
Author Topic: Malware problem vundo involved  (Read 7162 times)


AstorSigma

    Topic Starter


    Greenhorn

    Malware problem vundo involved
    « on: December 21, 2008, 04:09:20 PM »
    My laptop running XP is infected with Vundo and maybe other things. I'm not sure. I've gotten some bad processes like prunnet.exe and had things trying to install on their own. I have Norton Internet Security, but it seems to have an issue with scanning sometimes. That may be unrelated. The symptoms seem to be gone after doing the steps you listed, but Malwarebytes didn't restart when it asked me to. I had to manually restart, which I'm not sure is the right way to do it. Here are the logs requested:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/21/2008 at 04:11 PM

    Application Version : 4.23.1006

    Core Rules Database Version : 3661
    Trace Rules Database Version: 1641

    Scan type       : Complete Scan
    Total Scan Time : 00:38:25

    Memory items scanned      : 453
    Memory threats detected   : 2
    Registry items scanned    : 4660
    Registry threats detected : 9
    File items scanned        : 59134
    File threats detected     : 2

    Trojan.Vundo-Variant/Packed-GEN
       C:\WINDOWS\SYSTEM32\KHFDVSJB.DLL
       C:\WINDOWS\SYSTEM32\KHFDVSJB.DLL
       C:\WINDOWS\SYSTEM32\LJJBTUVM.DLL
       C:\WINDOWS\SYSTEM32\LJJBTUVM.DLL
       Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfDvSJB

    Unclassified.Unknown Origin
       HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
       HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
       HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
       HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
       HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

    Trojan.Unknown Origin
       HKLM\Software\xpre
       HKLM\Software\xpre#execount




    Malwarebytes' Anti-Malware 1.31
    Database version: 1528
    Windows 5.1.2600 Service Pack 2

    12/21/2008 4:27:41 PM
    mbam-log-2008-12-21 (16-27-41).txt

    Scan type: Quick Scan
    Objects scanned: 47448
    Time elapsed: 4 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:57:23 PM, on 12/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 7434 bytes



    Any help would be appreciated.

    CBMatt

    • Mod & Malware Specialist


    Re: Malware problem vundo involved
    « Reply #1 on: December 21, 2008, 09:16:11 PM »
    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    An undefined problem has an infinite number of solutions.
    -- Robert A. Humphrey

    AstorSigma

      Topic Starter


      Greenhorn

      Re: Malware problem vundo involved
      « Reply #2 on: December 24, 2008, 05:25:05 PM »
      Another problem has popped up. I'm getting rapid-fire popups on some sites. Just thought you should know. Here are the logs you asked for:

      ComboFix 08-12-24.01 - Owner 2008-12-24 18:16:14.2 - NTFSx86
      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3071.2504 [GMT -6:00]
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      .

      (((((((((((((((((((((((((   Files Created from 2008-11-25 to 2008-12-25  )))))))))))))))))))))))))))))))
      .

      2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\RealMedia
      2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\OpenSource Flash Video Splitter
      2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\MONOGRAM AMR SplitterDecoder
      2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\DScaler5
      2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\CD Audio Reader Filter
      2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\SHOUTcast Source
      2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\Haali
      2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\ffdshow
      2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\DSP-worx
      2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\DirectVobSub
      2008-12-22 16:35 . 2007-11-29 12:52   499,712   --a------   c:\windows\system32\msvcp71.dll
      2008-12-22 16:35 . 2007-11-29 12:52   348,160   --a------   c:\windows\system32\msvcr71.dll
      2008-12-22 16:35 . 2007-11-29 12:52   60,273   --a------   c:\windows\system32\pthreadGC2.dll
      2008-12-22 16:35 . 2007-12-03 16:34   7,680   --a------   c:\windows\system32\ff_vfw.dll
      2008-12-22 16:35 . 2007-11-29 12:52   547   --a------   c:\windows\system32\ff_vfw.dll.manifest
      2008-12-22 16:34 . 2008-12-24 17:56   <DIR>   d--------   c:\program files\Zoom Player
      2008-12-22 16:27 . 2008-12-22 16:28   <DIR>   d--------   c:\documents and settings\Owner\Application Data\FLVPlayer4Free
      2008-12-22 15:57 . 2008-12-22 15:57   0   --a------   c:\windows\PlayList.Fpl
      2008-12-22 15:54 . 2008-12-22 15:54   <DIR>   d--------   c:\windows\tmp
      2008-12-22 15:54 . 2008-12-22 15:54   389,120   --a------   c:\windows\system32\ACTSKN43.OCX
      2008-12-21 16:55 . 2008-12-21 16:55   <DIR>   d--------   c:\program files\Trend Micro
      2008-12-21 16:45 . 2008-12-21 16:45   <DIR>   d--------   c:\program files\Java
      2008-12-21 16:45 . 2008-12-21 16:45   410,984   --a------   c:\windows\system32\deploytk.dll
      2008-12-21 16:45 . 2008-12-21 16:45   73,728   --a------   c:\windows\system32\javacpl.cpl
      2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
      2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
      2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
      2008-12-21 16:21 . 2008-12-03 19:59   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
      2008-12-21 16:21 . 2008-12-03 19:59   15,504   --a------   c:\windows\system32\drivers\mbam.sys
      2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\program files\SUPERAntiSpyware
      2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
      2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2008-12-21 15:24 . 2008-12-21 15:24   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
      2008-12-21 15:18 . 2008-12-21 15:18   <DIR>   d--------   c:\program files\CCleaner
      2008-12-17 12:23 . 2008-12-17 12:23   <DIR>   d--------   c:\program files\Webteh
      2008-12-14 23:50 . 2008-12-14 23:50   96   --ah-----   c:\windows\system32\HsInfo.dat
      2008-12-14 23:16 . 2008-12-21 13:40   <DIR>   d--------   c:\program files\Gravity
      2008-12-12 19:09 . 2008-12-12 19:09   <DIR>   d--------   c:\program files\uTorrent
      2008-12-12 19:08 . 2008-12-20 16:50   <DIR>   d--------   c:\documents and settings\Owner\Application Data\uTorrent
      2008-12-10 16:15 . 2008-12-10 16:15   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Red Kawa
      2008-12-09 23:58 . 2008-12-09 23:59   <DIR>   d--------   c:\program files\QuickTime
      2008-12-07 20:23 . 2008-12-07 20:23   249,856   ---------   c:\windows\Setup1.exe
      2008-12-07 20:23 . 2008-12-07 20:23   73,216   --a------   c:\windows\ST6UNST.EXE
      2008-12-03 19:14 . 2008-12-03 19:14   <DIR>   d--------   c:\program files\Red Kawa
      2008-12-03 19:14 . 2008-12-03 19:14   <DIR>   d--------   c:\program files\AviSynth 2.5
      2008-12-03 19:13 . 2008-12-03 19:13   <DIR>   d--------   C:\OpenCandy
      2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\iTunes
      2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\iPod
      2008-12-03 16:00 . 2008-12-03 16:16   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Apple Computer
      2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
      2008-12-03 16:00 . 2008-04-17 13:12   107,368   --a------   c:\windows\system32\GEARAspi.dll
      2008-12-03 16:00 . 2008-04-17 13:12   15,464   --a------   c:\windows\system32\drivers\GEARAspiWDM.sys
      2008-12-03 15:59 . 2008-12-07 20:28   <DIR>   d--------   c:\program files\Bonjour
      2008-12-03 15:59 . 2008-12-07 03:01   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
      2008-12-03 15:58 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\Common Files\Apple
      2008-12-03 15:58 . 2008-12-03 15:58   <DIR>   d--------   c:\program files\Apple Software Update
      2008-12-03 15:58 . 2008-12-03 15:58   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple
      2008-12-03 15:58 . 2008-11-07 14:23   32,000   --a------   c:\windows\system32\drivers\usbaapl.sys

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-12-25 00:15   ---------   d-----w   c:\program files\Common Files\Symantec Shared
      2008-12-24 20:38   ---------   d-----w   c:\documents and settings\All Users\Application Data\Symantec
      2008-12-21 19:40   ---------   d--h--w   c:\program files\InstallShield Installation Information
      2008-12-17 07:05   ---------   d-----w   c:\program files\VideoLAN
      2008-12-01 18:12   ---------   d-----w   c:\documents and settings\Owner\Application Data\dvdcss
      2008-11-25 18:39   ---------   d-----w   c:\program files\Steam
      2008-11-25 00:21   ---------   d-----w   c:\documents and settings\All Users\Application Data\VMware
      2008-11-25 00:19   ---------   d-----w   c:\documents and settings\Owner\Application Data\VMware
      2008-11-24 19:45   ---------   d-----w   c:\documents and settings\LocalService\Application Data\VMware
      2008-11-13 22:07   3,532   ----a-w   C:\drmHeader.bin
      2008-10-31 04:57   ---------   d-----w   c:\program files\SystemRequirementsLab
      2008-10-23 13:01   283,648   ----a-w   c:\windows\system32\gdi32.dll
      2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
      2008-10-16 20:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
      2008-10-16 20:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
      2008-10-16 20:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
      2008-10-16 20:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
      2008-10-16 20:09   92,696   ----a-w   c:\windows\system32\cdm.dll
      2008-10-16 20:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
      2008-10-16 20:09   43,544   ----a-w   c:\windows\system32\wups2.dll
      2008-10-16 20:08   34,328   ----a-w   c:\windows\system32\wups.dll
      2008-10-03 10:15   247,326   ----a-w   c:\windows\system32\strmdll.dll
      2008-07-14 15:55   308,600   ----a-w   c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-26 786521]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-21 13508608]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-21 86016]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
      "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
      "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
      "RTHDCPL"="RTHDCPL.EXE" [2008-03-06 c:\windows\RTHDCPL.exe]
      "nwiz"="nwiz.exe" [2008-02-21 c:\windows\system32\nwiz.exe]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
      --a------ 2007-03-05 15:57 1103480 c:\program files\Download Manager\DLM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=

      R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
      R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
      R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
      R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
      R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
      R3 itecir;ITE EC CIR Driver (RTC);c:\windows\system32\DRIVERS\itecir.sys [2008-05-02 9728]
      S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
      S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d3199c-75e9-11dd-aea0-005056c00008}]
      \Shell\AutoRun\command - E:\LaunchU3.exe -a

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b45d9212-763f-11dd-aea2-005056c00008}]
      \Shell\AutoRun\command - E:\LaunchU3.exe -a

      *Newly Created Service* - CATCHME
      *Newly Created Service* - COMHOST
      *Newly Created Service* - PROCEXP90
      .
      Contents of the 'Scheduled Tasks' folder

      2008-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

      2008-12-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Owner.job
      - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.com/
      uInternet Settings,ProxyOverride = *.local

      c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
      O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
      hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
      c:\windows\Downloaded Program Files\sysreqlab.osd
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-12-24 18:16:48
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(980)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      .
      Completion time: 2008-12-24 18:17:15
      ComboFix-quarantined-files.txt  2008-12-25 00:17:13
      ComboFix2.txt  2008-12-25 00:13:37

      Pre-Run: 13,045,497,856 bytes free
      Post-Run: 13,029,519,360 bytes free

      185   --- E O F ---   2008-12-18 09:00:56

      AstorSigma

        Topic Starter


        Greenhorn

        Re: Malware problem vundo involved
        « Reply #3 on: December 24, 2008, 05:25:55 PM »
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 6:19:31 PM, on 12/24/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16762)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
        C:\Program Files\Bonjour\mDNSResponder.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\RTHDCPL.EXE
        C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\system32\RUNDLL32.EXE
        C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
        C:\Program Files\Java\jre6\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
        C:\WINDOWS\explorer.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
        O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
        O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
        O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
        O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
        O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
        O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
        O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
        O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
        O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
        O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

        --
        End of file - 7274 bytes

        CBMatt

        Re: Malware problem vundo involved
        « Reply #4 on: December 26, 2008, 12:44:01 AM »
        You're looking much better.  How are things running now?  Are you still receiving the popups?  If so, is it constant or only on certain sites?
        An undefined problem has an infinite number of solutions.
        -- Robert A. Humphrey

        AstorSigma


          Re: Malware problem vundo involved
          « Reply #5 on: December 27, 2008, 02:28:29 AM »
          It's only on select sites and very rare. It's more like popups that used to get blocked, don't get blocked anymore.

          CBMatt

          Re: Malware problem vundo involved
          « Reply #6 on: December 27, 2008, 02:41:57 AM »
          If it's only on select sites, then it sounds more like their advertising rather than an infection.  Your popup blocker may simply not be catching them (upgrading to Windows XP SP3 may help slightly).  As a test, you should install Firefox and visit these sites.  Do you still get the popups?

          AstorSigma


            Re: Malware problem vundo involved
            « Reply #7 on: December 29, 2008, 01:05:19 AM »
            Well the popups aside, my old symptoms just returned. My computer periodically lets me know that I've failed downloading something that I'm not sure what it is. I'm unable to scan with or disable any part of Norton. My desktop also periodically opens in a window, usually after the failed download message. Whatever's on my system keeps coming back it seems. Advice is appreciated.

            **Update**
            I just ran all the programs again to fix it. Here are the logs:



            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 12/29/2008 at 02:44 AM

            Application Version : 4.23.1006

            Core Rules Database Version : 3680
            Trace Rules Database Version: 1659

            Scan type       : Complete Scan
            Total Scan Time : 00:48:32

            Memory items scanned      : 464
            Memory threats detected   : 2
            Registry items scanned    : 5122
            Registry threats detected : 18
            File items scanned        : 59108
            File threats detected     : 5

            Trojan.Vundo-Variant/Packed-GEN
               C:\WINDOWS\SYSTEM32\IIFEEDVW.DLL
               C:\WINDOWS\SYSTEM32\IIFEEDVW.DLL
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51C5659B-88E6-4FEE-B44A-47CCF1B07B72}
               HKCR\CLSID\{51C5659B-88E6-4FEE-B44A-47CCF1B07B72}
               HKCR\CLSID\{51C5659B-88E6-4FEE-B44A-47CCF1B07B72}\InprocServer32
               HKCR\CLSID\{51C5659B-88E6-4FEE-B44A-47CCF1B07B72}\InprocServer32#ThreadingModel
               C:\WINDOWS\SYSTEM32\KHFCVUON.DLL
               HKU\S-1-5-21-515967899-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{51C5659B-88E6-4FEE-B44A-47CCF1B07B72}
               Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iifeeDvw

            Trojan.Unclassified-Packed/Suspicious
               C:\PROGRA~1\ZOOMPL~1\ZPSHLEXT.DLL
               C:\PROGRA~1\ZOOMPL~1\ZPSHLEXT.DLL

            Unclassified.Unknown Origin
               HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
               HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
               HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\CLSID
               HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
               HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32

            Adware.Vundo Variant/Rel
               HKLM\SOFTWARE\Microsoft\FCOVM
               HKLM\SOFTWARE\Microsoft\RemoveRP

            Rogue.Component/Trace
               HKLM\Software\Microsoft\6CADFD1D
               HKLM\Software\Microsoft\6CADFD1D#6cadfd1d
               HKLM\Software\Microsoft\6CADFD1D#Version
               HKU\S-1-5-21-515967899-1454471165-725345543-1003\Software\Microsoft\CS41275

            Adware.Tracking Cookie
               C:\Documents and Settings\Owner\Cookies\owner@adtrafficstats[1].txt
               C:\Documents and Settings\Owner\Cookies\owner@wmvmedialease[1].txt





            Malwarebytes' Anti-Malware 1.31
            Database version: 1528
            Windows 5.1.2600 Service Pack 2

            12/29/2008 3:09:03 AM
            mbam-log-2008-12-29 (03-09-03).txt

            Scan type: Quick Scan
            Objects scanned: 47316
            Time elapsed: 2 minute(s), 33 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 1
            Registry Keys Infected: 6
            Registry Values Infected: 1
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 2

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            C:\WINDOWS\system32\nbsfceyp.dll (Trojan.Vundo.H) -> Delete on reboot.

            Registry Keys Infected:
            HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

            Registry Values Infected:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cadef93 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            C:\WINDOWS\system32\nbsfceyp.dll (Trojan.Vundo.H) -> Delete on reboot.
            C:\WINDOWS\system32\pyecfsbn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.




            ComboFix 08-12-28.01 - Owner 2008-12-29  3:21:35.3 - NTFSx86
            Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3071.2659 [GMT -6:00]
            Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
            AV: Norton Internet Security *On-access scanning disabled* (Updated)
            FW: Norton Internet Security *disabled*
             * Created a new restore point
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\system32\NoUvCfhk.ini
            c:\windows\system32\NoUvCfhk.ini2
            c:\windows\system32\pthreadGC2.dll
            c:\windows\system32\scgqqvsj.dll
            c:\windows\system32\tcjozt.dll

            .
            (((((((((((((((((((((((((   Files Created from 2008-11-28 to 2008-12-29  )))))))))))))))))))))))))))))))
            .

            2008-12-29 01:44 . 2008-12-29 01:44   <DIR>   d--------   c:\windows\Sun
            2008-12-25 20:10 . 2008-12-25 20:10   <DIR>   d--------   c:\program files\VideoLAN
            2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\RealMedia
            2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\OpenSource Flash Video Splitter
            2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\MONOGRAM AMR SplitterDecoder
            2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\DScaler5
            2008-12-22 16:36 . 2008-12-22 16:36   <DIR>   d--------   c:\program files\CD Audio Reader Filter
            2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\SHOUTcast Source
            2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\Haali
            2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\ffdshow
            2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\DSP-worx
            2008-12-22 16:35 . 2008-12-22 16:35   <DIR>   d--------   c:\program files\DirectVobSub
            2008-12-22 16:35 . 2007-11-29 12:52   499,712   --a------   c:\windows\system32\msvcp71.dll
            2008-12-22 16:35 . 2007-11-29 12:52   348,160   --a------   c:\windows\system32\msvcr71.dll
            2008-12-22 16:35 . 2007-12-03 16:34   7,680   --a------   c:\windows\system32\ff_vfw.dll
            2008-12-22 16:35 . 2007-11-29 12:52   547   --a------   c:\windows\system32\ff_vfw.dll.manifest
            2008-12-22 16:34 . 2008-12-29 03:04   <DIR>   d--------   c:\program files\Zoom Player
            2008-12-22 16:27 . 2008-12-22 16:28   <DIR>   d--------   c:\documents and settings\Owner\Application Data\FLVPlayer4Free
            2008-12-22 15:57 . 2008-12-22 15:57   0   --a------   c:\windows\PlayList.Fpl
            2008-12-22 15:54 . 2008-12-22 15:54   <DIR>   d--------   c:\windows\tmp
            2008-12-22 15:54 . 2008-12-22 15:54   389,120   --a------   c:\windows\system32\ACTSKN43.OCX
            2008-12-21 16:55 . 2008-12-21 16:55   <DIR>   d--------   c:\program files\Trend Micro
            2008-12-21 16:45 . 2008-12-21 16:45   <DIR>   d--------   c:\program files\Java
            2008-12-21 16:45 . 2008-12-21 16:45   410,984   --a------   c:\windows\system32\deploytk.dll
            2008-12-21 16:45 . 2008-12-21 16:45   73,728   --a------   c:\windows\system32\javacpl.cpl
            2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
            2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
            2008-12-21 16:21 . 2008-12-21 16:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
            2008-12-21 16:21 . 2008-12-03 19:59   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
            2008-12-21 16:21 . 2008-12-03 19:59   15,504   --a------   c:\windows\system32\drivers\mbam.sys
            2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\program files\SUPERAntiSpyware
            2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
            2008-12-21 15:25 . 2008-12-21 15:25   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2008-12-21 15:24 . 2008-12-21 15:24   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
            2008-12-21 15:18 . 2008-12-21 15:18   <DIR>   d--------   c:\program files\CCleaner
            2008-12-14 23:50 . 2008-12-14 23:50   96   --ah-----   c:\windows\system32\HsInfo.dat
            2008-12-14 23:16 . 2008-12-21 13:40   <DIR>   d--------   c:\program files\Gravity
            2008-12-12 19:09 . 2008-12-12 19:09   <DIR>   d--------   c:\program files\uTorrent
            2008-12-12 19:08 . 2008-12-29 00:42   <DIR>   d--------   c:\documents and settings\Owner\Application Data\uTorrent
            2008-12-10 16:15 . 2008-12-10 16:15   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Red Kawa
            2008-12-09 23:58 . 2008-12-09 23:59   <DIR>   d--------   c:\program files\QuickTime
            2008-12-07 20:23 . 2008-12-07 20:23   249,856   ---------   c:\windows\Setup1.exe
            2008-12-07 20:23 . 2008-12-07 20:23   73,216   --a------   c:\windows\ST6UNST.EXE
            2008-12-03 19:14 . 2008-12-03 19:14   <DIR>   d--------   c:\program files\Red Kawa
            2008-12-03 19:14 . 2008-12-03 19:14   <DIR>   d--------   c:\program files\AviSynth 2.5
            2008-12-03 19:13 . 2008-12-03 19:13   <DIR>   d--------   C:\OpenCandy
            2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\iTunes
            2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\iPod
            2008-12-03 16:00 . 2008-12-03 16:16   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Apple Computer
            2008-12-03 16:00 . 2008-12-03 16:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
            2008-12-03 16:00 . 2008-04-17 13:12   107,368   --a------   c:\windows\system32\GEARAspi.dll
            2008-12-03 16:00 . 2008-04-17 13:12   15,464   --a------   c:\windows\system32\drivers\GEARAspiWDM.sys
            2008-12-03 15:59 . 2008-12-07 20:28   <DIR>   d--------   c:\program files\Bonjour
            2008-12-03 15:59 . 2008-12-07 03:01   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
            2008-12-03 15:58 . 2008-12-03 16:00   <DIR>   d--------   c:\program files\Common Files\Apple
            2008-12-03 15:58 . 2008-12-03 15:58   <DIR>   d--------   c:\program files\Apple Software Update
            2008-12-03 15:58 . 2008-12-03 15:58   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple
            2008-12-03 15:58 . 2008-11-07 14:23   32,000   --a------   c:\windows\system32\drivers\usbaapl.sys

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-12-29 09:25   ---------   d-----w   c:\program files\Common Files\Symantec Shared
            2008-12-29 00:45   ---------   d-----w   c:\documents and settings\All Users\Application Data\Symantec
            2008-12-26 02:11   ---------   d-----w   c:\documents and settings\Owner\Application Data\dvdcss
            2008-12-25 23:32   ---------   d-----w   c:\program files\Steam
            2008-12-21 19:40   ---------   d--h--w   c:\program files\InstallShield Installation Information
            2008-11-25 00:21   ---------   d-----w   c:\documents and settings\All Users\Application Data\VMware
            2008-11-25 00:19   ---------   d-----w   c:\documents and settings\Owner\Application Data\VMware
            2008-11-24 19:45   ---------   d-----w   c:\documents and settings\LocalService\Application Data\VMware
            2008-11-13 22:07   3,532   ----a-w   C:\drmHeader.bin
            2008-10-31 04:57   ---------   d-----w   c:\program files\SystemRequirementsLab
            2008-07-14 15:55   308,600   ----a-w   c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
            .

            (((((((((((((((((((((((((((((   snapshot@2008-12-24_18.13.24.45   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2005-10-21 02:02:28   163,328   ----a-w   c:\windows\ERDNT\subs\ERDNT.EXE
            + 2008-12-29 09:24:40   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_2d4.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]
            "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-26 786521]
            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-21 13508608]
            "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-21 86016]
            "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
            "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
            "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
            "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
            "RTHDCPL"="RTHDCPL.EXE" [2008-03-06 c:\windows\RTHDCPL.exe]
            "nwiz"="nwiz.exe" [2008-02-21 c:\windows\system32\nwiz.exe]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
            "AppInit_DLLs"=tcjozt.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
            --a------ 2007-03-05 15:57 1103480 c:\program files\Download Manager\DLM.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
            --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            "c:\\Program Files\\uTorrent\\uTorrent.exe"=

            R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
            R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
            R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
            R3 itecir;ITE EC CIR Driver (RTC);c:\windows\system32\DRIVERS\itecir.sys [2008-05-02 9728]
            S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
            S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
            S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d3199c-75e9-11dd-aea0-005056c00008}]
            \Shell\AutoRun\command - E:\LaunchU3.exe -a

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b45d9212-763f-11dd-aea2-005056c00008}]
            \Shell\AutoRun\command - E:\LaunchU3.exe -a

            *Newly Created Service* - COMHOST
            .
            Contents of the 'Scheduled Tasks' folder

            2008-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

            2008-12-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Owner.job
            - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
            .
            - - - - ORPHANS REMOVED - - - -

            BHO-{7e9a7673-62b8-4e42-9ba8-b306f924e9c1} - c:\windows\system32\tcjozt.dll


            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            uInternet Settings,ProxyOverride = *.local

            c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
            O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
            hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
            c:\windows\Downloaded Program Files\sysreqlab.osd
            .

            **************************************************************************

            catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-12-29 03:25:01
            Windows 5.1.2600 Service Pack 2 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(984)
            c:\program files\SUPERAntiSpyware\SASWINLO.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\windows\system32\nvsvc32.exe
            c:\windows\system32\rundll32.exe
            .
            **************************************************************************
            .
            Completion time: 2008-12-29  3:27:00 - machine was rebooted
            ComboFix-quarantined-files.txt  2008-12-29 09:26:57
            ComboFix2.txt  2008-12-25 00:17:15
            ComboFix3.txt  2008-12-25 00:13:37

            Pre-Run: 14,147,338,240 bytes free
            Post-Run: 14,027,763,712 bytes free

            203   --- E O F ---   2008-12-18 09:00:56
            « Last Edit: December 29, 2008, 02:57:15 AM by AstorSigma »
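The logs in the post above show why this infection keeps coming back: a Vundo-class dropper re-registers itself through an AppInit_DLLs entry (tcjozt.dll, loaded into every process that links user32.dll), a Winlogon Notify package and BHO registrations that point at randomly named DLLs in system32, and it leaves Security Center monitoring off and the Windows Firewall disabled. The script below is an added example for readers of this thread; it is not part of the original posts and is not code from HijackThis, ComboFix, Malwarebytes or SUPERAntiSpyware. It parses HijackThis "Onn -" entries and ComboFix REGEDIT4-style loading points and flags those indicators. The sample input is constructed from lines posted above; the "O20 - Winlogon Notify: iifeeDvw" line is assembled from the SUPERAntiSpyware finding rather than copied from a HijackThis log, and the rules and severity labels are the script's own heuristics.

```python
"""Flag Vundo-style persistence in HijackThis / ComboFix log text.

Added example for this thread; not code from HijackThis, ComboFix, MBAM or SAS.
Rules and severity labels are this script's own heuristics.
"""
import re

# Constructed sample: lines copied from the logs posted in the thread, plus
# benign neighbours so the rules have entries to skip. The iifeeDvw O20 line is
# assembled from the SUPERAntiSpyware finding, not copied from a HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: tcjozt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifeeDvw - C:\WINDOWS\system32\iifeedvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tcjozt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
BHO-{7e9a7673-62b8-4e42-9ba8-b306f924e9c1} - c:\windows\system32\tcjozt.dll
"""

SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)        # path lives in %windir%\system32
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")                    # HijackThis "Onn - ..." entries
REG_KEY = re.compile(r"^\[(.+)\]$")                          # ComboFix REGEDIT4 section header
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')            # "name"=value inside a section
ORPHAN_BHO = re.compile(r"^BHO-\{[0-9a-f-]+\}\s+-\s+(.+)$", re.I)  # ComboFix orphan BHO line


def last_field(text):
    """HijackThis puts the file path in the final ' - ' separated field."""
    return text.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Return (severity, message) tuples for entries matching Vundo-style persistence."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = HJT_LINE.match(line)
        if m:
            kind, rest = m.groups()
            if kind == "O20" and rest.startswith("AppInit_DLLs:"):
                value = rest.split(":", 1)[1].strip()
                if value:   # injected into every process that loads user32.dll
                    findings.append(("HIGH", "AppInit_DLLs set: " + value))
            elif kind == "O20" and rest.startswith("Winlogon Notify:"):
                path = last_field(rest)
                if SYSTEM32.search(path):  # HJT hides default notify packages; a system32 one is unusual
                    findings.append(("HIGH", "Winlogon Notify DLL in system32: " + path))
            elif kind == "O2" and SYSTEM32.search(last_field(rest)):
                findings.append(("HIGH", "BHO loaded directly from system32: " + last_field(rest)))
            continue

        m = REG_KEY.match(line)
        if m:
            section = m.group(1).lower()
            continue

        m = REG_VALUE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip()
            if name == "appinit_dlls" and value:
                findings.append(("HIGH", "AppInit_DLLs set in registry: " + value))
            elif name == "disablemonitoring" and value.endswith("1") and "security center" in section:
                # Symantec sets this itself; confirm who owns it rather than treating it as proof
                findings.append(("INFO", "Security Center monitoring disabled under " + section))
            elif name == "enablefirewall" and value.startswith("0") and "firewallpolicy" in section:
                findings.append(("MEDIUM", "Windows Firewall off for profile " + section.rsplit("\\", 1)[-1]))
            continue

        m = ORPHAN_BHO.match(line)
        if m and SYSTEM32.search(m.group(1)):
            findings.append(("HIGH", "Orphaned BHO registration into system32: " + m.group(1)))
    return findings


def count_by_severity(findings):
    """Summary helper so the result can be checked without parsing printed output."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The location rule (a loader DLL sitting bare in system32) is deliberately chosen over a "random-looking name" rule: legitimate names such as IPSBHO.dll or CoIEPlg.dll look just as random as khfdvsjb.dll, while HijackThis already suppresses the stock Winlogon notify packages, so anything from system32 that still appears under O20 deserves a look. The Security Center entries are reported as INFO only because Norton writes DisableMonitoring itself when it takes over AV and firewall reporting; on a live box the next step is to check the file timestamps and hashes of each flagged DLL against a known-good source before deleting anything, since Vundo drops a fresh name on every reboot.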

            AstorSigma


              Re: Malware problem vundo involved
              « Reply #8 on: December 29, 2008, 02:57:37 AM »
              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 3:48:32 AM, on 12/29/2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16762)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\Program Files\Java\jre6\bin\jqs.exe
              C:\WINDOWS\system32\nvsvc32.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\RTHDCPL.EXE
              C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
              C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
              C:\WINDOWS\system32\RUNDLL32.EXE
              C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
              C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
              C:\Program Files\Java\jre6\bin\jusched.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Program Files\internet explorer\iexplore.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
              O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
              O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
              O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
              O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
              O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
              O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
              O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
              O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
              O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
              O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
              O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
              O20 - AppInit_DLLs: tcjozt.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
              O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
              O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
              O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

              --
              End of file - 7143 bytes

              CBMatt
              Re: Malware problem vundo involved
              « Reply #9 on: December 29, 2008, 11:16:44 PM »
              You should remove this entry with HijackThis...
              O20 - AppInit_DLLs: tcjozt.dll

              Aside from that, I don't see much going on in your logs.

              You may want to fully remove Norton and either reinstall it or install a different anti-virus...
              http://www.computerhope.com/forum/index.php?topic=34939.0

              Also, go ahead and do the following...
              1. Download VundoFix and save it to your desktop.
              2. Run VundoFix and click on Scan For Vundo.
              3. Once it's done scanning, click on Remove Vundo.
              4. When it prompts you to remove the files, click on Yes.
              5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
              6. It will prompt you to restart your computer, so click OK.
              7. When your computer is turned back on, your problem should be gone.
              8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

              And then, just to be thorough...
              1. Download VirtumundoBeGone and save it to your desktop.
              2. Reboot into Safe Mode.
              3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
              4. Exit when it has finished and reboot back into normal mode.
              5. The program normally produces a VBG.txt file.  Please locate this file and paste the contents in your next post.
              Quote
              An undefined problem has an infinite number of solutions.
              - Robert A. Humphrey
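              The triage above (spotting the O20 AppInit_DLLs line and deciding the Winlogon Notify entry belongs to SUPERAntiSpyware) can be done mechanically when you read a lot of these logs. The following is an added example written for this thread; it is not code from HijackThis, VundoFix or any poster here. It parses HijackThis-style lines, reports every DLL named in AppInit_DLLs (Windows loads those into every process that links user32.dll, so the value is normally empty), and reports Winlogon Notify DLLs that are not on an analyst-maintained allow-list. The sample lines are copied from the log above, and the allow-list containing SASWINLO.dll is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines lifted from the HijackThis log above, plus a
# header line to show that non-entry lines are ignored by the parser.
SAMPLE_LOG = r"""
Running processes:
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: tcjozt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Assumed allow-list: Winlogon Notify DLLs the analyst has already vetted.
# SUPERAntiSpyware's hook is the only one on this machine's log.
KNOWN_NOTIFY_DLLS = {"saswinlo.dll"}

# HijackThis entry layout: "<section> - <kind>: <detail>", e.g. "O20 - AppInit_DLLs: x.dll".
HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<detail>.*)$")


@dataclass
class Entry:
    section: str
    kind: str
    detail: str


def parse_hjt(text):
    """Return the O-entries of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["kind"].strip(), m["detail"].strip()))
    return entries


def appinit_dlls(entries):
    """DLL names listed in the AppInit_DLLs value (comma or space separated)."""
    dlls = []
    for e in entries:
        if e.section == "O20" and e.kind == "AppInit_DLLs":
            dlls.extend(d for d in re.split(r"[,\s]+", e.detail) if d)
    return dlls


def winlogon_notify(entries):
    """(subkey name, DLL path) pairs from Winlogon Notify lines."""
    out = []
    for e in entries:
        if e.section == "O20" and e.kind == "Winlogon Notify":
            name, _, path = e.detail.partition(" - ")
            out.append((name.strip(), path.strip()))
    return out


def triage(text, known_notify=KNOWN_NOTIFY_DLLS):
    """Findings an analyst should look at, as plain strings."""
    entries = parse_hjt(text)
    findings = []
    for dll in appinit_dlls(entries):
        # A bare file name is resolved through the DLL search path, which is
        # how the randomly named Vundo DLL in system32 gets picked up.
        note = "bare name, found via DLL search path" if "\\" not in dll else "full path"
        findings.append(f"O20 AppInit_DLLs loads {dll} ({note}); legitimate use is rare, review and remove")
    for name, path in winlogon_notify(entries):
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in known_notify:
            findings.append(f"O20 Winlogon Notify {name} -> {path}: not on the vetted list")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints one finding, for tcjozt.dll; the SUPERAntiSpyware hook is suppressed only because it is on the allow-list, so pass an empty set as `known_notify` to see every Notify entry.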

              AstorSigma


                Re: Malware problem vundo involved
                « Reply #10 on: January 01, 2009, 02:03:53 PM »
                Vundofix didn't find anything so no log for that.

                Here's the Virtumundobegone log which apparently found nothing as well:



                [12/30/2008, 0:59:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
                [12/30/2008, 0:59:41] - Detected System Information:
                [12/30/2008, 0:59:41] -  Windows Version: 5.1.2600, Service Pack 2
                [12/30/2008, 0:59:41] -  Current Username: Owner (Admin)
                [12/30/2008, 0:59:41] -  Windows is in SAFE mode with Networking.
                [12/30/2008, 0:59:41] - Searching for Browser Helper Objects:
                [12/30/2008, 0:59:41] -  BHO 1: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} ()
                [12/30/2008, 0:59:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
                [12/30/2008, 0:59:41] -  Checking for HKLM\...\Winlogon\Notify\coIEPlg
                [12/30/2008, 0:59:41] -  Key not found: HKLM\...\Winlogon\Notify\coIEPlg, continuing.
                [12/30/2008, 0:59:41] -  BHO 2: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
                [12/30/2008, 0:59:41] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
                [12/30/2008, 0:59:41] -  BHO 4: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
                [12/30/2008, 0:59:41] - Finished Searching Browser Helper Objects
                [12/30/2008, 0:59:41] - Finishing up...
                [12/30/2008, 0:59:41] - Nothing found! Exiting...


                I haven't done the norton thing yet because I wanted to ask what you would recommend for good protection. Are the programs I used to remove this stuff good ones? I'll buy the pro versions if they're good. I'm referring to Superantispyware and Malwarebytes of course. The others are free anyway.

                CBMatt

                Re: Malware problem vundo involved
                « Reply #11 on: January 01, 2009, 07:40:25 PM »
                If you would like to use another anti-virus, AVG is a good program.  It is the one I personally use.  Avira or Avast are also good.  With any of these, you will have decent security.  Just search for the names on Google and you'll find the proper results quickly.  Of course, you are also going to want a decent firewall; the one that comes with Windows just doesn't cut it.  I use Comodo, but ZoneAlarm and Kerio Sunbelt are good as well.  All of these programs have free versions that provide good protection.  You can buy the premium versions if you wish, but it's not necessary.

                Malwarebytes' Anti-Malware and SUPERAntiSpyware are both good programs.  They are anti-spyware programs, however, and provide a slightly different kind of protection.  I would suggest keeping them and scanning with them once every week or two.

                As for your logs, nothing is showing up now.  If you're still having problems, I think the best thing to do is try out these new programs instead of Norton and run their scans often.  One at a time, of course; you don't want to scan with any of them at the same time.