
Infected with: Vundo and Highjack.Regedit



hello,

I am new to the forums, but not new to computers. I have used several programs to detect and remove all the spam that this trojan threw on my computer beforehand, including SUPERAntiSpyware 4.24 and Malwarebytes. I am currently running the machine with the registry locked to prevent it from being modified. It appears most of Vundo has been removed, but there appear to be some things I still have not been able to remove. Here is the HJT log:

--Start Log--

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:09:24, on 1/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TDispVol.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\system32\dla\DLACTRLW.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Documents and Settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Documents and Settings\Daniel Ramirez\Desktop\QuickLock.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {ae2d9208-55f6-4d6b-88ae-b5b7b940bcae} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TDispVol] TDispVol.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210125727101

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll

O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\zufusade.dll c:\windows\system32\hatutiza.dll c:\windows\system32\yovinumo.dll c:\windows\system32\tadeyike.dll oxjyuz.dll swkxyn.dll c:\windows\system32\ruvoziyi.dll //* This is the problem, I remove it but it keeps resurfacing.

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--

End of file - 9983 bytes

I haven't figured out much about the Highjack.Regedit except that it's a registry key that keeps resurfacing, so I assume that it is the Vundo, or whatever keeps resurfacing it, that puts this registry key back in.

Thanks for the help in advance.

Dreamx87


I need the Malwarebytes log please.

I am starting to get an updated one for you now. As I have been on the network a bit, since this is my only computer at this time, I need to get all the information viable before I take it off the network for repairs.

On a side note, I noticed that it has been telling my browser to go to this address. I am leaving the address broken so people do not click on it by mistake, but if you want to know the full one, maybe it could give you an idea of what we are dealing with.

<remove link>

It has been identified as Vundo.H; that is as much as I can give you until the new log comes out.


In a few words, what is left seems to be adware, and it also appears that this Vundo is tracking my Google searches and uploading them to some server. T.T I am being watched O.o.


Malwarebytes' Anti-Malware 1.32

Database version: 1648

Windows 5.1.2600 Service Pack 3

1/14/2009 1:55:12 AM

mbam-log-2009-01-14 (01-55-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 158895

Time elapsed: 1 hour(s), 1 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I've removed the links, don't want anyone else to get infected. :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


OK, I followed the steps you requested. The first time through, my Online Armor firewall gave a gazillion warnings, so I rebooted to safe mode and performed the scan there. It deleted a lot of things, and after the scan it rebooted itself and tried to save a log, but received an "access denied" error and did not save a log. So I ran it again and this is what I got. Don't know why it couldn't save the first log.

ComboFix 09-01-13.04 - Daniel Ramirez 2009-01-14 12:21:03.4 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.809 [GMT -5:00]

Running from: c:\documents and settings\Daniel Ramirez\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FW: Online Armor Firewall *enabled*

--Start Log--

.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))

.

2009-01-14 01:15 . 2009-01-14 01:15 <DIR> d-------- c:\program files\Tall Emu

2009-01-14 01:15 . 2009-01-14 12:05 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\OnlineArmor

2009-01-14 01:15 . 2009-01-14 01:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor

2009-01-14 01:15 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys

2009-01-14 01:15 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys

2009-01-14 01:15 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys

2009-01-13 18:14 . 2009-01-14 00:37 250 --a------ c:\windows\gmer.ini

2009-01-13 17:02 . 2009-01-13 17:02 <DIR> d-------- c:\program files\Trend Micro

2009-01-13 15:41 . 2009-01-13 15:45 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner

2009-01-13 13:47 . 2009-01-13 13:47 61,440 --a------ c:\windows\system32\drivers\nzhy.sys

2009-01-13 10:52 . 2009-01-13 10:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-13 10:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-13 10:52 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-13 10:41 . 2009-01-13 10:40 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-10 15:24 . 2009-01-10 15:24 <DIR> d-------- C:\VundoFix Backups

2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes

2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-10 00:18 . 2002-12-29 01:14 81,920 --a------ c:\windows\system32\Startup.cpl

2009-01-10 00:12 . 2009-01-10 00:13 <DIR> d-------- c:\program files\CCleaner

2009-01-10 00:10 . 2009-01-10 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-01-03 00:26 . 2009-01-10 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com

2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-03 00:25 . 2009-01-03 00:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-02 20:27 . 2009-01-13 12:32 <DIR> d--h----- C:\$AVG8.VAULT$

2009-01-01 21:52 . 2009-01-01 21:52 <DIR> d-------- c:\program files\Electronic Arts

2009-01-01 21:48 . 2009-01-01 21:48 <DIR> d-------- c:\windows\Logs

2008-12-30 19:27 . 2008-12-30 19:27 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\dvdcss

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-13 23:11 --------- d-----w c:\program files\Java

2009-01-13 23:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-13 22:42 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\AdobeUM

2009-01-13 04:27 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent

2009-01-10 17:14 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-10 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-10 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-01-10 04:29 --------- d-----w c:\program files\Google

2009-01-09 04:28 --------- d-----w c:\program files\Gpotato

2009-01-08 02:07 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\U3

2009-01-03 05:14 --------- d-----w c:\program files\Starcraft

2008-12-11 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-06 19:55 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Digsby

2008-12-06 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby

2008-12-05 01:09 --------- d-----w c:\program files\Digsby

2008-12-05 00:11 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\acccore

2008-12-05 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP

2008-12-05 00:05 --------- d-----w c:\program files\AIM6

2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore

2008-12-04 23:43 --------- d-----w c:\program files\Common Files\AOL

2008-11-27 02:16 --------- d-----w c:\program files\Alex Feinman

2008-11-25 19:59 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys

2008-11-25 19:59 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys

2008-11-25 19:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll

2008-11-24 05:39 --------- d-----w c:\program files\Microsoft Silverlight

2008-11-22 00:37 --------- d-----w c:\program files\ConTEXT

2008-11-21 01:28 --------- d-----w c:\program files\Microsoft SQL Server

2008-11-21 01:24 --------- d-----w c:\program files\Microsoft Visual Studio 9.0

2008-11-20 06:30 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Hamachi

2008-11-20 04:10 --------- d-----w c:\program files\Paint.NET

2008-11-15 14:50 --------- d-----w c:\program files\Microsoft Synchronization Services

2008-11-15 14:50 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition

2008-11-15 14:44 --------- d-----w c:\program files\Microsoft SDKs

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-09-09 09:05 1,852,928 ----a-w c:\documents and settings\Daniel Ramirez\Neuz.exe

2008-06-27 15:56 480 ----a-w c:\documents and settings\Daniel Ramirez\Application Data\wklnhst.dat

2004-09-03 03:12 370,688 ----a-w c:\documents and settings\Daniel Ramirez\mss32.dll

1601-01-01 00:12 62,464 --sha-w c:\windows\system32\kerojade.dll

1601-01-01 00:12 62,464 --sha-w c:\windows\system32\nomadani.dll

1601-01-01 00:12 69,120 --sha-w c:\windows\system32\zufajudi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]

"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"TFncKy"="TFncKy.exe" [bU]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]

"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-12-13 886984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-11-18 14:21 133104 c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 18:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"Start BT in service"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Gpotato\\Flyff\\Updater.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Soldat\\Soldat.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\age2_x1.exe"=

"c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\empires2.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\xampplite\\apache\\bin\\apache.exe"=

"c:\\xampplite\\mysql\\bin\\mysqld.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 97928]

S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-01-14 178376]

S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-01-14 30920]

S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-01-14 28872]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2008-05-07 2385896]

S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704]

S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 76040]

S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-01-14 1402568]

S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]

S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-01-14 3321032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8eda-1c3e-11dd-a875-00130272ec4c}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8edb-1c3e-11dd-a875-00130272ec4c}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:

\Shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8e3e0d-bb7f-11dd-a8e1-001167c2a86b}]

\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436485955-983440248-2884829265-1005.job

- c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 14:21]

2009-01-14 c:\windows\Tasks\kwibhtpk.job

- c:\windows\SYSTEM32\rundll32.exe [2008-04-13 19:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\umctl307.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-14 12:25:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-01-14 12:28:12

ComboFix-quarantined-files.txt 2009-01-14 17:28:10

ComboFix2.txt 2009-01-14 16:45:21

Pre-Run: 81,834,303,488 bytes free

Post-Run: 81,815,052,288 bytes free

231 --- E O F --- 2008-12-19 08:01:41

--End Log--

Waiting on more instructions, blocking all network traffic and locking registry again.

dreamx87

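The entries the two logs above turn on are exactly the ones a triage script can pull out mechanically: the O20 AppInit_DLLs value in the first HijackThis log (every DLL listed there is loaded by user32.dll into every process that links user32, which is why a running process can keep rewriting the value after it is cleared), the three DLLs in the ComboFix Find3M report dated 1601-01-01 (the Windows FILETIME epoch, i.e. a zeroed timestamp) with hidden and system attributes, the mountpoints2 AutoRun handlers that route through rundll32 ShellExec_RunDLL to a .com file on a removable drive, and a scheduled task with a random name whose only target is rundll32.exe. The Python helper below is an added example, not code from this thread, from Malwarebytes or from ComboFix. It runs over a constructed sample assembled from lines quoted in the posts above. Treating avgrsstx.dll as AVG's own AppInit hook is an assumption (the ComboFix log lists it alongside AVG's drivers with the same date); the rules are heuristics and do not, for instance, flag nzhy.sys, which the responder's CFScript removes by name.

```python
"""Triage helper for HijackThis / ComboFix text logs (added example)."""
import re
from dataclasses import dataclass

# ASSUMPTION: avgrsstx.dll is AVG 8's own user-mode hook on this machine
# (the ComboFix log dates it with AVG's drivers). Extend per environment.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def check_appinit(line: str) -> list:
    """HJT O20 line: AppInit_DLLs is normally empty on XP, so every DLL
    that is not explicitly known is a finding (paths or bare names)."""
    m = re.match(r"O20 - AppInit_DLLs:\s*(.*)", line)
    if not m:
        return []
    value = m.group(1).split("//", 1)[0]   # drop a poster's inline note
    return [Finding("appinit_dll", tok) for tok in value.split()
            if _basename(tok) not in APPINIT_ALLOWLIST]


_CF_FILE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"          # timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"    # 2nd timestamp (Files Created section)
    r"\s+(?:<DIR>|[\d,]+)\s+([-a-z]+)\s+(.+)$")  # size, attribute flags, path


def check_combofix_file(line: str) -> list:
    """ComboFix file line: a 1601-01-01 date means the FILETIME was zeroed;
    hidden+system files dropped into system32 are the other classic sign."""
    m = _CF_FILE.match(line.strip())
    if not m:
        return []
    date, attrs, path = m.groups()
    if date == "1601-01-01":
        return [Finding("zeroed_timestamp", path)]
    if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
        return [Finding("hidden_system_file", path)]
    return []


def check_autorun(line: str) -> list:
    """mountpoints2 handlers: flag AutoRun/Open commands that go through
    rundll32 ShellExec_RunDLL or launch a .com file from the drive."""
    m = re.match(r"\\Shell\\(AutoRun|Open)\\command - (.+)", line.strip())
    if not m:
        return []
    verb, cmd = m.groups()
    low = cmd.lower()
    if "shellexec_rundll" in low or _basename(low.split()[0]).endswith(".com"):
        return [Finding("autorun_" + verb.lower(), cmd)]
    return []


_TASK = re.compile(r"c:\\windows\\Tasks\\(\S+)\.job", re.I)


def check_tasks(lines: list) -> list:
    """Scheduled Tasks section: the target is on the following '- ' line;
    a task whose whole target is rundll32.exe has nothing legitimate to do."""
    out = []
    for i, line in enumerate(lines):
        m = _TASK.search(line)
        if not m or i + 1 >= len(lines):
            continue
        nxt = lines[i + 1].strip()
        if nxt.startswith("- ") and _basename(nxt[2:].split(" [")[0]) == "rundll32.exe":
            out.append(Finding("task_rundll32", m.group(1) + ".job"))
    return out


def scan(text: str) -> list:
    lines = [l for l in text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        findings += check_appinit(line)
        findings += check_combofix_file(line)
        findings += check_autorun(line)
    findings += check_tasks(lines)
    return findings


# Constructed sample: lines taken from the HJT and ComboFix logs in the thread.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\zufusade.dll c:\windows\system32\hatutiza.dll c:\windows\system32\yovinumo.dll c:\windows\system32\tadeyike.dll oxjyuz.dll swkxyn.dll c:\windows\system32\ruvoziyi.dll //* This is the problem, I remove it but it keeps resurfacing.
2009-01-13 13:47 . 2009-01-13 13:47 61,440 --a------ c:\windows\system32\drivers\nzhy.sys
2008-11-25 19:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll
1601-01-01 00:12 62,464 --sha-w c:\windows\system32\kerojade.dll
1601-01-01 00:12 62,464 --sha-w c:\windows\system32\nomadani.dll
1601-01-01 00:12 69,120 --sha-w c:\windows\system32\zufajudi.dll
\Shell\AutoRun\command - E:\LaunchU3.exe -a
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - f:\resycled\boot.com f:
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe
2009-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436485955-983440248-2884829265-1005.job
- c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 14:21]
2009-01-14 c:\windows\Tasks\kwibhtpk.job
- c:\windows\SYSTEM32\rundll32.exe [2008-04-13 19:12]
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:18} {f.detail}")
```

On the sample it reports the seven unknown AppInit DLLs, the three zero-dated DLLs, the two resycled\boot.com handlers and kwibhtpk.job, and stays quiet on the U3 and WD launchers, the Google Update task and AVG's hook. The output is a worklist for the File:: section of a CFScript, not a verdict: anything it names still needs a look at the file itself.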

Please perform these steps in normal mode.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\drivers\nzhy.sys

c:\windows\system32\kerojade.dll

c:\windows\system32\nomadani.dll

c:\windows\system32\zufajudi.dll

f:\resycled\boot.com

c:\windows\Tasks\kwibhtpk.job

Folder::

C:\VundoFix Backups

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Here it is. I uninstalled Online Armor to avoid as many conflicts as possible with ComboFix; it is reinstalled now, so don't mind the no-firewall notice.

--HJT Log Updated Thu., Jan 15, 2009--

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:34:48, on 1/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\dla\DLACTRLW.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\TDispVol.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [TDispVol] TDispVol.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210125727101

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--

End of file - 8197 bytes

--End HJT Log--

--ComboFix Log Start--

ComboFix 09-01-13.04 - Daniel Ramirez 2009-01-14 23:58:35.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -5:00]

Running from: c:\documents and settings\Daniel Ramirez\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Daniel Ramirez\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\drivers\nzhy.sys

c:\windows\system32\kerojade.dll

c:\windows\system32\nomadani.dll

c:\windows\system32\zufajudi.dll

c:\windows\Tasks\kwibhtpk.job

f:\resycled\boot.com

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\VundoFix Backups

c:\windows\system32\drivers\nzhy.sys

c:\windows\system32\kerojade.dll

c:\windows\system32\nomadani.dll

c:\windows\Tasks\kwibhtpk.job

.

((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))

.

2009-01-13 18:14 . 2009-01-14 00:37 250 --a------ c:\windows\gmer.ini

2009-01-13 17:02 . 2009-01-13 17:02 <DIR> d-------- c:\program files\Trend Micro

2009-01-13 15:41 . 2009-01-13 15:45 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner

2009-01-13 10:52 . 2009-01-13 10:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-13 10:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-13 10:52 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-13 10:41 . 2009-01-13 10:40 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes

2009-01-10 13:31 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-10 00:18 . 2002-12-29 01:14 81,920 --a------ c:\windows\system32\Startup.cpl

2009-01-10 00:12 . 2009-01-10 00:13 <DIR> d-------- c:\program files\CCleaner

2009-01-10 00:10 . 2009-01-10 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-01-03 00:26 . 2009-01-10 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com

2009-01-03 00:26 . 2009-01-03 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-03 00:25 . 2009-01-03 00:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-02 20:27 . 2009-01-14 20:39 <DIR> d--h----- C:\$AVG8.VAULT$

2009-01-01 21:52 . 2009-01-01 21:52 <DIR> d-------- c:\program files\Electronic Arts

2009-01-01 21:48 . 2009-01-01 21:48 <DIR> d-------- c:\windows\Logs

2008-12-30 19:27 . 2008-12-30 19:27 <DIR> d-------- c:\documents and settings\Daniel Ramirez\Application Data\dvdcss

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-13 23:11 --------- d-----w c:\program files\Java

2009-01-13 23:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-13 22:42 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\AdobeUM

2009-01-13 04:27 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent

2009-01-10 17:14 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-10 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-10 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-01-10 04:29 --------- d-----w c:\program files\Google

2009-01-09 04:28 --------- d-----w c:\program files\Gpotato

2009-01-08 02:07 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\U3

2009-01-03 05:14 --------- d-----w c:\program files\Starcraft

2008-12-11 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-06 19:55 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Digsby

2008-12-06 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby

2008-12-05 01:09 --------- d-----w c:\program files\Digsby

2008-12-05 00:11 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\acccore

2008-12-05 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP

2008-12-05 00:05 --------- d-----w c:\program files\AIM6

2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2008-12-04 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore

2008-12-04 23:43 --------- d-----w c:\program files\Common Files\AOL

2008-11-27 02:16 --------- d-----w c:\program files\Alex Feinman

2008-11-25 19:59 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys

2008-11-25 19:59 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys

2008-11-25 19:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll

2008-11-24 05:39 --------- d-----w c:\program files\Microsoft Silverlight

2008-11-22 00:37 --------- d-----w c:\program files\ConTEXT

2008-11-21 01:28 --------- d-----w c:\program files\Microsoft SQL Server

2008-11-21 01:24 --------- d-----w c:\program files\Microsoft Visual Studio 9.0

2008-11-20 06:30 --------- d-----w c:\documents and settings\Daniel Ramirez\Application Data\Hamachi

2008-11-20 04:10 --------- d-----w c:\program files\Paint.NET

2008-11-15 14:50 --------- d-----w c:\program files\Microsoft Synchronization Services

2008-11-15 14:50 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition

2008-11-15 14:44 --------- d-----w c:\program files\Microsoft SDKs

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-09-09 09:05 1,852,928 ----a-w c:\documents and settings\Daniel Ramirez\Neuz.exe

2008-06-27 15:56 480 ----a-w c:\documents and settings\Daniel Ramirez\Application Data\wklnhst.dat

2004-09-03 03:12 370,688 ----a-w c:\documents and settings\Daniel Ramirez\mss32.dll

.

((((((((((((((((((((((((((((( snapshot@2009-01-14_11.43.34.28 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"TFncKy"="TFncKy.exe" [bU]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]

"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-11-18 14:21 133104 c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 18:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"Start BT in service"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Gpotato\\Flyff\\Updater.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Soldat\\Soldat.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\age2_x1.exe"=

"c:\\Program Files\\Microsoft Games\\ Age of Empires 3 Conquerors\\empires2.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\xampplite\\apache\\bin\\apache.exe"=

"c:\\xampplite\\mysql\\bin\\mysqld.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 97928]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288]

R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704]

R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 76040]

S3 dump_wmimmc;dump_wmimmc; [x]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2008-05-07 2385896]

S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8eda-1c3e-11dd-a875-00130272ec4c}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78bc8edb-1c3e-11dd-a875-00130272ec4c}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:

\Shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8e3e0d-bb7f-11dd-a8e1-001167c2a86b}]

\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436485955-983440248-2884829265-1005.job

- c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 14:21]

.

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\umctl307.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\documents and settings\Daniel Ramirez\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-15 00:01:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-01-15 0:02:40

ComboFix-quarantined-files.txt 2009-01-15 05:02:37

ComboFix2.txt 2009-01-14 17:28:13

ComboFix3.txt 2009-01-14 16:45:21

Pre-Run: 80,749,903,872 bytes free

Post-Run: 80,748,851,200 bytes free

232 --- E O F --- 2008-12-19 08:01:41


I took the liberty of doing some scans with SUPERAntiSpyware and Malwarebytes; they both seem to give me a green light, but I am not convinced. It only takes one file and the whole thing could pop up on my computer again. Since prior to this the Vundo seemed to be executing Microsoft Internet Explorer to post information about my search habits and download(?) more trojans or junk, I might block all traffic requested by Internet Explorer and have that information logged for examination later. I have no sign of infection in terms of popups, etc. like I had before, but I will give it some time to demonstrate that it is fully network ready by locking the registry and leaving the firewall open overnight once you give my HJT log the green light.

dreamx87


You look clean now.

Go to Start -> Run and type in combofix /u to remove ComboFix.

Are you still having any problems?

Thanks a lot, you have been a serious help and my machine is running smoothly. Vundo has not reappeared; however, there is one trojan that is still hanging around apparently. My AVG catches it quickly and it doesn't get time to do anything, but the fact that it executed means that there must be some traces of it left hanging around. It was deleted automatically, and I don't have the name of it. If it reappears I will let you know the name.

Looked at the detection logs and this is what it pulled up:

Trojan Horse SHEUR2.KYD

DLL registered at:

c:\System Volume Information\_restore{bunch of code numbers and letters}\RP13\A0009842.dll

Deleted? Yes, no apparent issues, scanning the registry for related files...
