vundo infection


HERE IS MY REPORT

Post by ralphie78 on Wed Mar 18, 2009 1:16 am

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 21:05:44.79 on Tue 03/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1401 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*
FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Programs\bitdefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Programs\bitdefender\BitDefender 2009\bdagent.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\DNA\btdna.exe
F:\Programs\bitdefender\BitDefender 2009\seccenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - f:\programs\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: []
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BDAgent] "f:\programs\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "f:\programs\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: PimpFish Grab movies on this page - c:\program files\pimpfish\GRABPAGEMOVIES.HTM
IE: PimpFish Grab pictures on this page - c:\program files\pimpfish\GRABPAGEPICS.HTM
IE: PimpFish Grab pictures this page links to - c:\program files\pimpfish\GRABPAGELINKS.HTM
IE: PimpFish Grab Target File - c:\program files\pimpfish\GRABLINK.HTM
IE: PimpFish Grab This Picture - c:\program files\pimpfish\GRABPIC.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrRIya

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\97o31571.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\97o31571.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\97o31571.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: f:\programs\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\programs\divx\divx web player\npdivx32.dll

ralphie78
Novice

Posts : 20
Joined : 2009-03-18
OS : xp
Points : 28226
# Likes : 0

part 2

Post by ralphie78 on Wed Mar 18, 2009 1:16 am

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-28 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-28 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-28 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-28 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-28 298264]
R2 BDVEDISK;BDVEDISK;f:\programs\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
S3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2007-11-28 199440]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-03-17 20:18 2,538 a------- c:\windows\system32\tmp.reg
2009-03-17 16:25 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-17 15:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-17 15:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 15:16 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-16 22:32 --d----- c:\program files\Trend Micro
2009-03-16 21:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 20:06 --d----- c:\program files\Unlocker
2009-03-16 19:30 --d----- c:\program files\Enigma Software Group
2009-03-16 18:35 16,896 a------- c:\windows\syssvc.exe
2009-03-16 07:07 81,984 a------- c:\windows\system32\bdod.bin
2009-03-16 06:37 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-16 06:37 385 a------- c:\windows\system32\user_gensett.xml
2009-03-16 06:33 --d----- c:\windows\system32\logs
2009-03-16 06:33 --d----- c:\docume~1\owner\applic~1\BitDefender
2009-03-16 06:32 --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-03-16 06:31 --d----- c:\program files\common files\BitDefender
2009-03-16 06:13 --d----- C:\fixwareout
2009-03-15 20:18 --d----- c:\program files\common files\xing shared
2009-03-15 19:23 --d----- c:\program files\Crawler
2009-03-15 00:14 --d----- c:\program files\MySpace
2009-03-14 15:42 23,552 a------- c:\windows\system32\~.exe
2009-03-13 18:04 --d----- c:\docume~1\owner\applic~1\BitTorrent
2009-03-13 17:59 --d----- c:\program files\DNA
2009-03-13 17:59 --d----- c:\docume~1\owner\applic~1\DNA
2009-03-13 14:25 --d----- c:\program files\Steam
2009-03-13 00:50 --d----- c:\program files\AskBarDis

==================== Find3M ====================

2009-03-02 19:02 11,063 a--sh--- c:\windows\system32\ayIRrBeg.ini2
2009-03-02 17:59 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-02 17:59 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-02 17:58 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-03 17:03 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2007-08-19 11:06 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-04 11:38 265,984 a------- c:\windows\inf\wg511v2\WG511v2XP.sys
2006-12-04 11:38 265,856 a------- c:\windows\inf\wg511v2\WG511v2.sys
2006-12-04 11:38 249,856 a------- c:\windows\inf\wg511v2\InsDrvlh.exe
2006-12-04 11:38 212,992 a------- c:\windows\inf\wg511v2\CopyWHQLDriver.exe
2006-12-04 11:38 53,248 a------- c:\windows\inf\wg511v2\snetcfg .exe
2006-12-04 11:38 21,376 a------- c:\windows\inf\wg511v2\wlndis51.sys
2008-12-14 20:47 934,208 a--sh--- c:\windows\system32\HNqWxGgh.ini2
2008-09-05 03:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 21:07:35.42 ===============


Re: vundo infection

Post by Belahzur on Wed Mar 18, 2009 1:26 am

Hello.

I see that you are running DNA Bittorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.
Should you choose to remove them, but you are having trouble doing so, please let me know in your next post here and I will aid you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • DNA Bittorrent
Then please find and delete these folders in bold (if present):
C:\Program Files\DNA
C:\Program Files\AskBarDis
C:\fixwareout <== outdated and not needed

You are also running two AVs; this is a bad idea, as they can conflict and cause problems. I see BitDefender and AVG8.
I would recommend that you remove AVG8 to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • AVG 8 free


Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    Viewpoint Manager Service

    :files
    c:\windows\system32\tmp.reg
    c:\windows\syssvc.exe
    c:\windows\system32\~.exe
    c:\windows\system32\ayIRrBeg.ini2
    c:\windows\system32\HNqWxGgh.ini2

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Last edited by Belahzur on Wed Mar 18, 2009 1:29 am; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1
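An added triage script (my example, not part of this thread, of OTMoveIt or of the DDS tool) that applies the same checks the fix above makes by hand to DDS log lines: it compares the LSA Authentication Packages and SecurityProviders entries against the Windows XP defaults that the :reg section restores, flags near-miss DLL names such as digeste.dll next to digest.dll, and lists hidden+system files sitting directly in system32 (the random-named .ini2 files). The sample lines are copied from the logs posted in this thread; the index.dat line is included to show that the same attributes deeper in the tree are not flagged.

```python
import re
from dataclasses import dataclass, field

# Known-good values on Windows XP; these are the values the OTMoveIt :reg
# section above writes back. Anything beyond them deserves a look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# DDS file lines: date, time, optional size, eight attribute flags, path.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+)$")

# Constructed sample: lines copied from the DDS logs posted in this thread.
SAMPLE_DDS_LINES = [
    "SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrRIya",
    r"2009-03-02 19:02 11,063 a--sh--- c:\windows\system32\ayIRrBeg.ini2",
    r"2009-03-02 17:59 10,520 a------- c:\windows\system32\avgrsstx.dll",
    r"2008-12-14 20:47 934,208 a--sh--- c:\windows\system32\HNqWxGgh.ini2",
    r"2008-09-05 03:44 32,768 a--sh--- c:\windows\system32\config\systemprofile"
    r"\local settings\history\history.ie5\mshist012008090520080906\index.dat",
    r"2009-03-17 15:16 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes",
]


@dataclass
class Findings:
    auth_packages: list = field(default_factory=list)       # (entry, reason)
    security_providers: list = field(default_factory=list)  # (dll, reason)
    hidden_system32_files: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def describe_extra(name, defaults):
    """Say why an unexpected entry stands out: a path where a bare name
    belongs, or a spelling within two edits of a legitimate DLL."""
    if "\\" in name or "/" in name:
        return "full path where a package name is expected"
    close = sorted(d for d in defaults if edit_distance(name.lower(), d) <= 2)
    if close:
        return f"lookalike of {close[0]}"
    return "not a default entry"


def triage(lines):
    """Run the three checks over DDS log lines and collect what stands out."""
    found = Findings()
    for raw in lines:
        line = raw.strip()
        if line.startswith("LSA: Authentication Packages"):
            _, _, value = line.partition("=")
            for pkg in value.split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    found.auth_packages.append((pkg, describe_extra(pkg, DEFAULT_AUTH_PACKAGES)))
        elif line.startswith("SecurityProviders:"):
            _, _, value = line.partition(":")
            for dll in (d.strip() for d in value.split(",")):
                if dll and dll.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    found.security_providers.append(
                        (dll, describe_extra(dll, DEFAULT_SECURITY_PROVIDERS)))
        else:
            m = FILE_LINE.match(line)
            if not m:
                continue
            attrs, path = m.group(4), m.group(5)
            parent, _, name = path.rpartition("\\")
            # Hidden+system files dropped straight into system32 are the pattern
            # here (the random-named .ini2 files). The same flags deeper down,
            # e.g. the systemprofile history index.dat, are normal and skipped.
            if "h" in attrs and "s" in attrs and parent.lower() == r"c:\windows\system32":
                found.hidden_system32_files.append(name)
    return found


def report(lines):
    """Human-readable summary, one finding per line."""
    found = triage(lines)
    out = [f"LSA Authentication Packages: {p} ({why})" for p, why in found.auth_packages]
    out += [f"SecurityProviders: {d} ({why})" for d, why in found.security_providers]
    out += [f"hidden+system file in system32: {n}" for n in found.hidden_system32_files]
    return out or ["nothing unusual in the checked sections"]


if __name__ == "__main__":
    for finding in report(SAMPLE_DDS_LINES):
        print(finding)
```

Run against the second DDS log later in this thread, the LSA finding disappears but the SecurityProviders check still reports digeste.dll, which is the kind of leftover a re-scan is meant to catch.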

Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 1:29 am

I think I posted twice. Sorry about that, but I will remove the BitTorrent DNA.


Re: vundo infection

Post by Belahzur on Wed Mar 18, 2009 1:30 am

It's okay.
Remove Bittorrent and AVG as instructed and then run OTMoveIt using the script I have made for you.
We'll see how it goes from there.


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 2:17 am

These are the results, thanks.


========== SERVICES/DRIVERS ==========

Service\Driver Viewpoint Manager Service deleted successfully.
========== FILES ==========
c:\windows\system32\tmp.reg moved successfully.
c:\windows\syssvc.exe moved successfully.
c:\windows\system32\~.exe moved successfully.
c:\windows\system32\ayIRrBeg.ini2 moved successfully.
c:\windows\system32\HNqWxGgh.ini2 moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03172009_221532


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 2:34 am

Also, when I search online and click on the links, it directs me to some other links.

I also downloaded Malwarebytes, but it won't run.

My BitDefender is a trial version. Can I download AVG after BitDefender expires, or do you recommend a better antivirus?

Thanks, I really appreciate it; I haven't been able to get online without the hassle.


Re: vundo infection

Post by Belahzur on Wed Mar 18, 2009 1:32 pm

Hello.
I think we can find what's causing the Google hijack, but I need to see a new DDS log first, so please run DDS again and post the new log and we'll see where we stand.


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 9:49 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 17:44:21.64 on Wed 03/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*
FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Programs\bitdefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Programs\bitdefender\BitDefender 2009\bdagent.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
F:\Programs\bitdefender\BitDefender 2009\seccenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\New Stuff\dds.com

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - f:\programs\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: []
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BDAgent] "f:\programs\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "f:\programs\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: PimpFish Grab movies on this page - c:\program files\pimpfish\GRABPAGEMOVIES.HTM
IE: PimpFish Grab pictures on this page - c:\program files\pimpfish\GRABPAGEPICS.HTM
IE: PimpFish Grab pictures this page links to - c:\program files\pimpfish\GRABPAGELINKS.HTM
IE: PimpFish Grab Target File - c:\program files\pimpfish\GRABLINK.HTM
IE: PimpFish Grab This Picture - c:\program files\pimpfish\GRABPIC.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 9:50 pm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\97o31571.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\97o31571.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\97o31571.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: f:\programs\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\programs\divx\divx web player\npdivx32.dll

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;f:\programs\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
S3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2007-11-28 199440]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2009-03-17 22:15 --d----- C:\_OTMoveIt
2009-03-17 16:25 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-17 15:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-17 15:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 15:16 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-16 22:32 --d----- c:\program files\Trend Micro
2009-03-16 21:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 20:06 --d----- c:\program files\Unlocker
2009-03-16 19:30 --d----- c:\program files\Enigma Software Group
2009-03-16 07:07 81,984 a------- c:\windows\system32\bdod.bin
2009-03-16 06:37 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-16 06:37 385 a------- c:\windows\system32\user_gensett.xml
2009-03-16 06:33 --d----- c:\windows\system32\logs
2009-03-16 06:33 --d----- c:\docume~1\owner\applic~1\BitDefender
2009-03-16 06:32 --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-03-16 06:31 --d----- c:\program files\common files\BitDefender
2009-03-15 20:18 --d----- c:\program files\common files\xing shared
2009-03-15 19:23 --d----- c:\program files\Crawler
2009-03-15 00:14 --d----- c:\program files\MySpace
2009-03-13 14:25 --d----- c:\program files\Steam

==================== Find3M ====================

2009-02-03 17:03 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2007-08-19 11:06 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-04 11:38 265,984 a------- c:\windows\inf\wg511v2\WG511v2XP.sys
2006-12-04 11:38 265,856 a------- c:\windows\inf\wg511v2\WG511v2.sys
2006-12-04 11:38 249,856 a------- c:\windows\inf\wg511v2\InsDrvlh.exe
2006-12-04 11:38 212,992 a------- c:\windows\inf\wg511v2\CopyWHQLDriver.exe
2006-12-04 11:38 53,248 a------- c:\windows\inf\wg511v2\snetcfg .exe
2006-12-04 11:38 21,376 a------- c:\windows\inf\wg511v2\wlndis51.sys
2008-09-05 03:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 17:48:31.23 ===============


Re: vundo infection

Post by Belahzur on Wed Mar 18, 2009 9:58 pm

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Let's see if we can find the cause of the Google hijack.

  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e C:\look.txt "HKEY_Local_Machine\software\microsoft\windows nt\currentversion\drivers32"
    start notepad C:\look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
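The two registry steps above (writing fix.reg and exporting drivers32 with `regedit /e`) both use the "Windows Registry Editor Version 5.00" text format. The following Python script is an added example, not code from the thread or its helper: it parses that export format, reports any SecurityProviders entry beyond the four the fix.reg writes back (on this machine the DDS line carried an extra digeste.dll), and generates the same corrective .reg text. The sample export is constructed from the posted DDS line; the same parser reads the look.bat drivers32 export.

```python
"""Check an exported SecurityProviders value against the stock XP list
and build the corrective .reg file.

Added example, not code from the forum thread. DEFAULT_PROVIDERS is the
list the helper's fix.reg restores; SAMPLE_EXPORT is constructed from
the SecurityProviders line in the posted DDS log.
"""
import re

# Stock XP provider list, as written back by the helper's fix.reg.
DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders"

# Constructed sample: what `regedit /e` would produce for the key on the
# posted machine (the DDS line shows a fifth entry, digeste.dll).
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string syntax escapes double quotes and backslashes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a REGEDIT5 export into {key: {value_name: data}}.
    Quoted (REG_SZ) data is unescaped; dword:/hex: data is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def get_value(keys, key, name):
    """Case-insensitive lookup, since registry names are not case-sensitive."""
    for k, values in keys.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def unexpected_providers(export_text, baseline=DEFAULT_PROVIDERS):
    """Provider DLLs listed in the export but absent from the baseline,
    in the order they appear (case-insensitive comparison)."""
    value = get_value(parse_reg(export_text), KEY, "SecurityProviders") or ""
    base = {b.lower() for b in baseline}
    found = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in found if p.lower() not in base]


def corrective_reg(baseline=DEFAULT_PROVIDERS):
    """The .reg text that writes the baseline list back (same content as
    the helper's fix.reg)."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{KEY}]\n"
        f'"SecurityProviders"="{", ".join(baseline)}"\n'
    )


if __name__ == "__main__":
    extras = unexpected_providers(SAMPLE_EXPORT)
    print("providers not in the stock list:", extras)
    if extras:
        print(corrective_reg())
```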



Look-Bat Report

Post by ralphie78 on Wed Mar 18, 2009 10:34 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.xvid"="xvidvfw.dll"
"vidc.ffds"="ffdshow.ax"
"vidc.X264"="x264vfw.dll"
"vidc.wmv3"="wmv9vcm.dll"
"vidc.vp60"="C:\\WINDOWS\\system32\\vp6vfw.dll"
"vidc.vp61"="C:\\WINDOWS\\system32\\vp6vfw.dll"
"vidc.vp62"="vp6vfw.dll"
"vidc.hfyu"="huffyuv.dll"
"msacm.ac3acm"="AC3ACM.acm"
"msacm.at3"="atrac3.acm"
"msacm.divxa32"="DivXa32.acm"
"msacm.lameacm"="LameACM.acm"
"VIDC.MPG4"="mpg4c32.dll"
"VIDC.MP42"="mpg4c32.dll"
"vidc.LEAD"="LCODCCMP.DLL"
"MSVideo8"="VfWWDM32.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"


GooreLog

Post by ralphie78 on Wed Mar 18, 2009 10:38 pm

GooredFix v1.92 by jpshortstuff
Log created at 18:37 on 18/03/2009 running Option #1 (Owner)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"FFToolbar@bitdefender.com"="F:\Programs\bitdefender\BitDefender 2009\FFToolbar\"


Re: vundo infection

Post by Belahzur on Wed Mar 18, 2009 10:49 pm

Okay, it's not them. We have to go deeper.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Bitdefender)
  • Please make sure that Bitdefender is fully disabled before running Combofix.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





combo fix 1

Post by ralphie78 on Wed Mar 18, 2009 11:46 pm

ComboFix 09-03-18.01 - Owner 2009-03-18 19:28:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1673 [GMT -4:00]
Running from: f:\new stuff\Comfix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
FW: COMODO Firewall Pro *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Misty\Application Data\FunWebProducts
c:\documents and settings\Misty\Application Data\FunWebProducts\Data\Misty\avatar.dat
c:\documents and settings\Misty\Application Data\FunWebProducts\Data\Misty\register.dat
c:\documents and settings\Misty\Application Data\gadcom
c:\documents and settings\Misty\Application Data\SpeedRunner
c:\documents and settings\Misty\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Misty\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Owner\Application Data\gadcom
c:\program files\Mjcore
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ayIRrBeg.ini
c:\windows\system32\drivers\UACsbciqdsv.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\HNqWxGgh.ini
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\UACerfoqfvk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjelujnae.log
c:\windows\system32\UACjoqqomkb.dll
c:\windows\system32\UACkspvixdq.dat
c:\windows\system32\UACqmnacncp.dll
c:\windows\system32\UACtnyyrryi.log
c:\windows\system32\UACtpfklttr.dll
c:\windows\system32\UACutpetrdo.dll
c:\windows\system32\UACuxiuxxta.log
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\xkjdsmxp.ini
c:\windows\system32\ylgifujr.ini
c:\windows\Tasks\cvnenzhs.job
c:\windows\wiaserviv.log
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-03-18 19:09 . 2009-03-18 19:25 121 --a------ c:\windows\bdagent.INI
2009-03-17 22:53 . 2009-03-17 22:53 d-------- c:\documents and settings\~Summer Fae~\Application Data\Sun
2009-03-17 22:15 . 2009-03-17 22:15 d-------- C:\_OTMoveIt
2009-03-17 19:58 . 2009-03-17 19:58 d-------- c:\documents and settings\~Summer Fae~\Application Data\BitDefender
2009-03-17 16:25 . 2009-03-17 16:25 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-17 15:16 . 2009-03-17 15:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-17 15:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 15:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 22:32 . 2009-03-16 22:32 d-------- c:\program files\Trend Micro
2009-03-16 21:16 . 2009-03-17 16:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 20:06 . 2009-03-16 20:08 d-------- c:\program files\Unlocker
2009-03-16 19:30 . 2009-03-16 19:30 d-------- c:\program files\Enigma Software Group
2009-03-16 13:42 . 2009-03-16 13:42 d-------- c:\documents and settings\Misty\Application Data\BitDefender
2009-03-16 07:07 . 2009-03-18 19:38 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-16 06:37 . 2009-03-16 06:37 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-03-16 06:37 . 2009-03-16 06:37 385 --a------ c:\windows\system32\user_gensett.xml
2009-03-16 06:33 . 2009-03-16 06:33 d-------- c:\windows\system32\logs
2009-03-16 06:33 . 2009-03-16 06:33 d-------- c:\documents and settings\Owner\Application Data\BitDefender
2009-03-16 06:32 . 2009-03-16 06:36 d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-03-16 06:31 . 2009-03-16 06:33 d-------- c:\program files\Common Files\BitDefender
2009-03-15 20:18 . 2009-03-15 20:18 d-------- c:\program files\Common Files\xing shared
2009-03-15 19:23 . 2009-03-17 17:12 d-------- c:\program files\Crawler
2009-03-15 00:14 . 2009-03-15 00:14 d-------- c:\program files\MySpace
2009-03-13 21:42 . 2009-03-13 21:42 d--hs---- c:\documents and settings\~Summer Fae~\PrivacIE
2009-03-13 14:25 . 2009-03-17 05:23 d-------- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-17 21:54 --------- d-----w c:\program files\AIM6
2009-03-17 21:07 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-03-16 09:57 --------- d-----w c:\program files\CA Yahoo! Anti-Spy
2009-03-16 00:18 --------- d-----w c:\program files\Common Files\Real
2009-03-15 04:00 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Spyware Terminator
2009-03-15 03:16 --------- d-----w c:\documents and settings\~Summer Fae~\Application Data\MP3Rocket
2009-03-13 04:52 --------- d-----w c:\documents and settings\Owner\Application Data\MP3Rocket
2009-02-13 19:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 19:37 --------- d-----w c:\program files\HOJY TECH
2009-02-03 21:03 104,328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2007-08-19 15:06 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-12-04 15:38 53,248 ----a-w c:\windows\inf\WG511v2\snetcfg .exe
2006-12-04 15:38 265,984 ----a-w c:\windows\inf\WG511v2\WG511v2XP.sys
2006-12-04 15:38 265,856 ----a-w c:\windows\inf\WG511v2\WG511v2.sys
2006-12-04 15:38 249,856 ----a-w c:\windows\inf\WG511v2\InsDrvlh.exe
2006-12-04 15:38 212,992 ----a-w c:\windows\inf\WG511v2\CopyWHQLDriver.exe
2006-12-04 15:38 21,376 ----a-w c:\windows\inf\WG511v2\wlndis51.sys
2008-12-16 21:52 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2008-09-05 07:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2007-09-15 22:09 359808 8d8949936913b041c6a0e184fbf1030b c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-09-21 11:21 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-09-21 11:21 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS


combo fix 2

Post by ralphie78 on Wed Mar 18, 2009 11:47 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-22 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-15 198160]
"BDAgent"="f:\programs\bitdefender\BitDefender 2009\bdagent.exe" [2009-01-09 741376]
"BitDefender Antiphishing Helper"="f:\programs\bitdefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\~Summer Fae~\Start Menu\Programs\Startup\
MP3 Rocket (Minimized).lnk - f:\programs\MP3 Rocket\MP3Rocket.exe [2009-02-03 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"vidc.X264"= x264vfw.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe \??\c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]
backup=c:\windows\pss\Magic-i.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG511v2 Smart Wizard.lnk]
backup=c:\windows\pss\NETGEAR WG511v2 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Misty^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Misty\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullGuard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
--a------ 2008-04-17 18:14 98616 c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 16:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2004-12-08 20:23 790528 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 22:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 15:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 19:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon10]
--a------ 2007-05-03 11:55 131072 c:\program files\Multimedia Card Reader\readericon10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-03-13 14:26 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-02 21:26 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-03-15 20:18 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Steam\\SteamApps\\ralphieca78\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BBSPress\\AdCalls_Dialer.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Programs\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14989:TCP"= 14989:TCP:BitComet 14989 TCP
"14989:UDP"= 14989:UDP:BitComet 14989 UDP
"7831:TCP"= 7831:TCP:BitComet 7831 TCP(ED2K)
"7831:UDP"= 7831:UDP:BitComet 7831 UDP(ED2K)
"27697:TCP"= 27697:TCP:BitComet 27697 TCP
"27697:UDP"= 27697:UDP:BitComet 27697 UDP
"12270:TCP"= 12270:TCP:BitCometBeta 12270 TCP(ED2K)
"12270:UDP"= 12270:UDP:BitCometBeta 12270 UDP(ED2K)
"8791:TCP"= 8791:TCP:BitCometBeta 8791 TCP(ED2K)
"8791:UDP"= 8791:UDP:BitCometBeta 8791 UDP(ED2K)
"7941:TCP"= 7941:TCP:BitComet 7941 TCP(ED2K)
"7941:UDP"= 7941:UDP:BitComet 7941 UDP(ED2K)

R2 BDVEDISK;BDVEDISK;f:\programs\bitdefender\BitDefender 2009\BDVEDISK.sys [2008-10-06 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-02-03 104328]
S3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2007-11-28 199440]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e3479a2-6652-11db-894d-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-03-18 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2008-02-12 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2009-03-18 c:\windows\Tasks\User_Feed_Synchronization-{18CBB97C-3172-434B-BD36-DABC530601CC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1162337228\ee\AOLSoftware.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe


.
------- Supplementary Scan -------
.
IE: PimpFish Grab movies on this page - c:\program files\PimpFish\GRABPAGEMOVIES.HTM
IE: PimpFish Grab pictures on this page - c:\program files\PimpFish\GRABPAGEPICS.HTM
IE: PimpFish Grab pictures this page links to - c:\program files\PimpFish\GRABPAGELINKS.HTM
IE: PimpFish Grab Target File - c:\program files\PimpFish\GRABLINK.HTM
IE: PimpFish Grab This Picture - c:\program files\PimpFish\GRABPIC.HTM
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\97o31571.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\97o31571.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\97o31571.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: f:\programs\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\programs\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-18 19:38:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????\?P?r?o??p???? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-18 19:42:24
ComboFix-quarantined-files.txt 2009-03-18 23:42:10

Pre-Run: 13,105,274,880 bytes free
Post-Run: 15,015,342,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

313 --- E O F --- 2008-12-11 09:56:54


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 11:49 pm

Also, should I delete all these logs I have on my desktop after the problem gets fixed?


Re: vundo infection

Post by ralphie78 on Wed Mar 18, 2009 11:52 pm

OK, the problems seem to be fixed!!!! Thanks! And thanks again, but if you see something wrong in the last log, let me know and we'll continue working on it. And again I must say thanks, I wanted to break my laptop. And do you recommend a PSP, or is that just a bad thing to have on my laptop? I do run MP3Rocket. OK, I think that's all.


Last edited by ralphie78 on Wed Mar 18, 2009 11:54 pm; edited 1 time in total (Reason for editing : Forgot to add last question)


Re: vundo infection

Post by Belahzur on Thu Mar 19, 2009 12:19 am

Hello.

P2P you mean?
No, P2P is VERY dangerous, that's how 99% of infections get in nowadays.

This looks clean to me, just need to fix a Firefox setting.

Open Firefox, and in the URL bar, type in about:config, and okay the warning.
This opens Firefox's hidden control panel, so do not mess around with this if I'm not supervising you.

The options are all in alphabetical order, so this should be easy to find. Scroll down to these two values:

browser.search.selectedEngine - Ask
keyword.URL - [You must be registered and logged in to see this link.]

Right click both > Reset them back to Google.
Close Firefox.

Please re-enable Bitdefender now, and let me know how the machine is running.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1

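One way to check for the hijacked Firefox settings Belahzur describes, as an added example that is not part of this thread: a small Python script that reads a Firefox prefs.js (the file in the profile directory where user_pref overrides are stored) and flags the two preferences named above. It assumes "Google" as the expected value of browser.search.selectedEngine, per the post, and treats keyword.URL as expected to be absent, on the assumption that Reset in about:config removes the user override; the prefs.js content embedded below is constructed for the demonstration, and the URL in it is a placeholder.

```python
"""Check a Firefox prefs.js for hijacked search settings.

Added example (not from the forum thread): looks for the two preferences
asked about in the thread, browser.search.selectedEngine and keyword.URL,
and reports any value that does not match the expected one.
"""
import re

# prefs.js lines look like: user_pref("name", value);
# value is a quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences the thread asked to reset, with the value that means
# "untouched". Assumption: keyword.URL is absent from prefs.js when it
# has never been customised, so None stands for "not set".
WATCHED = {
    "browser.search.selectedEngine": "Google",
    "keyword.URL": None,
}


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js content.

    Strings are unquoted; true/false become bool; integers become int.
    Comment and blank lines are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def find_hijacked(prefs, watched=WATCHED):
    """Return [(name, actual, expected)] for watched prefs that differ."""
    findings = []
    for name, expected in watched.items():
        actual = prefs.get(name)
        if actual != expected:
            findings.append((name, actual, expected))
    return findings


# Constructed sample: a prefs.js whose search settings point at Ask,
# mirroring what the thread found. The URL is a placeholder.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.lastUpdateTime", 1237000000);
user_pref("browser.search.selectedEngine", "Ask");
user_pref("browser.startup.homepage_override.mstone", "rv:1.9.0.7");
user_pref("keyword.URL", "http://example.invalid/search?q=");
user_pref("network.cookie.prefsMigrated", true);
'''

if __name__ == "__main__":
    import sys
    # Pass a real prefs.js path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for name, actual, expected in find_hijacked(parse_prefs(text)):
        print(f"{name}: found {actual!r}, expected {expected!r} "
              f"-> reset in about:config")
```

Run it against a profile's prefs.js while Firefox is closed (Firefox rewrites the file on exit, so a live read can be stale). Any finding corresponds to one of the right-click > Reset steps above; the script only reports, it does not edit the file.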

Re: vundo infection

Post by ralphie78 on Thu Mar 19, 2009 12:51 am

The computer is running great, even a bit faster. Thank you very much for helping me. I tell you, I wanted to get rid of my laptop.


Re: vundo infection

Post by Belahzur on Thu Mar 19, 2009 1:05 am

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.




