Vundo

Post by mchristisen » March 9th, 2009, 5:54 pm

Hello. Been infected with Vundo and cannot shake it. SUPERAntiSpyware, Malwarebytes and Spybot all detect it, but fail at removing it. Vundo also appears to have disabled the Spybot TeaTimer "Deny Change" button. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:14 PM, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\LEXBCES.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\system32\LEXPPS.EXE
J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
J:\Program Files\Common Files\LightScribe\LSSrvc.exe
J:\Program Files\Norton Ghost\Agent\VProSvc.exe
J:\WINDOWS\Explorer.EXE
J:\WINDOWS\system32\nvsvc32.exe
J:\WINDOWS\System32\snmp.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\dllhost.exe
J:\WINDOWS\system32\fxssvc.exe
J:\Program Files\Canon\CAL\CALMAIN.exe
J:\WINDOWS\System32\dllhost.exe
J:\WINDOWS\system32\wscntfy.exe
J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
J:\WINDOWS\system32\RunDLL32.exe
J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
J:\WINDOWS\RTHDCPL.EXE
J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
J:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
J:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
J:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
J:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
J:\WINDOWS\system32\wuauclt.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\NOTEPAD.EXE
J:\Program Files\Mozilla Firefox\firefox.exe
J:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - J:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {47f49451-c221-4894-b94f-741ab11eecce} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7C17ED8D-8573-41F1-8833-BACFED538328} - (no file)
O2 - BHO: (no name) - {86c472dd-22da-4422-88c5-0a0112b339fc} - (no file)
O2 - BHO: (no name) - {CC253A61-3FE5-4311-83C9-D3992189147D} - (no file)
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PowerMate] J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "J:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark 3100 Series] "J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [000000af] rundll32.exe "J:\WINDOWS\system32\idihdrog.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] J:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - J:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - J:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: dkdklc.dll qmukun.dll
O20 - Winlogon Notify: !SASWinLogon - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcArSMd - J:\WINDOWS\
O20 - Winlogon Notify: wvUlmKeB - J:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - J:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - J:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - J:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - J:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymSnapService - Symantec - J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 7006 bytes
mchristisen
Regular Member
 
Posts: 15
Joined: December 19th, 2008, 4:43 am

Re: Vundo

Post by dan12 » March 9th, 2009, 5:57 pm

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Vundo

Post by mchristisen » March 9th, 2009, 6:08 pm

ABBYY FineReader 5.0 Sprint
Adobe AIR
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Advanced Video FX Utility
Apple Mobile Device Support
Apple Software Update
Canon Camera Access Library
Canon Camera Support Core Library
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.5
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 9
Creative WebCam Center
Creative WebCam Instant Driver (1.03.02.0425)
DAO
Defraggler (remove only)
DVDFab Platinum 4.0.6.0 Beta
EAGLE 5.4.0
Ext2 IFS 1.11 for Windows XP
FileZilla Client 3.0.7
Hackman Suite
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HI-TECH PICC-Lite V9.60PL1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
InfraRecorder
iPhoneBrowser
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
K-Lite Codec Pack 3.2.5 Standard
Lexmark 3100 Series
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Microchip TCP/IP Stack 3.75
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime v1.0 (x86)
Microsoft Sync Framework Services v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
MiniCSU-3 USB Drivers
mIRC
Mozilla Firefox (3.0.7)
MPLAB C18 v3.16 Student Edition
MPLAB Tools v7.60
MPLAB Tools v8.01
MSDN Library for Visual Studio 2005
MSDN Library for Visual Studio 2005
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Ultra Edition
neroxml
nLite 1.4.9.1
Norton Ghost
NVIDIA Drivers
Palm Desktop
Passware Kit 5.7
PCB123 V2
PE Builder 3.1.10a
PE Explorer 1.99
PowerDVD
PowerMate 1.5.3
PowerQuest PartitionMagic 8.0 Demo
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RunAlyzer
SATARaid
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Skype™ 3.8
SourceBoost IDE 6.81
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SureThing CD Labeler 4 SE
SyncToy 2.0 (x86)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USBTrace V2.0
VCRedistSetup
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Mobile 5.0 Pocket PC SDK
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver


Thank you for your assistance Dan.
mchristisen
Regular Member
 
Posts: 15
Joined: December 19th, 2008, 4:43 am

Re: Vundo

Post by dan12 » March 9th, 2009, 6:15 pm

I see you have CCleaner; can you set it up as below and run the scan?

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
(Do not use the Registry block to clean anything with this program. It is for experts only and it is risky.)
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):


O2 - BHO: (no name) - {47f49451-c221-4894-b94f-741ab11eecce} - (no file)
O2 - BHO: (no name) - {7C17ED8D-8573-41F1-8833-BACFED538328} - (no file)
O2 - BHO: (no name) - {86c472dd-22da-4422-88c5-0a0112b339fc} - (no file)
O2 - BHO: (no name) - {CC253A61-3FE5-4311-83C9-D3992189147D} - (no file)


WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.

----------------------


Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
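One way to triage a HijackThis log like the ones posted in this thread, as an added example that is not code from the forum, the helper or HijackThis: it parses each Rn/On line and flags the kinds of entries a helper reviews first (orphaned O2 BHOs marked (no file), O20 AppInit_DLLs and Winlogon Notify entries, and O4 rundll32 autostarts with non-descriptive names). The regexes and flag rules are my own review heuristics, not a verdict on any machine; the sample lines are copied from the first log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the first HijackThis
# log in this thread, enough to exercise every rule below.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - J:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll",
    "O2 - BHO: (no name) - {47f49451-c221-4894-b94f-741ab11eecce} - (no file)",
    "O2 - BHO: (no name) - {7C17ED8D-8573-41F1-8833-BACFED538328} - (no file)",
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE J:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    "O4 - HKLM\\..\\Run: [000000af] rundll32.exe \"J:\\WINDOWS\\system32\\idihdrog.dll\",b",
    "O20 - AppInit_DLLs: dkdklc.dll qmukun.dll",
    "O20 - Winlogon Notify: !SASWinLogon - J:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll",
    "O20 - Winlogon Notify: ddcArSMd - J:\\WINDOWS\\",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\\WINDOWS\\system32\\nvsvc32.exe",
])

# Every HijackThis entry line starts with a section code such as R0, O2, O20.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 bodies look like: HKLM\..\Run: [ValueName] command line
RUN_VALUE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# rundll32 <dll>,<export>, with the DLL path optionally quoted
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S*)',
                    re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per 'Rn - ...' / 'On - ...' line; header and process lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entry):
    """Attach review flags. These are generic log-review heuristics (my own), not a verdict."""
    sec, body = entry.section, entry.body
    if sec == "O2" and body.endswith("(no file)"):
        # CLSID still registered under Browser Helper Objects but the DLL is gone:
        # harmless leftover, which is why the helper lists these for Fix Checked.
        entry.flags.append("orphaned BHO: CLSID registered but its DLL is missing")
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so each listed name should be accounted for.
            entry.flags.append("AppInit_DLLs injects %s into every user32 process; verify each"
                               % ", ".join(dlls))
    elif sec == "O20" and body.startswith("Winlogon Notify:"):
        path = body.rsplit(" - ", 1)[-1]
        if path.endswith("\\"):
            # A Notify handler that resolves to a directory rather than a DLL file.
            entry.flags.append("Winlogon Notify handler with a directory but no DLL name")
    elif sec == "O4":
        rv = RUN_VALUE.search(body)
        rd = RUNDLL.search(body)
        if rv and rd:
            hex_name = re.fullmatch(r"[0-9a-f]+", rv["name"], re.IGNORECASE) is not None
            if hex_name or len(rd["export"]) <= 1:
                entry.flags.append("rundll32 autostart [%s] with non-descriptive name/export; verify %s"
                                   % (rv["name"], rd["dll"]))
    return entry


def review(text):
    """Return [(section, flag)] for every flagged entry, in log order."""
    out = []
    for e in map(triage, parse_log(text)):
        for f in e.flags:
            out.append((e.section, f))
    return out


if __name__ == "__main__":
    for section, flag in review(SAMPLE_LOG):
        print(section, "-", flag)
```

Lines that carry no flag (the Adobe BHO, the NVIDIA rundll32 entry, the SUPERAntiSpyware Notify handler) pass through untouched, so the output is only the short list a helper would look at.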

Re: Vundo

Post by mchristisen » March 9th, 2009, 7:39 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:42 PM, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\LEXBCES.EXE
J:\WINDOWS\system32\LEXPPS.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
J:\Program Files\Common Files\LightScribe\LSSrvc.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Norton Ghost\Agent\VProSvc.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\WINDOWS\System32\snmp.exe
J:\WINDOWS\system32\RunDLL32.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\dllhost.exe
J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
J:\WINDOWS\system32\fxssvc.exe
J:\WINDOWS\RTHDCPL.EXE
J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
J:\Program Files\Canon\CAL\CALMAIN.exe
J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
J:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
J:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
J:\WINDOWS\system32\wscntfy.exe
J:\WINDOWS\System32\dllhost.exe
J:\Program Files\Trend Micro\HijackThis\HijackThis.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
J:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - J:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PowerMate] J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "J:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark 3100 Series] "J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [000000af] rundll32.exe "J:\WINDOWS\system32\idihdrog.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] J:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - J:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - J:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: dkdklc.dll qmukun.dll
O20 - Winlogon Notify: !SASWinLogon - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcArSMd - J:\WINDOWS\
O20 - Winlogon Notify: wvUlmKeB - J:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - J:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - J:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - J:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - J:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymSnapService - Symantec - J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 6518 bytes
----------------------
ComboFix 09-03-06.02 - Matt 2009-03-09 17:30:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.538 [GMT -5:00]
Running from: j:\documents and settings\Matt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-09 16:46 . 2009-03-09 16:46 <DIR> d-------- j:\program files\Trend Micro
2009-03-08 16:34 . 2009-03-08 16:35 <DIR> d-------- j:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:34 . 2009-03-08 16:34 <DIR> d-------- j:\documents and settings\Matt\Application Data\Malwarebytes
2009-03-08 16:34 . 2009-03-08 16:34 <DIR> d-------- j:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:34 . 2009-02-11 10:19 38,496 --a------ j:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:34 . 2009-02-11 10:19 15,504 --a------ j:\windows\system32\drivers\mbam.sys
2009-03-08 14:32 . 2009-03-08 14:32 <DIR> d-------- j:\program files\SUPERAntiSpyware
2009-03-08 14:32 . 2009-03-08 14:32 <DIR> d-------- j:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-03-08 14:32 . 2009-03-08 14:32 <DIR> d-------- j:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 14:19 . 2009-03-08 14:19 <DIR> d-------- j:\program files\EAGLE-5.4.0
2009-03-08 14:19 . 2009-03-08 14:19 <DIR> d-------- j:\documents and settings\Matt\Application Data\CadSoft
2009-03-07 15:51 . 2009-03-08 20:38 <DIR> d--hs---- J:\Renamed for testingConfigDotMsi
2009-03-07 15:49 . 2009-03-07 15:49 <DIR> d-------- j:\documents and settings\All Users\Application Data\ScanSoft
2009-03-07 15:33 . 2009-03-07 15:55 <DIR> d-------- j:\documents and settings\All Users\Application Data\NeatReceipts Professional
2009-03-07 15:21 . 2009-03-07 15:55 <DIR> d-------- j:\program files\NeatReceipts Professional
2009-03-07 15:21 . 2009-03-07 15:53 <DIR> d-------- j:\program files\Common Files\NeatReceipts
2009-03-03 14:20 . 2009-03-03 14:20 <DIR> d-------- j:\documents and settings\Matt\Application Data\Intuit
2009-03-03 14:20 . 2009-03-03 14:20 <DIR> d-------- j:\documents and settings\All Users\Application Data\Intuit
2009-03-03 14:20 . 2009-03-04 13:39 31 --a------ j:\windows\QUICKEN.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 22:24 --------- d-----w j:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 19:32 --------- d-----w j:\documents and settings\Matt\Application Data\Skype
2009-03-08 19:31 --------- d-----w j:\program files\Common Files\Wise Installation Wizard
2009-03-08 19:31 --------- d-----w j:\documents and settings\Matt\Application Data\uTorrent
2009-03-08 19:16 --------- d-----w j:\program files\EAGLE-4.16r2
2009-03-08 19:15 --------- d-----w j:\program files\CCleaner
2009-03-08 13:04 --------- d-----w j:\documents and settings\Matt\Application Data\skypePM
2009-03-07 20:31 --------- d-----w j:\program files\Microsoft SQL Server
2009-03-07 20:18 --------- d--h--r j:\documents and settings\Matt\Application Data\Microchip
2009-03-05 04:48 --------- d-----w j:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-03 19:21 --------- d--h--w j:\program files\InstallShield Installation Information
2009-03-02 17:25 --------- d-----w j:\documents and settings\Matt\Application Data\FileZilla
2009-01-20 17:58 --------- d-----w j:\documents and settings\Matt\Application Data\Vso
2009-01-13 00:14 --------- d-----w j:\program files\Common Files\Skype
2009-01-09 02:46 --------- d-----w j:\program files\Microsoft ActiveSync
2009-01-09 02:46 --------- d-----w j:\program files\Common Files\Symantec Shared
2009-01-09 02:41 --------- d-----w j:\documents and settings\Matt\Application Data\Ahead
2008-12-20 23:15 826,368 ----a-w j:\windows\system32\wininet.dll
2008-09-26 02:19 479,232 --sha-w j:\documents and settings\Matt\Rename_css.exe
2008-03-19 01:18 47,360 ----a-w j:\documents and settings\Matt\Application Data\pcouffin.sys
2008-04-18 15:56 118,784 ----a-w j:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-09_10.04.40.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-09 17:26:36 16,384 ------w j:\windows\Temp\Perflib_Perfdata_104.dat
+ 2009-03-09 17:26:53 16,384 ------w j:\windows\Temp\Perflib_Perfdata_258.dat
+ 2009-03-09 17:26:46 16,384 ------w j:\windows\Temp\Perflib_Perfdata_bc0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="j:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="j:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="j:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerMate"="j:\program files\Griffin Technology\PowerMate\PowerMate.exe" [2004-03-23 73728]
"Adobe Reader Speed Launcher"="j:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Lexmark 3100 Series"="j:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"LXBRKsk"="j:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"NvCplDaemon"="j:\windows\system32\NvCpl.dll" [2006-04-05 7561216]
"000000af"="j:\windows\system32\idihdrog.dll" [BU]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 j:\windows\system32\P0620Pin.dll]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 j:\windows\RTHDCPL.exe]

j:\documents and settings\Nikki\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - j:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

j:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARaid.lnk - j:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2008-03-09 1019961]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "j:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 j:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArSMd]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmKeB]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dkdklc.dll qmukun.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKLM\~\startupfolder\J:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=j:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=j:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\J:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=j:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=j:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 j:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-07-18 18:55 451872 j:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 j:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 j:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 15:31 21633320 j:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 j:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 j:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 00:22 1826816 j:\windows\SkyTel.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="j:\program files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Css"=j:\documents and settings\Matt\css.exe
"Norton Ghost 14.0"="j:\program files\Norton Ghost\Agent\VProTray.exe"
"GrooveMonitor"="j:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"iTunesHelper"="j:\program files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=j:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE j:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE j:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"j:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"j:\\WINDOWS\\system32\\LEXPPS.EXE"=
"j:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"j:\\Program Files\\uTorrent\\uTorrent.exe"=
"j:\\WINDOWS\\system32\\fxsclnt.exe"=
"j:\\Program Files\\iTunes\\iTunes.exe"=
"j:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"j:\\Program Files\\Messenger\\msmsgs.exe"=
"j:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"j:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"j:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"j:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"j:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 si3112r;ATI-437A Serial ATA Controller;j:\windows\system32\drivers\SI3112r.sys [2007-10-07 102528]
R0 SiWinAcc;SiWinAcc;j:\windows\system32\drivers\SiWinAcc.sys [2003-10-15 10240]
R1 Ext2fs;Ext2fs;j:\windows\system32\drivers\ext2fs.sys [2008-05-18 179584]
R1 IfsMount;IfsMount;j:\windows\system32\drivers\ifsmount.sys [2008-05-18 49536]
R1 SASDIFSV;SASDIFSV;j:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;j:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;j:\windows\system32\dllhost.exe [2001-08-23 5120]
R3 SASENUM;SASENUM;j:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 SymSnapService;SymSnapService;j:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
S3 BTCOMM;BTCOMM;j:\windows\system32\drivers\Btcomm.sys [2008-01-08 55344]
S3 BTKRNBDG;AmbiCom Bluetooth COM Bridge;j:\windows\system32\drivers\BtKrnBdg.sys [2008-01-08 15908]
S3 usbsnoop;USB Snoopy Filter Driver Service;j:\windows\system32\drivers\USBSnoop.sys [2008-02-13 72588]
S3 usbsnpys;USB Snoopy Driver Exposer Service;j:\windows\system32\drivers\USBSnpys.sys [2008-02-13 92544]
S3 utdrv;utdrv;j:\windows\system32\drivers\utdrv.sys [2008-11-18 12288]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;j:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9a9a6-8a72-11dd-9fdf-001d7d0013cf}]
\Shell\AutoRun\command - C:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"j:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 j:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- j:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]

2009-03-09 j:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- j:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 13:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.defaulthomepage.info
IE: E&xport to Microsoft Excel - j:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - j:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\52601g5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: j:\program files\Mozilla Firefox\plugins\NPCIG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 17:32:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
j:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-09 17:35:19
ComboFix-quarantined-files.txt 2009-03-09 22:35:15
ComboFix2.txt 2009-03-09 15:06:06

Pre-Run: 87,083,667,456 bytes free
Post-Run: 87,060,942,848 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
198 --- E O F --- 2009-02-25 09:00:30
***************************************************************************************************************************
***************************************************************************************************************************
mchristisen
Regular Member
 
Posts: 15
Joined: December 19th, 2008, 4:43 am
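The ComboFix "Reg Loading Points" section above is where the remaining persistence shows up: a Run value named 000000af that points at a DLL and carries no date/size stamp, two Winlogon Notify subkeys (ddcArSMd, wvUlmKeB) with random-looking names and no DLL listed under them, an AppInit_DLLs value naming two DLLs, and an AutoRun command stored under MountPoints2. As an added example (editor's code, not part of this thread and not ComboFix's own logic), the Python script below reads a ComboFix-style section and flags exactly those conditions. The sample input is excerpted from the log above; the heuristics (an unstamped Run target, a hex-only value name, a Notify subkey with no dated DLL, any non-empty AppInit_DLLs, any MountPoints2 AutoRun command) are the editor's assumptions about what deserves a second look, not verdicts.

```python
"""Flag common persistence points in a ComboFix 'Reg Loading Points' section.

Added example for this thread; not part of ComboFix or of any tool used here.
The heuristics are the editor's own and produce leads, not verdicts.
"""
import re

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerMate"="j:\program files\Griffin Technology\PowerMate\PowerMate.exe" [2004-03-23 73728]
"NvCplDaemon"="j:\windows\system32\NvCpl.dll" [2006-04-05 7561216]
"000000af"="j:\windows\system32\idihdrog.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 j:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArSMd]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmKeB]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dkdklc.dll qmukun.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9a9a6-8a72-11dd-9fdf-001d7d0013cf}]
\Shell\AutoRun\command - C:\WDSetup.exe
"""

# A section header is a bracketed registry path; a bare '[BU]' line is not one.
KEY_RE = re.compile(r"^\[(?P<key>hk[^\]]+)\]$", re.I)
# Run entries look like: "Name"="target" [stamp]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# ComboFix stamps a file it could read with its date; anything else means it could not.
DATE_STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\b")
# A Notify subkey that is genuinely in use lists a dated DLL on the following line.
NOTIFY_DLL_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ .+\.dll$", re.I)
# Value names made only of hex digits are unusual for legitimate Run entries.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")


def analyse(log_text):
    """Return a list of (finding, detail) pairs in log order."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    key = None
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if "\\winlogon\\notify\\" in key.lower():
                name = key.rsplit("\\", 1)[1]
                following = next((ln for ln in lines[i + 1:] if ln.strip()), "")
                if not NOTIFY_DLL_RE.match(following):
                    findings.append(("winlogon_notify_no_dll", name))
            continue
        if key is None or not line.strip():
            continue
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                name, stamp = m.group("name"), m.group("stamp")
                if not DATE_STAMP_RE.match(stamp):
                    findings.append(("run_target_unstamped", name))
                if HEX_NAME_RE.match(name.lower()):
                    findings.append(("run_hex_value_name", name))
        elif low.endswith("\\currentversion\\windows"):
            if line.lower().startswith('"appinit_dlls"='):
                dlls = line.split("=", 1)[1].strip()
                if dlls:
                    findings.append(("appinit_dlls_set", dlls))
        elif "\\mountpoints2\\" in low and "\\autorun\\command" in line.lower():
            cmd = line.split(" - ", 1)[1].strip() if " - " in line else line
            findings.append(("mountpoints2_autorun", cmd))
    return findings


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_LOG):
        print(f"{finding:24} {detail}")
```

Each hit is a lead to check against the rest of the log, not a decision: the MountPoints2 entry, for instance, may simply be a drive's bundled setup program, which is why the script reports the command rather than judging it.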

Re: Vundo

Unread postby dan12 » March 9th, 2009, 8:05 pm

Did you have problems with ComboFix, as it's been run three times?
I needed to see what it addressed in the first run.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Vundo

Unread postby mchristisen » March 9th, 2009, 8:13 pm

I had run ComboFix yesterday. The 2nd time was at your recommendation. After running through your instructions I opened HijackThis and found the four BHO entries listed again.
So I ran through the instructions one more time. I suppose the ComboFix file is overwritten each time.

Re: Vundo

Unread postby dan12 » March 9th, 2009, 8:21 pm

"The 2nd time was at your recommendation"

Where did I ask to run it again? I only asked the once :)
You didn't install the recovery console!

Re: Vundo

Unread postby mchristisen » March 9th, 2009, 8:36 pm

Oh, sorry Dan. I wasn't saying that you told me to run it a second time. I failed to mention that I had already run ComboFix while trying to remedy my problem. So, when I ran ComboFix at your recommendation it was the second time it had run. Then, after completing your instructions I checked HijackThis and found the four BHO files again. So I ran through your instructions again, thinking I may have missed something. That is the reason you saw ComboFix had run three times.

Re: Vundo

Unread postby dan12 » March 9th, 2009, 8:47 pm

It's important you only run the tools I ask for, for the duration of the fix.
You're lucky you didn't nuke your system, as ComboFix is a very powerful tool and only to be used with guidance.
I'm presently going over your returned log; as it will take me a little time, I should be posting a reply tomorrow UK time.
dan

Re: Vundo

Unread postby dan12 » March 10th, 2009, 6:31 am

Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti.

Please visit Jotti
Copy/paste the following file path into the window
j:\documents and settings\Matt\css.exe

Click Submit/Send File
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal



Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
:files 
j:\windows\system32\idihdrog.dll
 j:\documents and settings\Matt\Application Data\uTorrent
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000000af"="j:\windows\system32\idihdrog.dll" [BU]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9a9a6-8a72-11dd-9fdf-001d7d0013cf}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


    

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArSMd]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmKeB]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify]
    
    


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Post:
Jotti's report
OTMoveIt report
SystemLook.txt
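The :reg section of the OTMoveIt3 script above uses REGEDIT4-style directives, and the OTMoveIt log mchristisen posts next confirms how each form was interpreted: [-KEY] deleted the MountPoints2 key, "AppInit_DLLs"=- deleted that value, and the 000000af line, which carries the " [BU]" stamp exactly as it appeared in the ComboFix log, was executed as a write ("value set successfully!") rather than a delete; the HijackThis log that follows still lists the value, now reading [000000af] j:\windows\system32\idihdrog.dll" [BU, and it is Malwarebytes that finally removes it as Trojan.Vundo.H. As an added example (editor's code, not part of the thread and not OTMoveIt3's own parser), here is a small pre-flight checker that classifies each :reg directive and warns when a write carries log residue. The sample script is the one posted above with the :files section shortened; the assumption that a trailing ComboFix stamp in a write indicates a copy-paste of a log line rather than intended data is the editor's.

```python
"""Classify the :reg directives of an OTMoveIt3 script before it is run.

Added example for this thread; not part of OTMoveIt3. The :reg section uses
REGEDIT4-style lines, as the OTMoveIt log in this thread shows: [-KEY]
deletes a key, "Name"=- deletes a value, and "Name"="data" writes a value.
"""
import re

# Constructed sample: the script posted above, with the :files section shortened.
SCRIPT = r'''
:files
j:\windows\system32\idihdrog.dll
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000000af"="j:\windows\system32\idihdrog.dll" [BU]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9a9a6-8a72-11dd-9fdf-001d7d0013cf}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
'''

KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# A trailing ' [BU]' or ' [2009-03-09 1234]' is a ComboFix stamp pasted from a
# log line, not registry data the fixer meant to write (editor's assumption).
LOG_RESIDUE_RE = re.compile(r"\s\[(?:BU|\d{4}-\d{2}-\d{2}[^\]]*)\]$")


def classify_reg_section(script):
    """Return (action, key, value_name, data, warning) tuples for the :reg section."""
    actions = []
    in_reg = False
    key = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):            # section switch, e.g. :files / :reg
            in_reg = line.lower() == ":reg"
            continue
        if not in_reg:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("minus"):
                actions.append(("delete_key", key, None, None, None))
                key = None                  # value lines cannot follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group("name"), m.group("data").strip()
            if data == "-":
                actions.append(("delete_value", key, name, None, None))
            else:
                warning = None
                if LOG_RESIDUE_RE.search(data):
                    warning = f'data ends with a ComboFix stamp; did you mean "{name}"=- ?'
                actions.append(("set_value", key, name, data, warning))
            continue
        actions.append(("unparsed", key, None, line, "line not understood"))
    return actions


def preflight_warnings(script):
    """Only the warnings, for a quick check before the script is pasted into the tool."""
    return [a[4] for a in classify_reg_section(script) if a[4]]


if __name__ == "__main__":
    for action, key, name, data, warning in classify_reg_section(SCRIPT):
        print(action, key, name, data, warning or "")
```

Run against the posted script, the checker reports one write and one warning, which is the line a reviewer would want rewritten as "000000af"=- before the script goes to the user.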

Re: Vundo

Unread postby mchristisen » March 10th, 2009, 10:48 am

css.exe is infected. I found css.exe with the following filename: "Renamed_css.exe". I am not sure if I did that in the past or not; sometimes I rename suspect files in that manner before deleting them. I have not run OTMoveIt3 or SystemLook.

Re: Vundo

Unread postby mchristisen » March 10th, 2009, 11:37 am

========== FILES ==========
File/Folder j:\windows\system32\idihdrog.dll not found.
j:\documents and settings\Matt\Application Data\uTorrent moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"000000af"|"j:\windows\system32\idihdrog.dll" [BU] /E : value set successfully!
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9a9a6-8a72-11dd-9fdf-001d7d0013cf}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\AppInit_DLLs deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03102009_103445

************************************************************************************************************************************************
************************************************************************************************************************************************

SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 10:36 on 10/03/2009 by Matt (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArSMd]
(No values found)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmKeB]
(No values found)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArSMd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmKeB]


-=End Of File=-

Re: Vundo

Unread postby dan12 » March 10th, 2009, 12:55 pm

As you have Malwarebytes on your system, can you now update it before running it and send me the log?
Don't forget to fix selected items.

Can I see a fresh HJT log also? Let me know how things are.

Re: Vundo

Unread postby mchristisen » March 10th, 2009, 1:27 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1831
Windows 5.1.2600 Service Pack 2

3/10/2009 12:03:44 PM
mbam-log-2009-03-10 (12-03-44).txt

Scan type: Quick Scan
Objects scanned: 82654
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\Documents and Settings\Matt\css.exe (Trojan.Agent) -> Quarantined and deleted successfully.

=================================================================================================================================
=================================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:00 PM, on 3/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\LEXBCES.EXE
J:\WINDOWS\system32\LEXPPS.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
J:\Program Files\Common Files\LightScribe\LSSrvc.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Norton Ghost\Agent\VProSvc.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\WINDOWS\System32\snmp.exe
J:\WINDOWS\system32\RunDLL32.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\dllhost.exe
J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
J:\WINDOWS\system32\fxssvc.exe
J:\WINDOWS\RTHDCPL.EXE
J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
J:\Program Files\Canon\CAL\CALMAIN.exe
J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
J:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
J:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
J:\WINDOWS\system32\wscntfy.exe
J:\WINDOWS\System32\dllhost.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
J:\WINDOWS\system32\wuauclt.exe
J:\Program Files\Mozilla Firefox\firefox.exe
J:\Documents and Settings\Matt\Desktop\OTMoveIt3.exe
J:\Documents and Settings\Matt\Desktop\SystemLook.exe
J:\WINDOWS\system32\NOTEPAD.EXE
J:\WINDOWS\system32\NOTEPAD.EXE
J:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - J:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PowerMate] J:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "J:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark 3100 Series] "J:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] J:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [000000af] j:\windows\system32\idihdrog.dll" [BU
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] J:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - J:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - J:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcArSMd - J:\WINDOWS\
O20 - Winlogon Notify: wvUlmKeB - J:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - J:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - J:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - J:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - J:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymSnapService - Symantec - J:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 6686 bytes

===========================================================================================================================================
===========================================================================================================================================

Malwarebytes found css.exe and fixed it. Another Malwarebytes scan showed no problems. Immediately after starting TeaTimer, a registry change pop-up for "idihdrog.dll" appeared. This change was denied, and two subsequent scans with Malwarebytes showed no problems. The TeaTimer process was killed and restarted without further registry change alerts. The following log was taken after the registry change pop-up from TeaTimer.

===============================================================================================================================================
===============================================================================================================================================
Malwarebytes' Anti-Malware 1.34
Database version: 1831
Windows 5.1.2600 Service Pack 2

3/10/2009 12:11:09 PM
mbam-log-2009-03-10 (12-11-09).txt

Scan type: Quick Scan
Objects scanned: 82627
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000000af (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)