Post #1, 14-Sep-2008, 07:24 AM
My step-daughter complained that her system was getting slower each week, with pop-ups appearing regularly, until it eventually got to the stage that it would hang during boot – not quite getting to the desktop. I booted in Safe Mode, and the problem was the same.

System:
- HP Pavilion 724a
- Pentium 4 2.4GHz
- 512 MB RAM
- Windows XP Home SP2

I extracted the Hard Disk, and ran a Symantec scan using another PC. Symantec reported multiple instances of five different types of problems that were Quarantined (and subsequently removed):
- Trojan.Metajuan
- Trojan Horse
- Trojan.Vundo
- Trojan.Malscript!html
- Downloader

(List of files & locations available if required or helpful)

I located removal instructions on the Symantec website for each of these, and removed the specified files. I then returned the Hard Disk to its original machine (Pavilion), and removed the specified registry entries – however there were only a few of the numerous listed. At least the machine was now booting and (sort of) usable. However, I felt there were still issues with the system: when I booted into Safe Mode, the warning box stating that the system was in Safe Mode appeared several times – about 2 to 5 minutes apart.

I then began searching for answers – and found this forum. I read one thread that made reference to ComboFix & HiJackThis. I downloaded these and ran them on the troubled Pavilion. The system appears to be running better again, but is there more to fix? As I am not accomplished at analysing these logfiles, could someone please inspect these and instruct me on the next step(s)? As I tend to be the “computer guy” of the family, I guess I would end up having a few computers where I may need to do similar repairs/cleanups – is there some reading or instructions on how to analyse these logs, and therefore complete the task? I have not run any other anti-virus nor any anti-adware software, nor any registry cleaning software.
However, I manually deleted ALL Temp & Temporary Internet Files under the “Document & Settings” folder & sub-folders, as I noted that a number of the Downloader, Trojan.Malscript!html, Trojan Horse, & Trojan.Vundo files were found there. Anyway, here are the logfiles - I hope this post is not too large:

