Help With Log, Vundo Has Been A Real Pain!

Noticed trouble starting yesterday. Been reading on the Forums and tried to proceed with some of the common steps first.

Bitdefender found Trojan.Vundo.EWZ

Have run each of these several times:

1. Vundofix --found and fixed several items
2. SUPERAntiSpyware --found and fixed several items
3. Malwarebytes Anti-Malware --found and fixed several items

I have killed most anything that I didn't need or that looked suspicious with HiJackThis or msconfig. Every time I restart, there is a process with a random name, for example: "HWA97A7.EXE"

Thanks for any help you might be able to give!

Here is my logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:33 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DCPFLICS\dcpflics.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Documents and Settings\pforgy\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [streamline Managed Services Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://192.168.200.20/ShorewareDirector/Cl...ientInstall.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155681380593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155681318328
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CI.tld
O17 - HKLM\Software\..\Telephony: DomainName = CI.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CI.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CI.tld
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = CI.tld
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Program Files\DCPFLICS\dcpflics.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HoudiniLicenseServer - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: HoudiniServer - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 10663 bytes

Comments

  • Hello Sr Pablo,

    Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post, so that I or someone else can see if there are still some infections.

    Kind regards,
    Niels

  • Thanks Niels.

    Here is the log:

    ComboFix 08-08-03.05 - pforgy 2008-08-04 11:42:35.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2456 [GMT -7:00]
    Running from: C:\Documents and Settings\pforgy\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\pforgy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\pforgy\Application Data\macromedia\Flash Player\#SharedObjects\2R3L7FPU\interclick.com
    C:\Documents and Settings\pforgy\Application Data\macromedia\Flash Player\#SharedObjects\2R3L7FPU\interclick.com\ud.sol
    C:\Documents and Settings\pforgy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\pforgy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\lsprst7.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ssprs.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
    .
    2008-08-01 17:52 . 2008-08-01 18:08 345 --a------ C:\WINDOWS\gmer.ini
    2008-08-01 16:59 . 2008-08-01 16:59 22 --a------ C:\s28g..tag
    2008-08-01 16:59 . 2008-08-01 16:59 1 --a------ C:\s28g
    2008-08-01 16:23 . 2008-08-01 16:23 <DIR> d-------- C:\Program Files\RootKit Hook Analyzer
    2008-08-01 16:23 . 2007-07-07 00:39 19,248 --a------ C:\WINDOWS\system32\drivers\rspsc32.sys
    2008-08-01 16:12 . 2008-08-01 16:13 23,813,410 --a------ C:\WINDOWS\system32\F
    2008-08-01 16:02 . 2008-08-01 16:08 23,813,210 --a------ C:\WINDOWS\system32\OPSVQB
    2008-07-31 17:29 . 2008-07-31 17:29 22 --a------ C:\s258..tag
    2008-07-31 17:29 . 2008-07-31 17:29 1 --a------ C:\s258
    2008-07-31 16:31 . 2008-07-31 16:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-31 16:31 . 2008-07-31 16:31 <DIR> d-------- C:\Documents and Settings\pforgy\Application Data\Malwarebytes
    2008-07-31 16:31 . 2008-07-31 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-31 16:31 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-31 16:31 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-31 16:04 . 2008-07-31 16:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-31 16:04 . 2008-07-31 16:04 <DIR> d-------- C:\Documents and Settings\pforgy\Application Data\SUPERAntiSpyware.com
    2008-07-31 16:04 . 2008-07-31 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-31 13:59 . 2008-07-31 13:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-31 12:26 . 2008-07-31 17:02 <DIR> d-------- C:\VundoFix Backups
    2008-07-31 11:29 . 2008-08-04 11:55 121 --a------ C:\WINDOWS\bdagent.INI
    2008-07-30 18:22 . 2008-08-04 12:02 81,984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-07-30 18:20 . 2008-07-30 18:20 <DIR> d-------- C:\Documents and Settings\pforgy\Application Data\BitDefender
