Trojan.vundo.h removal


I have picked up Trojan.vundo.h and need help to remove it.

The latest Malware log and HJT logs are pasted below.

Malwarebytes' Anti-Malware 1.41

Database version: 3081

Windows 5.1.2600 Service Pack 3

11/2/2009 6:35:38 AM

mbam-log-2009-11-02 (06-35-38).txt

Scan type: Quick Scan

Objects scanned: 111189

Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\mhlvcaeu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbde5300-5c14-4ff4-94f7-55ebe0632d85} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\txiqdeed (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{bbde5300-5c14-4ff4-94f7-55ebe0632d85} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{024a10b8-0442-4b73-98ad-3cbc810cde21} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{024a10b8-0442-4b73-98ad-3cbc810cde21} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{024a10b8-0442-4b73-98ad-3cbc810cde21} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\cmtvuso.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\mhlvcaeu.dll (Trojan.Vundo.H) -> Delete on reboot.

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:44:46 PM, on 11/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AntiFreeze\AntiFreeze.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberDefender\AntiSpyware\cdas5a.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.

*

* If you make changes to this file while the browser is running,

* the changes will be overwritten when the browser exits.

*

* To make a manual change to preferences, you can visit the URL about:config

* For more information, see http://www.mozilla.org/unix/customizing.html#prefs

*/

user_pref("browser.activation.checkedNNFlag", true);

user_pref("browser.bookmarks.added_static_root", true);

user_pref("browser.cache.check_doc_frequency", 1);

user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\TUCKERS\\APPLICATION DATA\\Mozilla\\Profiles\\default\\x3bgmjgg.slt");

user_pref("browser.display.screen_resolution", 96);

user_pref("browser.download.dir", "C:\\Documents and Settings\\TuckerS\\Desktop");

user_pref("browser.download.progressDnldDialog.keepAlive", false);

user_pref("browser.download.save_converter_index", 0);

user_pref("browser.downloadmanager.behavior", 1);

user_pref("browser.open.dir", "C:\\Document

N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.

*

* If you make changes to this file while the browser is running,

* the changes will be overwritten when the browser exits.

*

* To make a manual change to preferences, you can visit the URL about:config

* For more information, see http://www.mozilla.org/unix/customizing.html#prefs

*/

user_pref("browser.activation.checkedNNFlag", true);

user_pref("browser.bookmarks.added_static_root", true);

user_pref("browser.cache.check_doc_frequency", 1);

user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\TUCKERS\\APPLICATION DATA\\Mozilla\\Profiles\\default\\x3bgmjgg.slt");

user_pref("browser.display.screen_resolution", 96);

user_pref("browser.download.dir", "C:\\Documents and Settings\\TuckerS\\Desktop");

user_pref("browser.download.progressDnldDialog.keepAlive", false);

user_pref("browser.download.save_converter_index", 0);

user_pref("browser.downloadmanager.behavior", 1);

user_pref("browser.open.dir", "C:\\Document

O2 - BHO: (no name) - {024A10B8-0442-4B73-98AD-3CBC810CDE21} - C:\WINDOWS\system32\mhlvcaeu.dll

O2 - BHO: (no name) - {BBDE5300-5C14-4FF4-94F7-55EBE0632D85} - c:\windows\system32\cmtvuso.dll

O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\TuckerS\Local Settings\Application Data\CyberDefender\cdmyidd.dll

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [AntiFreeze] C:\Program Files\AntiFreeze\AntiFreeze.exe /splash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas5a.exe" /minimize

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250953988269

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1255958757408

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = col.missouri.edu

O17 - HKLM\Software\..\Telephony: DomainName = col.missouri.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = col.missouri.edu

O20 - Winlogon Notify: txiqdeed - C:\WINDOWS\SYSTEM32\cmtvuso.dll

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 6984 bytes

Here is the ComboFix log.

ComboFix 09-11-02.05 - TuckerS 11/03/2009 11:18.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.399 [GMT -5:00]

Running from: c:\documents and settings\TuckerS\My Documents\Downloads\ComboFix.exe