=========== Start of ComboFix Log ==============
ComboFix 08-09-13.05 - Owner 2008-09-14 17:45:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.225 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\Installr\Cache\0012A7C1
C:\Program Files\FunWebProducts\Installr\Cache\0012C711
C:\Program Files\FunWebProducts\Installr\Cache\0012D598
C:\Program Files\FunWebProducts\Installr\Cache\0012E4CA
C:\Program Files\FunWebProducts\Installr\Cache\0012F881
C:\Program Files\FunWebProducts\Installr\Cache\files.ini
C:\Program Files\FunWebProducts\Shared\1629500
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWay
C:\Program Files\MyWay\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWay\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWay\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWay\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWay\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWay\bar\Cache\0014B70A.bin
C:\Program Files\MyWay\bar\Cache\0014DA32.bin
C:\Program Files\MyWay\bar\Cache\0014F22E.bin
C:\Program Files\MyWay\bar\Cache\0014FC50.bin
C:\Program Files\MyWay\bar\Cache\00150316.bin
C:\Program Files\MyWay\bar\Cache\00154698.bin
C:\Program Files\MyWay\bar\Cache\001553A7.bin
C:\Program Files\MyWay\bar\Cache\00155DE8.bin
C:\Program Files\MyWay\bar\Cache\0015655B.bin
C:\Program Files\MyWay\bar\Cache\001576A1.bin
C:\Program Files\MyWay\bar\Cache\0060565A.bin
C:\Program Files\MyWay\bar\Cache\0A34FF5E
C:\Program Files\MyWay\bar\Cache\files.ini
C:\Program Files\MyWay\bar\History\search
C:\Program Files\MyWay\bar\Settings\prevcfg.htm
C:\Program Files\MyWay\bar\Settings\settings.dat
C:\Program Files\MyWay\bar\Settings\settings.dat.bak
C:\Program Files\MyWay\bar\Settings\settings.htm
C:\Program Files\MyWay\bar\Settings\settings.htm.bak
C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL
C:\Program Files\MyWay\SearchAt\Cache\00230361
C:\Program Files\MyWay\SearchAt\Cache\files.ini
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bgoufuoy.ini
C:\WINDOWS\system32\BLoVELRu.ini
C:\WINDOWS\system32\BLoVELRu.ini2
C:\WINDOWS\system32\bmpadsed.ini
C:\WINDOWS\system32\cbowsqwj.ini
C:\WINDOWS\system32\cdjmlfyw.ini
C:\WINDOWS\system32\cnqlkxnl.ini
C:\WINDOWS\system32\eloddntg.ini
C:\WINDOWS\system32\elrhmqnr.ini
C:\WINDOWS\system32\gjqjaqfa.ini
C:\WINDOWS\system32\gvgcqnfv.ini
C:\WINDOWS\system32\hgdhvcmn.ini
C:\WINDOWS\system32\huxypbpu.ini
C:\WINDOWS\system32\ioowcdmo.ini
C:\WINDOWS\system32\ittybwtv.ini
C:\WINDOWS\system32\jmsdmfsw.ini
C:\WINDOWS\system32\mmvruwae.ini
C:\WINDOWS\system32\mtfnvcjq.ini
C:\WINDOWS\system32\mttmauwx.ini
C:\WINDOWS\system32\naaojctc.ini
C:\WINDOWS\system32\nepetkkn.ini
C:\WINDOWS\system32\pcqemfqo.ini
C:\WINDOWS\system32\plkusrbg.ini
C:\WINDOWS\system32\qacwlwws.ini
C:\WINDOWS\system32\rhqetbmr.ini
C:\WINDOWS\system32\sahgwudr.ini
C:\WINDOWS\system32\sjvldeni.ini
C:\WINDOWS\system32\tnjcnddt.ini
C:\WINDOWS\system32\uacsoipb.ini
C:\WINDOWS\system32\uRLEVoLB.dll
C:\WINDOWS\system32\vdnsvcan.ini
C:\WINDOWS\system32\vupmvqjo.ini
C:\WINDOWS\system32\xbxtxuio.ini
C:\WINDOWS\system32\xudtclsf.ini
C:\WINDOWS\system32\xxhrklbc.ini
C:\WINDOWS\system32\yahvtqly.ini
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.
2008-08-17 10:18 . 2002-11-08 03:24 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-08-17 10:18 . 2002-11-08 02:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-08-17 10:18 . 2002-11-08 02:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-17 10:18 . 2002-11-08 03:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-08-17 10:18 . 2002-11-08 03:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-08-17 10:18 . 2008-09-14 14:03 <DIR> d-------- C:\Documents and Settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-09-09 114688]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-09-06 820736]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\PROGRA~1\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mfzhjq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
--a------ 2002-06-18 19:24 32768 C:\WINDOWS\system32\HpSrvUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-07-13 18:00 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 14:39 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 07:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB]
--a------ 2001-07-03 19:14 102400 C:\WINDOWS\system32\usb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2004-03-12 15:53 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
--a------ 2003-05-01 08:21 184784 C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2002-09-30 22:39 548933 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-09-30 22:39 372736 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{61412ee0-9524-4470-8859-4f636ce6c78e} - C:\WINDOWS\system32\mfzhjq.dll
BHO-{97B612B9-2DF1-473D-8D71-DFED4151788C} - C:\WINDOWS\system32\uRLEVoLB.dll
Notify-__c00ED4D6 - C:\WINDOWS\system32\__c00ED4D6.dat
Notify-opnlMDTK - opnlMDTK.dll
MSConfigStartUp-AutoTBar - C:\hp\bin\autotbar.exe
MSConfigStartUp-MyWebSearch Email Plugin - C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.optusnet.com.au/
R1 -: HKCU-Internet Settings,ProxyOverride = 0;localhost;<local>
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O9 -: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 17:59:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-09-14 18:09:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-14 08:09:04
Pre-Run: 48,217,759,744 bytes free
Post-Run: 48,056,033,280 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
246 --- E O F --- 2008-05-28 12:16:33
=========== End of ComboFix Log ==============

=========== Start of HiJackThis Log ==============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:26 PM, on 14/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\PROGRA~1\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\PROGRA~1\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
O20 - AppInit_DLLs: mfzhjq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\SCS\SAV\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SCS\SAV\Rtvscan.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 7698 bytes
=========== End of HiJackThis Log ==============
Tags: combofix, hijackthis, trojan.malscript, trojan.metajuan, trojan.vundo

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

