
Downloader Trojan & Trojan.vundo


11 replies to this topic

#1 paders

paders

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 02 November 2007 - 06:57 AM

Hi, I'm having problems with 2 viruses, or maybe even more. Anyway, Norton keeps popping up saying that I have a Downloader Trojan and a Trojan.Vundo and that it has either resolved the issue or deleted it, but after a while the same message pops up. Other problems I am having include pop-ups and slow internet speed. I have used Norton, AVG, Ad-Aware and Spybot to try to remove them, but they still seem to come back. I would be very grateful if someone could help me.

Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:57, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=nav...ADBF_en-GBGB244
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dc6ee600] rundll32.exe "C:\WINDOWS\system32\ehrsnxis.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\mlmqoalv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192359767453
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0077C7E.dat
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8038 bytes


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:41 PM

Posted 02 November 2007 - 07:05 AM

Hi, welcome to Bleeping Computer Forums!

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 paders

paders
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 02 November 2007 - 08:30 AM

Thanks, I look forward to your reply.

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:41 PM

Posted 02 November 2007 - 09:37 AM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
Regards

#5 paders

paders
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 03 November 2007 - 07:34 AM

Here's the ComboFix log:

ComboFix 07-11-01.1 - James 2007-11-03 12:23:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1455 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\James\Desktop\internet.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\dlwepmva.dll
C:\WINDOWS\system32\fdpfniru.dll
C:\WINDOWS\system32\ganepjdq.dll
C:\WINDOWS\system32\imyolfyt.dll
C:\WINDOWS\system32\lsliqaiy.dll
C:\WINDOWS\system32\nbmsqktp.dll
C:\WINDOWS\system32\opxgjnmt.dll
C:\WINDOWS\system32\orilwehe.dll
C:\WINDOWS\system32\qdjpenag.ini
C:\WINDOWS\system32\vmikjqqj.dll
C:\WINDOWS\system32\vrbpdqny.dll
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\wyadd.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 12:24 340,032 --a------ C:\WINDOWS\system32\svkjqsho.dll
2007-11-03 12:23 340,032 --a------ C:\WINDOWS\system32\hfrstrpu.dll
2007-11-03 12:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 17:24 86,080 --a------ C:\WINDOWS\system32\lemoamuj.dll
2007-11-02 17:18 82,496 --a------ C:\WINDOWS\system32\cjvqjugr.dll
2007-11-02 12:06 <DIR> d-------- C:\Program Files\Java
2007-11-02 12:03 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-02 11:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 23:20 2,612 --a------ C:\WINDOWS\system32\cuhsbmge.dll
2007-11-01 20:54 <DIR> d-------- C:\VundoFix Backups
2007-10-31 23:16 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-31 23:16 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-10-31 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-30 23:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 15:35 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 21:17 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-26 21:17 <DIR> d-------- C:\Program Files\Veoh Networks
2007-10-22 12:49 <DIR> d-------- C:\Program Files\PowerISO
2007-10-21 13:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-21 13:58 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-21 13:57 58,288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys
2007-10-20 11:17 <DIR> d-------- C:\Program Files\Disc2Phone
2007-10-20 11:11 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Shared
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Incomplete
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\LimeWire
2007-10-18 18:33 <DIR> d-------- C:\Program Files\LimeWire
2007-10-18 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-18 17:11 <DIR> d-------- C:\Program Files\MagicISO
2007-10-15 22:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-15 22:25 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-15 22:25 3,424 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Real
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-15 22:20 <DIR> d-------- C:\My Downloads
2007-10-15 22:13 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:40 <DIR> d-------- C:\Program Files\WinISO
2007-10-15 11:08 <DIR> d-------- C:\Program Files\Autodesk
2007-10-15 10:48 <DIR> d-------- C:\FLEXLM
2007-10-15 10:38 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
2007-10-15 10:38 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-10-15 10:38 <DIR> d-------- C:\Documents and Settings\James\WINDOWS
2007-10-15 10:38 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2007-10-15 10:38 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2007-10-15 10:38 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-15 10:38 20,032 -ra------ C:\WINDOWS\system32\drivers\SNTNLUSB.SYS
2007-10-15 10:38 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2007-10-15 10:38 7,328 --a------ C:\WINDOWS\system32\drivers\ds1410d.sys
2007-10-15 10:38 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-10-15 10:38 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-10-15 10:37 <DIR> d-------- C:\Program Files\Alias
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-10-15 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-14 21:00 <DIR> d-------- C:\Program Files\CDBurnerXP Pro 3
