MalwareRemoval.com: Malware Removal Instructions

VUNDO is no FUN-DO

Post by monza » January 1st, 2009, 1:39 am

I managed to clear VUNDO out of my bloodstream (computer), but guess what, I'm still stuck with pop-ups. I know there are a million forum topics on this. Here's my HijackThis log. I use Firefox as my main browser. The pop-ups happen at least twice every 5 mins or less, it seems. I really didn't want to format, so here I am. I guess that's all the information to start out with. Hope you can help, thanks. Oh, I did delete all my old versions of Sun Java since they don't uninstall themselves after update. Didn't seem to help much, if at all.
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Post by DFW » January 1st, 2009, 8:45 am

My name is DFW, and I will be helping you to remove any infection(s) that you may have.

Perform all actions in the order given.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
Please do not try and clean your computer with any tools other than the ones I ask you to use during the cleanup process.
If you fail to reply within 5 days from now, this thread will close, and you will have to open another topic and wait for another helper.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a different computer or infection.


First off, please make an uninstall list using HijackThis.
To access the Uninstall Manager, do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.


Click on the Save list... button and specify where you would like to save this file.

When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next reply.




Please post back the uninstall list and a new HijackThis log. Can you please post them into the body of your message and not as an attachment?
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Post by monza » January 1st, 2009, 9:22 am

Hello sir and here you are sir.

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Battlefield 2(TM)
Bonjour
BootSkin
ClearType Tuning Control Panel Applet
Counter-Strike: Source
Creative Audio Console
Diablo II
Fallout 3
Fallout2
ffdshow [rev 2364] [2008-11-25]
Growler Guncam
GTR 2 1.0.0.0
Haali Media Splitter
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HHD Software Free Hex Editor Neo 4.64
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IL-2 Manager 5.0 PF
IL-2 Sturmovik 1946
Image Resizer Powertoy for Windows XP
ImTOO iPod Movie Converter
iTunes
Java(TM) 6 Update 11
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Pro Photo Tools
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.1b2)
MSXML 6.0 Parser (KB933579)
Nero Suite
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
OpenOffice.org Installer 1.0
Portal
QuickTime
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shadowgrounds
Steam
Team Fortress 2
Titan Quest
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Winamp
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XviD MPEG-4 Video Codec

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:45 AM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: {d4c6e306-419b-82da-87f4-96be3a8e7ca3} - {3ac7e8a3-eb69-4f78-ad28-b914603e6c4d} - C:\WINDOWS\system32\xoejjs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0778122984
O20 - AppInit_DLLs: xoejjs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8320 bytes
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am
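A helper reads a log like the one above by eye, looking for a few tell-tale patterns: a BHO whose display name is itself a GUID, a DLL in AppInit_DLLs (which gets loaded into every process that links user32.dll), Run entries and Startup shortcuts sitting in the SYSTEM or Default User profile, a Run entry whose label names one binary but launches another, and a service with no vendor. As an added example (not part of the thread and not a tool DFW used), here is a small Python script that applies those rules to HijackThis lines. The sample input is a handful of lines copied from monza's log above; the heuristics, severities and the `triage` function are this example's own assumptions, not HijackThis functionality.

```python
import re

# Lines copied from the HijackThis log posted above, used here as sample input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: {d4c6e306-419b-82da-87f4-96be3a8e7ca3} - {3ac7e8a3-eb69-4f78-ad28-b914603e6c4d} - C:\WINDOWS\system32\xoejjs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O20 - AppInit_DLLs: xoejjs.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
"""

# Heuristic patterns (this example's own, not from HijackThis).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<label>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<profile>.*?) Startup: (?P<lnk>.*?) = (?P<path>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SYSTEM_PROFILES = ("SYSTEM", "Default user")


def basename(path):
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmd):
    """First token of a Run command; honours a quoted path containing spaces."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return (severity, reason, line) tuples for suspicious HijackThis entries.
    Severities are HIGH, MEDIUM and LOW; ordering follows the log, with the
    AppInit/BHO correlation appended at the end."""
    findings = []
    bho_dlls = {}   # DLL basename -> O2 line, for correlating with AppInit_DLLs
    appinit = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(("LOW", "BHO registered but its file is missing (orphan entry)", line))
            else:
                bho_dlls[basename(m.group("path"))] = line
            if GUID_RE.match(m.group("name")):
                findings.append(("HIGH", "BHO display name is a GUID, typical of Vundo variants", line))
            continue
        m = O20_RE.match(line)
        if m:
            appinit = [d.lower() for d in re.split(r"[,\s]+", m.group("dlls")) if d]
            findings.append(("HIGH", "AppInit_DLLs loads a DLL into every process that uses user32.dll", line))
            continue
        m = O4_RE.match(line)
        if m and m.group("user") in SYSTEM_PROFILES:
            label = m.group("label").lower()
            exe = basename(first_token(m.group("cmd")))
            if label.endswith(".exe") and label != exe:
                findings.append(("HIGH", f"Run entry named {label} starts a different binary ({exe})", line))
            else:
                findings.append(("MEDIUM", "Run entry in the SYSTEM/Default profile", line))
            continue
        m = O4_STARTUP_RE.match(line)
        if m and m.group("user") in SYSTEM_PROFILES:
            findings.append(("MEDIUM", "Startup shortcut in the SYSTEM/Default profile", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("LOW", "service binary carries no vendor information", line))
    # An AppInit DLL that is also registered as a BHO is almost certainly one implant.
    for dll in appinit:
        if dll in bho_dlls:
            findings.append(("HIGH", f"AppInit_DLLs entry {dll} is also registered as a BHO", bho_dlls[dll]))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

On the sample lines this flags the GUID-named BHO backed by xoejjs.dll, the same DLL in AppInit_DLLs, the SYSTEM-profile Run entry labelled msiexec.exe that actually launches msiconf.exe, and the Rapid Antivirus shortcut in the SYSTEM profile, while the legitimate McAfee, Java and NVIDIA entries produce nothing. Treat the output as a starting point for the helper's judgement, not a verdict: a vendor field reading "Unknown owner" is common for unsigned but harmless services.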

Re: VUNDO is no FUN-DO

Post by DFW » January 1st, 2009, 10:59 am

Hi monza


Rename HijackThis

Go to the C drive, Program Files, the Trend Micro folder, then the HijackThis folder.
Inside you will find HijackThis.exe.

Right-click on HijackThis.exe, select Rename, and rename it to scanner.exe.




Can you please update and run the Malwarebytes' Anti-Malware you already have installed.

Launch Malwarebytes' Anti-Malware and check for updates:
Click on the Update tab, then click on Check for Updates.

Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab; the bottom-most log is the latest.



You have a program installed I would like some more information on, Portal.


  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Select Portal and click on Edit uninstall command button.
  6. Copy and paste this command to a document.


Please now reboot your system, then run HijackThis and create a new log.



Please post back with

The new HJT Log
Uninstall Manager information on Portal
The Malwarebytes' Anti-Malware Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Post by monza » January 1st, 2009, 2:46 pm

24 new infections found with the new malware update. OK, here 'tis, the stuff:

"C:\Program Files\Steam\steam.exe" steam://uninstall/400

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:44 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0778122984
O20 - AppInit_DLLs: xoejjs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8128 bytes

Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 3

1/1/2009 12:31:31 PM
mbam-log-2009-01-01 (12-31-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116311
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xoejjs.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3ac7e8a3-eb69-4f78-ad28-b914603e6c4d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ac7e8a3-eb69-4f78-ad28-b914603e6c4d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ac7e8a3-eb69-4f78-ad28-b914603e6c4d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xoejjs.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\King\Local Settings\Temp\senekab22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGvWPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvUKAsS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wolfrcam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXppoMc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifgDUoP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxyqvdkxew.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekavpabayxr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekawqpuxjdb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxmupotkyp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaqlrndotn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Post by DFW » January 1st, 2009, 3:33 pm

Hi monza, you're doing well, but we still have a way to go.



Was this the result of the uninstall information on Portal?
"C:\Program Files\Steam\steam.exe" steam://uninstall/400





Next Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log




Download and run Combofix

Download ComboFix from one of these locations:
A word of warning: please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Very important! Before running ComboFix, temporarily disable your anti-virus (your McAfee) script blocking and any anti-malware real-time protection (your Ad-Aware) before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: ComboFix prompt to install the Recovery Console]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: ComboFix message shown after the Recovery Console is installed]

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.


Please post back the logs below so we can continue cleaning the system.

Combofix Log C:\ComboFix.txt
A New HijackThis log
SDFix Log
And information on Portal
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Unread postby monza » January 1st, 2009, 6:21 pm

Portal might sound suspicious, but it's only a game, as they say (one that can make you dizzy at times). Valve, maker of the infamous or not so infamous Half-Life. It runs under the Steam platform :cheers:


SDFix: Version 1.240
Run by King on Thu 01/01/2009 at 03:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 15:52:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmupotkyp.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxmupotkyp.sys"
"msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxyqvdkxew.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"="C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 31 Dec 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Wed 31 Dec 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 1 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 31 Dec 2008 2,834 ...HR --- "C:\Documents and Settings\King\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

ComboFix 08-12-31.01 - King 2009-01-01 16:04:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1536.973 [GMT -6:00]
Running from: c:\documents and settings\King\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jkse73hedfdgf.dll
c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2009-01-01 15:57 . 2009-01-01 15:57 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-01 15:45 . 2009-01-01 15:45 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-01 15:43 . 2009-01-01 15:43 <DIR> d-------- c:\windows\ERUNT
2009-01-01 15:39 . 2009-01-01 15:39 <DIR> d-------- c:\documents and settings\King\WINDOWS
2009-01-01 15:33 . 2009-01-01 15:54 <DIR> d-------- C:\SDFix
2008-12-31 22:42 . 2009-01-01 15:56 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2
2008-12-31 22:10 . 2008-12-31 22:10 <DIR> d-------- C:\VundoFix Backups
2008-12-31 21:33 . 2008-12-31 21:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 21:08 . 2008-12-31 21:08 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 21:07 . 2008-12-31 21:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 20:34 . 2008-12-31 20:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 20:34 . 2008-12-31 20:34 <DIR> d-------- c:\documents and settings\King\Application Data\Malwarebytes
2008-12-31 20:34 . 2008-12-31 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 20:34 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 20:34 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-31 20:24 . 2008-12-31 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 18:57 . 2008-12-31 18:57 <DIR> d-------- c:\program files\uTorrent
2008-12-31 18:57 . 2008-12-31 20:41 <DIR> d-------- c:\documents and settings\King\Application Data\uTorrent
2008-12-31 15:39 . 2009-01-01 16:08 9,799 --a------ c:\windows\system32\Config.MPF
2008-12-31 15:35 . 2009-01-01 15:52 <DIR> d-------- c:\program files\SiteAdvisor
2008-12-31 15:35 . 2009-01-01 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-31 15:34 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-31 15:32 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-31 15:32 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-31 15:32 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-31 15:32 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-31 15:31 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-31 15:31 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-31 15:30 . 2008-12-31 15:31 <DIR> d-------- c:\program files\McAfee.com
2008-12-31 15:30 . 2009-01-01 15:36 <DIR> d-------- c:\program files\McAfee
2008-12-31 15:30 . 2008-12-31 15:31 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-31 15:27 . 2009-01-01 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-31 13:59 . 2008-12-31 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 11:05 . 2008-12-31 11:05 40,448 --a------ c:\windows\system32\k9261108.exe
2008-12-16 19:32 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-16 19:32 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-16 19:31 . 2008-12-16 19:32 <DIR> d-------- c:\program files\iTunes
2008-12-16 19:31 . 2008-12-16 19:31 <DIR> d-------- c:\program files\iPod
2008-12-16 19:31 . 2008-12-16 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 05:02 --------- d-----w c:\program files\Yahoo!
2009-01-01 05:02 --------- d-----w c:\documents and settings\King\Application Data\Yahoo!
2009-01-01 05:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-01 05:01 --------- d-----w c:\program files\Java
2008-12-31 21:30 --------- d-----w c:\documents and settings\King\Application Data\Azureus
2008-12-31 17:52 --------- d-----w c:\program files\Steam
2008-12-19 03:18 --------- d-----w c:\program files\Bethesda Softworks
2008-12-19 01:19 --------- d-----w c:\program files\Diablo II
2008-12-17 01:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-17 01:30 --------- d-----w c:\program files\QuickTime
2008-11-29 17:16 --------- d-----w c:\documents and settings\King\Application Data\Winamp
2008-11-29 12:04 --------- d-----w c:\program files\Winamp
2008-11-29 05:55 --------- d-----w c:\program files\Haali
2008-11-29 05:51 --------- d-----w c:\program files\ffdshow
2008-05-11 20:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-06-15 4957736]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-06-15 20480]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-12-31 2468200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\King\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-05-23 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\logonui_blue.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xoejjs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2009-01-01 206096]
R3 SaiH353e;SaiH353e;c:\windows\system32\DRIVERS\SaiH353e.sys [2004-07-26 56576]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S2 0034311230845832mcinstcleanup;McAfee Application Installer Cleanup (0034311230845832);c:\windows\TEMP\003431~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-01 c:\windows\Tasks\dpzekqav.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2008-12-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\King\Application Data\Mozilla\Firefox\Profiles\7rxrunop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 16:08:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-796845957-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
@Security="Inherited"
"??"=hex:1b,5c,00,6c,19,29,b6,60,a7,81,26,f9,6d,5e,cb,bb

[HKEY_USERS\S-1-5-21-1644491937-796845957-839522115-1004\Software\SecuROM\License information*NULL*]
@Security="Inherited"
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-01 16:11:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-01 22:11:03

Pre-Run: 266,178,510,848 bytes free
Post-Run: 266,354,556,928 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:32 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0778122984
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: xoejjs.dll
O23 - Service: McAfee Application Installer Cleanup (0034311230845832) (0034311230845832mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003431~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7908 bytes
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Unread postby DFW » January 1st, 2009, 6:59 pm

Hi monza

Thank you for the information on Portal. Better to be safe than sorry.


While I was looking at the ComboFix log I noticed that there are signs of P2P programs installed. They were not on the uninstall list you posted. Have you uninstalled them already? If not, read below.



IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus
uTorrent


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

Please confirm that the programs have been uninstalled so we can continue.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Unread postby monza » January 1st, 2009, 7:14 pm

Yeah, I had Azureus; I had it uninstalled, but I do have uTorrent and I just uninstalled it. I contracted the Vundo from Photobucket (well, that's when it hit the hardest, at least when I really noticed the performance drop and popup hell). I was just sitting there browsing my pics on Photobucket and then all of a sudden I was hit. I fully understand P2P programs are eventually going to sink your comp into virus hell if you actually use them a lot. I rarely did. No sweat.

This is my list of Add/Remove Programs. Is that all I need to post for confirmation?

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Battlefield 2(TM)
Bonjour
BootSkin
ClearType Tuning Control Panel Applet
Counter-Strike: Source
Creative Audio Console
Diablo II
Fallout 3
Fallout2
ffdshow [rev 2364] [2008-11-25]
Growler Guncam
GTR 2 1.0.0.0
Haali Media Splitter
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HHD Software Free Hex Editor Neo 4.64
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IL-2 Manager 5.0 PF
IL-2 Sturmovik 1946
Image Resizer Powertoy for Windows XP
ImTOO iPod Movie Converter
iTunes
Java(TM) 6 Update 11
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Pro Photo Tools
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.1b2)
MSXML 6.0 Parser (KB933579)
Nero Suite
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
OpenOffice.org Installer 1.0
Portal
QuickTime
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shadowgrounds
Steam
Team Fortress 2
Titan Quest
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Winamp
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XviD MPEG-4 Video Codec
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Unread postby DFW » January 2nd, 2009, 3:56 am

Well done. I need to go over all the logs; I'll be back ASAP.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Unread postby DFW » January 2nd, 2009, 3:32 pm

Hi monza

One or more of the identified infections is a backdoor trojan.

It appears to be this one: http://www.greatis.com/appdata/d/m/msqp ... emoval.htm

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: VUNDO is no FUN-DO

Unread postby monza » January 2nd, 2009, 6:50 pm

I think I will reformat. Thanks for your help and time in the matter I appreciate it.
Good luck to you and hope I won't have to come back here anytime soon :)

I had a German Shepherd too as a kid; his name was Mac. Best dog I ever had :cheers:
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Unread postby DFW » January 2nd, 2009, 7:18 pm

OK, I understand. If you need any help with the reformat, any of the forums below will help.


Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3


All may require you to register free before posting for help.



Here is some information to help you stay clean once you have reformatted. Apart from reinstalling your antivirus, use the software below to strengthen your defences.



Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing and using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide

Malwarebytes' Anti-Malware Scanning Guide



Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.




Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software



Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you are part of a business network, if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below.

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates", right click on the underlined words "Hosts Manager", choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager

After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, go to the left pane and click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.






Read some information here on how to prevent malware.


Regards
Last edited by DFW on January 2nd, 2009, 7:37 pm, edited 1 time in total.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
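As an added example (not part of the thread, and not code from any tool named above), the following Python script audits a Windows HOSTS file of the kind the post recommends: it parses the format, counts the sites it blocks by mapping them to the local machine, and flags the failure mode a defender cares about, an entry that sends a real site somewhere other than 127.0.0.1. The sample HOSTS content, hostnames and the 203.0.113.7 address are constructed (RFC 5737 documentation space), not values from the thread.

```python
"""Audit a HOSTS file used as a blocklist (added example, not from the thread).

A blocking HOSTS file should map every listed site to the machine itself
(127.0.0.1, or 0.0.0.0 which some lists use). Malware often does the
reverse and adds entries that redirect legitimate sites (banks, update
servers) to an attacker-controlled address, so any non-local target is
worth a look.
"""
import ipaddress

LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample; hostnames under .example are made up for this demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  badsite1.example   # blocked by list
127.0.0.1  badsite2.example badsite3.example
0.0.0.0    tracker.example
203.0.113.7  www.mybank.example   # <- not local: suspicious
127.0.0.1  badsite1.example       # duplicate
this is not a valid line
"""


def parse_hosts(text):
    """Return (entries, malformed).

    entries  : list of (line_no, address, [hostnames]) for usable lines
    malformed: list of (line_no, raw_line) whose first field is not an IP
    Comments (# to end of line) and blank lines are skipped.
    """
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append((line_no, raw.rstrip()))
            continue
        if len(fields) < 2:  # an address with no hostname is useless
            malformed.append((line_no, raw.rstrip()))
            continue
        entries.append((line_no, addr, [h.lower() for h in fields[1:]]))
    return entries, malformed


def audit_hosts(text):
    """Summarise a HOSTS file: blocked count, suspicious redirects, dupes."""
    entries, malformed = parse_hosts(text)
    blocked, seen, duplicates, suspicious = set(), set(), [], []
    for line_no, addr, hosts in entries:
        for host in hosts:
            if host in seen:
                duplicates.append((line_no, host))
            seen.add(host)
            if addr in LOCAL_TARGETS:
                if host != "localhost":  # the stock entry is not a block
                    blocked.add(host)
            else:
                # A real site pointed away from the local machine is the
                # classic sign of a hijacked HOSTS file.
                suspicious.append((line_no, addr, host))
    return {"blocked": len(blocked), "suspicious": suspicious,
            "duplicates": duplicates, "malformed": malformed}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blocked hosts : {report['blocked']}")
    for line_no, addr, host in report["suspicious"]:
        print(f"SUSPICIOUS line {line_no}: {host} -> {addr}")
    for line_no, host in report["duplicates"]:
        print(f"duplicate line {line_no}: {host}")
    for line_no, raw in report["malformed"]:
        print(f"malformed line {line_no}: {raw}")
```

To audit the live file, read C:\WINDOWS\system32\drivers\etc\hosts and pass its text to audit_hosts; the same checks apply to the 80,000-line list the manager downloads.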

Re: VUNDO is no FUN-DO

Unread postby monza » January 2nd, 2009, 7:31 pm

How long will this topic be here? I might not get to formatting until next week.
monza
Active Member
 
Posts: 7
Joined: January 1st, 2009, 1:29 am

Re: VUNDO is no FUN-DO

Unread postby DFW » January 2nd, 2009, 7:35 pm

It will be locked in a day or so, but you will be able to view it anytime; just save this link.

http://malwareremoval.com/forum/viewtop ... 11&t=38256
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK