files\Scanner

2009-06-09 18:25 879,760 a------- c:\windows\system32\drivers\vetefile.sys

2009-06-09 18:25 111,856 a------- c:\windows\system32\isafprod.dll

2009-06-09 18:25 108,288 a------- c:\windows\system32\drivers\veteboot.sys

2009-06-09 18:25 99,568 a------- c:\windows\system32\isafeif.dll

2009-06-09 18:25 83,256 a------- c:\windows\system32\vetredir.dll

2009-06-09 18:25 32,240 a------- c:\windows\system32\drivers\vetmonnt.sys

2009-06-09 18:25 26,352 a------- c:\windows\system32\drivers\vet-filt.sys

2009-06-09 18:25 21,488 a------- c:\windows\system32\drivers\vetfddnt.sys

2009-06-09 18:25 21,104 a------- c:\windows\system32\drivers\vet-rec.sys

2009-06-09 18:24 111,856 a------- c:\windows\system32\wbem\canvprov.dll

2009-06-09 18:24 6,552 a------- c:\windows\system32\wbem\canvprov.mof

2009-06-09 18:24 <DIR> --d----- c:\program files\CA

2009-06-08 21:36 437,248 a------- c:\windows\system32\Installer.exe

2009-06-08 21:36 258,048 a------- c:\windows\system32\wscsvc32.exe

2009-06-08 21:36 82,432 a------- c:\windows\system32\resdll.dll

2009-06-06 21:43 0 a------- c:\windows\system32\34.tmp

2009-06-06 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA

2009-06-06 16:13 <DIR> --dshr-- c:\program files\MicPhone

2009-06-06 16:13 67,584 a------- c:\windows\system32\A0.tmp

2009-06-06 16:13 152,576 a------- c:\windows\system32\9F.tmp

2009-06-06 16:13 80 a------- c:\windows\system32\9D.tmp

2009-06-05 21:17 67,584 a------- c:\windows\system32\36.tmp

2009-06-05 21:17 153,088 a------- c:\windows\system32\35.tmp

2009-06-05 21:16 120 a------- c:\windows\system32\2A.tmp

2009-06-05 21:10 67,584 a------- c:\windows\system32\33.tmp

2009-06-05 21:10 153,088 a------- c:\windows\system32\32.tmp

2009-06-05 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Protexis

2009-06-05 20:45 67,584 a------- c:\windows\system32\31.tmp

2009-06-05 20:45 152,064 a------- c:\windows\system32\2F.tmp

2009-06-05 20:44 120 a------- c:\windows\system32\26.tmp

2009-06-05 15:43 67,584 a------- c:\windows\system32\2E.tmp

2009-06-05 15:43 153,088 a------- c:\windows\system32\2C.tmp

2009-06-05 15:43 80 a------- c:\windows\system32\2B.tmp

2009-06-05 15:23 67,584 a------- c:\windows\system32\29.tmp

2009-06-05 15:23 153,088 a------- c:\windows\system32\28.tmp

2009-06-05 15:23 80 a------- c:\windows\system32\27.tmp

2009-06-05 15:17 136,192 a------- c:\windows\system32\drivers\ethoydxs.sys

2009-06-05 15:17 67,584 a------- c:\windows\system32\25.tmp

2009-06-05 15:17 153,088 a------- c:\windows\system32\24.tmp

2009-06-05 15:16 80 a------- c:\windows\system32\23.tmp

2009-06-05 14:45 136,192 a------- c:\windows\system32\drivers\wanatw4.sys

2009-05-25 11:50 1 a------- c:\windows\system32\20.tmp

2009-05-25 11:49 84 a------- c:\windows\system32\1F.tmp

2009-05-25 11:05 <DIR> --d----- c:\windows\system32\LogFiles

2009-05-25 10:09 29,184 a------- c:\windows\system32\jhxm32.dll

2009-05-25 09:17 <DIR> --d----- c:\windows\system32\sysloc

2009-05-24 18:58 41,240 ----h--- c:\documents and settings\thomas lake\Thomas Lake.exe

2009-05-24 18:58 70,144 a------- c:\windows\system32\22.tmp

2009-05-24 18:54 120 a------- c:\windows\system32\1E.tmp

2009-05-24 14:28 107,852 a------- c:\windows\system32\drivers\5df2a0c3.sys

2009-05-24 14:28 22,528 a------- C:\orrx.exe

2009-05-24 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94932966

2009-05-24 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14922974

2009-05-24 14:26 29,696 a------- C:\bpyphcxc.exe

2009-05-24 14:21 1 a------- c:\windows\system32\1C.tmp

2009-05-24 14:21 84 a------- c:\windows\system32\1B.tmp

2009-05-24 11:31 0 a------- c:\windows\system32\1A.tmp

2009-05-22 10:57 70,144 a------- c:\windows\system32\1D.tmp

2009-05-22 10:56 120 a------- c:\windows\system32\19.tmp

2009-05-22 09:18 70,144 a------- c:\windows\system32\30.tmp

2009-05-22 09:18 120 a------- c:\windows\system32\2D.tmp

2009-05-22 08:10 <DIR> --d----- c:\windows\system32\3361

2009-05-22 08:10 108,336 a------- c:\windows\system32\MSWINSCK.OCX

2009-05-22 08:10 <DIR> --d----- c:\windows\dhcp

2009-05-17 10:40 0 a------- c:\windows\system32\18.tmp

2009-05-17 10:40 1 a------- c:\windows\system32\14.tmp

2009-05-16 19:03 94,208 a------- c:\windows\system32\13.tmp

2009-05-16 19:03 1 a------- c:\windows\system32\12.tmp

2009-05-16 17:27 94,208 a------- c:\windows\system32\17.tmp

2009-05-16 17:27 1 a------- c:\windows\system32\16.tmp

2009-05-16 17:27 84 a------- c:\windows\system32\15.tmp

==================== Find3M ====================

2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\f8863985.sys

2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\c4b9cc21.sys

2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\5e07aa2b.sys

2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\2b791b1c.sys

2009-06-14 16:15 104,444 a------- c:\windows\system32\drivers\cfa50922.sys

2009-05-25 11:42 159 a------- C:\xcrashdump.dat

2009-05-24 18:50 90,112 a------- c:\windows\DUMP57c0.tmp

2009-05-24 18:49 90,112 a------- c:\windows\DUMP58c4.tmp

2009-05-24 18:47 90,112 a------- c:\windows\DUMP57ba.tmp

2009-05-24 18:46 90,112 a------- c:\windows\DUMP57b9.tmp

2009-05-24 18:45 90,112 a------- c:\windows\DUMP56c7.tmp

2009-05-24 18:44 90,112 a------- c:\windows\DUMP57b3.tmp

2009-05-24 18:43 90,112 a------- c:\windows\DUMP5806.tmp

2009-05-24 18:41 90,112 a------- c:\windows\DUMP5811.tmp

2009-05-24 18:40 90,112 a------- c:\windows\DUMP587f.tmp

2009-05-24 18:39 90,112 a------- c:\windows\DUMP577f.tmp

2009-05-24 18:38 90,112 a------- c:\windows\DUMP5842.tmp

2009-05-24 18:37 90,112 a------- c:\windows\DUMP5c47.tmp

2009-05-24 18:35 90,112 a------- c:\windows\DUMP566c.tmp

2009-05-24 18:34 90,112 a------- c:\windows\DUMP5958.tmp

2009-05-24 18:33 90,112 a------- c:\windows\DUMP5890.tmp

2009-05-24 18:32 90,112 a------- c:\windows\DUMP5bbb.tmp

2009-05-24 18:30 90,112 a------- c:\windows\DUMP5da6.tmp

2009-05-24 18:29 90,112 a------- c:\windows\DUMP57f4.tmp

2009-05-24 18:28 90,112 a------- c:\windows\DUMP58d7.tmp

2009-05-24 18:27 90,112 a------- c:\windows\DUMP56f7.tmp

2009-05-24 18:26 90,112 a------- c:\windows\DUMP57bf.tmp

2009-05-24 18:24 90,112 a------- c:\windows\DUMP561a.tmp

2009-05-24 18:23 90,112 a------- c:\windows\DUMP5790.tmp

2009-05-24 18:22 90,112 a------- c:\windows\DUMP57b8.tmp

2009-05-24 18:21 90,112 a------- c:\windows\DUMP5928.tmp

2009-05-24 18:20 90,112 a------- c:\windows\DUMP587e.tmp

2009-05-24 18:18 90,112 a------- c:\windows\DUMP564b.tmp

2009-05-24 18:17 90,112 a------- c:\windows\DUMP577e.tmp

2009-05-24 18:16 90,112 a------- c:\windows\DUMP58ba.tmp

2009-05-24 18:15 90,112 a------- c:\windows\DUMP57b2.tmp

2009-05-24 18:14 90,112 a------- c:\windows\DUMP5752.tmp

2009-05-24 18:12 90,112 a------- c:\windows\DUMP5872.tmp

2009-05-24 18:11 90,112 a------- c:\windows\DUMP57e0.tmp

2009-05-24 18:10 90,112 a------- c:\windows\DUMP594e.tmp

2009-05-24 18:09 90,112 a------- c:\windows\DUMP57f3.tmp

2009-05-24 18:08 90,112 a------- c:\windows\DUMP586c.tmp

2009-05-24 18:06 90,112 a------- c:\windows\DUMP57b1.tmp

2009-05-24 18:05 90,112 a------- c:\windows\DUMP58cd.tmp

2009-05-24 18:04 90,112 a------- c:\windows\DUMP5676.tmp

2009-05-24 18:03 90,112 a------- c:\windows\DUMP57b7.tmp

2009-05-24 18:02 90,112 a------- c:\windows\DUMP5810.tmp

2009-05-24 18:00 90,112 a------- c:\windows\DUMP56b1.tmp

2009-05-24 17:59 90,112 a------- c:\windows\DUMP57b0.tmp

2009-05-24 17:58 90,112 a------- c:\windows\DUMP57fb.tmp

2009-05-24 17:57 90,112 a------- c:\windows\DUMP569d.tmp

2009-05-24 17:56 90,112 a------- c:\windows\DUMP569c.tmp

2009-05-24 17:54 90,112 a------- c:\windows\DUMP57e8.tmp

2009-05-24 17:53 90,112 a------- c:\windows\DUMP5675.tmp

2009-05-24 17:52 90,112 a------- c:\windows\DUMP56c6.tmp

2009-05-24 17:51 90,112 a------- c:\windows\DUMP56bb.tmp

2009-05-24 17:50 90,112 a------- c:\windows\DUMP581b.tmp

2009-05-24 17:48 90,112 a------- c:\windows\DUMP58b9.tmp

2009-05-24 17:47 90,112 a------- c:\windows\DUMP5638.tmp

2009-05-24 17:46 90,112 a------- c:\windows\DUMP57be.tmp

2009-05-24 17:45 90,112 a------- c:\windows\DUMP584a.tmp

2009-05-24 17:44 90,112 a------- c:\windows\DUMP5841.tmp

2009-05-24 17:41 90,112 a------- c:\windows\DUMP562f.tmp

2009-05-24 17:40 90,112 a------- c:\windows\DUMP581a.tmp

2009-05-24 17:39 90,112 a------- c:\windows\DUMP5819.tmp

2009-05-24 17:38 90,112 a------- c:\windows\DUMP5797.tmp

2009-05-24 17:36 90,112 a------- c:\windows\DUMP5b7f.tmp

2009-05-24 17:35 90,112 a------- c:\windows\DUMP56d8.tmp

2009-05-24 17:34 90,112 a------- c:\windows\DUMP57fa.tmp

2009-05-24 17:33 90,112 a------- c:\windows\DUMP5908.tmp

2009-05-24 17:32 90,112 a------- c:\windows\DUMP5a53.tmp

2009-05-24 17:30 90,112 a------- c:\windows\DUMP5bb3.tmp

2009-05-24 17:29 90,112 a------- c:\windows\DUMP5840.tmp

2009-05-24 17:28 90,112 a------- c:\windows\DUMP5927.tmp

2009-05-24 17:27 90,112 a------- c:\windows\DUMP5837.tmp

2009-05-24 17:25 90,112 a------- c:\windows\DUMP57df.tmp

2009-05-24 17:24 90,112 a------- c:\windows\DUMP580f.tmp

2009-05-24 17:23 90,112 a------- c:\windows\DUMP56c5.tmp

2009-05-24 17:22 90,112 a------- c:\windows\DUMP57b6.tmp

2009-05-24 17:21 90,112 a------- c:\windows\DUMP57f2.tmp

2009-05-24 17:19 90,112 a------- c:\windows\DUMP57ca.tmp

2009-05-24 17:18 90,112 a------- c:\windows\DUMP56a6.tmp

2009-05-24 17:17 90,112 a------- c:\windows\DUMP57c9.tmp

2009-05-24 17:16 90,112 a------- c:\windows\DUMP5854.tmp

2009-05-24 17:15 90,112 a------- c:\windows\DUMP562e.tmp

2009-05-24 17:13 90,112 a------- c:\windows\DUMP577d.tmp

2009-05-24 17:12 90,112 a------- c:\windows\DUMP578f.tmp

2009-05-24 17:11 90,112 a------- c:\windows\DUMP5658.tmp

2009-05-24 17:10 90,112 a------- c:\windows\DUMP56ce.tmp

2009-05-24 17:09 90,112 a------- c:\windows\DUMP56f6.tmp

2009-05-24 17:07 90,112 a------- c:\windows\DUMP58fe.tmp

2009-05-24 17:06 90,112 a------- c:\windows\DUMP57af.tmp

2009-05-24 17:05 90,112 a------- c:\windows\DUMP5931.tmp

2009-05-24 17:04 90,112 a------- c:\windows\DUMP577c.tmp

2009-05-24 17:03 90,112 a------- c:\windows\DUMP5749.tmp

2009-05-24 17:01 90,112 a------- c:\windows\DUMP56ec.tmp

2009-05-24 17:00 90,112 a------- c:\windows\DUMP5619.tmp

2009-05-24 16:59 90,112 a------- c:\windows\DUMP5784.tmp

2009-05-24 16:58 90,112 a------- c:\windows\DUMP5783.tmp

2009-05-24 16:57:09 A------- 90,112 c:\windows\DUMP5926.tmp

2008-12-27 18:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 16:15:43.31 ===============

ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 2/12/2005 4:12:24 AM

System Uptime: 6/14/2009 4:06:54 PM (0 hours ago)

Motherboard: IBM | | 2373K1U

Processor: Intel® Pentium® M processor 1.70GHz | None | 1694/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 6.978 GiB free.

D: is CDROM ()

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Access IBM

Access IBM Message Center

Adobe Download Manager 2.0 (Remove Only)

Adobe Flash Player 10 ActiveX

Adobe Reader 6.0

America Online (Choose which version to remove)

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

ATI HYDRAVISION

Atmel Tpm Install 2.1.1.01

AutoUpdate

Bonjour

CA Anti-Virus

CA Internet Security Suite

CA Pest Patrol Realtime Protection

DivX Codec

DivX Player

Free YouTube to iPod Converter version 3.1

Google Update Helper

Google Updater

Hotfix for Windows XP (KB952287)

IBM 32-bit Runtime Environment for Java 2, v1.4.1

IBM Access Connections

IBM Active Protection System

IBM DLA

IBM fingerprint software 4.5.3

IBM Integrated 56K Modem

IBM Rescue and Recovery with Rapid Restore

IBM Themes

IBM ThinkPad Battery MaxiMiser and Power Management Features

IBM ThinkPad Configuration

IBM ThinkPad EasyEject Utility

IBM ThinkPad Keyboard Customizer Utility

IBM ThinkPad Power Management Driver

IBM ThinkPad Presentation Director

IBM ThinkPad UltraNav Driver

IBM ThinkPad UltraNav Wizard

IBM ThinkVantage Technologies Welcome Message

IBM TrackPoint Accessibility Features

IBM Update Connector

Intel® PRO Network Adapters and Drivers

Intel® Sebring API

InterVideo AVControlSDK

InterVideo DeviceService

InterVideo WinDVD

iPod for Windows 2006-06-28

iTunes

Java 6 Update 5

LightScribe 1.4.124.1

Malwarebytes' Anti-Malware

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2003 Web Components

Microsoft Office Basic Edition 2003

Microsoft Office Converter Pack

Microsoft Office XP Web Components

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft XML Parser

MobileMe Control Panel

Move Networks Media Player for Internet Explorer

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

PC-Doctor for Windows

Pure Networks Port Magic

QuickTime

RealPlayer Basic

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

ThinkPad FullScreen Magnifier

ThinkPad Software Installer

Uninstall 1.0.0.1

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Viewpoint Media Player

Wallpapers

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 7

Windows Media Encoder 9 Series

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

6/9/2009 9:45:48 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .

6/9/2009 9:45:48 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\RarSFX0\basic\setup.exe. Reference error message: The operation completed successfully. .

6/9/2009 9:45:48 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

6/9/2009 9:17:49 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1f18000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.

6/9/2009 5:29:49 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1f04000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.

6/9/2009 5:14:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eectrl

6/9/2009 5:14:06 PM, error: Service Control Manager [7023] - The 6to4 service terminated with the following error: The specified module could not be found.

6/9/2009 5:14:06 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: dhcpsrv

6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The Ulead Burning Helper service failed to start due to the following error: The system cannot find the file specified.

6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The system cannot find the file specified.

6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The eylqmu service failed to start due to the following error: The system cannot find the file specified.

6/9/2009 4:57:43 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

6/9/2009 11:37:08 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1f0a000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.

6/9/2009 10:06:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC eectrl Fips IBMTPCHK intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ShockMgr Smapint Tcpip TDSMAPI TPHKDRV TPPWR TSMAPIP vet-filt vet-rec vetefile vetmonnt

6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/8/2009 9:55:38 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.

6/8/2009 9:33:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/8/2009 9:32:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

6/8/2009 9:30:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

6/8/2009 9:26:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}

6/8/2009 9:26:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

6/8/2009 9:23:52 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

6/8/2009 9:23:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

6/8/2009 9:22:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC eectrl Fips IBMTPCHK intelppm ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP vet-filt vet-rec vetefile vetmonnt

6/8/2009 10:28:37 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1f1a000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.

6/7/2009 8:23:33 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

6/7/2009 4:53:59 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.

6/13/2009 5:13:40 PM, error: System Error [1003] - Error code 100000d1, parameter1 e2016000, parameter2 00000002, parameter3 00000000, parameter4 ed8ceb00.

6/13/2009 10:19:30 PM, error: Service Control Manager [7000] - The silcmlni service failed to start due to the following error: A device attached to the system is not functioning.

6/12/2009 7:22:41 PM, error: Service Control Manager [7000] - The rwdixi service failed to start due to the following error: A device attached to the system is not functioning.

6/11/2009 10:47:40 PM, error: Service Control Manager [7034] - The avast!antivirus service terminated unexpectedly. It has done this 1 time(s).

6/11/2009 10:47:40 PM, error: Service Control Manager [7031] - The Windows Network Data Management System Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

==== End Of File ===========================

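As an added example (not part of the thread or of the DDS tool), a small Python parser for event-viewer lines in the DDS format shown above, pulling out the two findings a helper would look for: services with generated-looking names failing to start (Service Control Manager event 7000) and core TCP/IP drivers failing to load (event 7026), which fits the poster's later report of having no internet. The sample lines are constructed in the log's format, and the random-name rule is a heuristic, not a verdict.

```python
import re

# Constructed sample lines in the DDS event-log format seen in the thread (not a full log).
SAMPLE_LOG = """\
6/13/2009 10:19:30 PM, error: Service Control Manager [7000] - The silcmlni service failed to start due to the following error: A device attached to the system is not functioning.
6/12/2009 7:22:41 PM, error: Service Control Manager [7000] - The rwdixi service failed to start due to the following error: A device attached to the system is not functioning.
6/9/2009 10:06:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC eectrl Fips IBMTPCHK intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ShockMgr Smapint Tcpip TDSMAPI TPHKDRV TPPWR TSMAPIP vet-filt vet-rec vetefile vetmonnt
6/11/2009 10:47:40 PM, error: Service Control Manager [7034] - The avast!antivirus service terminated unexpectedly. It has done this 1 time(s).
"""

# Line shape: "<date> <time> AM/PM, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$")
# Drivers the Windows XP TCP/IP stack depends on; if these fail at boot, networking is gone.
NET_DRIVERS = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "RasAcd"}

def parse_events(text):
    """Parse DDS event-viewer lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events

def looks_random(name):
    """Heuristic only: short all-lowercase name containing a run of 3+ consonants."""
    return bool(re.fullmatch(r"[a-z]{5,8}", name)) and bool(re.search(r"[^aeiou]{3}", name))

def failed_services(events):
    """(service name, looks_random flag) for each SCM 7000 'failed to start' entry."""
    found = []
    for ev in events:
        if ev["id"] == 7000:
            m = re.match(r"The (.+?) service failed to start", ev["msg"])
            if m:
                found.append((m.group(1), looks_random(m.group(1))))
    return found

def failed_net_drivers(events):
    """Network-stack drivers named in SCM 7026 'failed to load' entries, sorted."""
    hit = set()
    for ev in events:
        if ev["id"] == 7026 and "failed to load:" in ev["msg"]:
            drivers = ev["msg"].split("failed to load:", 1)[1].split()
            hit.update(d for d in drivers if d in NET_DRIVERS)
    return sorted(hit)
```

Run it over the 7000 and 7026 lines of a real DDS log and compare the flagged service names against the O23 entries in the matching HijackThis log.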

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before you save it, please name it fun.exe. Afterwards, make sure it's saved to your Desktop!!!!

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Hi,

I cannot connect to the internet so I can't save combofix to my desktop. I tried to transfer it via flash drive, but it wouldn't work. It erased it right off the flash drive.

Can you please advise as to how I can run combofix without internet connection?

Thank you for all of your help.


According to the requested logs, I see you're infected with Virut, a polymorphic file-infector trojan. Virut infects all .exe, .scr and possibly htm, html, asp, and php files. You can get more info on virut ISO Recorder can do this too.

Here is a great tutorial on burning an ISO image here.

Setting your BIOS to boot from a CD may be required, go here for instructions.

Once Kaspersky Rescue Disk is burned successfully, reboot your computer, press any key to boot from CD, and the following will appear.

dosbootscreen.png

Hit Enter to start booting from Kaspersky Rescue Disk.

Please pick your appropriate language and hit Enter.

Kaspersky AntiVirus 2009 will appear; do not start a scan yet!!!!

kav2009.png

  • Click the Update tab, then on the Update now button.
  • When the update is complete, click on the Settings button.
  • Under Scan, set Security level to High and On Detection to Disinfection.
  • Under Threats and exclusions, click the Settings tab, and ensure everything is checked.
  • Click Apply then OK to return to the program.
  • Click the Scan tab.
  • The scan can take a long time, so please be patient and allow it to run to completion.
  • When the scan has completed, click the Reports button.
  • Save the report to your C: drive as KAV2008.txt.
  • Now reboot your computer and remove the CD and log into Windows.
  • Navigate to your C:\ drive, and post the KAV2009.txt as an attachment in your next reply.
  • Any questions, please post and I will reply as soon as possible. Thanks.

Hi,

I'm having trouble getting Kaspersky on a disc. This is what it says at kaspersky.com regarding the rescue disk program:

Dear User,

We are sorry to inform you that the Rescue Disk image is not currently available for download.

We recommend using the BartPE-based recovery disk.

We apologize for the inconvenience.

Sincerely,

Kaspersky Lab

here is where I read this: http://www.kaspersky.com/rescuedisk

Please advise. Thank you!


Hi,

I saved combofix as winlogon.exe on my usb drive but when I try to run it on the infected computer I get an error message that says something like "alert...it is not safe to continue...the contents may be compromised...download a fresh copy...note: you may be infected by virut."

I get this error message every time I try to run it from the usb. I also tried running it from a disc and got the same message. This happened a few days ago when I tried combofix too.

Anything else I can try?

By the way, I appreciate your help and patience.

Thanks.
