Computer Juice: Computer Software, Virus, Spyware & Security
TROJAN.VUNDO.H Removal

  #11  
Old 15th Feb 2009, 22:34
Moderator
Posts: 7,557
 
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

It is suggested that you remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology
----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
  • O2 - BHO: (no name) - {5CBA9728-D59E-4F53-A1E7-A02D952290BF} - (no file)
  • O2 - BHO: (no name) - {e12e039d-c57d-49ce-8809-915b9964a0a6} - C:\WINDOWS\system32\mikomuyo.dll (file missing)
  • O4 - HKLM\..\Run: [CPMebe02ab5] Rundll32.exe "c:\windows\system32\gikosiha.dll",a
  • O4 - HKLM\..\Run: [dorazehida] Rundll32.exe "C:\WINDOWS\system32\ruyupuno.dll",s
  • O20 - Winlogon Notify: ljJButQI - ljJButQI.dll (file missing)
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save it as fixme.reg on your Desktop

Code:
REGEDIT4

; delete the two Run values flagged in the HijackThis scan ("name"=- removes a value)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"dorazehida"=-
"CPMebe02ab5"=-

; clear AppInit_DLLs so no DLL is injected into every process that loads user32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
__________________
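The HijackThis "Fix checked" step and the fixme.reg step above do the same job by two routes: both delete registry data that points at the Vundo DLLs. As an added example (not from the thread, and not HijackThis' own code), the script below converts the O2, O4 and O20 lines listed in the post into a REGEDIT4 file that removes the same data, so the removal can be reviewed as text before it is merged. The sample input is the set of entries quoted above, constructed inline; the registry locations are the standard ones those HijackThis sections report from (Run keys, the Browser Helper Objects registration key, the Winlogon Notify packages); the function names are my own.

```python
"""Turn HijackThis O2/O4/O20 entries into a REGEDIT4 removal file.

Added example, not from the thread and not HijackThis' own code. The input
below is the set of entries the moderator listed above (constructed inline);
the registry locations are the standard ones those HijackThis sections
report from, and the function names are my own.
"""
import re

HJT_LINES = """\
O2 - BHO: (no name) - {5CBA9728-D59E-4F53-A1E7-A02D952290BF} - (no file)
O2 - BHO: (no name) - {e12e039d-c57d-49ce-8809-915b9964a0a6} - C:\\WINDOWS\\system32\\mikomuyo.dll (file missing)
O4 - HKLM\\..\\Run: [CPMebe02ab5] Rundll32.exe "c:\\windows\\system32\\gikosiha.dll",a
O4 - HKLM\\..\\Run: [dorazehida] Rundll32.exe "C:\\WINDOWS\\system32\\ruyupuno.dll",s
O20 - Winlogon Notify: ljJButQI - ljJButQI.dll (file missing)
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# "O2 - BHO: display name - {CLSID} - dll path"
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# "O20 - Winlogon Notify: package - dll"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def parse_hjt(text):
    """Return (kind, key, value_name, detail) tuples for the entry types handled here."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, name, command = m.groups()
            items.append(("run", HIVES[hive] + "\\" + RUN_KEY, name, command))
        elif m := O2_RE.match(line):
            clsid, path = m.groups()
            items.append(("bho", BHO_KEY + "\\" + clsid, None, path))
        elif m := O20_RE.match(line):
            package, dll = m.groups()
            items.append(("notify", NOTIFY_KEY + "\\" + package, None, dll))
    return items


def reg_escape(s):
    """Escape backslashes and quotes as .reg files require inside quoted strings."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg(items, clear_appinit=True):
    """Render a REGEDIT4 file: [-key] deletes a whole key, "name"=- deletes one value."""
    lines = ["REGEDIT4", ""]
    run_values = {}
    for kind, key, name, detail in items:
        if kind == "run":
            # collect per key so each [key] header is written once
            run_values.setdefault(key, []).append((name, detail))
        else:
            lines += [f"; {kind}: {detail}", f"[-{key}]", ""]
    for key, values in run_values.items():
        lines.append(f"[{key}]")
        for name, detail in values:
            lines += [f"; was: {detail}", f'"{reg_escape(name)}"=-']
        lines.append("")
    if clear_appinit:
        # same step as the fixme.reg above: stop AppInit_DLLs injection
        lines += [f"[{APPINIT_KEY}]", '"AppInit_DLLs"=""', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(parse_hjt(HJT_LINES)))
```

The generated text is meant to be read before it is merged: the `;` lines carry the original command line or DLL path next to each deletion so a reviewer can confirm nothing legitimate is being removed. REGEDIT4 is the ANSI format XP-era regedit accepts (the moderator's fixme.reg uses the same header); the R0 start-page entries are deliberately not handled, since those are values to reset rather than delete.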


  #12  
Old 16th Feb 2009, 08:16
Full Member
Posts: 18
 
After running HijackThis, I was able to remove what you told me, but these 3 things didn't show up (which I presume is a good thing):

O2 - BHO: (no name) - {e12e039d-c57d-49ce-8809-915b9964a0a6} - C:\WINDOWS\system32\mikomuyo.dll (file missing)
O4 - HKLM\..\Run: [CPMebe02ab5] Rundll32.exe "c:\windows\system32\gikosiha.dll",a
O4 - HKLM\..\Run: [dorazehida] Rundll32.exe "C:\WINDOWS\system32\ruyupuno.dll",s

fixme.reg was also SUCCESSFULLY added (another good sign I presume)

Combofix asked me to install a WINDOWS RECOVERY CONSOLE so I did that as well.
  #13  
Old 16th Feb 2009, 08:32
Full Member
Posts: 18
 
ComboFix 09-02-15.01 - Saliq 2009-02-16 10:09:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.140 [GMT -5:00]
Running from: c:\documents and settings\Saliq\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\MabryObj.dll
c:\windows\system32\rakevaka.dll
c:\windows\system32\vukefese.dll
c:\windows\system32\wanisupa.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-15 23:00 . 2009-02-15 23:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-15 22:48 . 2009-02-15 22:48 <DIR> d-------- c:\program files\CCleaner
2009-02-15 22:33 . 2009-02-15 22:33 61,440 --a------ c:\windows\system32\drivers\jumdgyx.sys
2009-02-15 12:42 . 2009-02-15 12:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-15 12:42 . 2009-02-15 12:42 <DIR> d-------- c:\documents and settings\Saliq\Application Data\SUPERAntiSpyware.com
2009-02-15 12:42 . 2009-02-15 12:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-15 12:41 . 2009-02-15 12:41 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-15 09:34 . 2009-02-15 09:34 <DIR> d-------- c:\program files\Lavasoft
2009-02-15 04:10 . 2009-02-15 04:10 2,713 ---hs---- c:\windows\system32\wikegivi.exe
2009-02-14 21:44 . 2009-02-14 22:08 <DIR> d-------- c:\program files\a-squared Free
2009-02-14 19:58 . 2009-02-15 09:23 <DIR> d-------- c:\program files\The Cleaner Demo
2009-02-14 19:58 . 2009-02-14 19:58 5,376 --a------ c:\windows\system32\drivers\MS1000.sys
2009-02-14 19:57 . 2009-02-14 19:57 <DIR> d-------- c:\documents and settings\Saliq\Application Data\TrojanHunter
2009-02-14 19:54 . 2009-02-14 19:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-02-14 15:52 . 2009-02-14 15:54 496,836 --a------ C:\lxcgunst.csv
2009-02-14 15:26 . 2009-02-14 15:26 <DIR> d-------- c:\documents and settings\Administrator
2009-02-11 18:39 . 2009-02-11 18:39 <DIR> d-------- c:\program files\Schweser2008
2009-01-28 06:14 . 2009-01-28 06:14 <DIR> d-------- c:\program files\MarketBrowser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 15:04 --------- d-----w c:\documents and settings\Saliq\Application Data\U3
2009-02-16 14:51 --------- d-----w c:\program files\Viewpoint
2009-02-16 14:51 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-15 14:34 --------- d-----w c:\documents and settings\Saliq\Application Data\Lavasoft
2009-02-15 14:31 --------- d-----w c:\program files\Bonjour
2009-02-15 14:29 --------- d-----w c:\program files\PokerStars
2009-02-15 14:28 --------- d-----w c:\program files\PartyGaming
2009-02-14 17:57 --------- d-----w c:\program files\Total Video Converter
2009-02-14 16:58 --------- d-----w c:\documents and settings\Saliq\Application Data\Skype
2009-02-14 14:43 --------- d-----w c:\documents and settings\Saliq\Application Data\skypePM
2009-02-12 13:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-01 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-01 20:31 --------- d-----w c:\program files\Microsoft Works
2009-01-30 03:53 --------- d-----w c:\program files\Lx_cats
2009-01-30 01:40 --------- d-----w c:\program files\Apple Software Update
2009-01-28 11:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 16:25 --------- d-----w c:\program files\iTunes
2009-01-11 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-11 16:24 --------- d-----w c:\program files\iPod
2009-01-11 16:24 --------- d-----w c:\program files\Common Files\Apple
2009-01-11 16:20 --------- d-----w c:\program files\QuickTime
2009-01-02 22:45 --------- d-----w c:\program files\Skype
2009-01-02 22:45 --------- d-----w c:\program files\Common Files\Skype
2009-01-02 22:45 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-31 16:14 --------- d-----w c:\documents and settings\Saliq\Application Data\EPSON
2008-12-24 23:29 --------- d--h--w c:\documents and settings\Saliq\Application Data\Move Networks
2008-12-24 23:22 --------- d-----w c:\program files\DivX
2006-05-30 23:25 56 --sh--r c:\windows\system32\936D996ADC.sys
2007-04-03 21:01 88 -csh--r c:\windows\system32\DC6A996D93.sys
2007-04-03 21:01 4,184 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-08-27 00:33 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Saliq\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-25 110592]
LClock.lnk - c:\program files\LClock\LClock.exe [2004-09-19 65536]
UberIcon.lnk - c:\program files\UberIcon\UberIcon Manager.exe [2005-08-12 180224]
YzShadow.lnk - c:\program files\YzShadow\YzShadow.exe [2002-09-30 151552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-25 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Saliq^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copernic Desktop Search 2]
--a--c--- 2006-12-08 10:58 1546544 c:\program files\Copernic Desktop Search 2\DesktopSearchService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-08-22 16:28 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Sun\\Creator2_1\\java\\bin\\java.exe"=
"c:\\Program Files\\Sun\\Creator2_1\\SunAppServer8\\lib\\appserv.exe"=
"c:\\Program Files\\Sun\\Creator2_1\\java\\jre\\bin\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-13 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-09-17 42112]

--- Other Services/Drivers In Memory ---

*Deregistered* - 6to4
*Deregistered* - a2free
*Deregistered* - AOL ACS
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - lxcg_device
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SmcService
*Deregistered* - SPBBCDrv
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - SRTSP
*Deregistered* - SRTSPX
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec AntiVirus
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87533ef0-ddd6-11dd-870d-0006251a1a9e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-16 c:\windows\Tasks\iTunes.job
- c:\documents and settings\All Users\Start Menu\Programs\iTunes\iTunes.lnk [2009-02-16 04:24]

2009-02-13 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-11-11 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
FF - ProfilePath - c:\documents and settings\Saliq\Application Data\Mozilla\Firefox\Profiles\l8ojpuia.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Saliq\Application Data\Mozilla\Firefox\Profiles\l8ojpuia.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 10:16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-837775763-1522542022-1759965914-1006\Software\Local AppWizard-Generated Applications\MMDiag]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-837775763-1522542022-1759965914-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]
@DACL=(02 0000)
@SACL=
"Toolbars"=hex:11,00,00,00,00,00,00,00
"TaskbarWinXP"=hex:0c,00,00,00,08,00,00,00,02,00,00,00,00,00,00,00,b0,e2,2b,d8,
64,57,d0,11,a9,6e,00,c0,4f,d7,05,a2,22,00,1c,00,0a,11,00,00,1a,00,00,00,01,\
"Upgrade"=dword:00000001

[HKEY_USERS\S-1-5-21-837775763-1522542022-1759965914-1006\Software\Microsoft\Windows\Shell\Bags\1]
@DACL=(02 0000)
@SACL=

[HKEY_USERS\S-1-5-21-837775763-1522542022-1759965914-1006\Software\MusicMatch, Inc.\Musicmatch for WMP]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\BVRP Software\Modem Helper]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\BVRP Software, Inc\Digital Line Detect]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\BVRP Software, Inc\NetWaiting]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ProgID]
@DACL=(02 0000)
@="AcroAccess.AcrobatAccess.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\Programmable]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib]
@DACL=(02 0000)
@="{C523F390-9C83-11D3-9094-00104BD0D535}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID]
@DACL=(02 0000)
@="AcroAccess.AcrobatAccess"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{3F578A46-082A-4C83-947A-CC7FF8B4A089}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{3F578A46-082A-4C83-947A-CC7FF8B4A089}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{3F578A46-082A-4C83-947A-CC7FF8B4A089}\TypeLib]
@DACL=(02 0000)
@="{54635C92-DFAF-4A99-8802-92FB068A6154}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\Classes\MMJB.M3U\shell]
@DACL=(02 0000)
@="Play"

[HKEY_LOCAL_MACHINE\software\Classes\MMJB.MMZ\shell]
@DACL=(02 0000)
@="Install"

[HKEY_LOCAL_MACHINE\software\Classes\MMJB.MP3\shell]
@DACL=(02 0000)
@="Play"

[HKEY_LOCAL_MACHINE\software\Classes\MMJB.WAV\shell]
@DACL=(02 0000)
@="Play"

[HKEY_LOCAL_MACHINE\software\Classes\MMJB.WMA\shell]
@DACL=(02 0000)
@="Play"

[HKEY_LOCAL_MACHINE\software\Clients\Media\MUSICMATCH Jukebox\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Creative Tech\Installation]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Intel\PROSetWired\NCS\PROSet\SupportTabKey]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Intel\PROSetWired\NCS\SyncLayer\8023Adapters]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Intel\PROSetWired\NCS\WMI]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\Start Page]
@DACL=(02 0000)
"Home_Page"="http://www.dell.com"
"Help_Page"="http://support.dell.com"

[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\System Properties]
@DACL=(02 0000)
"http.agent"="Java 1.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\10.0]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services]
@DACL=(02 0000)
"NoServices"=dword:00000000
"ServiceExtra"="Partner=Dell&MachineID=DQZ9X91\00\00????i\00Ÿ'?\06\00'??\1d\00?'\00'\00\00?\06???\06???\00?\06??\00'??\00'?'\00\00\00\00\00\00?? \00????Ÿ'\00'\00\00\00'?\06???\06?\01\04\00?\06???\06??????????\00'\00\00???????\06\00'??\03\00?'\00'???\06???\06??????????????\0e\00???\06?\06\00\00???????'\00'???\06?\06?\06??\08\00??????Ÿ'????????????Ÿ'???????\06\00'Ÿ'?\06\01\00???'?\06???'?????'?????"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services\MTVN]
@DACL=(02 0000)
"FriendlyName"="URGE"
"ImageLargeURL"="http://store.urge.com/sitewide/wmp/img/urge_tmp.png"
"ImageMenuURL"="http://store.urge.com/sitewide/wmp/img/wmpdms_menuicon.jpg"
"ContentPartner"="true"
"ImageSmallURL"="http://store.urge.com/sitewide/wmp/img/error_logo.png"
"Task1ButtonText"="URGE"
"Task1ButtonTip"="URGE"
"Type"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
@SACL=
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Netscape Online\DellWrapper]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\CDA]
@DACL=(02 0000)
"PersistentInstall"=dword:00000000
"Directory"="c:\\Program Files\\WildTangent\\Apps\\CDA\\"
"Version"="5.1.0.40"
"MonitorSettings"="0,5,40 0,60,120 3,5,120 3,60,1200 5,86400,21000000 6,86400,500000000 8,5,120 8,60,200 9,5,40 9,60,200 12,5,120 12,60,200 5,1800,500000"
"FileName0400"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0401"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0402"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0403"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0404"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0405"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0406"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0407"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0408"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0409"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0490"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0500"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"FileName0501"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"
"LaunchCmd"="\"c:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" \"c:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0501.dll\""
"StartupCmd"="\"c:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup \"c:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0501.dll\""
"FileName0502"="c:\\Program Files\\WildTangent\\Apps\\CDA\\CDAEngine0501.dll"

[HKEY_LOCAL_MACHINE\software\WildTangent\CDA\ControlPanel\DMMP]
@DACL=(02 0000)
"name"="Multiplayer"
"order"="40"
"url"="DMMP/index.html"

[HKEY_LOCAL_MACHINE\software\WildTangent\ComponentRepository]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\GameChannel]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\LFS]
@DACL=(02 0000)
"AppConfig"="AppConfig"
"Scripts"="Scripts"
"CDAData"="CDAData"
"TaskStore"="TaskStore"
"WTRoot"="c:\\Program Files\\WildTangent"
"Components"=""
"Apps"="c:\\Program Files\\WildTangent\\Apps"

[HKEY_LOCAL_MACHINE\software\WildTangent\LicenseStores]
@DACL=(02 0000)
"WT"="c:\\Program Files\\WildTangent\\LicenseStores\\WT\\"

[HKEY_LOCAL_MACHINE\software\WildTangent\WebDriverPackages]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\WebDriverPackages\Distributed Multiplayer]
@DACL=(02 0000)
"name"="Multiplayer Support"
"version"="3.0.2.001"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\a-squared Free\a2service.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-16 10:26:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 15:26:12

Pre-Run: 65,835,778,048 bytes free
Post-Run: 65,723,871,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
549 --- E O F --- 2008-11-13 14:23:37
  #14  
Old 16th Feb 2009, 11:08
Moderator
Posts: 7,557
 
Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs to be scanned, they must be done separately and the logs posted for each one.)

1. Copy the file path in the below Code box:
Code:
c:\windows\system32\wikegivi.exe
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply.


Did you install this program?

c:\program files\MarketBrowser

This is not a trusted program and should be uninstalled.
__________________

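An added example (not from the thread or any tool mentioned in it) that complements the VirusTotal step: it hashes a suspicious file with SHA-256 so the hash can be pasted into VirusTotal's search box, and it reports whether the file carries the hidden or system attribute, which is one reason a path from a ComboFix log can seem to be nowhere on disk while it is still there. The sample path and file contents are constructed placeholders.

```python
"""Hash a suspicious file for a VirusTotal hash lookup and flag hidden/system
attributes.  Added example, not code from the thread."""
import hashlib
import os
import stat
import tempfile
from typing import Optional

# Windows attribute bits; defined in the stat module on every platform.
HIDDEN_MASK = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def hash_file(path: str) -> Optional[dict]:
    """Return size, SHA-256 and a hidden/system flag for path, or None if absent.

    os.stat() is used instead of a directory listing or Explorer search so
    that hidden and system files are still found.  st_file_attributes exists
    only on Windows; elsewhere the flag is reported as False.
    """
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return None
    if not stat.S_ISREG(st.st_mode):
        return None  # directories and devices are not scannable files
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    attrs = getattr(st, "st_file_attributes", 0)
    return {
        "path": path,
        "size": st.st_size,
        "sha256": digest.hexdigest(),
        "hidden_or_system": bool(attrs & HIDDEN_MASK),
    }


def demo() -> dict:
    """Hash a constructed sample file (contents b'abc', not a real binary)."""
    fd, sample = tempfile.mkstemp(suffix=".exe")  # constructed, not malware
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        return hash_file(sample)
    finally:
        os.unlink(sample)


if __name__ == "__main__":
    print(demo())
```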
  #15  
Old 16th Feb 2009, 12:17
Full Member
Posts: 18
 
c:\windows\system32\wikegivi.exe is nowhere to be found. I did a search on my computer and nothing came up.

I did install marketbrowser and there used to be an option under add/remove to uninstall it, but it's not there anymore. Nothing came up under Revo Uninstaller either.

I have the option to go into the folder on my hard drive and delete that altogether. Should I do that?
  #16  
Old 16th Feb 2009, 12:19
Full Member
Posts: 18
 
I actually was able to paste the path which you provided, even though through manual search VirusTotal didn't find it. Here is the permalink for the results:

http://www.virustotal.com/analisis/c...f4bd1bab6a3615
  #17  
Old 16th Feb 2009, 12:32
Moderator
Posts: 7,557
 
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
c:\program files\MarketBrowser
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
__________________

  #18  
Old 16th Feb 2009, 20:04
Full Member
Posts: 18
 
Here is the permalink for VirusTotal you wanted:

http://www.virustotal.com/analisis/c...f4bd1bab6a3615
  #19  
Old 16th Feb 2009, 20:05
Full Member
Posts: 18
 
Sorry I didn't see that you had replied and so I re-posted the VirusTotal link.
  #20  
Old 16th Feb 2009, 20:09
Moderator
Posts: 7,557
 
No problem. Will wait for the other logs.
__________________

Copyright ©2006 - 2010 Computer Juice.