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {7E92415B-FE9C-4227-86F2-C10203493A87}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\TuckerS\nah_log.dat

c:\program files\Mozilla Firefox\componentes

c:\program files\Mozilla Firefox\componentes\browser.xpt

c:\program files\Mozilla Firefox\componentes\chemdraw90.xpt

c:\program files\Mozilla Firefox\componentes\compreg.dat

c:\program files\Mozilla Firefox\componentes\flashplayer.xpt

c:\program files\Mozilla Firefox\componentes\GoogleDesktopMozilla.dll

c:\program files\Mozilla Firefox\componentes\GoogleDesktopMozillaStub.js

c:\program files\Mozilla Firefox\componentes\GoogleDesktopMozillaStub.xpt

c:\program files\Mozilla Firefox\componentes\jar50.dll

c:\program files\Mozilla Firefox\componentes\jsconsole-clhandler.js

c:\program files\Mozilla Firefox\componentes\jsd3250.dll

c:\program files\Mozilla Firefox\componentes\npSfAppM.xpt

c:\program files\Mozilla Firefox\componentes\nsCloseAllWindows.js

c:\program files\Mozilla Firefox\componentes\nsDictionary.js

c:\program files\Mozilla Firefox\componentes\nsExtensionManager.js

c:\program files\Mozilla Firefox\componentes\nsHelperAppDlg.js

c:\program files\Mozilla Firefox\componentes\nsIQTScriptablePlugin.xpt

c:\program files\Mozilla Firefox\componentes\nsProxyAutoConfig.js

c:\program files\Mozilla Firefox\componentes\nsSetDefaultBrowser.js

c:\program files\Mozilla Firefox\componentes\nsSidebar.js

c:\program files\Mozilla Firefox\componentes\nsUpdateService.js

c:\program files\Mozilla Firefox\componentes\nsXmlRpcClient.js

c:\program files\Mozilla Firefox\componentes\xpinstal.dll

c:\windows\system32\cmtvuso.dll

c:\windows\system32\drivers\giyyciag.sys

c:\windows\system32\drivers\nizgmbcx.sys

c:\windows\system32\gldsfnb.dll

c:\windows\system32\mhlvcaeu.dll

----- BITS: Possible infected sites -----

hxxp://wsus-b.iats.missouri.edu

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CTQNDCHD

-------\Legacy_NIZGMBCX

-------\Legacy_TDSSSERV.SYS

-------\Service_ctqndchd

-------\Service_nizgmbcx

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))

.

2009-11-02 02:44 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-02 02:44 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-02 02:44 . 2009-11-02 02:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-22 19:49 . 2009-10-23 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-10-22 18:39 . 2009-10-22 18:39 -------- d-----w- c:\program files\AntiFreeze

2009-10-22 17:02 . 2009-10-22 18:25 -------- d-----w- c:\windows\LMI8.tmp

2009-10-22 16:56 . 2009-10-22 16:56 -------- d-----w- c:\documents and settings\TuckerS\Local Settings\Application Data\CyberDefender

2009-10-22 16:53 . 2009-10-22 16:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS

2009-10-22 16:53 . 2009-10-22 17:43 -------- d-----w- c:\windows\LMI3.tmp

2009-10-22 13:07 . 2009-10-22 13:06 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys

2009-10-22 13:07 . 2009-10-26 12:32 -------- d-----w- c:\program files\CyberDefender

2009-10-22 01:49 . 2009-10-22 01:49 -------- d-----w- c:\documents and settings\TuckerS\Application Data\OverDrive

2009-10-22 01:41 . 2009-10-22 01:41 -------- d-----w- c:\program files\OverDrive Media Console

2009-10-19 14:14 . 2009-10-19 14:14 -------- d-----w- c:\documents and settings\TuckerS\log

2009-10-17 21:19 . 2009-10-31 21:44 -------- d-----w- c:\documents and settings\TuckerS\Application Data\Move Networks

2009-10-08 00:56 . 2008-04-14 10:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll

2009-10-08 00:56 . 2008-04-14 10:41 28160 ----a-w- c:\windows\system32\irmon.dll

2009-10-08 00:56 . 2008-04-14 10:42 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe

2009-10-08 00:56 . 2008-04-14 10:42 151552 ----a-w- c:\windows\system32\irftp.exe

2009-10-08 00:56 . 2008-04-14 10:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2009-10-08 00:56 . 2008-04-14 10:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2009-10-08 00:55 . 2009-11-03 16:28 1660 ----a-w- c:\windows\bthservsdp.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-02 15:30 . 2005-12-25 16:21 -------- d-----w- c:\program files\Documents To Go

2009-10-26 02:39 . 2005-12-25 15:45 -------- d-----w- c:\program files\Palm

2009-10-21 00:03 . 2009-08-17 02:01 -------- d-----w- c:\program files\Trend Micro

2009-10-20 01:44 . 2009-09-29 14:00 -------- d-----w- c:\documents and settings\TuckerS\Application Data\HPAppData

