Help needed! I think I Trojan:Win32/Vundo.gen!R may be my root cause!


lowpost99

I downloaded a DVD transcoder/burner util from usenet (bad) and I got a warning about Trojan:Win32/Vundo.gen!R from Windows Defender. I canceled the install to be safe, ran it again to see if the same warning would come back and got none. Proceeded with the install and issues have begun (worse even). Apparently my luck may have run out, as I began to get AVs on exes associated with my malware products, my video driver blue screened the box, and my DVD burner writes data but doesn't read the same discs that my DVD player sees fine; the computer sees them as blank and needing formatting.

Hope there's still help for me yet, Thanks in advance, let me know if any additional data/information is needed,

lowpost99

Here is my MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1200

Windows 6.0.6001 Service Pack 1

9/24/2008 12:25:04 PM

mbam-log-2008-09-24 (12-25-04).txt

Scan type: Quick Scan

Objects scanned: 48888

Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here's the Panda Scan,

;*******************************************************************************************************

ANALYSIS: 2008-09-24 12:22:14

PROTECTIONS: 1

MALWARE: 37

SUSPECTS: 5

;*******************************************************************************************************

PROTECTIONS

Description Version Active Updated

;=======================================================================================================

Windows Defender 1.1.3903.0 No No

;=======================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;=======================================================================================================

00095508 Adware/nCase Adware No 0 Yes No H:\Utils\Serials\Keygens\sims\file3.zip[Run.exe]

00095508 Adware/nCase Adware No 0 Yes No H:\Utils\Serials\Keygens\sims\file6.zip[Run.exe]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@trafficmp[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@atdmt[2].txt

00139535 Application/Processor HackTools No 0 Yes No H:\Utils\smitRem.exe[smitRem/Process.exe]

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@tradedoubler[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@247realmedia[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@fastclick[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@tribalfusion[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@mediaplex[1].txt

00145758 Cookie/Mysearch TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\lowpost@mysearch[1].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@linksynergy[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@clickbank[1].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@findwhat[1].txt

00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@www.myaffiliateprogram[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@xiti[1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@azjmp[2].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@statcounter[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@ad.yieldmanager[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@apmebf[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@advertising[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@ads.pointroll[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@questionmarket[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@zedo[2].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@adrevolver[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@go[1].txt

00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@ehg-dig.hitbox[1].txt

00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@citi.bridgetrack[1].txt

00505668 Application/MyWebSearch HackTools Yes 0 Yes No C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Users\lowpost\AppData\Roaming\Microsoft\Windows\Cookies\Low\lowpost@enhance[2].txt

01891534 Generic Malware Virus/Trojan No 0 No No H:\Utils\DVD Burning\Apollo.DVD.Creator.v3.6.0.WinALL.Cracked-CzW\CzW.rar[Crack\Apollo DVD Creator.exe]

01891534 Generic Malware Virus/Trojan No 0 Yes No H:\Utils\DVD Burning\Apollo.DVD.Creator.v3.6.0.WinALL.Cracked-CzW\CzW\Crack\Apollo DVD Creator.exe

02935399 Adware/Zango Adware No 0 Yes No H:\Grabit Files\NZBs\Setup.exe

03398240 Adware/AntiSpywareMaster Adware No 0 Yes No C:\Users\lowpost\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3Y23EKCG\data[1].htm

03398240 Adware/AntiSpywareMaster Adware No 0 Yes No C:\Users\lowpost\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5CIN8MJI\data[1].htm

03398240 Adware/AntiSpywareMaster Adware No 0 Yes No C:\Users\lowpost\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W3TS19IJ\data[1].htm

03738695 Generic Malware Virus/Trojan No 0 Yes No H:\Utils\DVD Burning\CDRApps\Ahead Nero8\keygen.exe

;=======================================================================================================

SUSPECTS

Sent Location

;=======================================================================================================

No H:\Utils\DVD Burning\Aone\Aone.Movie.DVD.Maker.v1.6.6\Aone.Movie.DVD.Maker.v1.6.6\keygen\keygen.exe

No H:\Utils\DVD Burning\Aone\Aone.Ultra.DVD.Creator.v1.6.8\Aone.Ultra.DVD.Creator.v1.6.8\keygen\keygen.exe

