Infected With Trojan.vundo Virus


12 replies to this topic

#1 TLONG
  • Members
  • 13 posts

Posted 19 July 2007 - 03:13 AM

Somehow I got the Trojan.Vundo virus. I have read up on numerous ways to fix it. Some have worked, but then it keeps coming back. I did a log file and will include it in this post. Can anyone help me get rid of this for good?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:43 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f574.mail.yahoo.com/dc/launch?ac...d=0h1u24c8odft7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\gebcdbc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {98FDCA4F-7741-4F60-B9C0-851E460ABA00} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - (no file)
O2 - BHO: (no name) - {F55E5462-748D-4A68-B39D-D7FF1B9037FB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O20 - Winlogon Notify: gebcdbc - C:\WINDOWS\SYSTEM32\gebcdbc.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8149 bytes


#2 Rosty
    Skydive junkie
  • Malware Response Team
  • 1,220 posts

Posted 19 July 2007 - 03:22 AM

Hi Tlong,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post the logs from VundoFix, ComboFix and a new HijackThis log in your next reply.
Proud member of ASAP since 2007

#3 TLONG
  • Topic Starter
  • Members
  • 13 posts

Posted 19 July 2007 - 03:25 AM

[Quote of Rosty's post #2 above]

Thanks for the reply. I've run that before and it seemed to get rid of it for a day or so, then it always comes back. I'll try it again and post the logs here in a minute or so. Be right back.

#4 TLONG
  • Topic Starter
  • Members
  • 13 posts

Posted 19 July 2007 - 03:40 AM

I ran VundoFix again and here is the TXT log:

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 4:39:31 PM 7/17/2007

Listing files found while scanning....

C:\windows\system32\cvtkmfiw.dll
C:\WINDOWS\system32\emigtwgi.dll
C:\WINDOWS\system32\fuytpujd.dll
C:\windows\system32\igwtgime.ini
C:\windows\system32\joqxwwgo.ini
C:\windows\system32\ogwwxqoj.dll
C:\WINDOWS\system32\vtuts.dll

Beginning removal...

Attempting to delete C:\windows\system32\cvtkmfiw.dll
C:\windows\system32\cvtkmfiw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\emigtwgi.dll
C:\WINDOWS\system32\emigtwgi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fuytpujd.dll
C:\WINDOWS\system32\fuytpujd.dll Has been deleted!

Attempting to delete C:\windows\system32\igwtgime.ini
C:\windows\system32\igwtgime.ini Has been deleted!

Attempting to delete C:\windows\system32\joqxwwgo.ini
C:\windows\system32\joqxwwgo.ini Has been deleted!

Attempting to delete C:\windows\system32\ogwwxqoj.dll
C:\windows\system32\ogwwxqoj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 12:45:51 AM 7/19/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 1:25:18 AM 7/19/2007

Listing files found while scanning....

C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.dll Has been deleted!

Performing Repairs to the registry.
Done!


After that was run, I ran another HijackThis log. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:24 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f574.mail.yahoo.com/dc/launch?ac...d=0h1u24c8odft7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14F7D04A-A97B-435A-8352-EA5636F54EA1} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\gebcdbc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {98FDCA4F-7741-4F60-B9C0-851E460ABA00} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - (no file)
O2 - BHO: (no name) - {F55E5462-748D-4A68-B39D-D7FF1B9037FB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O20 - Winlogon Notify: gebcdbc - C:\WINDOWS\SYSTEM32\gebcdbc.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8333 bytes

See anything unusual?

#5 Rosty
    Skydive junkie
  • Malware Response Team
  • 1,220 posts

Posted 19 July 2007 - 03:54 AM

Hi TLONG,

It already looks better. And the ComboFix log? Please run this after you have fixed the entries in HijackThis!!!

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste next part:

C:\WINDOWS\SYSTEM32\gebcdbc.dll
C:\WINDOWS\SYSTEM32\winbug32.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.

Download ATF Cleaner.
Do not run it yet, we will shortly.

Next please open HijackThis, click do a scan only and place a check next to the following entries:

O2 - BHO: (no name) - {14F7D04A-A97B-435A-8352-EA5636F54EA1} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\gebcdbc.dll
O2 - BHO: (no name) - {98FDCA4F-7741-4F60-B9C0-851E460ABA00} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - (no file)
O2 - BHO: (no name) - {F55E5462-748D-4A68-B39D-D7FF1B9037FB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O20 - Winlogon Notify: gebcdbc - C:\WINDOWS\SYSTEM32\gebcdbc.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll

Now close all other windows and browsers, except HijackThis, and click "Fix Checked". Close HijackThis.

Now run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please reboot and post the logs from OTMoveIt, ComboFix and a new HijackThis log.
Proud member of ASAP since 2007
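To make the selection in the reply above reproducible, here is an added triage script (not from the thread, and not part of HijackThis, VundoFix or OTMoveIt) that parses the O2 and O20 lines of the second HijackThis log posted in this thread and flags the same seven entries: BHOs registered with no name or with their DLL missing, and Winlogon Notify packages outside a constructed allowlist of the ones that ship with Windows XP. The allowlist is an assumption made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis line shapes handled here (other sections are passed through untouched).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*)$")

# Assumption (constructed allowlist): notification packages that ship with Windows XP.
# Any other Winlogon\Notify package is a DLL that winlogon.exe loads at logon, which is
# why both O20 lines in the thread were selected for removal.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O2/O20 line, or None when it looks benign."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        reasons = []
        name, path = m.group("name"), m.group("path")
        if name == "(no name)":
            reasons.append("BHO registered without a display name")
        if path == "(no file)" or path.endswith("(file missing)"):
            reasons.append("BHO CLSID still registered but its DLL is gone")
        return Finding(line, reasons) if reasons else None
    m = O20_RE.match(line)
    if m:
        pkg = m.group("pkg").lower()
        if pkg not in KNOWN_NOTIFY_PACKAGES:
            return Finding(line, [f"non-standard Winlogon Notify package '{pkg}' loads into winlogon.exe"])
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


# Sample input: the O2/O3/O4/O20 lines of the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14F7D04A-A97B-435A-8352-EA5636F54EA1} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\gebcdbc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {98FDCA4F-7741-4F60-B9C0-851E460ABA00} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - (no file)
O2 - BHO: (no name) - {F55E5462-748D-4A68-B39D-D7FF1B9037FB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: gebcdbc - C:\WINDOWS\SYSTEM32\gebcdbc.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
""".strip().splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

The named BHOs with a present DLL (Acrobat, Java, Norton, HP) pass through untouched, which is the same split the reply above made by hand.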

#6 TLONG
  • Topic Starter
  • Members
  • 13 posts

Posted 19 July 2007 - 04:20 AM

OTMoveIt log was:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\gebcdbc.dll
C:\WINDOWS\SYSTEM32\gebcdbc.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\gebcdbc.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\SYSTEM32\winbug32.dll not found.

Created on 07/19/2007 02:09:30

**I did reboot and I believe the file is gone now, even though it says scheduled to be moved on reboot.


The combofix.exe file you gave me didn't work. It came up with this error message:

404 Not Found
The requested URL '/sUBs/combofix.exe' was not found on this server.

New HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:17 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f574.mail.yahoo.com/dc/launch?ac...d=0h1u24c8odft7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7255 bytes

#7 Rosty (Malware Response Team, 1,220 posts)

Posted 19 July 2007 - 05:11 AM

Hi, try this link for ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Proud member of ASAP since 2007

#8 TLONG (Topic Starter, Members, 13 posts)

Posted 19 July 2007 - 11:09 AM

OK, thanks, that link worked. Here is the log:

"Compaq_Owner" - 2007-07-19 8:53:54 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awtqpnk.dll
C:\WINDOWS\system32\awtqpnk.dll
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.bak2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\stutv.tmp
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\gebcdbc.dll
C:\WINDOWS\system32\gebcdbc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\NQT93WGA\www.broadcaster.com
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\NQT93WGA\www.broadcaster.com\played_list.sol
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\NQT93WGA\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\COMPAQ~1\Desktop.\internet explorer.lnk
C:\DOCUME~1\COMPAQ~1\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\COMPAQ~1\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\COMPAQ~1\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
C:\WINDOWS\system32\_000022_.tmp.dll
C:\WINDOWS\system32\_000023_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll
C:\WINDOWS\system32\_000025_.tmp.dll


((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))


2007-07-19 08:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 00:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-19 00:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-19 00:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-19 00:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-19 00:04 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-19 00:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 16:39 <DIR> d----c--- C:\VundoFix Backups
2007-07-17 14:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-17 13:26 <DIR> d----c--- C:\PFiles
2007-07-16 21:52 2,108 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-16 16:27 <DIR> d----c--- C:\53f0dc1e5e70ee4714caf6c9
2007-07-16 14:47 <DIR> d----c--- C:\23d49cd5c6640ed412ef70a1
2007-07-13 16:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-13 15:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-13 15:52 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-03 13:56 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-07-03 13:56 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-07-03 13:56 <DIR> d-------- C:\Program Files\Garmin GPS Plugin
2007-07-03 11:13 <DIR> d----c--- C:\OtsLabs
2007-07-03 11:08 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-07-03 11:08 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-07-03 11:08 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-07-03 11:08 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-06-30 13:14 <DIR> d----c--- C:\Customize
2007-06-29 18:19 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Snapfish
2007-06-29 17:16 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-29 17:16 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-29 17:16 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-29 17:16 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-29 17:16 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-29 17:15 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-29 17:15 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-29 17:15 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-06-29 17:15 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-29 16:30 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\FotoWire
2007-06-29 16:30 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2007-06-29 16:28 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-06-29 16:27 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-06-29 16:27 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-06-29 16:27 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-06-29 16:27 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-06-29 16:27 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-06-29 16:27 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-06-29 16:27 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-06-29 16:27 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-06-29 16:27 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-06-29 16:27 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-06-29 16:27 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-06-29 16:27 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-06-29 16:27 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-06-29 16:27 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-06-29 16:27 <DIR> d-------- C:\Program Files\Logitech
2007-06-29 16:16 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-06-29 16:16 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-06-29 16:15 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-06-29 16:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-29 16:14 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-06-29 16:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-06-29 16:14 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-06-29 16:14 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-06-29 16:14 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-06-29 16:14 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-06-29 15:01 <DIR> d----c--- C:\temp
2007-06-29 14:57 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Image Zone Express
2007-06-29 12:45 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-29 12:42 <DIR> dr-hsc--- C:\cmdcons
2007-06-29 12:42 <DIR> d-------- C:\WINDOWS\setupupd
2007-06-29 11:40 3,145,728 --a------ C:\DOCUME~1\COMPAQ~1\NTUSER.DAT
2007-06-29 11:40 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\WINDOWS
2007-06-29 11:40 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Symantec
2007-06-29 11:40 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Real
2007-06-29 11:40 <DIR> d----c--- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Intuit
2007-06-29 11:38 262,144 --a------ C:\DOCUME~1\APPLIC~1\NTUSER.DAT
2007-06-29 11:37 <DIR> d----c--- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
2007-06-29 11:36 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-29 11:33 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-29 11:33 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-29 11:15 <DIR> dr-h-c--- C:\MSOCache
2007-06-29 11:11 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2007-06-27 17:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Avant Profiles
2007-06-21 15:22 <DIR> d-------- C:\Program Files\Full Tilt Poker


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 08:42:30 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-19 07:04:45 -------- d-----w C:\Program Files\Lavasoft
2007-07-17 16:55:46 -------- d-----w C:\Program Files\Google
2007-07-16 23:18:10 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-16 16:21:09 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-07-15 05:27:31 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Vso
2007-07-13 23:13:41 -------- d-----w C:\Program Files\Common Files\Real
2007-07-11 21:58:06 -------- d-----w C:\Program Files\Bodog Poker
2007-07-03 18:12:28 -------- d-----w C:\Program Files\coolpro2
2007-07-02 19:17:35 -------- d-----w C:\Program Files\FxFoto
2007-07-01 18:31:01 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\FxFotoDB
2007-06-30 20:11:51 87,608 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\inst.exe
2007-06-30 20:11:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-06-30 20:11:51 47,360 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\pcouffin.sys
2007-06-30 20:11:48 -------- d-----w C:\Program Files\DVDFab Platinum 3
2007-06-30 01:19:20 4,940 -c--a-w C:\WINDOWS\mozver.dat
2007-06-29 23:27:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-29 23:26:18 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-29 23:20:16 112,911 ----a-w C:\WINDOWS\hpoins07.dat
2007-06-29 23:19:34 -------- d-----w C:\Program Files\HP
2007-06-29 21:56:24 -------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2007-06-29 19:37:24 -------- d-----w C:\Program Files\Symantec
2007-06-29 19:37:23 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-06-29 19:37:23 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-06-29 19:37:23 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-29 19:37:23 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-29 18:43:21 1,829 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_EX311AA-ABA SR1911X NA630_YC_0Pres_QCNH629_E63NAheREA2_48_INAGAMI2L_SASUSTek Computer INC._V2.00_B3.11_T060919_WXH2_L409_M447_J200_7AMD_8Athlon 64_92.2_#061019_N_Z14F12F20_G10DE0241.MRK
2007-06-21 21:03:52 -------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-06-14 00:19:57 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Apple Computer
2007-06-09 07:09:18 -------- d-----w C:\Program Files\Free Window Registry Repair
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 07:21:37 -------- d-----w C:\Program Files\Microsoft Bootvis
2007-05-24 23:05:40 -------- d-----w C:\Program Files\SONICblue
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-03-26 08:23:52 87,608 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\ezpinst.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 03:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14F7D04A-A97B-435A-8352-EA5636F54EA1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98FDCA4F-7741-4F60-B9C0-851E460ABA00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
2007-05-23 12:13 140912 --a------ c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-06-19 09:22 217088 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87D64B5-DF92-4703-90CB-B465B6982941}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F55E5462-748D-4A68-B39D-D7FF1B9037FB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 22:34]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-13 16:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 19:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbug32]
winbug32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"Reminder"="C:\Windows\Creator\Remind_XP.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
" "=
"PCDrProfiler"=

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-14 03:00:39 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
2007-07-14 03:00:04 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job
2007-06-29 18:43:14 C:\WINDOWS\tasks\Warranty Reminder 11 month.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 09:00:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-19 9:01:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-19 09:01

--- E O F ---
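
The ComboFix "V Log" in the post above lists pmnli.dll next to ilnmp.ini and ilnmp.bak1, and a cluster of stutv.* data files; later in the thread the mirror of that name, vtuts.dll, turns up in the VundoFix Backups folder. That is a recognisable Vundo/Virtumonde trait of the period: a randomly named DLL accompanied by .ini/.bak/.tmp files whose base name is the DLL name spelled backwards. The script below is an added example, not code from the thread, from ComboFix or from VundoFix, that runs that pairing check over a directory listing. The sample listing is constructed from the file names in the logs on this page plus a few benign names; the .vir and .bad quarantine suffixes are the ones ComboFix and VundoFix are shown using in the thread. Treat a hit as an indicator to investigate, not proof: the names change with every infection and a variant need not follow the pattern at all.

```python
"""Flag Vundo-style reversed-name file pairs in a system32 listing.

Added example; not part of the original thread, ComboFix or VundoFix.
Vundo/Virtumonde variants of this era dropped a randomly named DLL and kept
companion .ini/.bak/.tmp files whose base name is that DLL name reversed
(pmnli.dll <-> ilnmp.ini, vtuts.dll <-> stutv.ini in the logs above).
"""
import os
import re
from collections import defaultdict

QUARANTINE_SUFFIXES = (".vir", ".bad")           # ComboFix / VundoFix renames
COMPANION_EXT = re.compile(r"^\.(?:ini\d*|bak\d*|tmp)$")


def _normalise(name):
    """Lower-case and strip a quarantine suffix: awtqpnk.dll.vir -> awtqpnk.dll."""
    low = name.lower()
    for suffix in QUARANTINE_SUFFIXES:
        if low.endswith(suffix):
            low = low[: -len(suffix)]
    return low


def find_reversed_pairs(filenames):
    """Return sorted (dll_name, [companion names]) tuples.

    A DLL is paired with every .ini/.bak/.tmp file whose stem is the DLL
    stem reversed.  Input is bare file names; matching is case-insensitive.
    """
    dlls = {}                       # stem -> original name
    companions = defaultdict(list)  # stem -> [original names]
    for name in filenames:
        stem, ext = os.path.splitext(_normalise(name))
        if ext == ".dll":
            dlls.setdefault(stem, name)
        elif COMPANION_EXT.match(ext):
            companions[stem].append(name)
    pairs = []
    for stem, dll in dlls.items():
        mirror = stem[::-1]
        if mirror in companions:
            pairs.append((dll, sorted(companions[mirror])))
    return sorted(pairs)


def scan_directory(path):
    """Run the check over a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_reversed_pairs(os.listdir(path))


# Constructed listing: names taken from the ComboFix, VundoFix and Dr.Web
# entries in this thread, plus benign files to show there are no false pairs.
SAMPLE_LISTING = [
    "awtqpnk.dll", "ilnmp.bak1", "ilnmp.ini",
    "stutv.bak1", "stutv.bak2", "stutv.ini", "stutv.ini2", "stutv.tmp",
    "pmnli.dll", "gebcdbc.dll", "vtuts.dll.bad",
    "kernel32.dll", "ntoskrnl.exe", "boot.ini", "win.ini",
]

if __name__ == "__main__":
    for dll, files in find_reversed_pairs(SAMPLE_LISTING):
        print(f"{dll} <-> {', '.join(files)}")
```

Run against the sample it reports pmnli.dll with the two ilnmp.* files and vtuts.dll.bad with the five stutv.* files; awtqpnk.dll and gebcdbc.dll, which were also Vundo components in the log, have no mirror-named companions and are not flagged, which is the limitation of a name-only check.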

#9 Rosty (Malware Response Team, 1,220 posts)

Posted 19 July 2007 - 12:45 PM

Hi TLONG,

Thanks for the logs.

Let's do a final check.

Please download DrWeb-CureIt & save it to your desktop.
Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan" tab and uncheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Also let me know how things are running.

#10 TLONG (Topic Starter, Members, 13 posts)

Posted 19 July 2007 - 04:33 PM

Here is the log:

Setup.exe;C:\Documents and Settings\Compaq_Owner\My Documents\My Music;Trojan.DownLoader.19426;Deleted.;
Process.exe;C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix;Tool.ShutDown.11;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Moved.;
crack.exe;C:\Program Files\Mozilla Firefox;Trojan.MulDrop.7651;Deleted.;
keygen.exe;C:\Program Files\Mozilla Firefox;Trojan.Virtumod;Deleted.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.11;Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
backup-20070719-021339-449.dll;C:\Program Files\Trend Micro\HijackThis\backups;Trojan.Virtumod;Deleted.;
awtqpnk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gebcdbc.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pmnli.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0014700.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP31;Adware.BusMedia.30;Moved.;
A0014701.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP31;Adware.BusMedia.35;Moved.;
A0014703.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP31;Adware.BusMedia.33;Moved.;
A0014743.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP32;Tool.Prockill;Moved.;
A0014750.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP32;Trojan.Virtumod;Deleted.;
A0014751.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP32;Trojan.Virtumod;Deleted.;
A0014752.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP32;Trojan.Virtumod;Deleted.;
A0015008.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP34;Trojan.Virtumod;Deleted.;
A0015009.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP34;Trojan.Virtumod;Deleted.;
A0015012.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP34;Trojan.Virtumod;Deleted.;
A0015023.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP34;Trojan.Virtumod;Deleted.;
A0015067.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Virtumod;Deleted.;
A0015070.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Virtumod;Deleted.;
A0015071.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Virtumod;Deleted.;
A0015145.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.MulDrop.7651;Deleted.;
A0015146.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Virtumod;Deleted.;
A0015147.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Click.2093;Deleted.;
A0015148.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP35;Trojan.Virtumod;Deleted.;
ddayv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
gebyy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vtuts.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;

The computer is running much better. The only thing happening is an error message while restarting or shutting down. It's the Caaap error. I think it's with Norton checking the A drive. Not sure how to fix that
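
The Dr.Web CureIt report above is a plain semicolon-separated list, one hit per line in the shape file;directory;detection;action; (with a trailing semicolon). Most of the Trojan.Virtumod hits sit under System Volume Information, the ComboFix QooBox quarantine, the VundoFix Backups folder or the HijackThis backups: stored copies rather than running code, which is exactly why the helper's next reply asks for System Restore to be flushed, since a restore would bring them back. The script below is an added example, not Dr.Web's code and not from the thread, that parses such a report and splits hits into live locations and inert ones, and separates the Tool.* riskware class (here SmitfraudFix's own Process.exe/restart.exe and an HP utility) for a human look rather than an alarm. The eight sample lines are copied from the report above and labelled as a constructed sample; the marker list of inert directories is an assumption drawn from the paths on this page.

```python
"""Summarise a Dr.Web CureIt report such as the one posted above.

Added example; not Dr.Web's code nor anything from the original thread.
Report lines have the shape  file;directory;detection;action;  (trailing
semicolon).  Hits inside restore points and tool backup/quarantine folders
are dormant copies, so they are reported separately from live locations.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    file: str
    directory: str
    threat: str
    action: str

    @property
    def path(self):
        return self.directory.rstrip("\\") + "\\" + self.file

    @property
    def family(self):
        # 'Adware.BusMedia.30' -> 'Adware.BusMedia'; 'Tool.Prockill' unchanged
        return ".".join(self.threat.split(".")[:2])


def parse_drweb_report(text):
    """Parse report text into Detection objects; blank or short lines are skipped."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue  # not a report line
        file, directory, threat, action = (f.strip() for f in fields[:4])
        detections.append(Detection(file, directory, threat, action.rstrip(".")))
    return detections


# Directory fragments where a hit is a stored copy rather than an active file.
# Assumed list, built from the paths seen in this thread.
INERT_MARKERS = (
    "\\system volume information\\",  # XP System Restore points
    "\\qoobox\\quarantine\\",          # ComboFix quarantine
    "\\vundofix backups",              # VundoFix backups
    "\\hijackthis\\backups",           # HijackThis backups
)


def is_inert(det):
    low = det.path.lower()
    return any(marker in low for marker in INERT_MARKERS)


def summarize(detections):
    """Counts by action and family, plus live/inert paths and Tool.* review list."""
    return {
        "by_action": dict(Counter(d.action for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        "live": [d.path for d in detections if not is_inert(d)],
        "inert": [d.path for d in detections if is_inert(d)],
        # Tool.* is a riskware class (process killers, shutdown helpers);
        # in the report above these are SmitfraudFix helpers and an HP tool.
        "review": [d.path for d in detections if d.family.startswith("Tool.")],
    }


# Constructed sample: eight lines copied from the report posted above.
SAMPLE_REPORT = r"""
Setup.exe;C:\Documents and Settings\Compaq_Owner\My Documents\My Music;Trojan.DownLoader.19426;Deleted.;
Process.exe;C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix;Tool.Prockill;Moved.;
keygen.exe;C:\Program Files\Mozilla Firefox;Trojan.Virtumod;Deleted.;
awtqpnk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0014700.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP31;Adware.BusMedia.30;Moved.;
A0014750.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP32;Trojan.Virtumod;Deleted.;
ddayv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;
"""

if __name__ == "__main__":
    report = summarize(parse_drweb_report(SAMPLE_REPORT))
    print("by action:", report["by_action"])
    print("by family:", report["by_family"])
    print("live hits:", len(report["live"]), "| inert copies:", len(report["inert"]))
    for p in report["review"]:
        print("review (riskware tool):", p)
```

To use it on a real run, read DrWeb.csv from the desktop into a string and pass it to parse_drweb_report; the "live" list is what still needs attention, the "inert" list is what flushing System Restore and deleting the tool folders takes care of.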

#11 Rosty (Malware Response Team, 1,220 posts)

Posted 20 July 2007 - 02:11 AM

Hi TLONG,

The computer is running much better. The only thing happening is an error message while restarting or shutting down. It's the Caaap error. I think it's with Norton checking the A drive. Not sure how to fix that

I also don't know how to fix that! But I'll do some research for you and let you know.

Your log looks clean.
How are things running?

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide.

Let's clear out the programmes we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Double click OTMoveIt.exe to launch the programme.

Click on the CleanUp! button.

OTMoveIt will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.

You will be prompted to allow the clean up procedure, click Yes

When finished exit out of OTMoveIt

Now delete OTMoveIt.exe


I also recommend that you remove the folder C:\_OTMoveIt

EDIT: fixed a tag!

Edited by Rosty, 20 July 2007 - 02:12 AM.


#12 TLONG (Topic Starter, Members, 13 posts)

Posted 20 July 2007 - 11:50 AM

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point.

How do I do this?

#13 Rosty (Malware Response Team, 1,220 posts)

Posted 20 July 2007 - 04:09 PM

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point.

How do I do this?


You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide. <-- look here for more info.
