arachnid40

Hijackthis.log Vundo Trojan[RESOLVED]

Recommended Posts

I want to make sure I got all of the crap out here is the hijackthis log and the log from malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:13:47 AM, on 3/22/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Weather Pulse\weatherpulse.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\wuauclt.exe

c:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\Install\msxml4-KB954430-enu.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

c:\WINDOWS\system32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\Run: [votugedope] Rundll32.exe "C:\WINDOWS\system32\tikiyabu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [votugedope] Rundll32.exe "C:\WINDOWS\system32\tikiyabu.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: c:\windows\system32\zahuzewi.dll c:\windows\system32\powenewe.dll rqktfr.dll ,

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

--

End of file - 8774 bytes

Malwarebytes' Anti-Malware 1.34

Database version: 1884

Windows 5.1.2600 Service Pack 3

3/22/2009 10:08:11 AM

mbam-log-2009-03-22 (10-08-11).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 218864

Time elapsed: 1 hour(s), 2 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 7

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\zayopupa.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\midogiru.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\rqktfr.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d81a483c-8dfa-46b8-8cab-d09007143e7c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d81a483c-8dfa-46b8-8cab-d09007143e7c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ded852-13cc-49e1-9759-f01d4e9e5e28} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b2ded852-13cc-49e1-9759-f01d4e9e5e28} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d81a483c-8dfa-46b8-8cab-d09007143e7c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ded852-13cc-49e1-9759-f01d4e9e5e28} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c97f32a (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\votugedope (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fa4c0b6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zayopupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zayopupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zayopupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\midogiru.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\midogiru.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\rqktfr.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\rewuvafu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ufavuwer.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\midogiru.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\pologodi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zayopupa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\timinebe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Hey there,

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKUS\S-1-5-19\..\Run: [votugedope] Rundll32.exe "C:\WINDOWS\system32\tikiyabu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [votugedope] Rundll32.exe "C:\WINDOWS\system32\tikiyabu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: c:\windows\system32\zahuzewi.dll c:\windows\system32\powenewe.dll rqktfr.dll ,

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the fix below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :processes
    explorer.exe

    :files
    C:\WINDOWS\system32\tikiyabu.dll
    c:\windows\system32\zahuzewi.dll
    c:\windows\system32\powenewe.dll
    c:\windows\system32\rqktfr.dll

    :commands
    [purity]
    [emptytemp]
    [start explorer]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Share this post


Link to post
Share on other sites

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== FILES ==========

File/Folder C:\WINDOWS\system32\tikiyabu.dll not found.

File/Folder c:\windows\system32\zahuzewi.dll not found.

File/Folder c:\windows\system32\powenewe.dll not found.

File/Folder c:\windows\system32\rqktfr.dll not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_hphtra07.log scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_65c.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03232009_114457

Edited by arachnid40

Share this post


Link to post
Share on other sites

Hey,

Very sorry for the delay! I never got an email saying you responded.

Please go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply

Share this post


Link to post
Share on other sites

;*******************************************************************************

*********************************************************************************

*******************

ANALYSIS: 2009-03-30 16:13:30

PROTECTIONS: 1

MALWARE: 26

SUSPECTS: 0

;*******************************************************************************

*********************************************************************************

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

=================================================================================

===================

AVG Anti-Virus Free 8.5 Yes Yes

;===============================================================================

=================================================================================

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

=================================================================================

===================

00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent61.zip

00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Cookies\[email protected][1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00167653 Cookie/Outster TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00167653 Cookie/Outster TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][3].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00168059 Cookie/Mp3s Hits TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Cookies\[email protected][2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Cookies\[email protected][1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][4].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][3].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][3].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][4].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][3].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Cookies\[email protected][2].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt

00487624 Trj/Banker.LNO Virus/Trojan No 1 Yes No C:\hp\recovery\wizard\SWR_Wizard.exe

01343147 Application/MyWay HackTools No 0 Yes No D:\I386\Apps\APP31789\SRC\HPSummer2005.exe

01343147 Application/MyWay HackTools No 0 Yes No C:\hp\bin\wbug\HPSummer2005.exe

05067985 Generic Trojan Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\01072009_135728\PROGRAM FILES\Rapid Antivirus\Uninstall.exe

;===============================================================================

=================================================================================

===================

SUSPECTS

Sent Location .

;===============================================================================

=================================================================================

===================

;===============================================================================

=================================================================================

===================

VULNERABILITIES

Id Severity Description .

;===============================================================================

=================================================================================

===================

;===============================================================================

=================================================================================

===================

Share this post


Link to post
Share on other sites

Nice job your log looks clean!

Please use the following suggestions to help prevent reinfection.

System Restore maintains a backup of your programs and may also backup infections, so please reset it to make a clean Restore Point.

Please do this:

On the Desktop, right-click My Computer > click Properties > click the System Restore tab.

Check Turn off System Restore.

Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Please wait a few moments to let it clear.

Now please remove the check from Turn off System Restore.

Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit3 to reach the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

The following is a list of tools and utilities that I like to suggest to people to help keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

**Tutorial on installing & using this product can be found HERE**

Secunia Personal Software Inspector - Stay up to date on all of your applications with this powerful tool that will scan, detect, check, and secure the applications installed on your computer.

MVPS Hosts file - This handy download replaces your current HOSTS file with one containing well known ad sites and other bad/malicous sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in temporary folders.

Firewall A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.

**Tutorial on Firewalls can be found HERE**

Internet Browser - Internet Explorer is not the safest not the fastest internew browser anymore. There are way better alternatives out there that are faster, more secure, and have many more useful features. I recommend Opera or Google Chrome

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like Spyware Blaster and MBAM do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Finally, I strongly recommend action-smiley-036.gifHow did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :)

Share this post


Link to post
Share on other sites

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.