    2008-07-30 18:19 . 2008-07-30 18:19 <DIR> d-------- C:\Program Files\BitDefender
    2008-07-30 18:19 . 2008-07-30 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-07-30 18:18 . 2008-07-30 18:19 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-07-30 17:12 . 2008-07-30 17:17 <DIR> d-------- C:\Documents and Settings\pforgy\.housecall6.6
    2008-07-30 12:11 . 2008-07-30 16:31 <DIR> d-------- C:\Program Files\DCPFLICS
    2008-07-30 12:11 . 1996-08-20 19:37 15,840 --a------ C:\WINDOWS\system32\Machnm1.exe
    2008-07-30 12:11 . 2003-08-12 23:27 2,304 --a------ C:\WINDOWS\system32\Machnm32.sys
    2008-07-21 11:58 . 2008-07-21 11:58 <DIR> d-------- C:\Program Files\Smith Micro
    2008-07-21 11:58 . 2008-07-21 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Smith Micro
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-01 20:00 --------- d-----w C:\Program Files\Java
    2008-08-01 00:46 --------- d-----w C:\Program Files\Google
    2008-07-31 23:11 --------- d-----w C:\Documents and Settings\pforgy\Application Data\ShoreWare Client
    2008-07-30 23:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-30 19:03 --------- d-----w C:\Program Files\Autodesk
    2008-07-30 00:53 --------- d-----w C:\Program Files\PolyTrans
    2008-06-18 00:28 --------- d-----w C:\Program Files\eMachineShop
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 23:00 --------- d-----w C:\Program Files\MSECache
    2008-06-05 01:43 --------- d-----w C:\Program Files\EPSON Print CD
    2008-05-30 23:41 479,232 ----a-w C:\WINDOWS\PICSDK.dll
    2008-02-21 00:51 302,577 ----a-w C:\Program Files\Uninstal_BP3D_Demo.log
    2006-09-17 07:05 476,672 ----a-w C:\Program Files\7za.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 17:13 1207080]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 06:50 139264]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-10-29 11:17 398784]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe" [2006-08-01 18:34 1114490]
    "AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe" [2006-08-01 18:38 1852314]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-08-01 18:34 126976]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "Streamline Managed Services Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04 192512]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 03:00 98304]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-05-23 19:16 368640]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 339968 C:\WINDOWS\stsystra.exe]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\pforgy\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
    "C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
    "C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
    "C:\\Program Files\\Autodesk\\backburner\\server.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 KaseyaAgent;Kaseya Agent;C:\Program Files\Kaseya\Agent\AgentMon.exe [2007-06-04 19:52]
    R2 Stuffit Archive Name Service;Stuffit Archive Name Service;C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe [2008-01-31 08:37]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-06-02 16:16]
    S3 JRJHRXDAL;JRJHRXDAL;C:\DOCUME~1\pforgy\LOCALS~1\Temp\JRJHRXDAL.exe []
    S3 RSPHOOKANALYZER;RSPHOOKANALYZER;C:\DOCUME~1\pforgy\LOCALS~1\Temp\rspsc32.sys []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder
    2008-07-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    - - - - ORPHANS REMOVED - - - -
    MSConfigStartUp-38315316 - C:\WINDOWS\system32\ksqsyfrr.dll
    MSConfigStartUp-BM3b02608a - C:\WINDOWS\system32\ngkxjbuf.dll
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\pforgy\Application Data\Mozilla\Firefox\Profiles\lba6f7ff.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/

    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-04 11:57:46
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
    -> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
    -> C:\Program Files\TortoiseSVN\iconv\utf-8.so
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\BRSS01A.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DCPFLICS\DCPFLICS.exe
    C:\WINDOWS\system32\sesinetd.exe
    C:\WINDOWS\system32\hserver.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\PccNTUpd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-04 12:34:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-04 19:34:07

    Pre-Run: 136,231,878,656 bytes free
    Post-Run: 136,428,134,400 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    230