PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Tojan Vundo H


05-07-2009, #15 - Bronze Member (Join Date: May 2009; Posts: 67; PC Experience: Very Experienced)
Re: Tojan Vundo H

Ok, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:15, on 07/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [sarinomeku] Rundll32.exe "C:\WINDOWS\system32\merunime.dll",s
O4 - HKLM\..\Run: [94f808ee] rundll32.exe "C:\WINDOWS\system32\praufyle.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-27-0.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9945260b566e0) (gupdate1c9945260b566e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Steve/LOCALS~1/T...p_image002.jpg
--
End of file - 7053 bytes

ComboFix 09-05-06.07 - Steve 07/05/2009 12:04.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.518 [GMT 1:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.
2009-05-03 12:33 . 2009-05-03 12:33 -------- d-----w C:\VundoFix Backups
2009-05-01 16:41 . 2009-05-01 16:41 -------- d-----w c:\program files\Trend Micro
2009-05-01 16:34 . 2009-05-01 16:40 13344 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-01 16:34 . 2009-05-01 16:40 120096 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-01 16:23 . 2009-05-01 16:38 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-01 16:23 . 2009-05-01 16:38 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-01 16:09 . 2009-05-01 16:09 87918580 ----a-w C:\RegBackUp.reg
2009-04-27 15:02 . 2009-04-27 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\Macrovision
2009-04-27 15:02 . 2002-01-05 06:10 57344 ------w c:\windows\system32\mfc70enu.dll
2009-04-27 15:02 . 2002-01-05 06:48 974848 ------w c:\windows\system32\mfc70.dll
2009-04-27 15:02 . 2009-04-27 15:02 -------- d-----w c:\program files\Common Files\Macromedia Shared
2009-04-27 15:02 . 2009-04-27 15:02 -------- d-----w c:\program files\Common Files\Macromedia
2009-04-27 15:01 . 2009-04-27 15:01 -------- d-----w c:\program files\Macromedia
2009-04-15 19:27 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:27 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:27 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 19:27 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:27 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:27 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:27 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:27 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:27 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:25 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 19:25 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 16:40 . 2009-05-01 16:34 3728 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-01 16:40 . 2009-05-01 16:34 2300 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-01 15:24 . 2008-11-16 17:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 15:01 . 2008-02-28 14:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 14:32 . 2008-11-16 17:09 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-16 17:09 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 18:08 . 2009-02-21 18:05 55152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-09 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
"sarinomeku"="c:\windows\system32\merunime.dll " [BU]
"94f808ee"="c:\windows\system32\praufyle.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [21/02/2009 19:05 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
S2 gupdate1c9945260b566e0;Google Update Service (gupdate1c9945260b566e0);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2009 19:29 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9593ca2-46c0-11dd-bc45-000ea6a67ded}]
\Shell\AutoRun\command - J:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-21 20:43]
2009-05-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 18:29]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\j16og33j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 12:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(260)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Ahead\InCD\incdsrv.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-07 12:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 11:11
ComboFix2.txt 2009-05-07 10:45
ComboFix3.txt 2009-05-03 16:08
ComboFix4.txt 2009-05-03 15:59
ComboFix5.txt 2009-05-07 11:03
Pre-Run: 11,221,790,720 bytes free
Post-Run: 11,216,424,960 bytes free
157 --- E O F --- 2009-04-29 10:15
pcpaul
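The two O4 entries in the log above that launch rundll32 against DLLs with random-looking names in system32 (merunime.dll and praufyle.dll) are the ones that stand out as suspicious; the following triage script is an added example in Python, not code from HijackThis, ComboFix or anyone in this thread, and it flags that pattern in O4 lines. Its heuristics (8-hex-digit value names, one-letter rundll32 export names) and the constructed sample lines are assumptions of this example, not HijackThis's own detection rules.

```python
"""Heuristic triage of HijackThis O4 (Run-key autostart) entries.

Added example for this thread; it is not HijackThis, ComboFix or forum code.
The sample lines are constructed in the HijackThis v2 format shown in the
posted log, and the two heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the O4 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [sarinomeku] Rundll32.exe "C:\WINDOWS\system32\merunime.dll",s
O4 - HKLM\..\Run: [94f808ee] rundll32.exe "C:\WINDOWS\system32\praufyle.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32[.exe] "<dll path>",<export name>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
# Value names such as 94f808ee: eight hex digits instead of a product name.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)


@dataclass
class Finding:
    hive: str
    name: str                  # Run-key value name
    cmd: str                   # command line as logged
    reasons: List[str] = field(default_factory=list)


def assess_o4(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4 line; None for non-O4 or clean lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    f = Finding(m['hive'], m['name'], m['cmd'])
    if HEX_NAME_RE.match(f.name):
        f.reasons.append('value name is an 8-digit hex string, not a product name')
    r = RUNDLL_RE.match(f.cmd)
    if r:
        dll, export = r['dll'], r['export']
        if len(export) <= 1:
            # A rundll32 autostart normally names a real export; a lone
            # letter (",s", ",b") is the pattern seen in the posted log.
            f.reasons.append(f'rundll32 loads {dll} through one-letter export "{export}"')
    return f if f.reasons else None


def scan_log(text: str) -> List[Finding]:
    """Run assess_o4 over every line of a HijackThis log, keeping only hits."""
    return [f for f in (assess_o4(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f'{f.hive} [{f.name}] -> {f.cmd}')
        for why in f.reasons:
            print(f'    * {why}')
```

Run against the full log rather than the sample, the same two entries are the only O4 hits; the (no file) O3 toolbar and the [BU] markers in the ComboFix output are separate cross-checks the script does not attempt.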

05-07-2009, #16 - chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,176; PC Experience: PC Guru)
Re: Tojan Vundo H

Hmmm looks like the Vundo infection is very persistent...I need to give this a think over.

In the meantime...

Download "SUPERAntiSpyware Free Edition" from this link:
SUPERAntiSpyware.com - Downloads

Install and update the scanner.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
PC Hell: How to Start Windows in Safe Mode

Start the scanner, click "Scan your computer", mark the drives that you want to scan (in the left window). Select "Perform Complete Scan" (in the right window). Click "next"

The scanner will now start to scan. As soon as it has finished, you should mark everything that is found, and let the scanner fix it.

Reboot your computer. After reboot, open the scanner again. Click "preferences" -> "statistics/logs". Mark the log. Click "View log", and copy the content of this log into your next reply.
chiaz
05-07-2009, #17 - Bronze Member (Join Date: May 2009; Posts: 67; PC Experience: Very Experienced)
Re: Tojan Vundo H

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 05/07/2009 at 02:11 PM
Application Version : 4.26.1002
Core Rules Database Version : 3881
Trace Rules Database Version: 1829
Scan type : Complete Scan
Total Scan Time : 00:46:49
Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 5177
Registry threats detected : 4
File items scanned : 16281
File threats detected : 12
Adware.Tracking Cookie
C:\Documents and Settings\Steve\Cookies\steve@bs.serving-sys[2].txt
C:\Documents and Settings\Steve\Cookies\steve@ad.yieldmanager[1].txt
C:\Documents and Settings\Steve\Cookies\steve@mediaplex[2].txt
C:\Documents and Settings\Steve\Cookies\steve@doubleclick[2].txt
C:\Documents and Settings\Steve\Cookies\steve@247realmedia[1].txt
C:\Documents and Settings\Steve\Cookies\steve@msnportal.112.2o7[1].txt
C:\Documents and Settings\Steve\Cookies\steve@serving-sys[1].txt
C:\Documents and Settings\Steve\Cookies\steve@imrworldwide[2].txt
C:\Documents and Settings\Steve\Cookies\steve@tribalfusion[2].txt
C:\Documents and Settings\Steve\Cookies\steve@questionmarket[1].txt
C:\Documents and Settings\Steve\Cookies\steve@apmebf[1].txt
C:\Documents and Settings\Steve\Cookies\steve@atdmt[1].txt
Rogue.Component/Trace
HKLM\Software\Microsoft\94F81A60
HKLM\Software\Microsoft\94F81A60#94f81a60
HKLM\Software\Microsoft\94F81A60#Version
Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1606980848-1123561945-725345543-1004\SOFTWARE\Microsoft\fias4013
pcpaul
05-09-2009, #18 - chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,176; PC Experience: PC Guru)
Re: Tojan Vundo H

OK, run one more scanner before we check how things are again...

Download Dr. Web to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
PC Hell: How to Start Windows in Safe Mode

Double-click the drweb-cureit.exe file. It will then suggest to run an express scan -- this you should allow.
After this (Dr.Web writes "Select object for Scanning" at the Bottom-left), you click Options->Change settings.
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Choose the "Actions"-tab, and choose "Rename" under all the Malware-issues.
Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).

Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
After the scan: Close Dr.Web. Click Start->search, find the following file: CureIt.log, and copy the last lines of this log into the thread (starting with: Scan statistics).


Now also run HijackThis and post the fresh log here.
chiaz
05-10-2009, #19 - Bronze Member (Join Date: May 2009; Posts: 67; PC Experience: Very Experienced)
Re: Tojan Vundo H

If I run express scan it completes with no infections found (it doesn't give me an option to select object for scanning). If I select custom scan then select C: drive (red dot) it goes for about 10 minutes, then I get an error message "zw4pf.exe has encountered a problem and needs to close", and drweb stops scanning. If I press "send" or "don't send" drweb shuts down.

Last edited by pcpaul; 05-10-2009 at 08:32 PM.
pcpaul
05-12-2009, #20 - Bronze Member (Join Date: May 2009; Posts: 67; PC Experience: Very Experienced)
Re: Tojan Vundo H

Any more help?
pcpaul
05-12-2009, #21 - chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,176; PC Experience: PC Guru)
Re: Tojan Vundo H

I'm terribly sorry - I must have missed your last reply to this thread.

Let's have you reinstall ComboFix first, since it may have gotten outdated since you last downloaded it.

Go to:
Start > Run then copy and paste the following highlighted text below into the box and click OK.

ComboFix /u


Then download and run a fresh copy of ComboFix. Post the new log in your reply, we'll take it from there again.
chiaz

Reply

Bookmarks

Tags
Fixed:, tojan, vundo, [Fixed]
Similar discussions...
Thread Thread Starter Forum Replies Last Post
False Trojan Errors: Tojan.Zlob.G Hoax MeaoSchultz [Pending] HJT Logs 4 04-03-2009 05:23 AM
Pending: Got Vundo nick7272 [Pending] HJT Logs 2 04-02-2009 11:35 PM
Fixed: Vundo: Is it really gone? bivegan [Fixed] Hijackthis! Logs 2 05-28-2008 01:44 AM
Fixed: Got hit with vundo..... D__ [Fixed] Hijackthis! Logs 4 05-20-2008 03:38 PM
Help with Vundo Spliefer Anti-Virus 3 03-12-2008 03:11 AM

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are On




All times are GMT. The time now is 02:19 PM.
Powered by vBulletin
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2