2009-10-15 13:20 . 2009-09-18 13:17 10752 ----a-w- c:\windows\DCEBoot.exe

2009-10-08 18:57 . 2007-10-09 19:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 18:57 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 18:56 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2009-10-05 14:58 . 2005-08-26 19:44 -------- d-----w- c:\program files\Google

2009-09-29 21:16 . 2009-09-17 11:57 -------- d-----w- c:\documents and settings\TuckerS\Application Data\GARMIN

2009-09-27 18:05 . 2009-09-27 18:05 -------- d-----w- c:\documents and settings\TuckerS\Application Data\HP

2009-09-22 02:44 . 2009-09-22 02:43 -------- d-----w- c:\documents and settings\TuckerS\Application Data\HpUpdate

2009-09-22 02:44 . 2009-09-21 01:07 -------- d-----w- c:\program files\HP

2009-09-21 02:41 . 2009-09-21 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG

2009-09-21 02:38 . 2009-09-21 02:10 186577 ----a-w- c:\windows\hpwins23.dat

2009-09-21 02:26 . 2009-09-21 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-09-21 02:22 . 2009-09-21 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-09-21 02:16 . 2009-09-21 02:16 -------- d-----w- c:\program files\Common Files\HP

2009-09-21 02:16 . 2009-09-21 02:16 -------- d-----w- c:\program files\Hewlett-Packard

2009-09-21 01:09 . 2009-09-21 01:09 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-09-19 02:50 . 2009-09-19 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN

2009-09-19 02:22 . 2009-09-19 01:21 -------- d-----w- c:\documents and settings\TuckerS\Application Data\Download Manager

2009-09-18 11:48 . 2005-08-25 18:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-18 11:28 . 2005-08-25 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-18 02:58 . 2008-06-14 02:38 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-17 11:56 . 2009-09-17 11:56 -------- d-----w- c:\program files\Garmin GPS Plugin

2009-09-17 11:56 . 2009-09-17 11:56 -------- d-----w- c:\program files\DIFX

2009-09-17 11:56 . 2009-09-17 11:56 -------- d-----w- c:\program files\Garmin

2009-09-11 14:18 . 2004-08-04 06:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 06:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-04 06:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 06:56 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\TuckerS\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-10-22 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AntiFreeze"="c:\program files\AntiFreeze\AntiFreeze.exe" [2007-12-16 139776]

"CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\cdas5a.exe" [2009-10-26 738632]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-06-01 03:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk

backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MDM"=2 (0x2)

"MBAMService"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"IntuitUpdateService"=2 (0x2)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=3 (0x3)

"GoogleDesktopManager-061008-081103"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Palm\\Hotsync.exe"=

"c:\\WINDOWS\\system32\\searchprotocolhost.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=

"c:\\Program Files\\PIXELA\\ImageMixer3\\HDDCameraMonitor.exe"=

"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\jucheck.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas5a.exe"=

R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [11/3/2005 9:43 AM 6144]

R2 HPFECP11;HPFECP11;c:\windows\system32\drivers\HPFecp11.sys [9/18/2005 12:38 PM 52800]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/1/2009 9:44 PM 269648]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/1/2009 9:44 PM 19160]

S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [10/22/2009 8:07 AM 67424]

S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [6/1/2008 7:54 PM 428160]

S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/26/2005 2:44 PM 29744]

S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1/29/2009 12:11 AM 13088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Malwarebytes' Scheduled Scan for TuckerS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-02 19:53]

2009-11-03 c:\windows\Tasks\Malwarebytes' Scheduled Update for TuckerS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-02 19:53]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

FF - ProfilePath - c:\documents and settings\TuckerS\Application Data\Mozilla\Firefox\Profiles\cs1x58uq.default\

FF - plugin: c:\documents and settings\TuckerS\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\TuckerS\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\TuckerS\Application Data\Mozilla\Firefox\Profiles\cs1x58uq.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCDP32.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll

FF - HiddenExtension: XUL Cache: {4C1A913D-3BAE-48B6-9225-AF554D907B1F} - c:\documents and settings\TuckerS\Local Settings\Application Data\{4C1A913D-3BAE-48B6-9225-AF554D907B1F}

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

BHO-{024A10B8-0442-4B73-98AD-3CBC810CDE21} - c:\windows\system32\mhlvcaeu.dll

Toolbar-Locked - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-03 11:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AntiFreeze = c:\program files\AntiFreeze\AntiFreeze.exe /splash???????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1684)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1928)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\brss01a.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\SearchIndexer.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

.

**************************************************************************

.

Completion time: 2009-11-03 11:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-03 16:43

Pre-Run: 9,018,302,464 bytes free

Post-Run: 8,883,077,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