No H:\Utils\Serials\Cracks\PCMark2002_build_100_by_KaliM.zip[PCMark.exe]

No H:\Utils\Serials\Cracks\WinRAR_Univesal_Crack_All_Version_3[1].xx.zip[winrar3uni_crk.exe]

No H:\Utils\Serials\Keygens\nav2004keygen.zip[keygen.exe]

;=======================================================================================================

VULNERABILITIES

Id Severity Description

;=======================================================================================================

;=======================================================================================================

Here is the HJ log:

Logfile of HijackThis v1.99.1

Scan saved at 10:36:40 AM, on 9/24/2008

Platform: Unknown Windows (WinNT 6.00.1905 SP1)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Windows\System32\CtHelper.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

D:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

C:\Windows\ehome\ehtray.exe

E:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

H:\Utils\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [CTZDetec.exe] d:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D8696-EC81-4C7B-9741-4CF7D135D866}: NameServer = 68.87.68.162,68.87.74.162

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks JeanInMontana,

Here's the new HJ from the installed version,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:24:01 PM, on 9/24/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Windows\System32\CtHelper.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

D:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

C:\Windows\ehome\ehtray.exe

E:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Windows\System32\rundll32.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

D:\Program Files\DVDFab Platinum 4\DVDFabPlatinum.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [CTZDetec.exe] d:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D8696-EC81-4C7B-9741-4CF7D135D866}: NameServer = 68.87.68.162,68.87.74.162

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--

End of file - 7285 bytes

And the updated MBAM as well. It did not report anything the last two times; the first time, I told it and S&D to remove all selected items.

Malwarebytes' Anti-Malware 1.28

Database version: 1200

Windows 6.0.6001 Service Pack 1

9/24/2008 5:28:37 PM

mbam-log-2008-09-24 (17-28-37).txt

Scan type: Quick Scan

Objects scanned: 48936

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hi lowpost99 and welcome to Malwarebytes. Please get this version HiJack This! Install it to Program files, update MBAM, run a quick scan, post the MBAM log and then a new HJT log from the new version.

Thanks JeanInMontana,

Here's the new HJ from the installed version,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:24:01 PM, on 9/24/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Windows\System32\CtHelper.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

D:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

C:\Windows\ehome\ehtray.exe

E:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Windows\System32\rundll32.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

D:\Program Files\DVDFab Platinum 4\DVDFabPlatinum.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [CTZDetec.exe] d:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D8696-EC81-4C7B-9741-4CF7D135D866}: NameServer = 68.87.68.162,68.87.74.162

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--

End of file - 7285 bytes

And the updated MBAM as well. It did not report anything the last two times; the first time, I told it and S&D to remove all selected items.

Malwarebytes' Anti-Malware 1.28

Database version: 1200

Windows 6.0.6001 Service Pack 1

9/24/2008 5:28:37 PM

mbam-log-2008-09-24 (17-28-37).txt

Scan type: Quick Scan

Objects scanned: 48936

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Yesterday morning the DB for MBAM was 1202, so at 5 PM you show 1200? You didn't update, or we have a problem.

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

Those are all Ask Jeeves, a borderline item; if you installed it by choice, fine, otherwise I would get rid of it.

Please update MBAM and run a quick scan, post the log. Are you having symptoms?

Ahhh, I see you like to steal.

H:\Utils\DVD Burning\CDRApps\Ahead Nero8\keygen.exe

H:\Utils\DVD Burning\Aone\Aone.Movie.DVD.Maker.v1.6.6\Aone.Movie.DVD.Maker.v1.6.6\keygen\keygen.exe

H:\Utils\DVD Burning\Aone\Aone.Ultra.DVD.Creator.v1.6.8\Aone.Ultra.DVD.Creator.v1.6.8\keygen\keygen.exe

H:\Utils\Serials\Cracks\PCMark2002_build_100_by_KaliM.zip[PCMark.exe]

H:\Utils\Serials\Cracks\WinRAR_Univesal_Crack_All_Version_3[1].xx.zip[winrar3uni_crk.exe]

H:\Utils\Serials\Keygens\nav2004keygen.zip[keygen.exe] <======= That's against the law! All of those are ripped-off, stolen programs, and you got just what you deserved for stealing. We're done here.


This topic is now closed to further replies.