
Topic: HijackThis log for a win32/vundo!generic problem


HippieGothie (Topic Starter)

    HijackThis log for a win32/vundo!generic problem
    « on: May 10, 2008, 07:13:09 PM »
    If someone could please help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:10:14 PM, on 5/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\WINDOWS\mrofinu1535.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\Program Files\Svconr\Svconr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\b155.exe
    C:\Program Files\JavaCore\JavaCore.exe
    C:\Program Files\InetGet2\sacatapo821058.exe
    C:\Program Files\Opera\Opera.exe
    C:\Documents and Settings\Jeff Hansen\My Documents\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://enascor.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spcron.dll
    O2 - BHO: (no name) - {2E1550C1-DB0B-4B2D-B338-CA5DCF368E13} - C:\WINDOWS\system32\pwlosnmw.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\ugmupocq.dll (file missing)
    O2 - BHO: (no name) - {E93121AD-7C67-417A-A6A5-87C60214AC80} - C:\WINDOWS\system32\pmnlm.dll (file missing)
    O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - C:\WINDOWS\system32\nnnmjgHy.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201 522886B092CBD44BD8689220221DD3257
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O20 - Winlogon Notify: nnnmjgHy - C:\WINDOWS\SYSTEM32\nnnmjgHy.dll
    O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll (file missing)
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 9893 bytes
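A defender's triage of the log format above, as an added example that is not part of this thread or of HijackThis/ComboFix: it parses the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines and scores each with the signs a helper checks by hand, namely no display name, "(file missing)", a random-looking file name, and one DLL registered as both a BHO and a Winlogon Notify handler (the Vundo pairing visible in this log). The vowel-ratio threshold used for "random-looking" is my assumption; the sample lines are copied from the log above.

```python
"""Triage of HijackThis v2 log lines (O2 BHO, O4 Run, O20 Winlogon Notify).

Added example for this thread; not a HijackThis or ComboFix feature. It applies
mechanically the signals a log reader uses by hand: a BHO with no display
name, a '(file missing)' entry, a random-looking file stem, and one DLL
registered both as a BHO and as a Winlogon Notify handler. The thresholds are
assumptions, not vendor rules; treat hits as leads, not verdicts.
"""
import re

# Sample lines copied from the log posted in the thread (benign and bad mixed).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {2E1550C1-DB0B-4B2D-B338-CA5DCF368E13} - C:\WINDOWS\system32\pwlosnmw.dll (file missing)
O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - C:\WINDOWS\system32\nnnmjgHy.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spcron.dll
O2 - BHO: (no name) - {E93121AD-7C67-417A-A6A5-87C60214AC80} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O20 - Winlogon Notify: nnnmjgHy - C:\WINDOWS\SYSTEM32\nnnmjgHy.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll (file missing)
"""

# HijackThis appends " (file missing)" when the registered file is absent.
MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)" + MISSING)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + MISSING)


def exe_from_command(cmd):
    """Strip arguments from an O4 command line, keeping the (possibly quoted) .exe path."""
    m = re.match(r'("?)(.*?\.exe)\1', cmd, re.IGNORECASE)
    return m.group(2) if m else cmd.strip('"')


def file_stem(path):
    """Last path component without its extension (quotes removed)."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    """Heuristic (assumed threshold): 5-8 letters with under 20% vowels,
    like nnnmjgHy or pwlosnmw. Vendor names such as igfxtray pass."""
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    return vowels / len(stem) < 0.2


def parse(log_text):
    """Return one dict per recognised O2/O4/O20 line; other sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if m := O2_RE.match(raw):
            e = {"kind": "O2", "name": m["name"], "path": m["path"]}
        elif m := O4_RE.match(raw):
            e = {"kind": "O4", "name": m["key"], "path": exe_from_command(m["cmd"])}
        elif m := O20_RE.match(raw):
            e = {"kind": "O20", "name": m["name"], "path": m["path"]}
        else:
            continue
        e["missing"] = bool(m.groupdict().get("missing"))
        e["raw"] = raw
        entries.append(e)
    return entries


def triage(entries):
    """Return [(raw_line, [reasons])] for every entry with at least one warning sign."""
    # DLL stems seen as BHOs, to correlate against Winlogon Notify handlers.
    bho_stems = {file_stem(e["path"]).lower() for e in entries if e["kind"] == "O2"}
    findings = []
    for e in entries:
        stem = file_stem(e["path"])
        reasons = []
        if e["kind"] == "O2" and e["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if e["missing"]:
            reasons.append("registered component whose file is gone (orphaned entry)")
        if looks_random(stem):
            reasons.append("random-looking file name %r" % stem)
        if e["kind"] == "O20" and stem.lower() in bho_stems:
            reasons.append("same DLL is also loaded as a BHO (Vundo-style pairing)")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(parse(SAMPLE_LOG)):
        print(raw)
        for r in reasons:
            print("    -", r)
```

On the sample, seven of the nine entries are flagged; ssv.dll and igfxtray.exe pass, and both Winlogon Notify DLLs are reported as paired with a BHO.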

    evilfantasy (Malware Removal Specialist, Moderator)

    Re: HijackThis log for a win32/vundo!generic problem
    « Reply #1 on: May 10, 2008, 07:17:34 PM »
    Welcome to CH ;)

    Please download Combofix by sUBs from one of the below links.
    (Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
    • Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
    • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
      • Click this link to see a list of security programs that should be disabled and how to disable them.
      • If yours is not listed and you don't know how to disable it, please ask.
    • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
    • Double click combofix.exe & follow the prompts.
      • Choose Yes to accept the Disclaimers.
      • When finished, it will produce a log for you.
      • Post that log in your next reply.
    • Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
    • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

      HippieGothie (Topic Starter)

        Re: HijackThis log for a win32/vundo!generic problem
        « Reply #2 on: May 10, 2008, 07:49:28 PM »
        ComboFix 08-05-09.1 - Jeff Hansen 2008-05-10 21:26:51.1 - NTFSx86
        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.166 [GMT -4:00]
        Running from: C:\Documents and Settings\Jeff Hansen\Desktop\ComboFix.exe
         * Created a new restore point

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\Documents and Settings\Guest\err.log
        C:\Documents and Settings\Jeff Hansen\Application Data\macromedia\Flash Player\#SharedObjects\JLWWAZY2\www.broadcaster.com
        C:\Documents and Settings\Jeff Hansen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
        C:\Documents and Settings\Jeff Hansen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
        C:\Documents and Settings\Jeff Hansen\err.log
        C:\Documents and Settings\Jeff Hansen\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
        C:\Documents and Settings\Jeff Hansen\Local Settings\Temporary Internet Files\bestwiner.stt
        C:\Documents and Settings\Jeff Hansen\Local Settings\Temporary Internet Files\CPV.stt
        C:\Documents and Settings\Jeff Hansen\Start Menu\Programs\Internet Speed Monitor
        C:\Documents and Settings\Jeff Hansen\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
        C:\Documents and Settings\Jeff Hansen\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
        C:\Program Files\Common Files\{34F43~1
        C:\Program Files\Common Files\{34F43~1\Uninstall.exe
        C:\Program Files\Common Files\{34F43~2
        C:\Program Files\Common Files\{C4F43~1
        C:\Program Files\CPV
        C:\Program Files\inetget2
        C:\Program Files\inetget2\sacatapo821058.exe
        C:\Program Files\ISM
        C:\Program Files\ISM\ism.exe
        C:\Program Files\ISM\Uninstall.exe
        C:\Program Files\JavaCore
        C:\Program Files\JavaCore\JavaCore.exe
        C:\Program Files\JavaCore\UnInstall.exe
        C:\Program Files\QdrDrive
        C:\Program Files\QdrDrive\qdrloader.exe
        C:\Program Files\QdrPack
        C:\Program Files\QdrPack\QdrPack15.exe
        C:\Program Files\Temporary
        C:\WA6P
        C:\WINDOWS\b104.exe
        C:\WINDOWS\b148.exe
        C:\WINDOWS\b149.exe
        C:\WINDOWS\b152.exe
        C:\WINDOWS\b155.exe
        C:\WINDOWS\b156.exe
        C:\WINDOWS\b999.exe
        C:\WINDOWS\mrofinu1535.exe
        C:\WINDOWS\system32\components
        C:\WINDOWS\system32\dgjlm.ini2
        C:\WINDOWS\system32\dgjlm.tmp
        C:\WINDOWS\system32\iyspawlq.ini
        C:\WINDOWS\system32\mcrh.tmp
        C:\WINDOWS\system32\mevrkpsw.ini
        C:\WINDOWS\system32\mlnmp.bak1
        C:\WINDOWS\system32\mlnmp.bak2
        C:\WINDOWS\system32\mlnmp.ini
        C:\WINDOWS\system32\mlnmp.ini2
        C:\WINDOWS\system32\mlnmp.tmp
        C:\WINDOWS\system32\nnnmjgHy.dll

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Legacy_COM+_MESSAGES


        (((((((((((((((((((((((((   Files Created from 2008-04-11 to 2008-05-11  )))))))))))))))))))))))))))))))
        .

        2008-05-10 12:55 . 2008-05-10 12:55   <DIR>   d--------   C:\Program Files\Spcron
        2008-05-10 12:50 . 2008-05-10 12:50   <DIR>   d--------   C:\Program Files\Svconr
        2008-05-09 22:31 . 2008-05-09 22:32   <DIR>   d--------   C:\Documents and Settings\Jeff Hansen\.limewire
        2008-05-09 19:22 . 2008-05-09 19:22   <DIR>   d--------   C:\Documents and Settings\Jeff Hansen\Application Data\Lavasoft
        2008-05-09 12:40 . 2008-02-12 14:45   48   --a------   C:\Documents and Settings\Jeff Hansen\readme.bat
        2008-05-09 10:45 . 2008-05-09 10:45   <DIR>   d--------   C:\Program Files\Common Files\Macromedia Shared

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-05-11 01:39   ---------   d-----w   C:\Program Files\Steam
        2008-05-11 01:38   ---------   d-----w   C:\Documents and Settings\Jeff Hansen\Application Data\WTablet
        2008-05-11 01:37   ---------   d-----w   C:\Documents and Settings\LocalService\Application Data\WTablet
        2008-05-08 21:33   ---------   d-----w   C:\Program Files\Common Files\Adobe
        2008-05-08 21:27   ---------   d-----w   C:\Documents and Settings\Jeff Hansen\Application Data\AdobeUM
        2008-03-26 21:40   ---------   d-----w   C:\Program Files\LimeWire
        2008-03-26 17:45   ---------   d-----w   C:\Program Files\Kate's Video Converter
        2008-02-10 03:21   15   ----a-w   C:\Documents and Settings\Jeff Hansen\StopWZC.bat
        2008-02-10 03:20   16   ----a-w   C:\Documents and Settings\Jeff Hansen\StartWZC.bat
        2008-01-09 21:20   251   ----a-w   C:\Program Files\wt3d.ini
        2007-03-23 14:39   382   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb1942.dat
        2007-03-23 14:38   69,632   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb4827.dat
        2007-03-23 14:38   151   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb292.dat
        2007-03-23 14:38   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb2391.dat
        2006-11-30 03:42   49   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb41.dat
        2006-11-29 15:46   6,144   ----a-w   C:\Documents and Settings\Guest\Application Data\internaldb1362.dat
        2006-11-22 06:52   0   ----a-w   C:\Program Files\Common Files\err.log
        2006-11-18 17:08   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb5436.dat
        2006-11-16 20:07   9,216   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb9040.dat
        2006-11-16 20:07   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb1912.dat
        2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb4604.dat
        2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb3902.dat
        2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb153.dat
        2006-11-04 21:03   7,048   ----a-w   C:\Documents and Settings\All Users\Application Data\ypinfo.bin
        2007-12-06 23:10   88   --sh--r   C:\WINDOWS\system32\41457874FA.sys
        2007-09-10 18:07   56   --sh--r   C:\WINDOWS\system32\FA74784541.sys
        2007-12-06 23:10   6,580   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1550C1-DB0B-4B2D-B338-CA5DCF368E13}]
                 C:\WINDOWS\system32\pwlosnmw.dll

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7C0AA32-5656-42F4-BF96-09ED9F459BD9}]
        2008-02-07 21:07   217088   --a------   C:\Program Files\Messenger\kywokelyt821058.dll

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E93121AD-7C67-417A-A6A5-87C60214AC80}]
                 C:\WINDOWS\system32\pmnlm.dll

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
        "Steam"="c:\program files\steam\steam.exe" [2008-04-01 19:03 1271032]
        "Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-05-10 12:50 57344]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304]
        "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
        "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
        "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
        "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56 761947]
        "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
        "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-03-23 14:31 230512]
        "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-03-23 14:31 185456]
        "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
        "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 19:15 180269]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
        "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
        "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
        "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
        "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
        "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 02:37 57344]

        C:\Documents and Settings\Jeff Hansen\Start Menu\Programs\Startup\
        LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 15:57:14 81920]
        Microsoft Office Shortcut Bar.Lnk [2007-04-02 15:06:31 761]

        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
        Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-25 09:30:07 784912]
        WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-09-26 23:45:57 106560]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
        "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
        c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlm]
        C:\WINDOWS\system32\pmnlm.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
        @=""

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "C:\\Program Files\\America Online 9.0\\waol.exe"=
        "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
        "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
        "C:\\Program Files\\LimeWire\\LimeWire.exe"=
        "C:\\WINDOWS\\system32\\sessmgr.exe"=
        "C:\\Program Files\\Messenger\\msmsgs.exe"=
        "C:\\StubInstaller.exe"=
        "C:\\Program Files\\Opera\\Opera.exe"=
        "C:\\Program Files\\AIM\\aim.exe"=
        "C:\\Program Files\\iTunes\\iTunes.exe"=
        "C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
        "C:\\Program Files\\Steam\\SteamApps\\hippiegothie\\team fortress 2\\hl2.exe"=

        R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
        R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 17:18]
        R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-15 15:55]
        S3 SaiH0461;SaiH0461;C:\WINDOWS\system32\DRIVERS\SaiH0461.sys [2006-08-08 13:25]

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
        \Shell\AutoRun\command - E:\setup.exe

        .
        Contents of the 'Scheduled Tasks' folder
        "2008-05-05 15:24:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
        - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
        "2008-05-11 01:37:22 C:\WINDOWS\Tasks\Winter Fun Wallpaper Changer.job"
        - C:\Documents and Settings\All Users\Start Menu\Programs\Winter Fun Pack 2004 for Windows XP\Winter Fun Wallpaper Changer.lnk
        .
        **************************************************************************

        catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-05-10 21:39:09
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        ------------------------ Other Running Processes ------------------------
        .
        C:\WINDOWS\system32\WLTRYSVC.EXE
        C:\WINDOWS\system32\BCMWLTRY.EXE
        C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
        C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Program Files\Yahoo!\Antivirus\iSafe.exe
        C:\WINDOWS\ehome\ehrecvr.exe
        C:\WINDOWS\ehome\ehSched.exe
        C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
        C:\WINDOWS\ehome\mcrdsvc.exe
        C:\WINDOWS\system32\Tablet.exe
        C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
        C:\WINDOWS\system32\dllhost.exe
        C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
        C:\WINDOWS\system32\WTablet\TabUserW.exe
        C:\WINDOWS\system32\Tablet.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\system32\igfxsrvc.exe
        C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
        C:\PROGRA~1\Yahoo!\browser\ycommon.exe
        C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
        .
        **************************************************************************
        .
        Completion time: 2008-05-10 21:45:36 - machine was rebooted
        ComboFix-quarantined-files.txt  2008-05-11 01:45:30

        Pre-Run: 10,848,620,544 bytes free
        Post-Run: 10,703,892,480 bytes free

        220   --- E O F ---   2008-04-11 07:09:05

        evilfantasy (Malware Removal Specialist, Moderator)

        Re: HijackThis log for a win32/vundo!generic problem
        « Reply #3 on: May 10, 2008, 08:12:05 PM »
        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        • Click Start, then Run
        • Type notepad.exe in the Run Box.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        Folder::
        C:\Program Files\Spcron
        C:\Program Files\Svconr

        Registry::
        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1550C1-DB0B-4B2D-B338-CA5DCF368E13}]
        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7C0AA32-5656-42F4-BF96-09ED9F459BD9}]
        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E93121AD-7C67-417A-A6A5-87C60214AC80}]
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Svconr"=-
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlm]

        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

        ----------

        Create An Uninstall List
        • Start HijackThis
        • Click on the Open the Misc Tools section
        • Click on the Open Uninstall Manager button.
        • Click on the Save list button and specify where you would like to save this file and click Save.
          • When you press Save button a notepad will open with the contents of that file.
        • Copy and paste that list in your reply.
        .
        ----------

        Next post add (you may need to use two posts to get everything in)
        New Combofix log
        Uninstall list


        Let me know how everything is now
        .

        HippieGothie (Topic Starter)

          Re: HijackThis log for a win32/vundo!generic problem
          « Reply #4 on: May 10, 2008, 09:26:15 PM »
          ComboFix 08-05-09.1 - Jeff Hansen 2008-05-10 22:18:40.2 - NTFSx86
          Running from: C:\Documents and Settings\Jeff Hansen\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Jeff Hansen\Desktop\CFScript.txt
           * Created a new restore point

          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\Documents and Settings\Jeff Hansen\Local Settings\Temporary Internet Files\bestwiner.stt
          C:\Program Files\Spcron
          C:\Program Files\Spcron\Spcron.dll
          C:\Program Files\Svconr
          C:\Program Files\Svconr\Svconr.exe

          .
          (((((((((((((((((((((((((   Files Created from 2008-04-11 to 2008-05-11  )))))))))))))))))))))))))))))))
          .

          2008-05-09 22:31 . 2008-05-09 22:32   <DIR>   d--------   C:\Documents and Settings\Jeff Hansen\.limewire
          2008-05-09 19:22 . 2008-05-09 19:22   <DIR>   d--------   C:\Documents and Settings\Jeff Hansen\Application Data\Lavasoft
          2008-05-09 12:40 . 2008-02-12 14:45   48   --a------   C:\Documents and Settings\Jeff Hansen\readme.bat
          2008-05-09 10:45 . 2008-05-09 10:45   <DIR>   d--------   C:\Program Files\Common Files\Macromedia Shared

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-05-11 02:26   ---------   d-----w   C:\Program Files\Steam
          2008-05-11 02:25   ---------   d-----w   C:\Documents and Settings\Jeff Hansen\Application Data\WTablet
          2008-05-11 02:24   ---------   d-----w   C:\Documents and Settings\LocalService\Application Data\WTablet
          2008-05-08 21:33   ---------   d-----w   C:\Program Files\Common Files\Adobe
          2008-05-08 21:27   ---------   d-----w   C:\Documents and Settings\Jeff Hansen\Application Data\AdobeUM
          2008-03-26 21:40   ---------   d-----w   C:\Program Files\LimeWire
          2008-03-26 17:45   ---------   d-----w   C:\Program Files\Kate's Video Converter
          2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
          2008-03-19 09:47   1,845,248   ------w   C:\WINDOWS\system32\dllcache\win32k.sys
          2008-03-10 13:46   32,768   ----a-w   C:\WINDOWS\system32\~GLH0003.TMP
          2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
          2008-02-20 06:51   282,624   ------w   C:\WINDOWS\system32\dllcache\gdi32.dll
          2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
          2008-02-20 05:32   45,568   ------w   C:\WINDOWS\system32\dllcache\dnsrslvr.dll
          2008-02-20 05:32   148,992   ------w   C:\WINDOWS\system32\dllcache\dnsapi.dll
          2008-02-15 09:07   18,432   ------w   C:\WINDOWS\system32\dllcache\iedw.exe
          2008-02-10 03:21   15   ----a-w   C:\Documents and Settings\Jeff Hansen\StopWZC.bat
          2008-02-10 03:20   16   ----a-w   C:\Documents and Settings\Jeff Hansen\StartWZC.bat
          2008-01-09 21:20   251   ----a-w   C:\Program Files\wt3d.ini
          2007-03-23 14:39   382   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb1942.dat
          2007-03-23 14:38   69,632   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb4827.dat
          2007-03-23 14:38   151   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb292.dat
          2007-03-23 14:38   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb2391.dat
          2006-11-30 03:42   49   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb41.dat
          2006-11-29 15:46   6,144   ----a-w   C:\Documents and Settings\Guest\Application Data\internaldb1362.dat
          2006-11-22 06:52   0   ----a-w   C:\Program Files\Common Files\err.log
          2006-11-18 17:08   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb5436.dat
          2006-11-16 20:07   9,216   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb9040.dat
          2006-11-16 20:07   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb1912.dat
          2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb4604.dat
          2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb3902.dat
          2006-11-16 04:57   0   ----a-w   C:\Documents and Settings\Jeff Hansen\Application Data\internaldb153.dat
          2006-11-04 21:03   7,048   ----a-w   C:\Documents and Settings\All Users\Application Data\ypinfo.bin
          2007-12-06 23:10   88   --sh--r   C:\WINDOWS\system32\41457874FA.sys
          2007-09-10 18:07   56   --sh--r   C:\WINDOWS\system32\FA74784541.sys
          2007-12-06 23:10   6,580   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
          .

          (((((((((((((((((((((((((((((   snapshot@2008-05-10_21.45.14.05   )))))))))))))))))))))))))))))))))))))))))
          .
          - 2008-05-11 01:37:18   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
          + 2008-05-11 02:24:27   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1550C1-DB0B-4B2D-B338-CA5DCF368E13}]
                   C:\WINDOWS\system32\pwlosnmw.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7C0AA32-5656-42F4-BF96-09ED9F459BD9}]
          2008-02-07 21:07   217088   --a------   C:\Program Files\Messenger\kywokelyt821058.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E93121AD-7C67-417A-A6A5-87C60214AC80}]
                   C:\WINDOWS\system32\pmnlm.dll

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
          "Steam"="c:\program files\steam\steam.exe" [2008-04-01 19:03 1271032]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304]
          "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
          "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
          "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
          "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56 761947]
          "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
          "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-03-23 14:31 230512]
          "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-03-23 14:31 185456]
          "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
          "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 19:15 180269]
          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
          "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
          "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
          "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
          "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
          "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 02:37 57344]

          C:\Documents and Settings\Jeff Hansen\Start Menu\Programs\Startup\
          LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 15:57:14 81920]
          Microsoft Office Shortcut Bar.Lnk [2007-04-02 15:06:31 761]

          C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
          Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
          Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-25 09:30:07 784912]
          WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-09-26 23:45:57 106560]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
          "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
          c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlm]
          C:\WINDOWS\system32\pmnlm.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "C:\\Program Files\\America Online 9.0\\waol.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
          "C:\\Program Files\\LimeWire\\LimeWire.exe"=
          "C:\\WINDOWS\\system32\\sessmgr.exe"=
          "C:\\Program Files\\Messenger\\msmsgs.exe"=
          "C:\\StubInstaller.exe"=
          "C:\\Program Files\\Opera\\Opera.exe"=
          "C:\\Program Files\\AIM\\aim.exe"=
          "C:\\Program Files\\iTunes\\iTunes.exe"=
          "C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
          "C:\\Program Files\\Steam\\SteamApps\\hippiegothie\\team fortress 2\\hl2.exe"=

          R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
          R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 17:18]
          R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-15 15:55]
          S3 SaiH0461;SaiH0461;C:\WINDOWS\system32\DRIVERS\SaiH0461.sys [2006-08-08 13:25]

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
          \Shell\AutoRun\command - E:\setup.exe

          .
          Contents of the 'Scheduled Tasks' folder
          "2008-05-05 15:24:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
          - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
          "2008-05-11 02:24:33 C:\WINDOWS\Tasks\Winter Fun Wallpaper Changer.job"
          - C:\Documents and Settings\All Users\Start Menu\Programs\Winter Fun Pack 2004 for Windows XP\Winter Fun Wallpaper Changer.lnk
          .
          **************************************************************************

          catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-05-10 22:26:55
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          ------------------------ Other Running Processes ------------------------
          .
          C:\WINDOWS\system32\WLTRYSVC.EXE
          C:\WINDOWS\system32\BCMWLTRY.EXE
          C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
          C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\Yahoo!\Antivirus\iSafe.exe
          C:\WINDOWS\ehome\ehrecvr.exe
          C:\WINDOWS\ehome\ehSched.exe
          C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
          C:\WINDOWS\ehome\mcrdsvc.exe
          C:\WINDOWS\system32\Tablet.exe
          C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\system32\WTablet\TabUserW.exe
          C:\WINDOWS\system32\Tablet.exe
          C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
          C:\WINDOWS\system32\igfxsrvc.exe
          C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
          C:\PROGRA~1\Yahoo!\browser\ycommon.exe
          C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
          .
          **************************************************************************
          .
          Completion time: 2008-05-10 22:35:20 - machine was rebooted
          ComboFix-quarantined-files.txt  2008-05-11 02:34:55
          ComboFix2.txt  2008-05-11 01:45:37

          Pre-Run: 10,695,467,008 bytes free
          Post-Run: 12,507,443,200 bytes free

          183   --- E O F ---   2008-04-11 07:09:05
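
          Added example (not part of this thread, and not a ComboFix feature): a small Python script that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags the things a helper looks for by eye: BHO and Winlogon\Notify DLLs for which ComboFix recorded no file date/size, DLLs with random-looking lower-case names, one DLL registered at two load points, a Run entry with empty file details, a Security Center monitoring override, and an AutoRun command on a mounted volume. LOG is an excerpt trimmed from the log in Reply #4; the name rule, the finding categories and the wording of the reasons are the script's own assumptions, meant for triage and not as a verdict on any file.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not a ComboFix feature.  The rules are
triage heuristics (assumptions), not malware verdicts.  LOG is an excerpt
of the ComboFix output posted in Reply #4, trimmed to the keys of interest.
"""
import re

LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1550C1-DB0B-4B2D-B338-CA5DCF368E13}]
         C:\WINDOWS\system32\pwlosnmw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7C0AA32-5656-42F4-BF96-09ED9F459BD9}]
2008-02-07 21:07   217088   --a------   C:\Program Files\Messenger\kywokelyt821058.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E93121AD-7C67-417A-A6A5-87C60214AC80}]
         C:\WINDOWS\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"Steam"="c:\program files\steam\steam.exe" [2008-04-01 19:03 1271032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlm]
C:\WINDOWS\system32\pmnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DLL_RE = re.compile(r"([A-Za-z]:\\.+?\.dll)", re.IGNORECASE)
FILEINFO_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+")   # "2008-02-07 21:07   217088"
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
DWORD_RE = re.compile(r'^"DisableMonitoring"=dword:([0-9a-fA-F]+)$')


def looks_random(filename):
    """Heuristic for Vundo-style names: all lower-case letters (optionally
    followed by digits), short, with three or more consonants in a row.
    Legitimate short names can match too, so treat a hit as a lead only."""
    stem = filename.rsplit(".", 1)[0]
    m = re.fullmatch(r"([a-z]{4,9})(\d{4,})?", stem)
    return bool(m) and re.search(r"[^aeiou]{3,}", m.group(1)) is not None


def parse_sections(text):
    """Map each [registry key] line to the non-empty lines that follow it."""
    sections, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            sections.setdefault(key, [])
        elif key is not None:
            sections[key].append(line)
    return sections


def triage(text):
    """Return findings as dicts with kind, key, item and reason."""
    findings = []
    load_points = {}   # dll base name -> set of load-point kinds it appears under

    def flag(kind, key, item, reason):
        findings.append({"kind": kind, "key": key, "item": item, "reason": reason})

    for key, lines in parse_sections(text).items():
        k = key.lower()
        if "browser helper objects" in k or "\\winlogon\\notify\\" in k:
            kind = "BHO" if "browser helper objects" in k else "WinlogonNotify"
            for line in lines:
                m = DLL_RE.search(line)
                if not m:
                    continue
                path = m.group(1)
                name = path.rsplit("\\", 1)[-1]
                load_points.setdefault(name.lower(), set()).add(kind)
                reasons = []
                if not FILEINFO_RE.search(line):
                    reasons.append("ComboFix recorded no file date/size")
                if looks_random(name):
                    reasons.append("random-looking lower-case file name")
                if reasons:
                    flag(kind, key, path, "; ".join(reasons))
        elif k.endswith("\\currentversion\\run"):
            for line in lines:
                m = RUN_RE.match(line)
                if m and not m.group(3).strip():   # "[ ]": no file details at all
                    flag("Run", key, m.group(2), "no file details recorded for the target")
        elif "security center\\monitoring\\" in k:
            for line in lines:
                m = DWORD_RE.match(line)
                if m and int(m.group(1), 16) != 0:
                    flag("SecurityCenter", key, line, "monitoring disabled; confirm the installed AV set this")
        elif "mountpoints2" in k:
            for line in lines:
                if line.lower().startswith("\\shell\\autorun\\command"):
                    flag("AutoRun", key, line.split(" - ", 1)[-1], "AutoRun command registered for a mounted volume")

    # One DLL sitting in two load points survives the removal of either one.
    for name, kinds in load_points.items():
        if len(kinds) > 1:
            flag("CrossRef", "", name, "same DLL registered under " + " and ".join(sorted(kinds)))
    return findings


if __name__ == "__main__":
    for f in triage(LOG):
        print(f"[{f['kind']}] {f['item']}: {f['reason']}")
```

          Run it as-is to print the findings for the excerpt, or pass a whole ComboFix log to triage() to apply the same checks. On this excerpt it lists pwlosnmw.dll and pmnlm.dll (the latter under both a BHO key and a Winlogon\Notify key, which also produces the CrossRef finding), kywokelyt821058.dll, the BitTorrent Run entry with empty file details, the Security Center override and the E:\setup.exe AutoRun command, and leaves LBTWlgn.dll and Steam alone. The name rule will also catch some legitimate short names, so confirm a hit by file details or hash before removing anything.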

          HippieGothie

            Topic Starter


            Starter

            Re: HijackThis log for a win32/vundo!generic problum
            « Reply #5 on: May 10, 2008, 09:28:22 PM »
            uninstall list


            Ad-Aware SE Personal
            Adobe Flash Player 9 ActiveX
            Adobe Flash Player Plugin
            Adobe Help Center 2.0
            Adobe Photoshop Elements 4.0
            Adobe Reader 7.1.0
            Adobe Shockwave Player
            AIM "You've Got Pictures" Picture Finder Plugin v9.5.1.8
            AOL Coach Version 1.0(Build:20040229.1 en)
            AOL Connectivity Services
            AOL Instant Messenger
            AOL Uninstaller (Choose which Products to Remove)
            Apple Mobile Device Support
            Apple Software Update
            AT&T Yahoo! Applications
            Audacity 1.2.5
            Broadcom Management Programs
            CDDRV_Installer
            Conexant HDA D110 MDC V.92 Modem
            Corel Painter Essentials 3
            CursorXP
            Dell Digital Jukebox Driver
            Dell Support 3.1
            Dell Wireless WLAN Card
            DellConnect
            Digital Content Portal
            Digital Line Detect
            DivX Codec
            DivX Content Uploader
            DivX Converter
            DivX Player
            DivX Web Player
            Documentation & Support Launcher
            EducateU
            ESPNMotion
            Games, Music, & Photos Launcher
            GemMaster Mystic
            Half-Life 2
            High Definition Audio Driver Package - KB835221
            HijackThis 2.0.2
            Hotfix for Windows Media Format 11 SDK (KB929399)
            Hotfix for Windows Media Player 10 (KB903157)
            Hotfix for Windows Media Player 11 (KB939683)
            Hotfix for Windows XP (KB888795)
            Hotfix for Windows XP (KB891593)
            Hotfix for Windows XP (KB895961)
            Hotfix for Windows XP (KB899337)
            Hotfix for Windows XP (KB899510)
            Hotfix for Windows XP (KB902841)
            Hotfix for Windows XP (KB926239)
            HyperCam 2
            Intel(R) Graphics Media Accelerator Driver
            Internal Network Card Power Management
            Internet Service Offers Launcher
            iPod for Windows 2006-03-23
            iTunes
            J2SE Runtime Environment 5.0 Update 1
            J2SE Runtime Environment 5.0 Update 3
            Java 2 Runtime Environment, SE v1.4.2_03
            Java(TM) SE Runtime Environment 6 Update 1
            KhalInstallWrapper
            Learn2 Player (Uninstall Only)
            LimeWire PRO 4.8.1
            Logitech SetPoint
            Macromedia Flash 5
            MCU
            Microsoft .NET Framework 1.0 Hotfix (KB887998)
            Microsoft .NET Framework 1.0 Hotfix (KB930494)
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1 Hotfix (KB928366)
            Microsoft .NET Framework 2.0 Service Pack 1
            Microsoft Compression Client Pack 1.0 for Windows XP
            Microsoft GIF Animator
            Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
            Microsoft Office 97, Professional Edition
            Microsoft Plus! Digital Media Edition Installer
            Microsoft Plus! Photo Story 2 LE
            Microsoft User-Mode Driver Framework Feature Pack 1.0
            Microsoft Visual C++ 2005 Redistributable
            Modem Helper
            Mozilla Firefox (2.0.0.14)
            MSXML 4.0 SP2 (KB927978)
            MSXML 4.0 SP2 (KB936181)
            MSXML 4.0 SP2 Parser and SDK
            NetWaiting
            NetZeroInstallers
            nik Color Efex Pro 2.0 IE
            Opera 9.24
            Otto
            Peggle Deluxe
            Peggle Extreme
            Picasa 2
            Portal
            PowerDVD 5.7
            QuickSet
            QuickTime
            RealPlayer
            RealWorld Cursor Editor
            Safety Alert 2006
            Safety Bar
            Saitek SST Programming Software
            Search Enhancer
            Security Update for Windows Media Player (KB911564)
            Security Update for Windows Media Player 10 (KB911565)
            Security Update for Windows Media Player 11 (KB936782)
            Security Update for Windows Media Player 6.4 (KB925398)
            Security Update for Windows XP (KB890046)
            Security Update for Windows XP (KB893756)
            Security Update for Windows XP (KB896428)
            Security Update for Windows XP (KB899587)
            Security Update for Windows XP (KB899589)
            Security Update for Windows XP (KB900725)
            Security Update for Windows XP (KB901017)
            Security Update for Windows XP (KB902400)
            Security Update for Windows XP (KB905414)
            Security Update for Windows XP (KB905749)
            Security Update for Windows XP (KB911562)
            Security Update for Windows XP (KB911567)
            Security Update for Windows XP (KB911927)
            Security Update for Windows XP (KB913580)
            Security Update for Windows XP (KB914388)
            Security Update for Windows XP (KB914389)
            Security Update for Windows XP (KB917344)
            Security Update for Windows XP (KB917422)
            Security Update for Windows XP (KB917953)
            Security Update for Windows XP (KB918118)
            Security Update for Windows XP (KB918439)
            Security Update for Windows XP (KB918899)
            Security Update for Windows XP (KB919007)
            Security Update for Windows XP (KB920213)
            Security Update for Windows XP (KB920214)
            Security Update for Windows XP (KB920670)
            Security Update for Windows XP (KB920683)
            Security Update for Windows XP (KB920685)
            Security Update for Windows XP (KB921398)
            Security Update for Windows XP (KB921503)
            Security Update for Windows XP (KB921883)
            Security Update for Windows XP (KB922616)
            Security Update for Windows XP (KB922760)
            Security Update for Windows XP (KB922819)
            Security Update for Windows XP (KB923191)
            Security Update for Windows XP (KB923414)
            Security Update for Windows XP (KB923694)
            Security Update for Windows XP (KB923980)
            Security Update for Windows XP (KB924191)
            Security Update for Windows XP (KB924270)
            Security Update for Windows XP (KB924496)
            Security Update for Windows XP (KB924667)
            Security Update for Windows XP (KB925454)
            Security Update for Windows XP (KB925486)
            Security Update for Windows XP (KB925902)
            Security Update for Windows XP (KB926255)
            Security Update for Windows XP (KB926436)
            Security Update for Windows XP (KB927779)
            Security Update for Windows XP (KB927802)
            Security Update for Windows XP (KB928090)
            Security Update for Windows XP (KB928255)
            Security Update for Windows XP (KB928843)
            Security Update for Windows XP (KB929123)
            Security Update for Windows XP (KB929969)
            Security Update for Windows XP (KB930178)
            Security Update for Windows XP (KB931261)
            Security Update for Windows XP (KB931768)
            Security Update for Windows XP (KB931784)
            Security Update for Windows XP (KB932168)
            Security Update for Windows XP (KB933566)
            Security Update for Windows XP (KB933729)
            Security Update for Windows XP (KB935839)
            Security Update for Windows XP (KB935840)
            Security Update for Windows XP (KB936021)
            Security Update for Windows XP (KB937143)
            Security Update for Windows XP (KB937894)
            Security Update for Windows XP (KB938127)
            Security Update for Windows XP (KB938829)
            Security Update for Windows XP (KB939653)
            Security Update for Windows XP (KB941202)
            Security Update for Windows XP (KB941568)
            Security Update for Windows XP (KB941569)
            Security Update for Windows XP (KB941644)
            Security Update for Windows XP (KB941693)
            Security Update for Windows XP (KB942615)
            Security Update for Windows XP (KB943055)
            Security Update for Windows XP (KB943460)
            Security Update for Windows XP (KB943485)
            Security Update for Windows XP (KB944338)
            Security Update for Windows XP (KB944533)
            Security Update for Windows XP (KB944653)
            Security Update for Windows XP (KB945553)
            Security Update for Windows XP (KB946026)
            Security Update for Windows XP (KB947864)
            Security Update for Windows XP (KB948590)
            Security Update for Windows XP (KB948881)
            SigmaTel Audio
            Sonic DLA
            Sonic Encoders
            Sonic RecordNow Audio
            Sonic RecordNow Copy
            Sonic RecordNow Data
            Sonic Update Manager
            Spybot - Search & Destroy 1.4
            Steam
            Synaptics Pointing Device Driver
            Tablet
            Team Fortress 2 Dedicated Server
            Update for Windows Media Player 10 (KB913800)
            Update for Windows XP (KB894391)
            Update for Windows XP (KB898461)
            Update for Windows XP (KB900485)
            Update for Windows XP (KB908531)
            Update for Windows XP (KB910437)
            Update for Windows XP (KB911280)
            Update for Windows XP (KB916595)
            Update for Windows XP (KB920872)
            Update for Windows XP (KB922582)
            Update for Windows XP (KB927891)
            Update for Windows XP (KB929338)
            Update for Windows XP (KB930916)
            Update for Windows XP (KB931836)
            Update for Windows XP (KB933360)
            Update for Windows XP (KB936357)
            Update for Windows XP (KB938828)
            Update for Windows XP (KB942763)
            Update for Windows XP (KB942840)
            Update for Windows XP (KB946627)
            Update Rollup 2 for Windows XP Media Center Edition 2005
            URGE
            Viewpoint Manager (Remove Only)
            Viewpoint Media Player
            Viewpoint Toolbar
            WebCyberCoach 3.2 Dell
            WhiteCap
            Windows Media Format 11 runtime
            Windows Media Format 11 runtime
            Windows Media Player 10
            Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
            Windows Media Player 11
            Windows Media Player 11
            Windows XP Hotfix - KB885836
            Windows XP Hotfix - KB886185
            Windows XP Hotfix - KB888302
            Windows XP Hotfix - KB890859
            Windows XP Hotfix - KB890927
            Windows XP Media Center Edition 2005 KB908246
            Windows XP Media Center Edition 2005 KB925766
            WinZip
            Xvid 1.1.2 final uninstall


            evilfantasy

            • Malware Removal Specialist
            • Moderator


            Re: HijackThis log for a win32/vundo!generic problum
            « Reply #6 on: May 10, 2008, 09:50:37 PM »
            That didn't get everything I hoped it would, and there was a new entry I have not seen before. We may need to run it again if the next set of instructions doesn't work.

            -----

            Your Java is out of date.
            Older versions of Java have vulnerabilities that malware can use to infect your system.
            Please follow these steps to remove older version(s) of Java components and update.
             
            Step 1 - Get the new version
            • Go to the Sun Java Download Page
            • On the Sun Java page scroll to the 5th download. Java Runtime Environment (JRE) 6 Update 6
            • Click the button and choose the options.
              • Platform Windows
              • Language English
              • Next place a check mark in the box to agree to the License Agreement.
            • "I agree to the Java SE Runtime Environment 6 License Agreement"
            • Click Continue
            • Click on the link to download Windows Offline Installation and save to your desktop.
            • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
            • Follow the prompts to complete the installation.
            Step 2 - Remove old version(s)
            • Close any programs you may have running - especially your web browser.
            • Go to Start > Control Panel > Add/Remove programs and remove all older versions of Java.
            • Uninstall:
              • J2SE Runtime Environment 5.0 Update 1
              • J2SE Runtime Environment 5.0 Update 3
              • Java 2 Runtime Environment, SE v1.4.2_03
              • Java(TM) SE Runtime Environment 6 Update 1
            • Do not remove Java 6 Update 6
            • Click the Remove or Change/Remove button.
            • Repeat as many times as necessary to remove each old Java version.
            • Restart your computer once all Java components are removed.
            Step 3 - Remove old folder(s)
            • Double-click My Computer on the desktop and locate this folder: C:\Program Files\Java
            • Open the Java folder and delete any subfolders except the jre1.6.0_06 folder, which was just created by the newest Java installation.
            -----

              Go to add/remove programs and uninstall:
              Safety Alert 2006
              Safety Bar
              Search Enhancer
              Viewpoint Manager (Remove Only)
              Viewpoint Media Player
              Viewpoint Toolbar


              Please check add/remove programs to be sure these actually uninstalled. Let me know if they don't.

              ----------

              Download SDFix.exe and save it to your Desktop.

              Double click SDFix.exe and it will extract the files to %systemdrive%
              (Drive that contains the Windows Directory, typically C:\SDFix)

              Please then reboot your computer in Safe Mode by doing the following:

              • Restart your computer
              • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
              • Instead of Windows loading as normal, the Advanced Options Menu should appear;
              • Select the first option, to run Windows in Safe Mode, then press Enter.
              • Choose your usual account.
              • Open the extracted SDFix folder and double click RunThis.bat to start the script.
              • Type Y to begin the cleanup process.
              • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
              • Press any key and it will restart the PC.
              • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
              • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
                (Report.txt will also be copied to Clipboard).
              • Finally add the contents of the Report.txt in your next post.
              ----------

              Now run a new Hijackthis scan and post that log as well.

              ----------

              Next post
              SDFix log
              New Hijackthis log


            « Last Edit: May 10, 2008, 10:01:02 PM by evilfantasy »