  #1  
Old 27th Apr 2009, 00:47
New Member Group
 
I got the Vundo.H trojan around Friday and have been working on removing it since. I've been looking at a lot of forums and it feels like I've tried everything, but I just can't figure out what to do, so any help or advice would be greatly appreciated. I'm fairly new with computers so go easy on me =P

Edit: I'm not really sure if I'm 100% infected because it doesn't seem like that trojan is doing anything to my system. IE and everything else is running normally, if that means anything.

Malwarebytes' log-

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3
4/27/2009 2:41:32 AM
mbam-log-2009-04-27 (02-41-25).txt
Scan type: Quick Scan
Objects scanned: 72350
Time elapsed: 1 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57e0e419-0f36-42a2-bdcb-aa4ddb4c6f7f} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jdfpvrcc (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{57e0e419-0f36-42a2-bdcb-aa4ddb4c6f7f} (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\rtwwqbk.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\Temp\xcqvmxup.dat (Rootkit.Agent) -> No action taken.
  #2  
Old 27th Apr 2009, 00:48
New Member Group
 
hijackthis-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:51 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system\CMGxMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Ryan\My Documents\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F} - c:\windows\system32\rtwwqbk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio8788GX] C:\WINDOWS\system\CMGxMon.exe Envoke
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210489691421
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F74E235-12DB-4946-B782-CBBE7792E563}: NameServer = 64.86.16.3,64.86.16.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: lwbmcj.dll
O20 - Winlogon Notify: jdfpvrcc - C:\WINDOWS\SYSTEM32\rtwwqbk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8362 bytes
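The HijackThis log above shows the persistence points that the rest of this thread goes after: an unnamed BHO and a Winlogon Notify hook that both load rtwwqbk.dll, plus an AppInit_DLLs entry. As an added example (not part of this thread or of HijackThis), here is a small Python triage script that parses such lines and flags them; the sample lines are copied from the log with benign entries added, and the "random-looking name" heuristic is an assumption of mine, not a HijackThis rule.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log above plus three
# benign entries, so the script runs offline. Not output of any tool here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F} - c:\windows\system32\rtwwqbk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O20 - AppInit_DLLs: lwbmcj.dll
O20 - Winlogon Notify: jdfpvrcc - C:\WINDOWS\SYSTEM32\rtwwqbk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r'^([OR]\d+)\s+-\s+(.*)$')
# A full Windows path, or a bare module name, ending in .dll/.exe/.sys
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|sys)|\b[\w.-]+\.(?:dll|exe|sys))', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(stem):
    """Assumed heuristic for the machine-generated names seen in this thread
    (rtwwqbk, jdfpvrcc, lwbmcj): letters only, at least 6 long, under 20% vowels."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.2


def parse(text):
    """Split HijackThis lines into (section, body, module basename or None)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        paths = PATH_RE.findall(body)
        module = basename(paths[-1]) if paths else None
        entries.append((section, body, module))
    return entries


def triage(entries):
    """Map module -> [(section, reason)] for entries matching the Vundo.H
    pattern visible in the log: unnamed BHO, non-empty AppInit_DLLs,
    a Winlogon Notify hook, or a random-looking module name."""
    findings = defaultdict(list)
    for section, body, module in entries:
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                reasons.append("non-empty AppInit_DLLs")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify hook")
        if module and looks_random(module.rsplit(".", 1)[0]):
            reasons.append("random-looking module name")
        for reason in reasons:
            findings[module or body].append((section, reason))
    return dict(findings)


def multi_hook_modules(findings):
    """Modules reached from more than one autostart section; in this log
    rtwwqbk.dll is both the unnamed BHO and the Winlogon Notify DLL."""
    return sorted(m for m, hits in findings.items()
                  if len({sec for sec, _ in hits}) > 1)


if __name__ == "__main__":
    found = triage(parse(SAMPLE_LOG))
    for module, hits in sorted(found.items()):
        print(module, "->", "; ".join(f"{s}: {r}" for s, r in hits))
    print("hooked from multiple points:", multi_hook_modules(found))
```

A benign Winlogon Notify entry will still be listed with a single reason; the combination of reasons, and a module appearing under more than one section, is what separates the Vundo entries from the noise.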
  #3  
Old 27th Apr 2009, 04:51
Malware Group
 
Howdy there and welcome to the CJ Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Proud member of ASAP & UNITE
  #4  
Old 27th Apr 2009, 11:03
New Member Group
 
Hi Steve, thanks for the quick reply. Here's the scan from ComboFix...

Also, ComboFix said AVG was running, but I don't have any files or programs affiliated with AVG. The Add/Remove Programs list also does not show AVG, so I'm not sure if it was/is really running.


Combofix log-

ComboFix 09-04-27.02 - Ryan 04/27/2009 12:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2869 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.
2009-04-27 05:22 . 2009-04-27 05:22 61440 ----a-w c:\windows\system32\drivers\lsikrx.sys
2009-04-27 02:44 . 2009-04-27 02:44 61440 ----a-w c:\windows\system32\drivers\jcqjvdhk.sys
2009-04-26 23:52 . 2009-04-27 06:13 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-26 22:31 . 2009-04-26 23:55 -------- d-----w C:\VundoFix Backups
2009-04-26 22:30 . 2009-04-26 22:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-26 22:12 . 2009-04-26 22:12 -------- d-----w c:\program files\Alwil Software
2009-04-26 19:28 . 2009-04-26 19:28 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 19:28 . 2009-04-26 19:28 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 19:28 . 2009-04-26 19:28 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 19:27 . 2009-04-26 19:47 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 19:27 . 2009-04-26 19:27 -------- d-----w c:\program files\AVG
2009-04-26 00:42 . 2009-04-26 00:42 61440 ----a-w c:\windows\system32\drivers\jccwed.sys
2009-04-25 21:29 . 2009-04-25 21:29 81408 ----a-w c:\windows\system32\drivers\xtcevrxnkinmdxbq.sys
2009-04-23 19:17 . 2009-04-23 19:18 512 ----a-w C:\drmHeader.bin
2009-04-20 01:01 . 2009-04-20 01:01 -------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-04-20 00:46 . 2009-04-20 00:56 -------- d-----w c:\documents and settings\Ryan\Application Data\GetRightToGo
2009-04-20 00:36 . 2009-04-20 00:36 -------- d-----w c:\program files\Ubisoft
2009-04-19 23:10 . 2009-04-20 00:28 -------- d-----w c:\documents and settings\Ryan\Application Data\IGN_DLM
2009-04-19 23:09 . 2009-04-19 23:09 -------- d-----w c:\program files\Download Manager
2009-04-17 00:09 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:09 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:09 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 00:09 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:09 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:09 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:09 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:09 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:09 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:09 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 01:52 . 2009-04-07 01:52 -------- d-----w c:\documents and settings\Ryan\Local Settings\Application Data\Matt_Chambers
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 17:50 . 2008-11-21 06:54 -------- d-----w c:\program files\Steam
2009-04-27 06:09 . 2008-02-08 05:52 -------- d-----w c:\program files\GemMaster
2009-04-27 05:13 . 2008-06-26 21:42 -------- d-----w c:\program files\Java
2009-04-27 02:44 . 2009-04-27 02:44 498 ----a-w c:\program files\stdke.txt
2009-04-26 00:42 . 2009-04-26 00:42 918 ----a-w c:\program files\fcxbc.txt
2009-04-25 21:27 . 2008-08-06 18:39 189496 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-25 21:25 . 2008-12-27 22:16 -------- d-----w c:\program files\Full Tilt Poker
2009-04-23 05:32 . 2008-02-08 19:04 -------- d-----w c:\program files\World of Warcraft
2009-04-20 00:36 . 2008-02-08 06:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-11 03:12 . 2008-12-04 20:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 06:46 . 2008-07-20 03:50 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-07 06:46 . 2008-07-20 03:50 102400 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-07 06:46 . 2009-02-13 01:38 -------- d-----w c:\program files\ASUS Xonar DX Audio
2009-04-06 20:32 . 2008-12-04 20:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-12-04 20:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 22:27 . 2009-04-05 22:27 2342128 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-03-27 15:03 . 2009-02-09 19:18 401408 ----a-w c:\windows\system32\nvcuvid.dll
2009-03-27 15:03 . 2009-01-15 14:19 466944 ----a-w c:\windows\system32\nvshell.dll
2009-03-27 15:03 . 2009-01-15 14:19 449056 ----a-w c:\windows\system32\nvappbar.exe
2009-03-27 15:03 . 2009-01-15 14:19 436768 ----a-w c:\windows\system32\keystone.exe
2009-03-27 15:03 . 2009-01-15 14:19 1724416 ----a-w c:\windows\system32\nvwdmcpl.dll
2009-03-27 15:03 . 2009-01-15 14:19 1657376 ----a-w c:\windows\system32\nwiz.exe
2009-03-27 15:03 . 2009-01-15 14:19 1503232 ----a-w c:\windows\system32\nview.dll
2009-03-27 15:03 . 2009-01-15 14:19 143360 ----a-w c:\windows\system32\nvcolor.exe
2009-03-27 15:03 . 2009-01-15 14:19 1346080 ----a-w c:\windows\system32\nvdspsch.exe
2009-03-27 15:03 . 2009-01-15 14:19 1101824 ----a-w c:\windows\system32\nvwimg.dll
2009-03-27 15:03 . 2008-03-25 07:52 801312 ----a-w c:\windows\system32\nvcplui.exe
2009-03-27 15:03 . 2008-02-08 06:01 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-27 13:14 . 2008-02-08 07:34 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 20:48 . 2009-01-13 04:55 4215500 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 20:48 . 2009-01-13 04:55 320721440 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-20 02:36 . 2009-03-20 02:44 235008 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-14 20:22 . 2009-03-14 20:24 2748416 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-03-14 20:16 . 2009-03-14 20:16 109 --sha-w c:\windows\system32\3839063229.dat
2009-03-13 04:17 . 2009-01-13 04:49 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-12 02:53 . 2008-06-09 00:32 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 05:45 . 2008-08-06 18:40 138584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-03 00:18 . 2004-08-10 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 05:10 . 2008-08-06 18:39 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-20 19:43 . 2008-02-08 05:59 29456 ----a-w c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-10 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-14 05:13 . 2008-08-06 18:40 22328 ----a-w c:\documents and settings\Ryan\Application Data\PnkBstrK.sys
2009-02-14 05:12 . 2009-02-13 03:53 2250024 ----a-w c:\windows\system32\pbsvc.exe
2009-02-11 15:17 . 2009-02-13 01:39 2029888 ----a-w c:\windows\system32\drivers\cmudaxp.sys
2009-02-09 12:10 . 2004-08-10 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 11:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-10 11:00 56832 ----a-w c:\windows\system32\secur32.dll
.
------- Sigcheck -------
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-27_04.53.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 17:49 . 2009-04-27 17:49 16384 c:\windows\Temp\Perflib_Perfdata_29c.dat
+ 2009-04-27 17:49 . 2009-04-27 17:49 16384 c:\windows\Temp\Perflib_Perfdata_178.dat
+ 2009-01-13 05:00 . 2009-04-27 06:44 496956 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-01-13 05:00 . 2009-04-27 04:20 496956 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F}]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"Steam"="c:\program files\steam\steam.exe" [2008-11-21 1410296]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-17 2356088]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-02-25 1103216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Cmaudio8788GX"="c:\windows\system\CMGxMon.exe " [2007-12-19 20480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-26 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-10-2 49220]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jdfpvrcc]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lwbmcj.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell Wireless 2350 Control Utility\\ControlUtility.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW-BI.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 89becbee;89becbee; [x]
R2 avg8emc;AVG Free8 E-mail Scanner; [x]
R2 avg8wd;AVG Free8 WatchDog; [x]
S0 muntohnl;muntohnl;c:\windows\system32\drivers\muntohnl.sys [2004-08-10 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2009-02-11 2029888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oepaeome
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
2009-04-26 c:\windows\Tasks\At1.job
- c:\windows\system32\rtwwqbk.dll [2004-08-10 11:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: {7F74E235-12DB-4946-B782-CBBE7792E563} = 64.86.16.3,64.86.16.99
.
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 12:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1801674531-839522115-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,b0,f4,b9,68,e6,f8,47,09,a0,30,0b,a9,f6,1a,74,fb,f9,08,f9,9b,6e,92,
da,8f,2f,26,c7,27,e5,ef,4b,19,1f,07,56,3b,16,d2,0b,58,9c,b6,c4,b0,86,a0,fa,\
"??"=hex:8b,6f,8d,02,a4,6d,fc,be,97,5e,01,64,c4,bb,83,53
[HKEY_USERS\S-1-5-21-1801674531-839522115-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:0c,85,dc,9c,3a,fc,a0,d2,e2,86,da,45,0a,b6,a5,b1,8a,6f,dd,3a,cd,
79,c5,29,c7,b6,4b,1d,c2,6a,df,4d,c8,3a,e6,69,84,61,4e,e8,25,e9,df,b3,4d,8c,\
"rkeysecu"=hex:5d,a7,72,c6,9d,d2,78,62,03,33,d4,11 ,f0,c0,76,92
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
************************************************************************
.
Completion time: 2009-04-27 12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 17:56
ComboFix2.txt 2009-04-27 06:02
ComboFix3.txt 2009-04-27 04:58
Pre-Run: 20,391,206,912 bytes free
Post-Run: 20,410,224,640 bytes free
264 --- E O F --- 2009-04-17 02:29
  #5  
Old 27th Apr 2009, 16:12
Malware Group
 
Howdy there

It looks like AVG did not uninstall itself cleanly... Try running the AVG removal tool, this can be found here - AVG 32x Removal Tool

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.computer-juice.com/forums/f49/removing-trojan-vundo-h-23200/

Collect
c:\windows\system32\drivers\lsikrx.sys
c:\windows\system32\drivers\jcqjvdhk.sys
c:\windows\system32\drivers\jccwed.sys
c:\windows\system32\drivers\xtcevrxnkinmdxbq.sys
c:\windows\system32\drivers\muntohnl.sys

File::
c:\windows\Tasks\At1.job
c:\windows\system32\rtwwqbk.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jdfpvrcc]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver::
muntohnl
oepaeome
89becbee

NetSvcs::
oepaeome

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

In addition, it will prompt you to submit some files for analyzing.



Click OK.

Combofix will then upload the files automatically. Please do not close Combofix's window.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

======================================

Go to Start menu > Select Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

======================================

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop and copy and paste this in your next reply


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


======================================

Please post back with:
The new combofix log
Add-Remove Programs.txt
The GMER log
__________________
Proud member of ASAP & UNITE
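As an added example (not part of this thread and not ComboFix's own code), the script below parses a ComboFix log and correlates its sections to show why the CFScript above targets what it does: the DLL registered under both a BHO CLSID and a Winlogon Notify key, the drivers created in the days before the scan, the service ComboFix reports as *NewlyCreated*, and the deletion that failed. SAMPLE_LOG is assembled from lines of the ComboFix output posted in this thread; the seven-day window and the list of persistence keys are assumptions.

```python
import re
from datetime import datetime, timedelta
# Autostart locations Vundo.H abuses in this thread (matched case-insensitively).
PERSISTENCE_KEYS = {
    "browser helper objects": "Browser Helper Object (DLL loaded into Internet Explorer)",
    "winlogon\\notify": "Winlogon Notify package (DLL loaded into winlogon.exe)",
    "appinit_dlls": "AppInit_DLLs (DLL loaded into every user32-linked process)",
}
HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})")
SECTION_RE = re.compile(r"^\(+ (?P<name>.+?) \)+$")           # (((( Section name ))))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...\...]
# "Files Created" lines carry two timestamps, "Reg Loading Points" file lines only one.
FILE_RE = re.compile(r"^(?:(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. )?"
                     r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:\d+|-+) \S+ (?P<path>\S.*)$")
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")
NEWLY_RE = re.compile(r"^\*NewlyCreated\* - (?P<name>\S+)$")
FAILED_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. \. failed to delete$")
# Constructed sample: lines copied from the ComboFix output posted in this thread.
SAMPLE_LOG = r"""
ComboFix 09-04-27.02 - Ryan 04/27/2009 18:46.5 - NTFSx86
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
c:\windows\system32\rtwwqbk.dll . . . . failed to delete
(((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 ))))))))))))))))))))
2009-04-27 05:22 . 2009-04-27 05:22 61440 ----a-w c:\windows\system32\drivers\lsikrx.sys
2009-04-27 02:44 . 2009-04-27 02:44 61440 ----a-w c:\windows\system32\drivers\jcqjvdhk.sys
2009-04-25 21:29 . 2009-04-25 21:29 81408 ----a-w c:\windows\system32\drivers\xtcevrxnkinmdxbq.sys
2009-04-17 00:09 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F}]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jdfpvrcc]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
S0 muntohnl;muntohnl;c:\windows\system32\drivers\muntohnl.sys [2004-08-10 23424]
S3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2009-02-11 2029888]
*NewlyCreated* - MUNTOHNL
"""

def log_timestamp(log_text):
    """Scan time from the ComboFix banner line (US-style date, as ComboFix prints it)."""
    for line in log_text.splitlines():
        if (m := HEADER_RE.match(line.strip())):
            return datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M")
    raise ValueError("no ComboFix banner line found")

def triage(log_text, recent_days=7):
    """Return {lower-cased path: [reasons]} for entries that deserve a closer look."""
    scan_time, findings = log_timestamp(log_text), {}
    section, key = "", None            # current banner section / last registry key header
    services, newly, failed = {}, set(), []

    def note(path, why):
        findings.setdefault(path.lower(), []).append(why)

    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := SECTION_RE.match(line)):
            section, key = m.group("name").lower(), None
        elif (m := KEY_RE.match(line)):
            key = m.group("key")
        elif (m := FAILED_RE.match(line)):
            failed.append(m.group("path"))
        elif (m := NEWLY_RE.match(line)):
            newly.add(m.group("name").lower())
        elif (m := SERVICE_RE.match(line)):
            services[m.group("name").lower()] = (m.group("start"), m.group("path"))
        elif (m := FILE_RE.match(line)):
            path = m.group("path")
            if key and section.startswith("reg loading points"):
                for needle, why in PERSISTENCE_KEYS.items():
                    if needle in key.lower():
                        note(path, f"loaded via {why}: [{key}]")
            elif section.startswith("files created") and m.group("created"):
                created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
                if "\\drivers\\" in path.lower() and scan_time - created <= timedelta(days=recent_days):
                    note(path, f"kernel driver created {created:%Y-%m-%d}, within {recent_days} days of the scan")
    for name, (start, path) in services.items():
        if name in newly:
            note(path, f"service '{name}' (start type {start}) reported *NewlyCreated* by ComboFix")
    for path in failed:  # a DLL registered under one of the keys above is mapped into a live process
        in_proc = any("DLL loaded into" in r for r in findings.get(path.lower(), []))
        note(path, "ComboFix could not delete it" + ("; unregister the loading key first and remove the file at reboot" if in_proc else ""))
    return findings
```

Running `triage(SAMPLE_LOG)` flags rtwwqbk.dll three times (BHO, Winlogon Notify, failed deletion), the three fresh drivers, and muntohnl.sys, while ctfmon.exe, pdh.dll and the ASUS audio driver pass.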
  #6  
Old 27th Apr 2009, 18:54
New Member Group
 
Ok, so I ran the AVG removal tool and it looked like it removed AVG from the PC, but ComboFix keeps saying it's still there. Also, when I dragged the CFScript onto ComboFix it didn't ask to submit any files.

Combofix log-

ComboFix 09-04-27.02 - Ryan 04/27/2009 18:46.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2896 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*
* Created a new restore point
FILE ::
c:\windows\system32\rtwwqbk.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\rtwwqbk.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MUNTOHNL
-------\Service_muntohnl

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.
2009-04-27 05:22 . 2009-04-27 05:22 61440 ----a-w c:\windows\system32\drivers\lsikrx.sys
2009-04-27 02:44 . 2009-04-27 02:44 61440 ----a-w c:\windows\system32\drivers\jcqjvdhk.sys
2009-04-26 23:52 . 2009-04-27 06:13 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-26 22:31 . 2009-04-26 23:55 -------- d-----w C:\VundoFix Backups
2009-04-26 22:30 . 2009-04-26 22:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-26 22:12 . 2009-04-26 22:12 -------- d-----w c:\program files\Alwil Software
2009-04-26 19:27 . 2009-04-26 19:27 -------- d-----w c:\program files\AVG
2009-04-26 00:42 . 2009-04-26 00:42 61440 ----a-w c:\windows\system32\drivers\jccwed.sys
2009-04-25 21:29 . 2009-04-25 21:29 81408 ----a-w c:\windows\system32\drivers\xtcevrxnkinmdxbq.sys
2009-04-23 19:17 . 2009-04-23 19:18 512 ----a-w C:\drmHeader.bin
2009-04-20 01:01 . 2009-04-20 01:01 -------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-04-20 00:46 . 2009-04-20 00:56 -------- d-----w c:\documents and settings\Ryan\Application Data\GetRightToGo
2009-04-20 00:36 . 2009-04-20 00:36 -------- d-----w c:\program files\Ubisoft
2009-04-19 23:10 . 2009-04-20 00:28 -------- d-----w c:\documents and settings\Ryan\Application Data\IGN_DLM
2009-04-19 23:09 . 2009-04-19 23:09 -------- d-----w c:\program files\Download Manager
2009-04-17 00:09 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:09 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:09 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 00:09 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:09 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:09 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:09 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:09 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:09 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:09 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 01:52 . 2009-04-07 01:52 -------- d-----w c:\documents and settings\Ryan\Local Settings\Application Data\Matt_Chambers
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 23:49 . 2008-11-21 06:54 -------- d-----w c:\program files\Steam
2009-04-27 06:09 . 2008-02-08 05:52 -------- d-----w c:\program files\GemMaster
2009-04-27 05:13 . 2008-06-26 21:42 -------- d-----w c:\program files\Java
2009-04-27 02:44 . 2009-04-27 02:44 498 ----a-w c:\program files\stdke.txt
2009-04-26 00:42 . 2009-04-26 00:42 918 ----a-w c:\program files\fcxbc.txt
2009-04-25 21:27 . 2008-08-06 18:39 189496 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-25 21:25 . 2008-12-27 22:16 -------- d-----w c:\program files\Full Tilt Poker
2009-04-23 05:32 . 2008-02-08 19:04 -------- d-----w c:\program files\World of Warcraft
2009-04-20 00:36 . 2008-02-08 06:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-11 03:12 . 2008-12-04 20:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 06:46 . 2008-07-20 03:50 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-07 06:46 . 2008-07-20 03:50 102400 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-07 06:46 . 2009-02-13 01:38 -------- d-----w c:\program files\ASUS Xonar DX Audio
2009-04-06 20:32 . 2008-12-04 20:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-12-04 20:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 22:27 . 2009-04-05 22:27 2342128 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-03-27 15:03 . 2009-02-09 19:18 401408 ----a-w c:\windows\system32\nvcuvid.dll
2009-03-27 15:03 . 2009-01-15 14:19 466944 ----a-w c:\windows\system32\nvshell.dll
2009-03-27 15:03 . 2009-01-15 14:19 449056 ----a-w c:\windows\system32\nvappbar.exe
2009-03-27 15:03 . 2009-01-15 14:19 436768 ----a-w c:\windows\system32\keystone.exe
2009-03-27 15:03 . 2009-01-15 14:19 1724416 ----a-w c:\windows\system32\nvwdmcpl.dll
2009-03-27 15:03 . 2009-01-15 14:19 1657376 ----a-w c:\windows\system32\nwiz.exe
2009-03-27 15:03 . 2009-01-15 14:19 1503232 ----a-w c:\windows\system32\nview.dll
2009-03-27 15:03 . 2009-01-15 14:19 143360 ----a-w c:\windows\system32\nvcolor.exe
2009-03-27 15:03 . 2009-01-15 14:19 1346080 ----a-w c:\windows\system32\nvdspsch.exe
2009-03-27 15:03 . 2009-01-15 14:19 1101824 ----a-w c:\windows\system32\nvwimg.dll
2009-03-27 15:03 . 2008-03-25 07:52 801312 ----a-w c:\windows\system32\nvcplui.exe
2009-03-27 15:03 . 2008-02-08 06:01 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-27 13:14 . 2008-02-08 07:34 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 20:48 . 2009-01-13 04:55 4215500 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 20:48 . 2009-01-13 04:55 320721440 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-20 02:36 . 2009-03-20 02:44 235008 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-14 20:22 . 2009-03-14 20:24 2748416 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-03-14 20:16 . 2009-03-14 20:16 109 --sha-w c:\windows\system32\3839063229.dat
2009-03-13 04:17 . 2009-01-13 04:49 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-12 02:53 . 2008-06-09 00:32 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 05:45 . 2008-08-06 18:40 138584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-03 00:18 . 2004-08-10 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 05:10 . 2008-08-06 18:39 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-20 19:43 . 2008-02-08 05:59 29456 ----a-w c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-10 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-14 05:13 . 2008-08-06 18:40 22328 ----a-w c:\documents and settings\Ryan\Application Data\PnkBstrK.sys
2009-02-14 05:12 . 2009-02-13 03:53 2250024 ----a-w c:\windows\system32\pbsvc.exe
2009-02-11 15:17 . 2009-02-13 01:39 2029888 ----a-w c:\windows\system32\drivers\cmudaxp.sys
2009-02-09 12:10 . 2004-08-10 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 11:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-10 11:00 56832 ----a-w c:\windows\system32\secur32.dll
.
------- Sigcheck -------
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-27_04.53.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 23:49 . 2009-04-27 23:49 16384 c:\windows\Temp\Perflib_Perfdata_fc.dat
+ 2009-04-27 23:49 . 2009-04-27 23:49 16384 c:\windows\Temp\Perflib_Perfdata_134.dat
+ 2009-01-13 05:00 . 2009-04-27 18:10 496956 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-01-13 05:00 . 2009-04-27 04:20 496956 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57E0E419-0F36-42A2-BDCB-AA4DDB4C6F7F}]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"Steam"="c:\program files\steam\steam.exe" [2008-11-21 1410296]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-17 2356088]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-02-25 1103216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Cmaudio8788GX"="c:\windows\system\CMGxMon.exe " [2007-12-19 20480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-26 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-10-2 49220]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jdfpvrcc]
2004-08-10 11:00 102912 ----a-w c:\windows\system32\rtwwqbk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell Wireless 2350 Control Utility\\ControlUtility.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW-BI.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
S0 muntohnl;muntohnl;c:\windows\system32\drivers\muntohnl.sys [2004-08-10 23424]
S3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2009-02-11 2029888]

--- Other Services/Drivers In Memory ---
*NewlyCreated* - MUNTOHNL
.
Contents of the 'Scheduled Tasks' folder
2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: {7F74E235-12DB-4946-B782-CBBE7792E563} = 64.86.16.3,64.86.16.99
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 18:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1801674531-839522115-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,b0,f4,b9,68,e6,f8,47,09,a0,30,0b,a9,f6 ,1a,74,fb,f9,08,f9,9b,6e,92,
da,8f,2f,26,c7,27,e5,ef,4b,19,1f,07,56,3b,16,d2,0b ,58,9c,b6,c4,b0,86,a0,fa,\
"??"=hex:8b,6f,8d,02,a4,6d,fc,be,97,5e,01,64,c4,bb ,83,53
[HKEY_USERS\S-1-5-21-1801674531-839522115-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:0c,85,dc,9c,3a,fc,a0,d2,e2,86,da,45 ,0a,b6,a5,b1,8a,6f,dd,3a,cd,
79,c5,29,c7,b6,4b,1d,c2,6a,df,4d,c8,3a,e6,69,84,61 ,4e,e8,25,e9,df,b3,4d,8c,\
"rkeysecu"=hex:5d,a7,72,c6,9d,d2,78,62,03,33,d4,11 ,f0,c0,76,92
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-27 18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 23:54
ComboFix2.txt 2009-04-27 23:40
ComboFix3.txt 2009-04-27 17:56
ComboFix4.txt 2009-04-27 06:02
ComboFix5.txt 2009-04-27 23:45
Pre-Run: 20,377,759,744 bytes free
Post-Run: 20,367,863,808 bytes free
265 --- E O F --- 2009-04-17 02:29


Add Remove Programs-

3DMark03
Ace Media Player
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AI Suite
AIM 6
Apple Mobile Device Support
Apple Software Update
ASUS Xonar DX Audio
AutoUpdate
Bonjour
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
Company of Heroes
Critical Update for Windows Media Player 11 (KB959772)
Crysis(R) SP Demo
Dell Resource CD
Dell TrueMobile 2300 Wireless Broadband Router Control Utility
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DNA
Download Manager 2.3.8
EA Download Manager
Empire: Total War
ESPNMotion
Fraps
Full Tilt Poker
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IL-2 Sturmovik 1946
Impulse
iTunes
J2SE Runtime Environment 5.0 Update 12
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Medieval II Total War
Medieval II Total War : Kingdoms : Americas
Medieval II Total War : Kingdoms : Britannia
Medieval II Total War : Kingdoms : Crusades
Medieval II Total War : Kingdoms : Teutonic
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MSN
MSXML 6.0 Parser (KB925673)
Natural Color Pro
NVIDIA Drivers
NVIDIA nTune
NVIDIA PhysX
NVTweak
Oblivion
OpenAL
Otto
PC Wizard 2008.1.85.1
PunkBuster Services
QuickTime
Roma Victor
Rome - Total War(TM)
Rome Total War - patch 1.3
Rome: Total War Gold
Safari
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sins of a Solar Empire
Sonic Encoders
Steam
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
Ventrilo Client
VLC media player 0.9.8a
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
Works Synchronization
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm Security Suite


Gmer Log-

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 20:45:54
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB2D736E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB2D80490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB2D73C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB2D80D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB2D80AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB2D81230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB2D812B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB2D73AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB2D81970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB2D813D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB2D817C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB2D73EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB2D80800]
Code \??\C:\DOCUME~1\Ryan\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat AA167D20
---- EOF - GMER 1.0.15 ----
Copyright ©2006 - 2009 Computer Juice.