Vundo Trojan

#1 | 02-11-2007, 05:45 AM | gr8fldad (Junior Member, D-A-L Newbie; joined Nov 2006; 21 posts)
Vundo Trojan

Looks like I got it, at least according to McAfee. Can't seem to get rid of it.
Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:22 AM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6202 bytes


And here's my uninstall list:

Ad-Aware SE Personal
Adobe Acrobat Reader 3.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6.0
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Instant Messenger
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Software Update
CCleaner (remove only)
Dell ResourceCD
DivX
DivX Converter
DivX Player
DivX Web Player
Easy CD Creator 5 Basic
ESPN RunTime
HaxFix 4.29
Hijackthis 1.99.1
HijackThis 2.0.2
HP DeskJet 895C Series (Remove only)
Internet Explorer Q903235
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LimeWire PRO 4.10.9
Macromedia Shockwave Player
McAfee SecurityCenter
McAfee VirusScan
Metric Conversion Calculator
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office PowerPoint Viewer 2003
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Music Rescue 3.1.1
Musicnotes Player V1.22.2
NVIDIA Drivers
OpenMG Limited Patch 4.1-05-14-24-01
OpenMG Secure Module 4.1.00
Photodex Presenter
PSP Video 9 1.74
Pure Networks Port Magic
Quicken 2003 Deluxe
QuickTime
RealPlayer
RTC Client API v1.2
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.4
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB822603
Windows XP Uninstall
WinZip Self-Extractor

Hope you guys/gals can help. Brutally frustrating...
#2 | 02-11-2007, 06:09 AM | Neal (Senior Member; joined Sep 2005; 5,524 posts)
Re: Vundo Trojan

Welcome and yep, you got it!

Please go to hijackthis.exe, right click on it, click on Rename and rename it to foolyou.exe, then press Enter, and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post a new hijackthis log also please.
#3 | 02-11-2007, 02:01 PM | gr8fldad (Junior Member, D-A-L Newbie; joined Nov 2006; 21 posts)
Re: Vundo Trojan

Here's the renamed foolyou.exe log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:31 AM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6136 bytes


I'll be back with a new post with the vundo contents log.
#4 | 02-11-2007, 02:35 PM | gr8fldad (Junior Member, D-A-L Newbie; joined Nov 2006; 21 posts)
Re: Vundo Trojan

Here's the hijackthis log after running vundofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:56 AM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5990 bytes

At first, some files couldn't be removed, but it didn't seem to have the same problem after running vundofix after reboot.

I don't know how to get the contents of the vundofix.txt.

I also don't recall ever seeing the F2 and O20 entries in prior HijackThis logs.

I'll do combofix next and will post the log.

Thanks again for your help...
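The thread works by comparing HijackThis logs before and after each tool runs (post #3 versus post #4 shows the mljkifd.dll BHO and its O20 Winlogon Notify entry gone after VundoFix) and by eyeballing the O2/O20 lines for unnamed DLLs. The script below is an added example, not part of the thread, of HijackThis, VundoFix or ComboFix: it parses HijackThis-style `Oxx - ...` lines, flags the persistence points that matter here (unnamed BHOs, Winlogon Notify DLLs, entries whose file is already missing, and a DLL that is registered under both), and diffs two logs to show what a cleanup pass removed. The sample lines are constructed from the entries quoted in this thread; the "after" log is the same set with the mljkifd lines dropped, mirroring the result in post #4. The heuristics (unnamed BHO, notify-key name not matching the DLL name) are this example's own, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs (added example; not code from the
thread, HijackThis, VundoFix or ComboFix)."""
import re
from dataclasses import dataclass

# Constructed sample log, built from the O2/O4/O20/O23 lines quoted in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
"""
# Constructed "after VundoFix" log: same lines minus the mljkifd entries (as in post #4).
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "mljkifd" not in l)

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    raw: str            # the normalized log line, used for diffing
    code: str           # HijackThis section code, e.g. "O2", "O20"
    body: str           # text after "O2 - ", with "(file missing)" stripped
    path: str           # file the entry points at ("" when the line has no " - " field)
    file_missing: bool  # HijackThis appended "(file missing)"


def basename(path):
    """Lower-cased file name of a Windows path, used as the finding key."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Keep only the 'Oxx - ...' entries; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith("(file missing)")
        if missing:
            body = body[: -len("(file missing)")].rstrip()
        # For O2/O3/O20/O23 lines the last " - " separated field is the file path.
        path = body.rsplit(" - ", 1)[-1] if " - " in body else ""
        entries.append(Entry(line, m.group("code"), body, path, missing))
    return entries


def triage(entries):
    """Return {file name: [reasons]} for entries worth a closer look."""
    findings = {}

    def flag(entry, reason):
        key = basename(entry.path) or entry.body
        findings.setdefault(key, []).append(f"{entry.code}: {reason}")

    bho_dlls, notify_dlls = set(), set()
    for e in entries:
        if e.file_missing:
            flag(e, "registered but file is missing (orphaned entry; remove the registration)")
        if e.code == "O2" and e.body.startswith("BHO: (no name)"):
            flag(e, "unnamed BHO loaded into Internet Explorer")
            bho_dlls.add(basename(e.path))
        if e.code == "O20" and e.body.startswith("Winlogon Notify:"):
            key_name = e.body.split(":", 1)[1].split(" - ", 1)[0].strip()
            flag(e, "Winlogon Notify DLL, loaded by winlogon.exe at every logon")
            # Heuristic (this example's own): legitimate notify packages are usually
            # registered under the DLL's own name; a mismatch is worth a look.
            if key_name.lower() != basename(e.path).rsplit(".", 1)[0]:
                flag(e, f"notify key name '{key_name}' does not match the DLL name")
            notify_dlls.add(basename(e.path))
    for dll in bho_dlls & notify_dlls:
        findings[dll].append("same DLL is both an unnamed BHO and a Winlogon Notify package")
    return findings


def diff_logs(before_text, after_text):
    """(removed, added) entry lines between two logs, e.g. before/after a fix tool."""
    before = {e.raw for e in parse_log(before_text)}
    after = {e.raw for e in parse_log(after_text)}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for name, reasons in triage(parse_log(LOG_BEFORE)).items():
        print(name)
        for r in reasons:
            print("   ", r)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("added after cleanup:", *added, sep="\n  ")
```

Run it against two saved logs by replacing the constants with `open(path).read()`; the diff is the same check the helper is doing by hand when asking for "a new HijackThis log" after each tool, and the cross-reference between O2 and O20 is what makes ilsk.dll stand out even before ComboFix reports that it could not delete it.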
#5 | 02-11-2007, 02:54 PM | gr8fldad (Junior Member, D-A-L Newbie; joined Nov 2006; 21 posts)
Re: Vundo Trojan

System had difficulty rebooting after combofix. Had to select "start computer with last settings that worked" in order to start it up. It wouldn't in normal start up mode.

Here's the combofix log:


ComboFix 07-11-01.1 - Windows User 2007-11-02 9:38:02.1 - FAT32x86
Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Home\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Home\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\Windows User\Application Data\install.dat
C:\Documents and Settings\Windows User\err.log
C:\Program Files\mediapipe
C:\Program Files\Microsoft Security Adviser
C:\Program Files\winmsg
C:\Program Files\winmsg\sb_bar.css
C:\Program Files\winmsg\sb_bar.htm
C:\Program Files\winmsg\sb_ep.htm
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bass.exe
C:\temp\brr
C:\Temp\fCOe
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\WINDOWS\start.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\twinlmds.exe
C:\WINDOWS\system32\twinlmdt.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\drivers\snkwevbj.dat . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll.bak . . . . failed to delete
C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCQWHXIK
-------\LEGACY_FOPN
-------\LEGACY_ICF
-------\LEGACY_NOITTUKV
-------\LEGACY_RUNTIME
-------\fcqwhxik
-------\ICF
-------\noittukv
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 09:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 00:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 19:17 410,899 ---hs---- C:\WINDOWS\SYSTEM32\bbbeg.bak2
2007-10-31 09:28 408,654 ---hs---- C:\WINDOWS\SYSTEM32\bbbeg.bak1
2007-10-30 09:29 408,654 ---hs---- C:\WINDOWS\SYSTEM32\twycf.bak1
2007-10-30 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz17r
2007-10-30 09:24 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 09:23 <DIR> d-------- C:\Temp\mZOr
2007-10-28 23:18 238,112 --a------ C:\Temp\cilo.exe
2007-10-27 10:36 <DIR> d-------- C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
2007-10-24 20:38 <DIR> d-------- C:\Temp\Tmp___21564
2007-10-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-24 20:23 <DIR> d-------- C:\VundoFix Backups
2007-10-24 20:21 <DIR> d-------- C:\Temp\Tmp___18292
2007-10-24 17:58 <DIR> dr-h----- C:\$VAULT$.AVG
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\AVG7
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-24 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 18:45 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-10-19 18:45 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-10-19 18:29 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\BitTorrent
2007-10-19 00:48 <DIR> d-------- C:\Program Files\Photodex Presenter
2007-10-19 00:25 144 --ahs---- C:\WINDOWS\SYSTEM32\777197797.dat
2007-10-15 23:38 741,632 --a------ C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
2007-10-15 23:38 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-10-15 23:38 118,528 --a------ C:\WINDOWS\SYSTEM32\fkyedvcq.dat
2007-10-15 23:38 41,728 --a------ C:\WINDOWS\SYSTEM32\gegwioew.dat
2007-10-15 23:38 35,584 --a------ C:\WINDOWS\SYSTEM32\kngkujmi.dat
2007-10-15 23:38 35,072 --a------ C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
2007-10-15 23:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-10-15 23:33 82,432 --a------ C:\WINDOWS\SYSTEM32\ilsk.dll
2007-10-15 23:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ilsk(2).dll
2007-10-15 23:33 18,688 C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
2007-10-15 23:33 16,896 --a------ C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
2007-10-15 23:32 119,552 --a------ C:\WINDOWS\SYSTEM32\msrepl40p.dll
2007-10-15 23:32 107,893 --a------ C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
2007-10-09 00:00 49,664 --a------ C:\WINDOWS\SYSTEM32\icf.exe
2007-10-08 09:53 <DIR> d--hs---- C:\FOUND.064

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 05:39 --------- d-----w C:\Documents and Settings\Home\Application Data\acccore
2007-09-18 02:31 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Netscape
2007-09-11 21:00 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Apple
2007-09-02 23:05 32,392 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
2007-08-08 05:31 6,421 --sh--w C:\WINDOWS\SYSTEM32\cfiii.bak1
2003-11-29 20:37 271 --sh--w C:\Program Files\desktop.ini
2003-11-29 20:37 23,357 ---h--w C:\Program Files\folder.htt
2007-06-23 06:01:32 1,870,520 --sh--w C:\WINDOWS\SYSTEM32\onqss.bak2
2007-06-23 02:23:54 1,870,520 --sh--w C:\WINDOWS\SYSTEM32\onqss.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
C:\WINDOWS\System32\tustq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
"HostManager"="C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe" [2007-04-12 17:23]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\System32\srrst

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\w32.exe
backup=C:\WINDOWS\pss\w32.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
msrcsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
"C:\Program Files\AltPayments\AltPayments.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
C:\WINDOWS\renvsyu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
C:\WINDOWS\System32\kydvsz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\twinlmds.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filit]
C:\foobar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
C:\WINDOWS\System32\kydvsz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe EGDHTML_1030.dll,InstantAccess

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
C:\WINDOWS\jgn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
c:\windows\system32\kydvsz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
"C:\Program Files\p2pnetworks\mpp2pl.exe" /H

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
wininit32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\200543017055_mcinfo.exe /insfin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mslagent]
C:\WINDOWS\mslagent\mslagent_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
C:\WINDOWS\System32\kydvsz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
C:\WINDOWS\System32\NDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
C:\WINDOWS\system32\p1h87d1fdmkc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
msu2disp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
snd332.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
c:\program files\180solutions\sais.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
C:\WINDOWS\System32\Ooaqaq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
C:\WINDOWS\snd332.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
C:\WINDOWS\\\etb\\pokapoka76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
C:\WINDOWS\sysupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\windows user\local settings\temp\fsg_tmp\ginst_001.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
"C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
C:\WINDOWS\System32\Togkio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
C:\WINDOWS\spfkowpu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
C:\WINDOWS\Web\Wallpaper\winad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
C:\Program Files\Winad Client\Winad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
NETSTATT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
R1 cdudf;cdudf;C:\WINDOWS\System32\drivers\cdudf.sys
R1 cmosa;cmosa;C:\WINDOWS\System32\drivers\cmosa.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 UdfReadr;UdfReadr;C:\WINDOWS\System32\drivers\UdfReadr.sys
R2 HPFECP15;HPFECP15;C:\WINDOWS\System32\drivers\HPFECP15.SYS
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
"C:\WINDOWS\System32\rundll32.exe" "C:\PROGRA~1\MESSEN~1\msgsc.dll",ShowIconsUser
.
Contents of the 'Scheduled Tasks' folder
"2007-08-05 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-02 14:22:02 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-11-02 14:46:12 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-Windows User).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-02 14:31:22 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Windows User).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-02 07:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-08-24 19:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-02 14:47:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Home).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-02 14:39:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Michael).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 09:46:45
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 9:48:20 - machine was rebooted
.
--- E O F ---

Hijackthis log after combofix run:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:52 AM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6028 bytes


That F2 entry I mentioned earlier is now gone. Interesting...

Let me know your thoughts. Thanks.
  #6 (permalink)  
Old 02-11-2007, 10:39 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Vundo Trojan

That is a very infected computer, I hope it will recover from infection.


Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to your desktop.
Close out of that and now you should have a backup copy of your registry which looks like


Open Notepad (not WordPad) and copy/paste the text in the quote box below into it (not the word "Quote"):


Quote:
File::
C:\WINDOWS\SYSTEM32\bbbeg.bak2
C:\WINDOWS\SYSTEM32\bbbeg.bak1
C:\WINDOWS\SYSTEM32\twycf.bak1
C:\Temp\ocli.exe
C:\Temp\cilo.exe
C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
C:\WINDOWS\SYSTEM32\777197797.dat
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
C:\WINDOWS\SYSTEM32\gegwioew.dat
C:\WINDOWS\SYSTEM32\kngkujmi.dat
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
C:\WINDOWS\SYSTEM32\msrepl40p.dll
C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
C:\FOUND.064
C:\WINDOWS\SYSTEM32\cfiii.bak1
C:\WINDOWS\SYSTEM32\onqss.bak2
C:\WINDOWS\SYSTEM32\onqss.bak1

Folder::
C:\Temp\Tmp___21564
C:\VundoFix Backups
C:\Temp\Tmp___18292

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filit]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mslagent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]



Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.



What are these folders? Something from work, possibly:

C:\WINDOWS\SYSTEM32\Mz17r - find and post what is inside please.
C:\Temp\mZOr



Also...



Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.
Last edited by Neal; 03-11-2007 at 08:55 PM.
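Before a CFScript like the one above is handed to ComboFix, it is worth checking that every suspicious autostart entry in the HijackThis log is actually addressed by it, either by a `File::` line for the binary it loads or by a `[-key]` line under `Registry::`. The script below does that cross-check. It is an added example for this thread, not code from HijackThis, ComboFix or any poster; the line formats it parses (O2/O4/O20/O23 in HijackThis, the `File::`/`Folder::`/`Registry::` sections of a CFScript) are inferred from the logs quoted in the thread, and the sample input is constructed from a handful of those lines. The `HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}` key form is the abbreviation ComboFix itself prints in the log above.

```python
"""Cross-check HijackThis autostart entries against a ComboFix CFScript.

Added example for the D-A-L thread; not part of HijackThis or ComboFix.
Parsing rules are inferred from the log lines quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Constructed sample CFScript, a subset of the one Neal posted.
CFSCRIPT_SAMPLE = r"""
File::
C:\WINDOWS\SYSTEM32\msrepl40p.dll
C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
"""

MISSING = " (file missing)"

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# The binary an O4 command loads: first quoted string, or the first unquoted
# run ending in .exe/.dll, after an optional "rundll32.exe" prefix.
_EXE = re.compile(r'^(?:rundll32\.exe\s+)?(?:"(?P<q>[^"]+)"|(?P<u>\S.*?\.(?:exe|dll)))', re.IGNORECASE)


@dataclass
class AutostartEntry:
    kind: str                 # HijackThis section: O2, O4, O20, O23
    name: str
    path: Optional[str]       # file the entry loads, if one could be extracted
    reg_key: Optional[str]    # key a "[-key]" line would delete, if the entry is its own key
    file_missing: bool = False


def _split_missing(path: str) -> tuple[str, bool]:
    return (path[:-len(MISSING)], True) if path.endswith(MISSING) else (path, False)


def parse_hjt(text: str) -> list[AutostartEntry]:
    """Extract the loaded file and (where applicable) the owning registry key per line."""
    entries: list[AutostartEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            path, missing = _split_missing(m["path"])
            key = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{" + m["clsid"] + "}"
            entries.append(AutostartEntry("O2", m["name"], path, key, missing))
        elif m := _O4.match(line):
            exe = _EXE.match(m["cmd"])
            path = (exe["q"] or exe["u"]) if exe else None
            # A Run value is not a key of its own, so no "[-key]" line can remove it.
            entries.append(AutostartEntry("O4", m["name"], path, None))
        elif m := _O20.match(line):
            key = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\" + m["name"]
            entries.append(AutostartEntry("O20", m["name"], m["path"], key))
        elif m := _O23.match(line):
            path, missing = _split_missing(m["path"])
            entries.append(AutostartEntry("O23", m["name"], path, None, missing))
    return entries


def parse_cfscript(text: str) -> dict[str, set[str]]:
    """Return the File::, Folder:: and Registry:: targets, lower-cased for comparison."""
    sections: dict[str, set[str]] = {"File": set(), "Folder": set(), "Registry": set()}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::") and line[:-2] in sections:
            current = line[:-2]
            continue
        if current == "Registry":
            if m := re.fullmatch(r"\[-(.+)\]", line):    # "[-key]" deletes the whole key
                sections[current].add(m.group(1).lower())
        elif current is not None:
            sections[current].add(line.lower())
    return sections


def uncovered_entries(entries: list[AutostartEntry], script: dict[str, set[str]]) -> list[AutostartEntry]:
    """Entries the script removes neither by file path nor by registry key."""
    files, keys = script["File"], script["Registry"]
    return [e for e in entries
            if not ((e.path is not None and e.path.lower() in files)
                    or (e.reg_key is not None and e.reg_key.lower() in keys))]


if __name__ == "__main__":
    left = uncovered_entries(parse_hjt(HJT_SAMPLE), parse_cfscript(CFSCRIPT_SAMPLE))
    for e in left:
        print(f"{e.kind:4} {e.name:30} {e.path or '?'}{'  (file missing)' if e.file_missing else ''}")
```

Whatever the script leaves uncovered is the list to review by hand: here it is the Adobe BHO, the two McAfee/NVIDIA Run values and the McShield service, all legitimate, so the sample script addresses every suspicious entry. A "(file missing)" flag on an uncovered entry would mean a dead pointer that still needs its registry entry removed, which a `File::` line alone cannot do.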
  #7 (permalink)  
Old 03-11-2007, 09:47 PM
gr8fldad
Junior Member
D-A-L Newbie
Join Date: Nov 2006
Posts: 21
Re: Vundo Trojan

Don't give up on me yet...
Think of it as a bit more challenging than some of your easier fixes...

Here's the combofix:

ComboFix 07-11-01.1 - Windows User 2007-11-03 16:13:52.2 - FAT32x86
Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\FOUND.064
C:\Temp\cilo.exe
C:\Temp\ocli.exe
C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
C:\WINDOWS\SYSTEM32\777197797.dat
C:\WINDOWS\SYSTEM32\bbbeg.bak1
C:\WINDOWS\SYSTEM32\bbbeg.bak2
C:\WINDOWS\SYSTEM32\cfiii.bak1
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
C:\WINDOWS\SYSTEM32\gegwioew.dat
C:\WINDOWS\SYSTEM32\kngkujmi.dat
C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
C:\WINDOWS\SYSTEM32\msrepl40p.dll
C:\WINDOWS\SYSTEM32\onqss.bak1
C:\WINDOWS\SYSTEM32\onqss.bak2
C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
C:\WINDOWS\SYSTEM32\twycf.bak1
C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cilo.exe
C:\Temp\ocli.exe
C:\Temp\Tmp___18292
C:\Temp\Tmp___18292\CSICore.dll
C:\Temp\Tmp___18292\CSIGUI.dll
C:\Temp\Tmp___18292\PrevxCSI.exe
C:\Temp\Tmp___21564
C:\Temp\Tmp___21564\CSICore.dll
C:\Temp\Tmp___21564\CSIGUI.dll
C:\Temp\Tmp___21564\PrevxCSI.exe
C:\VundoFix Backups
C:\VundoFix Backups\qtsut.bak1.bad
C:\VundoFix Backups\qtsut.bak2.bad
C:\VundoFix Backups\qtsut.ini.bad
C:\VundoFix Backups\qtsut.ini2.bad
C:\VundoFix Backups\qtsut.tmp.bad
C:\WINDOWS\SYSTEM32\777197797.dat
C:\WINDOWS\SYSTEM32\bbbeg.bak1
C:\WINDOWS\SYSTEM32\bbbeg.bak2
C:\WINDOWS\SYSTEM32\cfiii.bak1
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
C:\WINDOWS\SYSTEM32\gegwioew.dat
C:\WINDOWS\SYSTEM32\kngkujmi.dat
C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
C:\WINDOWS\SYSTEM32\onqss.bak1
C:\WINDOWS\SYSTEM32\onqss.bak2
C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
C:\WINDOWS\SYSTEM32\twycf.bak1
C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll.bak . . . . failed to delete
C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCQWHXIK
-------\LEGACY_FOPN
-------\LEGACY_ICF
-------\LEGACY_NOITTUKV
-------\LEGACY_RUNTIME
-------\fcqwhxik
-------\noittukv


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 09:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 00:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz17r
2007-10-30 09:23 <DIR> d-------- C:\Temp\mZOr
2007-10-27 10:36 <DIR> d-------- C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
2007-10-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-24 17:58 <DIR> dr-h----- C:\$VAULT$.AVG
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\AVG7
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-24 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 18:45 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-10-19 18:45 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-10-19 18:29 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\BitTorrent
2007-10-19 00:48 <DIR> d-------- C:\Program Files\Photodex Presenter
2007-10-15 23:38 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-10-15 23:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-10-15 23:33 82,432 --a------ C:\WINDOWS\SYSTEM32\ilsk.dll
2007-10-15 23:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ilsk(2).dll
2007-10-15 23:33 18,688 C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
2007-10-15 23:32 119,552 --a------ C:\WINDOWS\SYSTEM32\msrepl40p.dll
2007-10-09 00:00 49,664 --a------ C:\WINDOWS\SYSTEM32\icf.exe
2007-10-08 09:53 <DIR> d--hs---- C:\FOUND.064

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 05:39 --------- d-----w C:\Documents and Settings\Home\Application Data\acccore
2007-09-18 02:31 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Netscape
2007-09-11 21:00 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Apple
2007-09-02 23:05 32,392 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
2003-11-29 20:37 271 --sh--w C:\Program Files\desktop.ini
2003-11-29 20:37 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_ 9.47.28.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-02 14:37:52 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
+ 2007-11-03 21:13:38 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
"HostManager"="C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe" [2007-04-12 17:23]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\System32\srrst

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\w32.exe
backup=C:\WINDOWS\pss\w32.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
msrcsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
"C:\Program Files\AltPayments\AltPayments.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
C:\WINDOWS\renvsyu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\twinlmds.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe EGDHTML_1030.dll,InstantAccess

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
C:\WINDOWS\jgn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
wininit32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
snd332.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
C:\WINDOWS\System32\Ooaqaq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
C:\WINDOWS\\\etb\\pokapoka76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
C:\WINDOWS\sysupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\windows user\local settings\temp\fsg_tmp\ginst_001.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
NETSTATT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
R1 cdudf;cdudf;C:\WINDOWS\System32\drivers\cdudf.sys
R1 cmosa;cmosa;C:\WINDOWS\System32\drivers\cmosa.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 UdfReadr;UdfReadr;C:\WINDOWS\System32\drivers\UdfReadr.sys
R2 fcqwhxik;Terminal Device Controller;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 HPFECP15;HPFECP15;C:\WINDOWS\System32\drivers\HPFECP15.SYS
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
S4 InstallTest;InstallTest;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test
S4 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
"C:\WINDOWS\System32\rundll32.exe" "C:\PROGRA~1\MESSEN~1\msgsc.dll",ShowIconsUser
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 19:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-03 21:02:04 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-11-03 21:23:16 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-Windows User).job"
"2007-11-03 17:27:20 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Windows User).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-03 07:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-11-02 19:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-03 21:22:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Home).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-03 21:24:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Michael).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 16:23:45
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 16:25:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 09:48
.
--- E O F ---

Again, I had to go to Last Known Good Configuration to start up after ComboFix ran. Also, I noticed "Copying Permissions Was Not Successful" and "Reason: Unknown Error" in one of the last ComboFix boxes.

More funfacts: Computer actually doesn't run that bad overall, but problems with Internet I think due to Vundo. McAfee keeps coming up with:
C:\SystemVolume Information\_restore{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP26\A0006668.dll and then lists Vundo.dll as the virus. McAfee then lists 2 more which appear identical except with the last part A000669.dll and A0006673.dll. The 4th finding by McAfee is C:\VundoFixBackups|mljkfd.dll.bad. I quarantine these files each time.


The folder you listed- C:\windows\system32\Mz17r and the mZOr are unknown to me and most likely don't belong. I wouldn't do my work on this computer since it's shared by 2 teenage sons.

Listed below is the hijack this request:
Ad-Aware SE Personal
Adobe Acrobat Reader 3.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6.0
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Instant Messenger
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Software Update
CCleaner (remove only)
Dell ResourceCD
DivX
DivX Converter
DivX Player
DivX Web Player
Easy CD Creator 5 Basic
ESPN RunTime
HaxFix 4.29
Hijackthis 1.99.1
HijackThis 2.0.2
HP DeskJet 895C Series (Remove only)
Internet Explorer Q903235
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LimeWire PRO 4.10.9
Macromedia Shockwave Player
McAfee SecurityCenter
McAfee VirusScan
Metric Conversion Calculator
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office PowerPoint Viewer 2003
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Music Rescue 3.1.1
Musicnotes Player V1.22.2
NVIDIA Drivers
OpenMG Limited Patch 4.1-05-14-24-01
OpenMG Secure Module 4.1.00
Photodex Presenter
PSP Video 9 1.74
Pure Networks Port Magic
Quicken 2003 Deluxe
QuickTime
RealPlayer
RTC Client API v1.2
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.4
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB822603
Windows XP Uninstall
WinZip Self-Extractor


Finally, I still get a popup on the task bar which appears only for 4-5 seconds usually around startup time and it then disappears. I think it's one of those sites to click on claiming it found a virus on the computer and if you click on it, it will take you to a site (illegitimate) so you can remove the virus.

McAfee Virusscan window also keeps popping up saying Potential Worm Activity Detected since "5 emails have been sent within the last 30 seconds". Of course, I'm not sending the emails and I hit Stop this email each time. Sometimes the window will pop up 3-5 times in a row.

Just trying to let you know everything, so hopefully something will click on how to resolve the headache. Thanks again.
  #8 (permalink)  
Old 03-11-2007, 11:24 PM
Neal
Senior Member

Join Date: Sep 2005
Posts: 5,524
Re: Vundo Trojan

Don't worry about the Vundo stuff McAfee is finding; it is easily taken care of later, as it is in the backup folder of VundoFix and in System Restore.


Print these instructions or save them as a text document (on the desktop) using Notepad.


There are more serious issues at hand, I'm afraid. I need you to do two scans: one is an online scanner, the other needs to be downloaded and installed, then run.


And this...



Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
    C:\WINDOWS\system32\ilsk.dll
    C:\WINDOWS\system32\ilsk.dll.bak
    C:\WINDOWS\system32\msrepl40p.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




* Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.




You may want to print out the following instructions:

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to the words Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
    • Click on Scanner on the toolbar at top of this screen.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Close AVG Anti-Spyware without running yet.
Now disable (turn off) AVG Anti-Spyware:
  • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode. If you can't go to Safe Mode or run from Safe Mode, use NORMAL MODE.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________


Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Note: If the AVG Anti-Spyware screen does not fit your monitor screen, hold down the Alt key on the keyboard, then tap the spacebar; a menu should pop up, then choose Maximize. The AVG Anti-Spyware screen should now fit the screen a lot better.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.


IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button.(3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop. I will need you to post this in your next reply.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #9 (permalink)  
Old 04-11-2007, 07:15 PM
Junior Member
D-A-L Newbie
 
Join Date: Nov 2006
Posts: 21
gr8fldad Is a beginner here at D-A-L
Re: Vundo Trojan

Here's the OTMoveIt Results:

File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat scheduled to be moved on reboot.
C:\WINDOWS\system32\ilsk.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ilsk.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ilsk.dll.bak scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\msrepl40p.dll
C:\WINDOWS\system32\msrepl40p.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\msrepl40p.dll scheduled to be moved on reboot.

Created on 11/04/2007 11:38:57


However, it asked to reboot and I did, but OTM didn't do anything different after start up. I followed the same procedure without rebooting a second time (even though it asked).

Here's the F-Secure report:
Scanning Report
Sunday, November 04, 2007 11:50:06 - 14:13:15
Computer name: FAMILY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 25 malware found
SpamTool.Win32.Agent.bk (virus)
C:\WINDOWS\SYSTEM32\APPCERT\PRX66B.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
Trojan-Clicker.Win32.Agent.mk (virus)
C:\WINDOWS\SYSTEM32\ILSK(2).DLL (Renamed & Submitted)
Trojan-Clicker.Win32.Agent.mu (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP12\A0002024.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.dng (virus)
C:\WINDOWS\SYSTEM32\APPCERT\WNL32.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Small.gkq (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005523.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.blj (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005521.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005522.EXE (Renamed)
Trojan-Spy.Win32.Zbot.bg (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP27\A0006686.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP25\A0005635.EXE (Renamed & Submitted)
Trojan.Win32.Obfuscated.iz (virus)
C:\WINDOWS\SYSTEM32\ICF.EXE (Renamed & Submitted)
W32/Adload.gen3 (virus)
C:\GETTER.EXE (Submitted)
W32/BHO.QG (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006782.EXE (Submitted)
W32/DLoader.ANVE (virus)
C:\PROGRAM FILES\ALTPAYMENTS\ALTPAYMENTS.EXE (Submitted)
W32/Zapchast.AQK (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005506.EXE (Submitted)
W32/Zapchast.AQT (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005502.EXE (Submitted)
W32/Zapchast.ARC (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005501.EXE (Submitted)
W32/Zapchast.ARD (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005499.EXE (Submitted)
W32/Zapchast.ARF (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005500.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29974
System: 4625
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 9
Deleted: 0
None: 15
Submitted: 16
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

Time for AVG. I'll be back with the results...
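The F-Secure report in the post above is a flat list of detections where the location and the action column decide what still matters: a hit inside a System Restore snapshot is inert, and "(Submitted)" on its own means a sample was uploaded but the file was not touched. The following helper is added here and is not part of the thread or of F-Secure's tooling; it parses that report format into records, separates live files from restore-point and registry hits, lists live paths that were never renamed, deleted or disinfected, and checks the parsed count against the report's own "Result:" line so a truncated paste is noticed. The embedded report is a constructed excerpt of the one posted above.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed excerpt of the F-Secure "Scanning Report" posted in the thread
# (a subset of its Result section, so the declared count will not match).
REPORT = r"""
Result: 25 malware found
SpamTool.Win32.Agent.bk (virus)
C:\WINDOWS\SYSTEM32\APPCERT\PRX66B.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
Trojan-Clicker.Win32.Agent.mk (virus)
C:\WINDOWS\SYSTEM32\ILSK(2).DLL (Renamed & Submitted)
Trojan-Clicker.Win32.Agent.mu (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP12\A0002024.DLL (Renamed & Submitted)
Trojan.Win32.Obfuscated.iz (virus)
C:\WINDOWS\SYSTEM32\ICF.EXE (Renamed & Submitted)
W32/DLoader.ANVE (virus)
C:\PROGRAM FILES\ALTPAYMENTS\ALTPAYMENTS.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
"""

# A detection header line: "<signature name> (virus|spyware)".
HEADER_RE = re.compile(r"^(?P<name>.+?) \((?P<kind>virus|spyware)\)$")
# An item under a header: a path or "System", with an optional "(<actions>)" suffix.
ITEM_RE = re.compile(r"^(?P<target>.+?)(?: \((?P<action>[^()]+)\))?$")
COUNT_RE = re.compile(r"^Result: (?P<n>\d+) malware found$")

# Actions that changed the file on disk; "Submitted" alone only uploads a sample.
CLEANING_ACTIONS = {"Renamed", "Deleted", "Disinfected"}
RESTORE_MARKER = r"\SYSTEM VOLUME INFORMATION\_RESTORE"


@dataclass
class Finding:
    name: str       # signature name, e.g. Trojan-Clicker.Win32.Agent.mk
    kind: str       # virus / spyware
    target: str     # file path, or "System" for cookie/registry hits
    actions: tuple  # e.g. ("Renamed", "Submitted"); empty when nothing was done
    location: str   # live / restore_point / system


def classify(target: str) -> str:
    upper = target.upper()
    if upper == "SYSTEM":
        return "system"
    if RESTORE_MARKER in upper:
        return "restore_point"  # old System Restore snapshot, not an active file
    return "live"


def declared_count(text: str):
    """Number of detections the report claims in its 'Result:' line, or None."""
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            return int(m.group("n"))
    return None


def parse_report(text: str):
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or COUNT_RE.match(line):
            continue
        if line.startswith("----"):
            break  # dashed rule ends the Result section
        header = HEADER_RE.match(line)
        if header:
            current = (header.group("name"), header.group("kind"))
            continue
        if current is None:
            continue  # preamble before the first detection header
        item = ITEM_RE.match(line)
        target = item.group("target")
        actions = tuple(a.strip() for a in (item.group("action") or "").split("&") if a.strip())
        findings.append(Finding(current[0], current[1], target, actions, classify(target)))
    return findings


def summarize(findings):
    """Number of detections per location class."""
    return dict(Counter(f.location for f in findings))


def untreated_live(findings):
    """Live files the scanner neither renamed, deleted nor disinfected: still on disk."""
    return [f.target for f in findings
            if f.location == "live" and not CLEANING_ACTIONS & set(f.actions)]


def is_complete(text: str) -> bool:
    """True when the parsed findings match the count the report itself declares."""
    n = declared_count(text)
    return n is not None and n == len(parse_report(text))


if __name__ == "__main__":
    found = parse_report(REPORT)
    print("per location:", summarize(found))
    print("live and untreated:", untreated_live(found))
    print("paste complete:", is_complete(REPORT))
```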
  #10 (permalink)  
Old 05-11-2007, 03:49 AM
Junior Member
D-A-L Newbie
 
Join Date: Nov 2006
Posts: 21
gr8fldad Is a beginner here at D-A-L
Re: Vundo Trojan

Everything seemed to be going fine until I got up to rebooting in Safe Mode to run AVG. I don't know if it's because of AVG alone, or AVG combined with running McAfee in the background, or if it was the result of one of the other programs we ran, but the computer wouldn't start up in Safe Mode or regular mode. It would take 45 minutes plus to get to the desktop. I didn't think I had much of a choice, so I did a system restore back to the ComboFix restore point. I hope I didn't undo anything beneficial from the programs after ComboFix, but again, not much of a choice. AVG is now gone and the computer is running... Should I redo OTMoveIt and/or F-Secure?

Didn't know if it would help at all, but here's a current Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47, on 2007-11-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6045 bytes



Suggestions? Thanks.
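Added example, not part of the thread or of HijackThis itself: a small triage script over the O2 (BHO), O20 (Winlogon Notify) and O23 (Service) lines of the log above. The parsing of the HijackThis line format and the scoring rules are the editor's own assumptions, not anything HijackThis does: an unnamed BHO loading a DLL straight from System32 is scored high, higher still when the same DLL is also registered as a Winlogon Notify handler (those DLLs load inside winlogon.exe, before the shell and in Safe Mode, which is why a plain BHO removal does not stick); any O20 entry shown at all is worth a look, because HijackThis hides the stock XP handlers; and an entry marked "(file missing)" is an orphaned registry reference, low priority but worth cleaning. The sample input is constructed from lines copied out of the posted log.

```python
"""Triage O2/O20/O23 lines of a HijackThis log for Vundo-style persistence (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    section: str        # "O2", "O20" or "O23"
    name: str           # BHO display name, Notify subkey name, or service name
    path: str           # file path exactly as HijackThis printed it
    file_missing: bool  # HijackThis appended "(file missing)"


@dataclass(frozen=True)
class Finding:
    severity: str       # "high", "medium" or "low"
    section: str
    path: str
    reason: str


# Line shapes assumed from the log above; not an official HijackThis grammar.
_MISSING = r"(?P<missing> \(file missing\))?\s*$"
_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)" + _MISSING),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + _MISSING),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)" + _MISSING),
}

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
"""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for O2/O20/O23 lines, None for anything else."""
    line = line.strip()
    pat = _PATTERNS.get(line.split(" ", 1)[0])
    m = pat.match(line) if pat else None
    if not m:
        return None
    return Entry(m.group(1) and m["name"], m["path"], m["missing"] is not None) if False else \
        Entry(line.split(" ", 1)[0], m["name"], m["path"], m["missing"] is not None)


def in_system32(path: str) -> bool:
    """True when the file sits directly in System32 (case-insensitive, XP paths are)."""
    return os.path.dirname(path.replace("\\", "/")).lower().endswith("/system32")


def triage(log_text: str) -> list:
    """Apply the heuristics described in the lead-in and return a list of Finding."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Winlogon Notify DLLs run inside winlogon.exe, before the shell and in Safe Mode.
    notify_paths = {e.path.lower() for e in entries if e.section == "O20"}
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding("low", e.section, e.path,
                                    f"{e.name}: entry points at a file that no longer exists (orphan, clean it up)"))
            continue
        if e.section == "O2" and e.name == "(no name)" and in_system32(e.path):
            reason = "unnamed BHO loading a DLL straight from System32"
            if e.path.lower() in notify_paths:
                reason += "; same DLL is also a Winlogon Notify handler (loads in Safe Mode)"
            findings.append(Finding("high", "O2", e.path, reason))
        elif e.section == "O20":
            # HijackThis hides the default XP Notify handlers, so anything listed needs a look.
            findings.append(Finding("medium", "O20", e.path,
                                    f"Winlogon Notify handler '{e.name}' outside the default set"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.path}  ->  {f.reason}")
```

On the posted log this flags msrepl40p.dll and ilsk.dll as high (ilsk.dll with the O20 cross-reference), the hpghulnk Notify entry as medium, and the tustq.dll BHO and the MpfService line as orphaned references. That matches what the helpers in the thread have been asking the poster to remove; the script only makes the reasoning explicit.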
All times are GMT +1. The time now is 09:21 PM.