  #1  
Old 23rd Mar 2009, 20:27
New Member Group
 
I have the Trojan.Vundo.H virus in my computer and have been battling it since yesterday afternoon. I have tried using Malwarebytes' Anti-Malware, Symantec Vundo Removal Tool, and Norton 360. Every time I run a scan it says it has been deleted but when I scan again it keeps showing 4 infected files. Can anyone help? I really want to get this virus out of my computer ASAP!!! Here is my scan log:

ComboFix 09-03-22.01 - Administrator 2009-03-23 21:55:13.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.759 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.
2009-03-23 18:08 . 2009-03-23 18:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-03-23 18:06 . 2009-03-23 18:06 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-03-23 18:06 . 2009-03-23 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-03-23 18:05 . 2009-03-23 18:06 <DIR> d-------- c:\program files\Common Files\HP
2009-03-23 18:03 . 2009-03-23 18:03 <DIR> d-------- c:\program files\Hewlett-Packard
2009-03-23 18:02 . 2009-03-23 18:02 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-03-23 18:01 . 2005-03-07 23:43 51,120 -ra------ c:\windows\system32\drivers\HPZid412.sys
2009-03-23 18:01 . 2005-03-07 23:43 21,744 -ra------ c:\windows\system32\drivers\HPZius12.sys
2009-03-23 18:01 . 2005-03-07 23:43 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2009-03-23 18:01 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-23 18:01 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-23 18:00 . 2004-09-29 12:12 278,584 --a------ c:\windows\system32\HPZidr12.dll
2009-03-23 18:00 . 2004-09-29 12:15 204,800 --a------ c:\windows\system32\HPZipr12.dll
2009-03-23 18:00 . 2004-09-29 12:09 94,208 --a------ c:\windows\system32\HPZipt12.dll
2009-03-23 18:00 . 2004-09-29 12:14 69,632 --a------ c:\windows\system32\HPZipm12.exe
2009-03-23 18:00 . 2004-09-29 12:08 61,440 --a------ c:\windows\system32\HPZinw12.exe
2009-03-23 18:00 . 2004-09-29 12:09 57,344 --a------ c:\windows\system32\HPZisn12.dll
2009-03-23 17:59 . 2009-03-23 18:08 <DIR> d-------- c:\program files\HP
2009-03-23 17:58 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-23 17:58 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-03-23 17:56 . 2009-03-23 18:10 112,667 --a------ c:\windows\hpoins07.dat
2009-03-23 17:56 . 2005-05-24 01:52 21,124 --------- c:\windows\hpomdl07.dat
2009-03-23 17:55 . 2009-03-23 18:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HP
2009-03-23 04:11 . 2009-03-23 04:11 10,246,088 --a------ C:\windows-kb890830-v2.8.exe
2009-03-23 02:44 . 2009-03-23 02:44 <DIR> d-------- c:\program files\WinPcap
2009-03-22 21:52 . 2009-03-22 21:52 <DIR> d-------- c:\windows\system32\N360_BACKUP
2009-03-22 20:35 . 2009-03-22 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-22 20:35 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-22 20:35 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-22 20:34 . 2009-03-22 20:34 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-22 20:34 . 2009-03-22 20:34 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-22 20:34 . 2009-03-22 20:34 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-22 20:34 . 2009-03-22 20:34 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-22 20:34 . 2009-03-22 20:34 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-22 20:33 . 2009-03-22 20:33 <DIR> d-------- c:\windows\system32\drivers\N360
2009-03-22 20:33 . 2009-03-22 20:33 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-22 20:33 . 2009-03-22 20:34 <DIR> d-------- c:\program files\Norton 360
2009-03-22 20:31 . 2009-03-22 20:31 <DIR> d-------- c:\program files\NortonInstaller
2009-03-22 20:31 . 2009-03-22 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-22 20:31 . 2009-03-22 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-22 20:27 . 2009-03-22 20:27 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2009-03-22 20:20 . 2009-03-22 20:20 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Symantec
2009-03-22 19:29 . 2009-03-22 19:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-03-22 19:23 . 2009-03-22 19:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 19:23 . 2009-03-22 19:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 19:23 . 2009-03-22 19:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-22 19:23 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 19:23 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-22 19:07 . 2009-03-22 19:07 <DIR> d--hs---- c:\documents and settings\Administrator\IECompatCache
2009-03-22 19:06 . 2009-03-22 19:06 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-22 19:06 . 2009-03-22 19:06 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-22 19:06 . 2009-03-22 19:06 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-03-22 19:05 . 2009-03-22 19:05 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-03-22 19:03 . 2009-03-22 19:03 <DIR> d-------- c:\windows\ie8updates
2009-03-22 19:02 . 2009-03-22 19:02 <DIR> d-------- c:\program files\Yahoo!
2009-03-22 19:02 . 2009-03-22 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-22 19:02 . 2009-03-22 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-22 19:02 . 2009-03-22 19:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-03-22 19:01 . 2009-03-22 19:03 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-22 19:01 . 2009-03-22 19:02 <DIR> d--h-c--- c:\windows\ie8
2009-03-22 18:59 . 2009-02-27 23:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-22 18:41 . 2009-03-22 18:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MSNInstaller
2009-03-22 18:39 . 2009-03-22 18:42 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-22 18:08 . 2009-03-22 18:08 1,152 --a------ c:\windows\system32\windrv.sys
2009-03-22 18:06 . 2009-03-22 18:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-03-22 17:54 . 2009-03-22 17:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\bjutrejm
2009-03-22 17:50 . 2009-03-22 17:50 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\bjutrejm
2009-03-22 17:50 . 2009-03-22 17:50 491,768 --a------ C:\ie6setup.exe
2009-03-22 17:50 . 2009-03-22 17:50 857 --a------ c:\windows\Active Setup Log.BAK
2009-03-22 17:16 . 2009-03-23 21:58 2,206 --a------ c:\windows\system32\wpa.dbl
2009-03-21 22:00 . 2009-03-21 22:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-03-21 21:59 . 2009-03-22 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-21 21:59 . 2009-03-21 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-21 21:58 . 2009-03-22 20:35 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-21 19:43 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-21 18:53 . 2009-03-21 18:53 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-21 18:46 . 2009-03-21 18:46 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-21 18:43 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-21 18:42 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-21 18:42 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-21 18:42 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-21 18:42 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-21 18:42 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-21 18:42 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-21 18:42 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-21 18:42 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-21 18:41 . 2009-03-08 04:39 11,063,808 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2009-03-21 18:41 . 2009-02-06 21:07 3,698,584 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-21 18:41 . 2009-03-08 04:32 1,985,024 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2009-03-21 18:41 . 2009-03-08 14:22 1,241,088 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-21 18:41 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-21 18:41 . 2009-03-08 04:32 594,432 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2009-03-21 18:41 . 2009-03-08 04:11 445,952 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-21 18:41 . 2009-03-08 04:31 59,904 --a--c--- c:\windows\system32\dllcache\icardie.dll
2009-03-21 18:41 . 2009-03-08 04:31 55,296 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-21 18:41 . 2008-12-19 04:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-03-21 18:40 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-21 18:40 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-21 18:38 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-21 18:38 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-21 18:33 . 2009-03-21 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-21 18:30 . 2008-10-16 15:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-03-21 18:30 . 2008-10-16 15:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-21 18:30 . 2008-10-16 15:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-21 18:30 . 2008-10-16 15:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-21 18:30 . 2008-10-16 15:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-21 16:50 . 2009-03-21 22:25 69 --a------ c:\windows\NeroDigital.ini
2009-03-21 16:31 . 2009-03-21 16:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-11 22:55 . 2009-03-11 22:55 <DIR> d-------- c:\program files\Common Files\LightScribe
2009-03-11 22:54 . 2009-03-11 22:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-03-11 22:54 . 2009-03-21 16:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Ahead
2009-03-11 22:51 . 2009-03-11 22:51 <DIR> d-------- c:\program files\Nero
2009-03-11 22:51 . 2009-03-11 22:53 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-11 22:51 . 2009-03-11 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-03-03 00:36 . 2009-03-03 00:36 <DIR> d-------- c:\windows\system32\scripting
2009-03-03 00:34 . 2009-03-03 00:34 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-03 00:34 . 2008-04-14 06:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2009-03-03 00:31 . 2006-12-29 01:31 19,569 --a------ c:\windows\002888_.tmp
2009-03-02 22:39 . 2009-03-22 19:03 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-02 22:39 . 2009-01-07 18:21 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-03-02 22:37 . 2009-03-02 22:37 <DIR> d-------- C:\Intel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 14:28 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-23 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-23 01:34 --------- d-----w c:\program files\Symantec
2009-03-08 09:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:31 34,816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-07 23:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-07 23:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-07 23:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-07 23:20 23,552 ----a-w c:\windows\system32\normaliz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D81B980C-9947-4165-8710-CCDE505CABEB}]
2004-08-04 14:00 105984 --a------ c:\windows\system32\ixvxcgz.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaykapcc]
2004-08-04 14:00 105984 c:\windows\system32\ixvxcgz.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"53:UDP"= 53:UDP:Promo
"46377:TCP"= 46377:TCP:@xpsp2res.dll,-22009
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-03-22 20:34:29 310320]
R0 viwaohmv;viwaohmv;c:\windows\system32\drivers\viwaohmv.sys [2004-05-26 23424]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2009-03-22 20:34:28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2009-03-22 20:34:28 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-23 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2009-03-22 115560]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-22 101936]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sdsmvjhp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-03-23 c:\windows\Tasks\At1.job
- c:\windows\system32\ixvxcgz.dll [2004-08-04 14:00]
2009-03-03 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 06:42]
2009-03-03 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 06:42]
2009-03-24 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []
2009-03-24 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent []
2009-03-24 c:\windows\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []
2009-03-24 c:\windows\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job
- c:\progra~1\mcafee.com\agent []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SigmatelSysTrayApp - sttray.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll
.
****************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 21:58:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\windows\TEMP\etilqs_SezuNEtAEAxi4HSyDzOi 1028 bytes
scan completed successfully
hidden files: 1
****************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3847709511-1297092624-2346641620-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,69,1f,5c,c1,7f,80,45,a9,42,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,69,1f,5c,c1,7f,80,45,a9,42,c0,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
****************************************************************************
.
Completion time: 2009-03-23 22:03:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 03:03:32
Pre-Run: 64,208,150,528 bytes free
Post-Run: 63,207,890,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
292 --- E O F --- 2009-03-23 08:20:32
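As an added example (not code from the thread, ComboFix or MBAM), this Python script parses the "Reg Loading Points" part of a ComboFix log like the one above and lists every binary that is referenced from more than one autostart location; the sample lines are copied from the log, and the assumptions about the log's layout are marked in the code.

```python
"""Cross-reference autostart entries in a ComboFix log.

Added example, not code from the thread or from ComboFix/MBAM. The log in
post #1 lists c:\\windows\\system32\\ixvxcgz.dll under a Browser Helper Object
CLSID, a Winlogon Notify subkey and the scheduled task At1.job. A binary hooked
into several load points is re-registered on the next boot even after a scanner
removes one of them, which is consistent with the "keeps showing 4 infected
files" symptom. Section names and line layout below are assumptions drawn
from the posted log, not a ComboFix specification.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the ComboFix log in post #1, trimmed to the
# 'Reg Loading Points' section (which in that log runs through the scheduled tasks).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D81B980C-9947-4165-8710-CCDE505CABEB}]
2004-08-04 14:00 105984 --a------ c:\windows\system32\ixvxcgz.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaykapcc]
2004-08-04 14:00 105984 c:\windows\system32\ixvxcgz.dll
R0 viwaohmv;viwaohmv;c:\windows\system32\drivers\viwaohmv.sys [2004-05-26 23424]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sdsmvjhp
.
Contents of the 'Scheduled Tasks' folder
2009-03-23 c:\windows\Tasks\At1.job
- c:\windows\system32\ixvxcgz.dll [2004-08-04 14:00]
2009-03-03 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 06:42]
.
"""

# Layout assumptions (taken from the posted log, not from any ComboFix documentation):
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((( Section Name ))))
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\Subkey]
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\tasks\\.+\.job)$", re.I)
SERVICE_RE = re.compile(r"^R\d\s+([^;]+);")                # R0 name;display name;path [..]
PATH_RE = re.compile(r'([a-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))', re.I)


def load_points(log_text):
    """Map each referenced binary (lower-cased path) to the load points that launch it."""
    refs = defaultdict(set)
    section = None
    context = None  # registry key, task file or service that owns the current line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, context = m.group(1), None
            continue
        if section != "Reg Loading Points":
            continue
        m = KEY_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = TASK_RE.match(line)
        if m:
            context = m.group(1)  # the .job file; the next line names what it launches
            continue
        m = SERVICE_RE.match(line)
        if m:
            context = "service " + m.group(1)
        for path in PATH_RE.findall(line):
            refs[path.lower()].add(context or "(unattributed)")
    return refs


def multiply_referenced(refs, minimum=2):
    """Binaries hooked into at least `minimum` distinct load points, most-referenced first."""
    hits = {p: sorted(c) for p, c in refs.items() if len(c) >= minimum}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for path, points in multiply_referenced(load_points(SAMPLE_LOG)).items():
        print(f"{path} is loaded from {len(points)} places:")
        for point in points:
            print(f"  - {point}")
```

On the posted log it reports ixvxcgz.dll from the BHO CLSID, the Winlogon Notify subkey and At1.job, the same three registry locations MBAM later flags in post #4.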
  #2  
Old 24th Mar 2009, 09:42
Donor Group
 
Please follow this guide then return to this thread if you still have a problem.
  #3  
Old 24th Mar 2009, 10:28
Malware Group
 
Hi there

I notice that you mention that you have Malwarebytes Antimalware (MBAM) installed.
I want you to run a scan for me.
First I want you to update MBAM so we have the latest definitions onboard.
Please open Malwarebytes Antimalware.
Now click on the Update tab.
Next, click on the Check for updates button.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy and paste this in your next post.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Post back with both logs in your next reply
  #4  
Old 24th Mar 2009, 14:50
New Member Group
 
Here are the 3 logs required:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/24/2009 at 03:49 PM
Application Version : 4.25.1014
Core Rules Database Version : 3812
Trace Rules Database Version: 1766
Scan type : Complete Scan
Total Scan Time : 00:20:17
Memory items scanned : 252
Memory threats detected : 0
Registry items scanned : 5601
Registry threats detected : 0
File items scanned : 42586
File threats detected : 29
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@specificmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.adtechus[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@smartadserver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.techguy[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a1.interclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@chitika[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt

Malwarebytes' Anti-Malware 1.34
Database version: 1892
Windows 5.1.2600 Service Pack 3
3/24/2009 4:34:12 PM
mbam-log-2009-03-24 (16-34-12).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 104880
Time elapsed: 33 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d81b980c-9947-4165-8710-ccde505cabeb} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaykapcc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d81b980c-9947-4165-8710-ccde505cabeb} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\ixvxcgz.dll (Trojan.Vundo.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:41 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: (no name) - {D81B980C-9947-4165-8710-CCDE505CABEB} - c:\windows\system32\ixvxcgz.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1237678234406
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1237678224515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yaykapcc - C:\WINDOWS\SYSTEM32\ixvxcgz.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 6742 bytes
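The Malwarebytes and HijackThis logs above point at the same DLL from two different persistence mechanisms: an unnamed Internet Explorer BHO (O2, CLSID {D81B980C-...}) and a Winlogon Notify package named yaykapcc (O20) both load c:\windows\system32\ixvxcgz.dll. That cross-reference is the useful signal when reading an HJT log, because a Winlogon notification DLL runs inside winlogon.exe as SYSTEM while a BHO runs inside iexplore.exe, and legitimate software very rarely registers one DLL for both. The script below is an added example, not part of the original post and not a HijackThis feature: it parses O2/O3/O20 lines, normalises the DLL paths, and flags DLLs that match those two heuristics (both heuristics are this example's assumptions). The sample log is constructed from a few of the entries above.

```python
"""Triage HijackThis O2/O3/O20 lines by correlating DLLs across persistence
mechanisms. Added example; not part of the original post or of HijackThis."""
import re
from collections import defaultdict

# Constructed sample in HijackThis format, modelled on entries in the log
# above. Only O2 (BHO), O3 (toolbar) and O20 (Winlogon Notify) are parsed.
SAMPLE_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {D81B980C-9947-4165-8710-CCDE505CABEB} - c:\\windows\\system32\\ixvxcgz.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: yaykapcc - C:\\WINDOWS\\SYSTEM32\\ixvxcgz.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>" and "O3 - Toolbar: <name> - {CLSID} - <path>"
IE_EXT_RE = re.compile(
    r"^O(?P<section>2|3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "O20 - Winlogon Notify: <registry key name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return a list of (kind, name, clsid_or_None, normalised_path)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = IE_EXT_RE.match(line)
        if m:
            kind = "bho" if m.group("section") == "2" else "toolbar"
            entries.append((kind, m.group("name"), m.group("clsid").upper(),
                            m.group("path").strip().lower()))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(("winlogon_notify", m.group("name"), None,
                            m.group("path").strip().lower()))
    return entries


def triage(entries):
    """Map each DLL path to the reasons it deserves a closer look.

    Heuristics (this example's assumptions, not HijackThis rules):
      * a BHO with no friendly name is unusual for commercial software;
      * one DLL registered both as an IE extension (O2/O3) and as a Winlogon
        notification package (O20) is loaded into iexplore.exe and into
        winlogon.exe, which legitimate software almost never needs.
    A BHO and a toolbar sharing a DLL (Yahoo! above) is normal and not flagged.
    """
    kinds_by_path = defaultdict(set)
    reasons = defaultdict(set)
    for kind, name, _clsid, path in entries:
        kinds_by_path[path].add(kind)
        if kind == "bho" and name.strip().lower() == "(no name)":
            reasons[path].add("BHO registered without a name")
    for path, kinds in kinds_by_path.items():
        if "winlogon_notify" in kinds and kinds & {"bho", "toolbar"}:
            reasons[path].add(
                "same DLL loaded as IE extension and Winlogon Notify package")
    return {p: sorted(r) for p, r in reasons.items()}


def clsids_for(entries, path):
    """CLSIDs that point at `path`: the keys to check under HKCR\\CLSID and
    ...\\Explorer\\Browser Helper Objects once the file itself is gone."""
    return sorted(c for _k, _n, c, p in entries if c and p == path.lower())


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for path, why in triage(entries).items():
        print(path)
        for w in why:
            print("   -", w)
        print("   CLSIDs:", ", ".join(clsids_for(entries, path)))
```

Running it on the constructed sample reports only ixvxcgz.dll, with both reasons and the {D81B980C-...} CLSID to chase in the registry; yt.dll and SASWINLO.dll are left alone. The point a practitioner should take from it is that deleting the file is not enough: the BHO CLSID and the Winlogon Notify key must go too, or Windows keeps trying to load the DLL at every logon and browser start (which is also why Malwarebytes reports "Delete on reboot" for all four items).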
  #5  
Old 24th Mar 2009, 16:36
New Member Group
 
Here is the Gmer.txt file:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-24 18:35:27
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT 8619B050 ZwAlertResumeThread
SSDT 86548050 ZwAlertThread
SSDT 85CE44A8 ZwAllocateVirtualMemory
SSDT 8651A358 ZwAssignProcessToJobObject
SSDT 862FE378 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA395040]
SSDT 862197B0 ZwCreateMutant
SSDT 86219298 ZwCreateSymbolicLinkObject
SSDT 861850C0 ZwCreateThread
SSDT 86199260 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA3952C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA395820]
SSDT 85CE4600 ZwDuplicateObject
SSDT 85CE4308 ZwFreeVirtualMemory
SSDT 8626F050 ZwImpersonateAnonymousToken
SSDT 861EF050 ZwImpersonateThread
SSDT 862D4940 ZwLoadDriver
SSDT 85CA45C0 ZwMapViewOfSection
SSDT 860F6050 ZwOpenEvent
SSDT 85CE47A0 ZwOpenProcess
SSDT 8625D168 ZwOpenProcessToken
SSDT 860DF050 ZwOpenSection
SSDT 85CE46D0 ZwOpenThread
SSDT 86219368 ZwProtectVirtualMemory
SSDT 861DFF28 ZwResumeThread
SSDT 86167050 ZwSetContextThread
SSDT 86219C38 ZwSetInformationProcess
SSDT 86427B08 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA395A70]
SSDT 86298050 ZwSuspendProcess
SSDT 861591D8 ZwSuspendThread
SSDT 86267460 ZwTerminateProcess
SSDT 86170050 ZwTerminateThread
SSDT 8626AC80 ZwUnmapViewOfSection
SSDT 85CE43D8 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device InCDFs.sys (InCD File System Driver/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6HV7WQ69\flashv10[1].js 4191 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6HV7WQ69\300x250[1].htm 279 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6HV7WQ69\10542744-3[2].jpg 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NFAPU721\j[5].ad 1726 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NFAPU721\10542744-3[1].jpg 15333 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NFAPU721\button2[6].swf 154 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0C1ENGF\468x60[1].htm 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0C1ENGF\728x90[1].htm 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0C1ENGF\IBM_CXO_inside_BOB[1].gif 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0C1ENGF\S52XQBCAX6W9ILCABWOO1YCA4P41BJCAV8DTSXCARC0QHDCAICKWBTCAS5T0NBCAETBMMTCAE9QZI7CASXDEEPCAN4RGPFCAT9ZC7UCAXIX5WSCAD6TOR5CAHHE6N2CAE7PMGCCAIFRU07CAK879VP.gif 43 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0C1ENGF\TFSMFlashWrapper201rev2[9].js 2074 bytes
---- EOF - GMER 1.0.15 ----
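Reading the SSDT section of a GMER log: each line is one hooked system-call table entry. Where GMER can map the hook address into a loaded driver image it prints the driver and its version description (the SYMEVENT.SYS entries above); where it cannot, it prints only the address (the 0x85C.../0x86... entries). Those bare-address hooks are the ones that need resolving, since a rootkit and a security product's self-protection driver look identical at that level. The script below is an added example, not part of the original post or of GMER: it parses both line shapes, groups the attributed hooks by driver, groups the unattributed ones by the 4 KiB page their stub lives in (a cluster of hooks in one page, or one page per hook at the same offset, suggests a single owner rather than a random mix), and lists which security-sensitive syscalls are hooked without a named owner. The set of "sensitive" syscalls is this example's selection, not a GMER category; the sample log is a constructed subset of the lines above.

```python
"""Triage the SSDT section of a GMER log: which hooks GMER could attribute to
a driver image, and which sit at bare addresses that need a closer look.
Added example; not part of the original post or of GMER."""
import re
from collections import defaultdict

# Constructed sample in GMER's output format, modelled on the log above
# (a subset of its lines; the addresses are the ones the log shows).
SAMPLE_GMER = """\
---- System - GMER 1.0.15 ----
SSDT 8619B050 ZwAlertResumeThread
SSDT 85CE44A8 ZwAllocateVirtualMemory
SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA395040]
SSDT 862D4940 ZwLoadDriver
SSDT 85CE47A0 ZwOpenProcess
SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA395A70]
SSDT 85CE43D8 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

# Hook resolved to a driver image: "SSDT <module> (<desc>) <func> [0x<addr>]"
ATTRIBUTED_RE = re.compile(
    r"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# Hook GMER could not map to any module: "SSDT <addr> <func>"
BARE_RE = re.compile(r"^SSDT (?P<addr>[0-9A-Fa-f]{8}) (?P<func>Zw\w+)$")

# Syscalls hooked to control process access, code injection and driver
# loading, by rootkits and by self-protecting security products alike.
# This selection is the example's assumption, not a GMER category.
SENSITIVE = {
    "ZwOpenProcess", "ZwOpenThread", "ZwWriteVirtualMemory", "ZwCreateThread",
    "ZwSetContextThread", "ZwMapViewOfSection", "ZwLoadDriver",
    "ZwTerminateProcess", "ZwSetSystemInformation",
}


def parse_ssdt(text):
    """Return a list of (func, address_int, module_basename_or_None)."""
    hooks = []
    for line in text.splitlines():
        m = ATTRIBUTED_RE.match(line.strip())
        if m:
            basename = m.group("module").rsplit("\\", 1)[-1]
            hooks.append((m.group("func"), int(m.group("addr"), 16), basename))
            continue
        m = BARE_RE.match(line.strip())
        if m:
            hooks.append((m.group("func"), int(m.group("addr"), 16), None))
    return hooks


def summarize(hooks):
    """Attributed hooks grouped by driver; unattributed hooks grouped by the
    4 KiB page (address with the low 12 bits cleared) holding their stub."""
    by_module = defaultdict(list)
    pages = defaultdict(list)
    for func, addr, module in hooks:
        if module:
            by_module[module].append(func)
        else:
            pages[f"{addr & ~0xFFF:08X}"].append(func)
    return {
        "by_module": {m: sorted(f) for m, f in by_module.items()},
        "unattributed_pages": {p: sorted(f) for p, f in pages.items()},
    }


def sensitive_unattributed(hooks):
    """Hooked sensitive syscalls whose owner GMER could not name: resolve these
    (compare against a clean log from the same AV build, or check the address
    against loaded-module ranges) before trusting the machine."""
    return sorted(f for f, _a, m in hooks if m is None and f in SENSITIVE)


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_GMER)
    summary = summarize(hooks)
    for module, funcs in summary["by_module"].items():
        print(f"{module}: {', '.join(funcs)}")
    for page, funcs in sorted(summary["unattributed_pages"].items()):
        print(f"unattributed stub page {page}: {', '.join(funcs)}")
    print("needs follow-up:", ", ".join(sensitive_unattributed(hooks)))
```

On the constructed sample the SYMEVENT.SYS hooks on the registry calls are accounted for, while ZwOpenProcess, ZwWriteVirtualMemory and ZwAllocateVirtualMemory share one stub page and ZwLoadDriver sits in another. In the full log above the same pattern continues (a whole family of 0x85CE4xxx stubs, and a second family of stubs each at offset 0x050 in its own page), which is what a single, consistently written hooking component produces; that is a reason to compare against a known-clean Norton 360 install rather than to assume a rootkit, but it is not proof either way, and the log on its own cannot tell the two apart.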
  #6  
Old 24th Mar 2009, 22:26
Malware Group
 
Hi there

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote:
Skipfix::

AtJob::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaykapcc]

Reglock::
[HKEY_USERS\S-1-5-21-3847709511-1297092624-2346641620-500\Software\Microsoft\Internet Explorer\User Preferences]
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log

===============================

Download and scan with CCleaner Slim
1.Double click the file and install ccleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

===============================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

===============================

Please post back with:
The log from combofix
The log from Kaspersky
__________________
Proud member of ASAP & UNITE
  #7  
Old 25th Mar 2009, 15:11
New Member Group
 
Hi,

I am a little confused. I am not the smartest computer person so please bear with me. You wrote the following in your last post:

"2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done."


Where do I find Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
I looked in Internet Options and found Advanced but do not see the items you have listed.
  #8  
Old 26th Mar 2009, 05:38
New Member Group
 
Try ewiro anti-malware 3.5.
  #9  
Old 26th Mar 2009, 08:38
Malware Group
 
@healtoss - Please be aware there is no such software as ewiro... Unless you have good clear advice then please do not post it

@Drhunter2k,

All apologies if my post was not clear enough for you to follow; any more problems then please let me know.

Regarding ccleaner, open up the program ccleaner and you will see the following screen below

Click on options then select the advanced tab



Once you have clicked on options then make sure the top option is unchecked as follows



Now click back on the ccleaner tab and select the following options below then click the Run Cleaner button



Once done follow the instructions for kaspersky and post back the report it generates
__________________
Proud member of ASAP & UNITE
Copyright ©2006 - 2009 Computer Juice.

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.