Removed Vundo, posting hijack log2


Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 2:09 pm

Second machine. Ran Malwarebytes and some other software that got rid of most stuff; just posting this because I know I have some crap left over (PS: thought I turned word wrap off, but can't seem to get it to post correctly, sorry):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:12 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1214667630\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
c:\f5306f272bcfb3e9171bb0fa39a2\update\iesetup.exe
c:\f5306f272bcfb3e9171bb0fa39a2\update\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {6aa3c8e2-30c9-dfd9-d0b4-58ec181fd2eb} - {be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} - C:\WINDOWS\System32\deodqq.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar21.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lakasha Gupton\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - [You must be registered and logged in to see this link.]
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.] Files\Dream Day Wedding 2 - Married in Manhattan\Images\stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - [You must be registered and logged in to see this link.]
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.] Files\Dream Day Wedding 2 - Married in Manhattan\Images\armhelper.ocx
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)
O20 - AppInit_DLLs: deodqq.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9056 bytes

caskaid
Intermediate

Posts : 62
Joined : 2009-03-05
OS : Windows XP
Points : 28507
# Likes : 0


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 2:12 pm

Hello. We'll use MBAM again with an updated database.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: {6aa3c8e2-30c9-dfd9-d0b4-58ec181fd2eb} - {be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} - C:\WINDOWS\System32\deodqq.dll
    O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lakasha Gupton\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)
    O20 - AppInit_DLLs: deodqq.dll
    O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

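The fix list in the post above follows a few recognisable review rules: hooks that point at a file that no longer exists, a BHO whose display name is a bare GUID, any AppInit_DLLs value at all, and one DLL registered both as a BHO and in AppInit_DLLs. As an added example (not code from the thread, HijackThis or Malwarebytes), this script applies those rules to HJT log lines copied from the log posted earlier; the rule names and wording are my own, and it only reads text, never the registry.

```python
"""Triage helper for HijackThis (HJT) 2.x log lines.

Added example, not part of the forum thread or of HijackThis itself.
It flags the kinds of entries a helper picks out by hand: startup
hooks pointing at a missing file, a BHO named only by a GUID, any
AppInit_DLLs value (a DLL injected into every process that loads
user32.dll), and a DLL that appears both as a BHO and in AppInit_DLLs,
the Vundo pattern visible in this thread.
"""
import re
from dataclasses import dataclass

# Constructed fixture: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: {6aa3c8e2-30c9-dfd9-d0b4-58ec181fd2eb} - {be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} - C:\WINDOWS\System32\deodqq.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lakasha Gupton\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)
O20 - AppInit_DLLs: deodqq.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ENTRY_RE = re.compile(r"^(?P<section>[RFOS]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str  # e.g. "O2"
    kind: str     # e.g. "BHO", "Filter hijack", "AppInit_DLLs"
    detail: str   # everything after "Kind: "
    raw: str      # the original line, used as the report key


def parse_hjt(text):
    """Parse 'Oxx - Kind: detail' lines; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, sep, detail = m.group("body").partition(": ")
        if not sep:  # R0/R1 lines use "key = value" and have no kind
            kind, detail = m.group("body"), ""
        entries.append(Entry(m.group("section"), kind, detail.strip(), line))
    return entries


def _basename(path):
    """Lower-cased file name from a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage(text):
    """Return {raw_line: [reason, ...]} for entries that deserve a second look."""
    entries = parse_hjt(text)
    findings = {}

    def flag(entry, reason):
        findings.setdefault(entry.raw, []).append(reason)

    # Pass 1: collect AppInit_DLLs names (comma or space separated) and flag the value.
    appinit_dlls = set()
    for e in entries:
        if e.section == "O20" and e.kind == "AppInit_DLLs" and e.detail:
            flag(e, "AppInit_DLLs is set: injected into every process loading user32.dll")
            appinit_dlls.update(_basename(n) for n in re.split(r"[,\s]+", e.detail) if n)

    # Pass 2: per-entry heuristics and the cross-reference against AppInit_DLLs.
    for e in entries:
        low = e.detail.lower()
        if low.endswith("(no file)") or low.endswith("(file missing)"):
            flag(e, "hook points at a missing file (orphaned or partially removed)")
        parts = [p.strip() for p in e.detail.split(" - ")]
        if e.section == "O2" and e.kind == "BHO" and parts and GUID_RE.match(parts[0]):
            flag(e, "BHO display name is a bare GUID; no product name registered")
        if e.kind != "AppInit_DLLs" and parts:
            target = _basename(parts[-1].split(" (")[0])  # drop "(file missing)" suffix
            if target in appinit_dlls:
                flag(e, f"{target} is also in AppInit_DLLs (same DLL hooked twice)")
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for r in reasons:
            print("    ->", r)
```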

Re: Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 2:49 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1892
Windows 5.1.2600 Service Pack 3

3/24/2009 2:49:26 PM
mbam-log-2009-03-24 (14-49-26).txt

Scan type: Quick Scan
Objects scanned: 79267
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\deodqq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{be2df181-ce85-4b0d-9dfd-9c032e8c3aa6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\deodqq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\dspafigi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HouseGuest\Local Settings\Temp\dogeow.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HouseGuest\Local Settings\Temp\wchyxfvv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HouseGuest\Local Settings\Temporary Internet Files\Content.IE5\WUB6TYAP\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 2:53 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.





Re: Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 2:57 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by ino solutions at 14:55:35.31 on Tue 03/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.781 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ino solutions\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: DashBar Toolbar: {cc90cda0-74a0-45b4-80ef-d89ca8c249b8} - c:\program files\dashbar\DashBar21.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Zango Information Window: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - c:\program files\zango\bin\10.3.74.0\HostIE.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [VerizonServicepoint.exe] c:\program files\verizon\servicepoint\VerizonServicepoint.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - [You must be registered and logged in to see this link.]
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - [You must be registered and logged in to see this link.]
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\inosol~1\applic~1\mozilla\firefox\profiles\smzz38fl.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 298264]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys --> c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S4 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-3-5 78104]

=============== Created Last 30 ================

2009-03-24 14:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 14:35 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:34 --d-h--- C:\$AVG8.VAULT$
2009-03-24 14:22 --d----- c:\docume~1\inosol~1\applic~1\OpenOffice.org
2009-03-24 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-24 14:12 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-24 14:12 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-24 14:12 --d----- c:\windows\system32\drivers\Avg
2009-03-24 14:12 --d----- c:\program files\AVG
2009-03-24 14:12 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:06 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-03-24 14:06 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-24 14:06 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-24 14:06 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-24 14:06 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-03-24 14:06 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-24 14:06 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-24 14:06 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-24 14:06 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-03-24 14:04 --d----- c:\program files\Trend Micro
2009-03-24 13:56 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 --d----- c:\program files\MSXML 4.0
2009-03-24 13:26 --d----- c:\program files\JRE
2009-03-24 13:26 --d----- c:\program files\OpenOffice.org 3
2009-03-24 13:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 12:54 --d----- c:\windows\system32\scripting
2009-03-24 12:54 --d----- c:\windows\l2schemas
2009-03-24 12:54 --d----- c:\windows\system32\en
2009-03-24 12:49 --d----- c:\windows\network diagnostic
2009-03-24 12:41 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-03-24 12:41 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-03-24 12:40 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-03-24 12:40 1,160,192 -------- c:\windows\system32\dllcache\urlmon.dll
2009-03-24 12:40 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-03-24 12:40 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-24 12:40 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-24 12:40 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-24 12:40 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-24 12:40 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-03-24 12:39 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-03-24 12:39 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-24 12:39 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-03-24 12:39 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-03-24 12:38 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-24 12:36 19,569 a------- c:\windows\005075_.tmp
2009-03-24 12:32 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-24 12:20 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-24 12:20 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-24 12:15 1,374 a------- c:\windows\imsins.BAK
2009-03-24 12:12 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-24 12:11 --d----- c:\windows\provisioning
2009-03-24 12:11 --d----- c:\windows\peernet
2009-03-24 12:10 --d----- c:\windows\ServicePackFiles
2009-03-24 12:03 --d----- c:\windows\EHome
2009-03-24 12:00 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-24 12:00 --ds---- c:\documents and settings\ino solutions\UserData
2009-03-24 11:49 --d----- c:\docume~1\inosol~1\applic~1\Verizon
2009-03-24 11:48 --d----- c:\docume~1\inosol~1\applic~1\Malwarebytes
2009-03-24 11:48 --d----- c:\docume~1\inosol~1\applic~1\Symantec
2009-03-24 11:48 --d----- c:\documents and settings\ino solutions
2009-03-24 11:18 --d----- c:\program files\CCleaner
2009-03-24 11:05 1,400,760 ---sh--- c:\windows\system32\xslbhgjb.ini

==================== Find3M ====================

2009-03-24 12:58 78,587 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-05-13 14:27 0 a------- c:\program files\temp01

============= FINISH: 14:56:11.68 ===============


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 2:59 pm

Hello.
There are 2 leftovers to get rid of in the log, but I want to see what's installed first.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.





Re: Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 3:00 pm

3D Groove Playback Engine
3DEE Browser 4.1
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11
America Online
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Toolbar 4.0
Avatar - Legends of The Arena
AVG 8.5
BCM V.92 56K Modem
Ben 10 Alien Force Bounty Hunters
Broadcom Management Programs
CCleaner (remove only)
DashBar Toolbar
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Disney's Toontown Online
DVDSentry
FinePixViewer Ver.4.3
FUJIFILM USB Driver
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
iWin Games (remove only)
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 11
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Learn2 Player (Uninstall Only)
LG USB Modem driver
LimeWire 4.18.2
Malwarebytes' Anti-Malware
MapleStory Beginner Version
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
Network Play System (Patching)
Norton PC Checkup
OpenOffice.org 3.0
PartyPoker
PowerDVD
QuickTime
RealOne Player
RedLightCenter
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Shockwave
Soccer Mania
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.3
StormFront
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 University
The Sims™ 2 Celebration! Stuff
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 Kitchen & Bath Interior Design Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
V CAST Music with Rhapsody
Verizon Online DSL
Verizon Online Help and Support
Verizon Servicepoint 1.3.21
Verizon Yahoo! Applications
Viewpoint Media Player
Virtools 3D Life Player
Windows Internet Explorer 7
Windows XP Service Pack 3
Wizard101
WordPerfect Office 11


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 3:04 pm

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people, but they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.
Should you choose to remove them, but you are having trouble doing so, please let me know in your next post here and I will aid you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • iWin Games (remove only)
  • Java 2 Runtime Environment, SE v1.4.2
  • Java(TM) 6 Update 6
  • Java(TM) 6 Update 7
  • LimeWire 4.18.2
  • Viewpoint Media Player
Then please find and delete this folder in bold (if present):
C:\Program Files\Limewire

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    iWinGamesInstaller

    :files
    c:\windows\005075_.tmp
    c:\windows\system32\xslbhgjb.ini
    c:\program files\iwin games
    c:\program files\viewpoint


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

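The script above is a small declarative format: a `:services` or `:files` header, then one item per line, and the tool moves what it finds into a quarantine folder (the log that follows shows items "moved successfully", not deleted, and a `C:\_OTMoveIt` folder appearing). The following is an added example, not OTMoveIt's own code and not part of the thread: a parser for that script syntax plus a mover that quarantines items under a root while preserving their original drive and directory chain, so a false positive can be put back. The quarantine layout, the fake file tree built by `demo()` and the log wording are assumptions made for the demonstration; service deletion is only recorded, because stopping and deleting an NT service needs the Service Control Manager and is out of scope for a file mover.

```python
"""Parse an OTMoveIt3-style script and quarantine the listed items.

Added example, not OTMoveIt's own code. Only the script syntax shown in the
post (a ":services" or ":files" header, then one item per line) and the
"moved, not deleted" behaviour visible in the log are taken from the page;
the quarantine layout, the fake file tree and the log wording are
assumptions made for the demonstration.
"""
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path, PureWindowsPath
from typing import Callable

# The exact script from the post above.
SAMPLE_SCRIPT = """\
:services
iWinGamesInstaller

:files
c:\\windows\\005075_.tmp
c:\\windows\\system32\\xslbhgjb.ini
c:\\program files\\iwin games
c:\\program files\\viewpoint
"""


@dataclass
class MoveScript:
    services: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)


def parse_script(text: str) -> MoveScript:
    """Split the script into its sections; reject items that appear before any header."""
    script = MoveScript()
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            if section not in ("services", "files"):
                raise ValueError(f"unsupported section {line!r}")
            continue
        if section is None:
            raise ValueError(f"item {line!r} appears before any section header")
        getattr(script, section).append(line)
    return script


def tree_path(item: str) -> Path:
    """Map 'c:\\windows\\foo.tmp' to the relative path c/windows/foo.tmp.

    Keeping the original drive and directory chain under the quarantine root is
    what makes a quarantined item restorable if it turns out to be legitimate.
    """
    wp = PureWindowsPath(item)
    drive = wp.drive.rstrip(":").lower() or "nodrive"
    rest = wp.parts[1:] if wp.anchor else wp.parts
    return Path(drive, *rest)


def run_script(script: MoveScript, resolve: Callable[[str], Path], quarantine: Path) -> list[str]:
    """Move every :files item into the quarantine tree and return an OTMoveIt-style log.

    `resolve` turns a script path into a real filesystem path; on the victim
    machine that would be the identity function, here it points into a fake tree.
    """
    log = ["========== SERVICES/DRIVERS =========="]
    for svc in script.services:
        log.append(f"Service\\Driver {svc} queued for deletion (needs SCM, not done here).")
    log.append("========== FILES ==========")
    for item in script.files:
        src = resolve(item)
        if not src.exists():
            log.append(f"File/Folder {item} not found.")
            continue
        dest = quarantine / tree_path(item)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))  # move, never delete: the item stays available as evidence
        log.append(f"{item} moved successfully.")
    return log


def demo() -> tuple[list[str], Path]:
    """Build a throwaway tree matching SAMPLE_SCRIPT (viewpoint deliberately absent) and run it."""
    base = Path(tempfile.mkdtemp(prefix="otmove_demo_"))
    fake_root = base / "fakefs"
    for rel in ("c/windows/005075_.tmp",
                "c/windows/system32/xslbhgjb.ini",
                "c/program files/iwin games/firefox/chrome/x.js"):
        target = fake_root / rel  # constructed sample files, lowercase like the script
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
    quarantine = base / "_OTMoveIt"
    log = run_script(parse_script(SAMPLE_SCRIPT), lambda item: fake_root / tree_path(item), quarantine)
    return log, quarantine


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Note that Windows paths are case-insensitive while the fake tree is not, which is why the sample files are created in the script's lowercase spelling; a real mover on the victim machine would simply resolve the script path as written.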
Re: Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 3:11 pm

Done with the above:

========== SERVICES/DRIVERS ==========

Service\Driver iWinGamesInstaller deleted successfully.
========== FILES ==========
c:\windows\005075_.tmp moved successfully.
c:\windows\system32\xslbhgjb.ini moved successfully.
c:\program files\iWin Games\sounds moved successfully.
c:\program files\iWin Games\pages moved successfully.
c:\program files\iWin Games\firefox\chrome moved successfully.
c:\program files\iWin Games\firefox moved successfully.
c:\program files\iWin Games moved successfully.
File/Folder c:\program files\viewpoint not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03242009_151029


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 3:14 pm

Hello.
This looks fine now. We just have to do some updates because 2 programs from the uninstall list are old versions and have security holes in them.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 7.0
  • Spybot - Search & Destroy 1.3

Both are old versions, so please read below and download the new versions.

First, download Spybot version 1.6.2 from [You must be registered and logged in to see this link.].

Download and search for any updates and allow them to be downloaded.

Then download and install Adobe Reader version 9 from [You must be registered and logged in to see this link.].

Once you have done this, let me know how the machine is running.


Re: Removed Vundo, posting hijack log2

Post by caskaid on Tue Mar 24, 2009 3:29 pm

Machine is running fine.


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Tue Mar 24, 2009 3:43 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 12:01 pm

Well i think all the malware is gone but I spoke too soon about trojan downloaders. AVG keeps recognizing them and I can't seem to be able to delete them. Also, avg doesn't seem to keep a log so I can't copy and paste their locations into notepad and now I've closed the window.


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 1:57 pm

Hello.
Post a new DDS log.


Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 2:04 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Lakasha Gupton at 14:02:44.62 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.600 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lakasha Gupton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Zango Information Window: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - c:\program files\zango\bin\10.3.74.0\HostIE.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aida] "c:\progra~1\common~1\sembly~1\userinit.exe" -vt yazb
uRun: [GetModule23] "c:\program files\getmodule\GetModule23.exe"
uRun: [VnrBlock21] "c:\program files\vnrblock\VnrBlock21.exe"
uRun: [GetPack21] "c:\program files\getpack\GetPack21.exe"
uRun: [Tefrvim] c:\windows\system32\?asks\w?wexec.exe
uRun: [Twain] c:\program files\twain\Twain.exe
uRun: [SpeedRunner] c:\documents and settings\lakasha gupton\application data\speedrunner\SpeedRunner.exe
uRun: [SfKg6wIP] c:\documents and settings\lakasha gupton\application data\microsoft\windows\eskwrf.exe
uRun: [mzur] c:\progra~1\common~1\mzur\mzurm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\lakash~1\startm~1\programs\startup\imvu.lnk - c:\program files\imvu\IMVUClient.exe
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
uPolicies-system: NoDispScrSavPage = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - [You must be registered and logged in to see this link.]
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - [You must be registered and logged in to see this link.]
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lakash~1\applic~1\mozilla\firefox\profiles\8n22ttf1.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys --> c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]

=============== Created Last 30 ================

2009-03-25 12:40 --d----- c:\program files\Unlocker
2009-03-24 23:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-24 20:44 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 20:44 --d----- c:\program files\Lavasoft
2009-03-24 16:04 --d----- c:\program files\Defraggler
2009-03-24 15:10 --d----- C:\_OTMoveIt
2009-03-24 14:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 14:35 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:34 --d-h--- C:\$AVG8.VAULT$
2009-03-24 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-24 14:12 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-24 14:12 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-24 14:12 --d----- c:\windows\system32\drivers\Avg
2009-03-24 14:12 --d----- c:\program files\AVG
2009-03-24 14:12 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:06 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-03-24 14:06 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-24 14:06 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-24 14:06 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-24 14:06 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-03-24 14:06 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-24 14:06 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-24 14:06 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-24 14:06 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-03-24 14:04 --d----- c:\program files\Trend Micro
2009-03-24 13:56 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 --d----- c:\program files\MSXML 4.0
2009-03-24 13:26 --d----- c:\program files\JRE
2009-03-24 13:26 --d----- c:\program files\OpenOffice.org 3
2009-03-24 13:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 12:54 --d----- c:\windows\system32\scripting
2009-03-24 12:54 --d----- c:\windows\l2schemas
2009-03-24 12:54 --d----- c:\windows\system32\en
2009-03-24 12:49 --d----- c:\windows\network diagnostic
2009-03-24 12:41 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-03-24 12:41 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-03-24 12:40 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-03-24 12:40 1,160,192 -------- c:\windows\system32\dllcache\urlmon.dll
2009-03-24 12:40 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-03-24 12:40 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-24 12:40 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-24 12:40 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-24 12:40 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-24 12:40 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-03-24 12:39 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-03-24 12:39 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-24 12:39 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-03-24 12:39 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-03-24 12:38 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-24 12:36 184,832 -------- c:\windows\system32\eapp3hst.dll
2009-03-24 12:32 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-24 12:20 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-24 12:20 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-24 12:15 1,374 a------- c:\windows\imsins.BAK
2009-03-24 12:12 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-24 12:11 --d----- c:\windows\provisioning
2009-03-24 12:11 --d----- c:\windows\peernet
2009-03-24 12:10 --d----- c:\windows\ServicePackFiles
2009-03-24 12:03 --d----- c:\windows\EHome
2009-03-24 12:00 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-24 11:18 --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-03-24 12:58 78,587 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-29 10:39 61,224 a------- c:\documents and settings\lakasha gupton\GoToAssistDownloadHelper.exe
2008-09-26 21:22 24 a------- c:\documents and settings\lakasha gupton\jagex_runescape_preferences.dat
2008-05-13 14:27 0 a------- c:\program files\temp01

============= FINISH: 14:03:23.62 ===============


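The "Pseudo HJT Report" section of the DDS log above is where the reinfection is visible: an autostart named `[Aida]` launching a `userinit.exe` from an 8.3 folder under Common Files, a `[Tefrvim]` entry whose path contains `?` (the tool's substitute for a character it could not print; a question mark cannot appear in a Windows file name, so this is a look-alike directory name), executables started from Application Data, a Zango explorer bar, and toolbars registered with "No File". The following is an added example, not part of DDS or of this thread: a first-pass triage script that parses those `uRun`/`mRun` and `BHO`/`TB`/`EB` lines and flags the patterns an analyst checks by hand. The sample lines are copied from the log above; the heuristics, the small system-binary table and the adware folder list (only the Zango and Outerinfo names that occur in this thread) are assumptions for the demonstration, not DDS output.

```python
"""First-pass triage of a DDS 'Pseudo HJT Report'.

Added example, not part of DDS or of the thread. The sample lines are
copied from the log above; the heuristics and the small name tables are
assumptions (Zango and Outerinfo are simply the adware names seen in
this thread).
"""
import re
from typing import NamedTuple, Optional

SAMPLE_REPORT = """\
uRun: [Aida] "c:\\progra~1\\common~1\\sembly~1\\userinit.exe" -vt yazb
uRun: [GetModule23] "c:\\program files\\getmodule\\GetModule23.exe"
uRun: [Tefrvim] c:\\windows\\system32\\?asks\\w?wexec.exe
uRun: [SpeedRunner] c:\\documents and settings\\lakasha gupton\\application data\\speedrunner\\SpeedRunner.exe
uRun: [SfKg6wIP] c:\\documents and settings\\lakasha gupton\\application data\\microsoft\\windows\\eskwrf.exe
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
EB: Zango Information Window: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - c:\\program files\\zango\\bin\\10.3.74.0\\HostIE.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BROWSER_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|uURLSearchHooks): (?:(?P<title>.+?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
# First token of a Run command that looks like a drive-rooted executable path (quoted or not).
PATH_RE = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|pif|vbs|js))"?(?=\s|$)', re.I)

# Binaries that belong in c:\windows or c:\windows\system32; anywhere else they are impostors.
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "explorer.exe", "csrss.exe", "smss.exe", "services.exe", "spoolsv.exe"}
# 8.3 short names DDS itself emits for well-known folders; any other tilde name is worth a look.
STANDARD_SHORT = {"progra~1", "common~1", "docume~1", "alluse~1", "applic~1", "locals~1", "startm~1"}
KNOWN_ADWARE_DIRS = {"zango", "outerinfo"}  # assumption: only the names that appear in this thread


class Finding(NamedTuple):
    line: str
    name: str
    path: Optional[str]
    reasons: list


def assess_path(path: str) -> list:
    """Return the reasons a target deserves a second look (empty list = nothing obvious)."""
    reasons = []
    low = path.lower()
    parts = low.split("\\")
    if "?" in path:
        # '?' is illegal in a Windows file name: the log tool printed it in place of a
        # character it could not render, the look-alike trick seen in ?asks and ??sembly.
        reasons.append("unprintable_char")
    if "\\documents and settings\\" in low and any(
            k in low for k in ("\\application data\\", "\\local settings\\", "\\temp\\")):
        reasons.append("user_profile_exe")
    for i, part in enumerate(parts):
        after_profile_root = i > 0 and parts[i - 1] == "docume~1"  # user name in short form
        if "~" in part and part not in STANDARD_SHORT and not after_profile_root:
            reasons.append(f"odd_short_name:{part}")
        if part in KNOWN_ADWARE_DIRS:
            reasons.append(f"known_adware:{part}")
    name, parent = parts[-1], "\\".join(parts[:-1])
    if name in SYSTEM_BINARIES and parent not in ("c:\\windows", "c:\\windows\\system32"):
        reasons.append(f"masquerade:{name}")
    return reasons


def triage(report: str) -> list:
    """Walk the report and keep only the autostart/browser lines with at least one reason."""
    findings = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            pm = PATH_RE.match(m["cmd"])
            path = pm["path"] if pm else None
            reasons = assess_path(path) if path else ["unparsed_command"]
            if reasons:
                findings.append(Finding(line, m["name"], path, reasons))
            continue
        b = BROWSER_RE.match(line)
        if b:
            target = b["target"].strip()
            if target.lower() == "no file":
                path, reasons = None, ["orphan_entry"]  # dead registration, a clean-up item
            else:
                path, reasons = target, assess_path(target)
            if reasons:
                findings.append(Finding(line, b["title"] or b["clsid"], path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.name}] {', '.join(f.reasons)}")
```

Run against the sample, the script flags `[Aida]` (system binary name outside system32 plus the unknown `sembly~1` short name), `[Tefrvim]`, the two Application Data autostarts, the Zango bar and the orphaned toolbar, and leaves `ctfmon.exe` and the AVG tray alone. It deliberately passes `[GetModule23]`: a clean-looking path under Program Files trips none of these checks, which is exactly why entries like it still need to be researched by name and why the volunteer moved on to a full ComboFix run rather than relying on pattern matching.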
Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 2:23 pm

Oh wow, this is back stronger than before. Please disable Ad-Watch first of all; this topic has instructions for how to disable it.
[You must be registered and logged in to see this link.]


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:04 pm

ComboFix 09-03-23.01 - Lakasha Gupton 2009-03-25 14:49:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.615 [GMT -4:00]
Running from: c:\documents and settings\Lakasha Gupton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lakasha Gupton\Application Data\SpeedRunner
c:\documents and settings\Lakasha Gupton\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Lakasha Gupton\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Lakasha Gupton\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Lakasha Gupton\My Documents\SEMBLY~1
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Outerinfo
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Outerinfo\Terms.lnk
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Outerinfo\Uninstall.lnk
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\docfile.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\iso.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mbox.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\Common Files\sembly~1
c:\program files\Common Files\sembly~1\??sembly\
c:\windows\Readme.txt
c:\windows\system32\asks~1
c:\windows\system32\befqcaoq.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\rtc.dat
c:\windows\system32\tsuninst.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-25 12:40 . 2009-03-25 12:58 d-------- c:\program files\Unlocker
2009-03-24 23:24 . 2009-03-09 15:06 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-03-24 20:44 . 2009-03-24 20:44 d-------- c:\program files\Lavasoft
2009-03-24 20:44 . 2009-03-24 20:48 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 20:44 . 2009-03-24 20:44 d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 16:04 . 2009-03-24 16:04 d-------- c:\program files\Defraggler
2009-03-24 15:29 . 2009-03-24 15:29 d-------- c:\program files\Common Files\Adobe AIR
2009-03-24 15:10 . 2009-03-24 15:10 d-------- C:\_OTMoveIt
2009-03-24 14:35 . 2009-03-24 14:35 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-24 14:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-24 14:34 . 2009-03-25 14:22 d--h----- C:\$AVG8.VAULT$
2009-03-24 14:22 . 2009-03-24 14:22 d-------- c:\documents and settings\ino solutions\Application Data\OpenOffice.org
2009-03-24 14:12 . 2009-03-25 11:10 d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-03-24 14:12 . 2009-03-24 14:12 d-------- c:\program files\AVG
2009-03-24 14:12 . 2009-03-24 23:26 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-24 14:12 . 2009-03-24 14:12 325,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-03-24 14:12 . 2009-03-24 14:12 107,912 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-03-24 14:12 . 2009-03-24 14:12 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-03-24 14:06 . 2008-12-20 19:15 6,066,688 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2009-03-24 14:06 . 2007-04-17 05:32 2,455,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-03-24 14:06 . 2007-03-08 01:10 991,232 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll.mui
2009-03-24 14:06 . 2008-12-20 19:15 459,264 --------- c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
2009-03-24 14:06 . 2008-12-20 19:15 383,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
2009-03-24 14:06 . 2008-12-20 19:15 267,776 --------- c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
2009-03-24 14:06 . 2008-12-20 19:15 63,488 --------- c:\windows\SYSTEM32\DLLCACHE\icardie.dll
2009-03-24 14:06 . 2008-12-20 19:15 52,224 --------- c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
2009-03-24 14:06 . 2008-12-19 05:10 13,824 --------- c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-03-24 14:04 . 2009-03-24 14:04 d-------- c:\program files\Trend Micro
2009-03-24 13:56 . 2009-03-24 13:56 d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 . 2009-03-24 13:51 d-------- c:\program files\MSXML 4.0
2009-03-24 13:26 . 2009-03-24 13:26 d-------- c:\program files\OpenOffice.org 3
2009-03-24 13:26 . 2009-03-24 13:26 d-------- c:\program files\JRE
2009-03-24 13:21 . 2009-03-24 13:21 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\SYSTEM32\scripting
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\SYSTEM32\en
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\l2schemas
2009-03-24 12:41 . 2008-09-04 13:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2009-03-24 12:41 . 2008-06-13 07:05 272,128 --------- c:\windows\SYSTEM32\DLLCACHE\bthport.sys
2009-03-24 12:40 . 2009-01-16 21:35 3,594,752 --------- c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-03-24 12:40 . 2008-08-14 06:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-03-24 12:40 . 2008-08-14 06:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-03-24 12:40 . 2008-08-14 05:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-03-24 12:40 . 2008-08-14 05:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-03-24 12:40 . 2008-10-15 21:00 1,499,136 --------- c:\windows\SYSTEM32\DLLCACHE\shdocvw.dll
2009-03-24 12:40 . 2008-12-20 19:15 1,160,192 --------- c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
2009-03-24 12:40 . 2008-12-20 19:15 826,368 --------- c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-24 12:39 . 2008-10-24 07:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2009-03-24 12:39 . 2008-12-11 06:57 333,952 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2009-03-24 12:39 . 2008-05-01 10:33 331,776 --------- c:\windows\SYSTEM32\DLLCACHE\msadce.dll
2009-03-24 12:39 . 2008-05-08 10:02 203,136 --------- c:\windows\SYSTEM32\DLLCACHE\rmcast.sys
2009-03-24 12:38 . 2008-04-11 15:04 691,712 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll
2009-03-24 12:36 . 2008-04-13 20:12 695,808 --------- c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
2009-03-24 12:32 . 2008-10-15 12:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2009-03-24 12:20 . 2008-10-16 15:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-03-24 12:20 . 2008-10-16 15:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-03-24 12:15 . 2009-03-24 14:08 1,374 --a------ c:\windows\imsins.BAK
2009-03-24 12:12 . 2008-04-13 20:12 221,184 --a------ c:\windows\SYSTEM32\wmpns.dll
2009-03-24 12:11 . 2009-03-24 12:11 d-------- c:\windows\provisioning
2009-03-24 12:11 . 2009-03-24 12:54 d-------- c:\windows\peernet
2009-03-24 12:10 . 2009-03-24 12:10 d-------- c:\windows\ServicePackFiles
2009-03-24 12:03 . 2009-03-24 12:45 d-------- c:\windows\EHome
2009-03-24 12:00 . 2009-03-24 12:00 d---s---- c:\documents and settings\ino solutions\UserData
2009-03-24 12:00 . 2008-10-16 15:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
2009-03-24 11:51 . 2009-03-24 11:51 dr-h----- c:\documents and settings\ino solutions\Application Data\yahoo!
2009-03-24 11:49 . 2009-03-24 11:49 d-------- c:\documents and settings\ino solutions\Application Data\Verizon
2009-03-24 11:48 . 2004-02-04 09:07 d-------- c:\documents and settings\ino solutions\Application Data\Symantec
2009-03-24 11:48 . 2004-02-04 09:13 d-------- c:\documents and settings\ino solutions\Application Data\Sonic
2009-03-24 11:48 . 2009-03-24 11:48 d-------- c:\documents and settings\ino solutions\Application Data\Malwarebytes
2009-03-24 11:48 . 2004-02-04 09:19 d-------- c:\documents and settings\ino solutions\Application Data\Jasc Software Inc
2009-03-24 11:48 . 2009-03-24 12:00 d-------- c:\documents and settings\ino solutions
2009-03-24 11:35 . 2009-03-24 11:35 d---s---- c:\documents and settings\HouseGuest\UserData
2009-03-24 11:18 . 2009-03-24 11:18 d-------- c:\program files\CCleaner
2009-03-24 11:01 . 2009-03-24 11:01 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes


Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:04 pm

Here is part two:


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 16:50 --------- d-----w c:\documents and settings\Lakasha Gupton\Application Data\LimeWire
2009-03-25 04:01 --------- d-----w c:\program files\Common Files\mzur
2009-03-24 19:28 --------- d-----w c:\program files\Common Files\Adobe
2009-03-24 19:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 19:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 19:08 --------- d-----w c:\program files\Java
2009-03-24 16:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-24 15:55 --------- d-----w c:\program files\Norton AntiVirus
2009-03-24 15:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-29 14:39 61,224 ----a-w c:\documents and settings\Lakasha Gupton\GoToAssistDownloadHelper.exe
2008-09-27 01:22 24 ----a-w c:\documents and settings\Lakasha Gupton\jagex_runescape_preferences.dat
2008-08-25 06:35 0 ----a-w c:\documents and settings\HouseGuest\jagex_runescape_preferences.dat
2008-05-13 18:27 0 ----a-w c:\program files\temp01
2005-07-29 20:24 472 --sha-r c:\windows\TGFrYXNoYSBHdXB0b24\n3IOsrhCsm1Jxr1XvZb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tefrvim"="c:\windows\SYSTEM32\?asks\w?wexec.exe" [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-24 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-29 10:39 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-24 14:12 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^America Online 5.0 Tray Icon.lnk]
path=c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\America Online 5.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 5.0 Tray Icon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2003-08-06 03:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a--c--- 2003-08-13 12:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 c:\program files\Common Files\AOL\1214667630\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 02:07 114688 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-10-06 12:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-06 12:05 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
-----c--- 2003-08-26 21:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-02-04 09:06 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 03:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-02-04 09:08 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-05-02 00:15 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
--a------ 2006-02-01 18:33 1880064 c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 17:37 936960 c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-30 17:05 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a--c--- 2003-08-29 05:59 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-03-24 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-03-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-24 298264]
R2 lxcy_device;lxcy_device;c:\windows\System32\lxcycoms.exe -service --> c:\windows\System32\lxcycoms.exe -service [?]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\MapleStory Beginner Version\GameGuard\dump_wmimmc.sys --> c:\nexon\MapleStory Beginner Version\GameGuard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
.
Contents of the 'Scheduled Tasks' folder

2009-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2006-07-15 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2008-04-13 20:12]

2004-02-10 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 20:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-GetModule23 - c:\program files\GetModule\GetModule23.exe
HKCU-Run-VnrBlock21 - c:\program files\VnrBlock\VnrBlock21.exe
HKCU-Run-GetPack21 - c:\program files\GetPack\GetPack21.exe
HKCU-Run-mzur - c:\progra~1\COMMON~1\mzur\mzurm.exe
MSConfigStartUp-AltnetPointsManager - c:\program files\Altnet\Points Manager\Points Manager.exe
MSConfigStartUp-CMESys - c:\program files\Common Files\CMEII\CMESys.exe
MSConfigStartUp-KAZAA - c:\program files\Kazaa\kazaa.exe
MSConfigStartUp-Registry Cleaner - c:\program files\Registry Cleaner\RegClean.exe
MSConfigStartUp-SearchUpgrader - c:\program files\Common files\SearchUpgrader\SearchUpgrader.exe
MSConfigStartUp-SysUpd - c:\windows\sysupd.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Lakasha Gupton\Application Data\Mozilla\Firefox\Profiles\8n22ttf1.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-25 14:52:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-03-25 14:56:18
ComboFix-quarantined-files.txt 2009-03-25 18:55:01

Pre-Run: 50,734,522,368 bytes free
Post-Run: 51,979,046,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

314 --- E O F --- 2009-03-24 18:22:26


Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 3:08 pm

Hello.
Nearly there.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\TGFrYXNoYSBHdXB0b24\n3IOsrhCsm1Jxr1XvZb.vbs
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk

Folder::
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire
c:\program files\Norton AntiVirus
c:\program files\Common Files\Symantec Shared
c:\documents and settings\All Users\Application Data\Symantec
C:\_OTMoveIt

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.





Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:31 pm

Post1:

ComboFix 09-03-23.01 - Lakasha Gupton 2009-03-25 15:11:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.664 [GMT -4:00]
Running from: c:\documents and settings\Lakasha Gupton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lakasha Gupton\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\TGFrYXNoYSBHdXB0b24\n3IOsrhCsm1Jxr1XvZb.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\03242009_151029.log
c:\_otmoveit\MovedFiles\03242009_151029.res
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\AdminWorker.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\firefox\chrome\iwinarcade.jar
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\firefox\install.rdf
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\firefox\iWinArcadeLauncher.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\ftdownload.dat
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\host.cfg
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\iWinGames.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\iWinGamesInstaller.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\alert32x32.gif
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\blank.html
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\blank2.html
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\error.html
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\iwin_logo.gif
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\login.html
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\maintenance.html
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\offline_tag.gif
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\pages\offlineBg.gif
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\sounds\animation.wav
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\sounds\animationBack.wav
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\sounds\button_click.wav
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\sounds\download_completed.wav
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\sounds\start.wav
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\Uninstall.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\WebInstaller.exe
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\WebUpdater.bmp
c:\_otmoveit\MovedFiles\03242009_151029\program files\iWin Games\WebUpdater.exe
c:\_otmoveit\MovedFiles\03242009_151029\windows\005075_.tmp
c:\_otmoveit\MovedFiles\03242009_151029\windows\system32\xslbhgjb.ini
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\LiveSubscribe\Catalog.LiveSubscribe
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\downloads.dat
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\filters.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\gnutella.net
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\installation.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\library.dat
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\limewire.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\mojito.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\questions.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\responses.cache
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\simpp.xml
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\spam.dat
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\tables.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\version.xml
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\versions.props
c:\documents and settings\Lakasha Gupton\Application Data\LimeWire\xml\data\audio.sxml2
c:\program files\Common Files\Symantec Shared


Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:32 pm

post2:




c:\program files\Common Files\Symantec Shared\Registry Backup\ccReg.reg
c:\program files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg
c:\program files\Common Files\Symantec Shared\Support Controls\SymXPep2.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081001.003\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081008.003\ZDONE.DAT

caskaid
Intermediate

Posts : 62
Joined : 2009-03-05
OS : Windows XP
Points : 28507
# Likes : 0

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:32 pm

post3:

c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.spm
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\esrdef.bin
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\hh
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ncsacert.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\scrauth.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcdefs.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\technote.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinf.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfidx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfl.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan2.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan3.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan4.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan5.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan6.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\whatsnew.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\zdone.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\definfo.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\usage.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\0000NAV~.TMP
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\UPDATE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20070530.020\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\CATALOG.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\CUR.SCR
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\ECBOOTIL.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\ECMSVR32.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\HH.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVENG.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVENG.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVENG.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVENG32.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVEX15.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVEX15.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVEX15.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NAVEX32A.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\NCSACERT.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\SCRAUTH.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\SYMAVENG.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\SYMAVENG.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TCDEFS.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TCSCAN7.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TCSCAN8.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TCSCAN9.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TECHNOTE.979
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TINF.978
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TINFIDX.977
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TINFL.976
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TSCAN1.975
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\TSCAN1HD.974
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\V.972
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\V.973
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN.971
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN1.970
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN2.969
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN3.968
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN4.967
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN5.966
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN6.965
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN7.964
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN8.963
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCAN9.962
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\VIRSCANT.961
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\WHATSNEW.960
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B8.tmp\ZDONE.959
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\catalog.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\naveng.exp
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\naveng.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\naveng.vxd
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\naveng32.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\navex15.exp
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\navex15.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\navex15.vxd
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\navex32a.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\ncsacert.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\scrauth.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\symaveng.cat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\symaveng.inf
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\technote.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\tinf.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\tinfidx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\tinfl.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\tscan1.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan.inf
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan1.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan2.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan3.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan4.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan5.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan6.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan7.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan8.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\virscan9.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\whatsnew.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1B9.tmp\zdone.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp1BB.tmp\virscant.dat
c:\program files\Norton AntiVirus
c:\program files\Norton AntiVirus\NAVLUCBK(2).DLL
c:\windows\TGFrYXNoYSBHdXB0b24\n3IOsrhCsm1Jxr1XvZb.vbs

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:34 pm

post4:

((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-25 12:40 . 2009-03-25 12:58 d-------- c:\program files\Unlocker
2009-03-24 23:24 . 2009-03-09 15:06 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-03-24 20:44 . 2009-03-24 20:44 d-------- c:\program files\Lavasoft
2009-03-24 20:44 . 2009-03-24 20:48 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 20:44 . 2009-03-24 20:44 d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 16:04 . 2009-03-24 16:04 d-------- c:\program files\Defraggler
2009-03-24 15:29 . 2009-03-24 15:29 d-------- c:\program files\Common Files\Adobe AIR
2009-03-24 14:35 . 2009-03-24 14:35 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-24 14:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-24 14:34 . 2009-03-25 14:22 d--h----- C:\$AVG8.VAULT$
2009-03-24 14:22 . 2009-03-24 14:22 d-------- c:\documents and settings\ino solutions\Application Data\OpenOffice.org
2009-03-24 14:12 . 2009-03-25 11:10 d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-03-24 14:12 . 2009-03-24 14:12 d-------- c:\program files\AVG
2009-03-24 14:12 . 2009-03-24 23:26 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-24 14:12 . 2009-03-24 14:12 325,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-03-24 14:12 . 2009-03-24 14:12 107,912 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-03-24 14:12 . 2009-03-24 14:12 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-03-24 14:06 . 2008-12-20 19:15 6,066,688 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2009-03-24 14:06 . 2007-04-17 05:32 2,455,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-03-24 14:06 . 2007-03-08 01:10 991,232 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll.mui
2009-03-24 14:06 . 2008-12-20 19:15 459,264 --------- c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
2009-03-24 14:06 . 2008-12-20 19:15 383,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
2009-03-24 14:06 . 2008-12-20 19:15 267,776 --------- c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
2009-03-24 14:06 . 2008-12-20 19:15 63,488 --------- c:\windows\SYSTEM32\DLLCACHE\icardie.dll
2009-03-24 14:06 . 2008-12-20 19:15 52,224 --------- c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
2009-03-24 14:06 . 2008-12-19 05:10 13,824 --------- c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-03-24 14:04 . 2009-03-24 14:04 d-------- c:\program files\Trend Micro
2009-03-24 13:56 . 2009-03-24 13:56 d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 . 2009-03-24 13:51 d-------- c:\program files\MSXML 4.0
2009-03-24 13:26 . 2009-03-24 13:26 d-------- c:\program files\OpenOffice.org 3
2009-03-24 13:26 . 2009-03-24 13:26 d-------- c:\program files\JRE
2009-03-24 13:21 . 2009-03-24 13:21 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\SYSTEM32\scripting
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\SYSTEM32\en
2009-03-24 12:54 . 2009-03-24 12:54 d-------- c:\windows\l2schemas
2009-03-24 12:41 . 2008-09-04 13:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2009-03-24 12:41 . 2008-06-13 07:05 272,128 --------- c:\windows\SYSTEM32\DLLCACHE\bthport.sys
2009-03-24 12:40 . 2009-01-16 21:35 3,594,752 --------- c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-03-24 12:40 . 2008-08-14 06:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-03-24 12:40 . 2008-08-14 06:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-03-24 12:40 . 2008-08-14 05:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-03-24 12:40 . 2008-08-14 05:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-03-24 12:40 . 2008-10-15 21:00 1,499,136 --------- c:\windows\SYSTEM32\DLLCACHE\shdocvw.dll
2009-03-24 12:40 . 2008-12-20 19:15 1,160,192 --------- c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
2009-03-24 12:40 . 2008-12-20 19:15 826,368 --------- c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-24 12:39 . 2008-10-24 07:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2009-03-24 12:39 . 2008-12-11 06:57 333,952 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2009-03-24 12:39 . 2008-05-01 10:33 331,776 --------- c:\windows\SYSTEM32\DLLCACHE\msadce.dll
2009-03-24 12:39 . 2008-05-08 10:02 203,136 --------- c:\windows\SYSTEM32\DLLCACHE\rmcast.sys
2009-03-24 12:38 . 2008-04-11 15:04 691,712 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll
2009-03-24 12:36 . 2008-04-13 20:12 695,808 --------- c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
2009-03-24 12:32 . 2008-10-15 12:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2009-03-24 12:20 . 2008-10-16 15:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-03-24 12:20 . 2008-10-16 15:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-03-24 12:15 . 2009-03-24 14:08 1,374 --a------ c:\windows\imsins.BAK
2009-03-24 12:12 . 2008-04-13 20:12 221,184 --a------ c:\windows\SYSTEM32\wmpns.dll
2009-03-24 12:11 . 2009-03-24 12:11 d-------- c:\windows\provisioning
2009-03-24 12:11 . 2009-03-24 12:54 d-------- c:\windows\peernet
2009-03-24 12:10 . 2009-03-24 12:10 d-------- c:\windows\ServicePackFiles
2009-03-24 12:03 . 2009-03-24 12:45 d-------- c:\windows\EHome
2009-03-24 12:00 . 2009-03-24 12:00 d---s---- c:\documents and settings\ino solutions\UserData
2009-03-24 12:00 . 2008-10-16 15:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
2009-03-24 11:51 . 2009-03-24 11:51 dr-h----- c:\documents and settings\ino solutions\Application Data\yahoo!
2009-03-24 11:49 . 2009-03-24 11:49 d-------- c:\documents and settings\ino solutions\Application Data\Verizon
2009-03-24 11:48 . 2004-02-04 09:07 d-------- c:\documents and settings\ino solutions\Application Data\Symantec
2009-03-24 11:48 . 2004-02-04 09:13 d-------- c:\documents and settings\ino solutions\Application Data\Sonic
2009-03-24 11:48 . 2009-03-24 11:48 d-------- c:\documents and settings\ino solutions\Application Data\Malwarebytes
2009-03-24 11:48 . 2004-02-04 09:19 d-------- c:\documents and settings\ino solutions\Application Data\Jasc Software Inc
2009-03-24 11:48 . 2009-03-24 12:00 d-------- c:\documents and settings\ino solutions
2009-03-24 11:35 . 2009-03-24 11:35 d---s---- c:\documents and settings\HouseGuest\UserData
2009-03-24 11:18 . 2009-03-24 11:18 d-------- c:\program files\CCleaner
2009-03-24 11:01 . 2009-03-24 11:01 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:35 pm

post5:

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 04:01 --------- d-----w c:\program files\Common Files\mzur
2009-03-24 19:28 --------- d-----w c:\program files\Common Files\Adobe
2009-03-24 19:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 19:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 19:08 --------- d-----w c:\program files\Java
2008-09-29 14:39 61,224 ----a-w c:\documents and settings\Lakasha Gupton\GoToAssistDownloadHelper.exe
2008-09-27 01:22 24 ----a-w c:\documents and settings\Lakasha Gupton\jagex_runescape_preferences.dat
2008-08-25 06:35 0 ----a-w c:\documents and settings\HouseGuest\jagex_runescape_preferences.dat
2008-05-13 18:27 0 ----a-w c:\program files\temp01
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-25 19:14:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_768.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tefrvim"="c:\windows\SYSTEM32\?asks\w?wexec.exe" [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-24 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-29 10:39 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-24 14:12 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lakasha Gupton^Start Menu^Programs^Startup^America Online 5.0 Tray Icon.lnk]
path=c:\documents and settings\Lakasha Gupton\Start Menu\Programs\Startup\America Online 5.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 5.0 Tray Icon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2003-08-06 03:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a--c--- 2003-08-13 12:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 c:\program files\Common Files\AOL\1214667630\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 02:07 114688 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-10-06 12:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-06 12:05 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
-----c--- 2003-08-26 21:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-02-04 09:06 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 03:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-02-04 09:08 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-05-02 00:15 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
--a------ 2006-02-01 18:33 1880064 c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 17:37 936960 c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-30 17:05 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a--c--- 2003-08-29 05:59 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-03-24 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-03-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-24 298264]
R2 lxcy_device;lxcy_device;c:\windows\System32\lxcycoms.exe -service --> c:\windows\System32\lxcycoms.exe -service [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\MapleStory Beginner Version\GameGuard\dump_wmimmc.sys --> c:\nexon\MapleStory Beginner Version\GameGuard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2006-07-15 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2008-04-13 20:12]

2004-02-10 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Lakasha Gupton\Application Data\Mozilla\Firefox\Profiles\8n22ttf1.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-25 15:14:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\lxcycoms.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-25 15:25:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-25 19:25:12
ComboFix2.txt 2009-03-25 18:56:20

Pre-Run: 52,181,954,560 bytes free
Post-Run: 52,138,942,464 bytes free

591 --- E O F --- 2009-03-24 18:22:26

Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 3:38 pm

Hello.
Please enable AVG guard again and let me know how the machine is running now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:45 pm

Computer is running fine, however, will I have to do this again if there are additional users on the system? What led me back here was that I ran an AVG scan with another user (since it was picking up locked directories/files that I knew had infections but couldn't delete them since I wasn't on that user's profile) and it could delete the infections only once I was on the other user's profile. Do I need to do these steps again on the one last profile?

Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 3:46 pm

So how many profiles are there? 3?

Two of them should be clean now anyway.
Logon to the third user account and run DDS from there too and we'll see if that picks anything up from that user account.

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 3:58 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ryan Davidson at 15:56:43.06 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.745 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ryan Davidson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: Yahoo! Dictionary - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycsrch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - [You must be registered and logged in to see this link.]
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryanda~1\applic~1\mozilla\firefox\profiles\fvbl9xib.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 298264]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys --> c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-03-25 14:31 a-dshr-- C:\cmdcons
2009-03-25 14:30 161,792 a------- c:\windows\SWREG.exe
2009-03-25 14:30 98,816 a------- c:\windows\sed.exe
2009-03-25 12:40 --d----- c:\program files\Unlocker
2009-03-24 23:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-24 20:44 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 20:44 --d----- c:\program files\Lavasoft
2009-03-24 16:04 --d----- c:\program files\Defraggler
2009-03-24 14:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 14:35 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:34 --d-h--- C:\$AVG8.VAULT$
2009-03-24 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-24 14:12 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-24 14:12 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-24 14:12 --d----- c:\windows\system32\drivers\Avg
2009-03-24 14:12 --d----- c:\program files\AVG
2009-03-24 14:12 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:04 --d----- c:\program files\Trend Micro
2009-03-24 13:56 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 --d----- c:\program files\MSXML 4.0
2009-03-24 13:26 --d----- c:\program files\JRE
2009-03-24 13:26 --d----- c:\program files\OpenOffice.org 3
2009-03-24 13:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 12:54 --d----- c:\windows\system32\scripting
2009-03-24 12:54 --d----- c:\windows\l2schemas
2009-03-24 12:54 --d----- c:\windows\system32\en
2009-03-24 12:49 --d----- c:\windows\network diagnostic
2009-03-24 12:36 184,832 -------- c:\windows\system32\eapp3hst.dll
2009-03-24 12:20 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-24 12:20 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-24 12:15 1,374 a------- c:\windows\imsins.BAK
2009-03-24 12:12 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-24 12:11 --d----- c:\windows\provisioning
2009-03-24 12:11 --d----- c:\windows\peernet
2009-03-24 12:10 --d----- c:\windows\ServicePackFiles
2009-03-24 12:03 --d----- c:\windows\EHome
2009-03-24 12:00 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-24 11:18 --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-03-24 12:58 78,587 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-09-21 16:22 0 a------- c:\documents and settings\ryan davidson\jagex_runescape_preferences.dat
2008-05-13 14:27 0 a------- c:\program files\temp01

============= FINISH: 15:56:57.25 ===============

Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 4:00 pm

Looks fine to me. ;)

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 4:04 pm

One last user:


DDS (Ver_09-03-16.01) - NTFSx86
Run by HouseGuest at 16:02:58.14 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.683 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HouseGuest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [MS Juan] rundll32 "c:\docume~1\houseg~1\locals~1\temp\dogeow.dll",run
uRun: [88b11979] rundll32.exe "c:\docume~1\houseg~1\locals~1\temp\gmwydfcv.dll",b
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - [You must be registered and logged in to see this link.]
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.] files\dream day wedding 2 - married in manhattan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\houseg~1\applic~1\mozilla\firefox\profiles\zeqky88b.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 298264]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys --> c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-03-25 14:31 a-dshr-- C:\cmdcons
2009-03-25 14:30 161,792 a------- c:\windows\SWREG.exe
2009-03-25 14:30 98,816 a------- c:\windows\sed.exe
2009-03-25 12:40 --d----- c:\program files\Unlocker
2009-03-24 23:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-24 20:44 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 20:44 --d----- c:\program files\Lavasoft
2009-03-24 16:04 --d----- c:\program files\Defraggler
2009-03-24 14:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 14:35 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 14:34 --d-h--- C:\$AVG8.VAULT$
2009-03-24 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-24 14:12 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-24 14:12 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-24 14:12 --d----- c:\windows\system32\drivers\Avg
2009-03-24 14:12 --d----- c:\program files\AVG
2009-03-24 14:12 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:04 --d----- c:\program files\Trend Micro
2009-03-24 13:56 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-24 13:51 --d----- c:\program files\MSXML 4.0
2009-03-24 13:26 --d----- c:\program files\JRE
2009-03-24 13:26 --d----- c:\program files\OpenOffice.org 3
2009-03-24 13:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 12:54 --d----- c:\windows\system32\scripting
2009-03-24 12:54 --d----- c:\windows\l2schemas
2009-03-24 12:54 --d----- c:\windows\system32\en
2009-03-24 12:49 --d----- c:\windows\network diagnostic
2009-03-24 12:36 184,832 -------- c:\windows\system32\eapp3hst.dll
2009-03-24 12:20 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-24 12:20 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-24 12:15 1,374 a------- c:\windows\imsins.BAK
2009-03-24 12:12 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-24 12:11 --d----- c:\windows\provisioning
2009-03-24 12:11 --d----- c:\windows\peernet
2009-03-24 12:10 --d----- c:\windows\ServicePackFiles
2009-03-24 12:03 --d----- c:\windows\EHome
2009-03-24 12:00 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-24 11:35 --ds---- c:\documents and settings\houseguest\UserData
2009-03-24 11:18 --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-03-24 12:58 78,587 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-25 02:35 0 a------- c:\documents and settings\houseguest\jagex_runescape_preferences.dat
2008-05-13 14:27 0 a------- c:\program files\temp01

============= FINISH: 16:03:11.89 ===============

Re: Removed Vundo, posting hijack log2

Post by Belahzur on Wed Mar 25, 2009 4:05 pm

Both look fine.

What problems remain?

Re: Removed Vundo, posting hijack log2

Post by caskaid on Wed Mar 25, 2009 4:27 pm

All should be well unless AVG picks up anything additional. Thank you!