2007-10-14 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 20:59 <DIR> d-------- C:\Documents and Settings\James\Application Data\Lavasoft
2007-10-14 19:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-14 15:14 <DIR> d-------- C:\Program Files\Fusion
2007-10-14 15:14 685,056 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-10-14 15:00 <DIR> d-------- C:\Program Files\Folder Lock
2007-10-14 13:29 <DIR> d-------- C:\Program Files\Valve
2007-10-14 13:17 <DIR> d-------- C:\Documents and Settings\James\Application Data\vlc
2007-10-14 13:16 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-14 13:15 <DIR> d-------- C:\Program Files\FileStream
2007-10-14 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-10-14 12:49 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent DNA
2007-10-14 12:34 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-10-14 12:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 12:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-14 12:20 <DIR> d-------- C:\NVIDIA
2007-10-14 11:57 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-13 17:57 <DIR> d-------- C:\Program Files\PKR
2007-10-13 17:02 <DIR> d-------- C:\Documents and Settings\James\Contacts
2007-10-13 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-13 17:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-13 16:49 <DIR> d-------- C:\Program Files\Google
2007-10-13 16:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\Symantec
2007-10-13 15:58 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-13 15:58 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-13 15:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-13 15:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-13 14:20 <DIR> d--hs---- C:\Documents and Settings\James\UserData
2007-10-13 14:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:01 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 12:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-13 17:00 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-13 17:00 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-13 17:00 --------- d-----w C:\Program Files\Symantec
2007-10-13 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-13 13:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 13:54 --------- d-----w C:\Program Files\ASUS
2007-10-13 13:51 --------- d-----w C:\Program Files\Marvell
2007-10-13 13:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-13 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek AC97
2007-10-13 13:32 --------- d-----w C:\Program Files\AvRack
2007-10-13 13:31 --------- d-----w C:\Program Files\AMD
2007-10-13 13:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 00:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 00:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 00:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 00:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 00:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 00:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 00:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 00:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 00:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 00:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 00:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 00:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 00:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-27 16:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-27 16:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 17:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 17:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 17:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 17:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 17:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 17:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 17:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 17:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 17:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5047b70f-071d-4352-a493-011ca41ed7b1}]
2007-11-02 17:18 82496 --a------ C:\WINDOWS\system32\cjvqjugr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-03 12:24 340032 --a------ C:\WINDOWS\system32\svkjqsho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\svkjqsho.dll [2007-11-03 12:24 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 10:39 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 13:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"dc6ee600"="C:\WINDOWS\system32\lemoamuj.dll" [2007-11-02 17:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-14 12:48]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 00:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\svkjqsho]
svkjqsho.dll 2007-11-03 12:24 340032 C:\WINDOWS\system32\svkjqsho.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 19:50:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - James.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 12:27:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 12:28:16 - machine was rebooted
.
--- E O F ---

And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:56, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=nav...ADBF_en-GBGB244
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1b7de14a-c110-394a-2534-d170f07b7405} - {5047b70f-071d-4352-a493-011ca41ed7b1} - C:\WINDOWS\system32\cjvqjugr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\svkjqsho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\svkjqsho.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dc6ee600] rundll32.exe "C:\WINDOWS\system32\lemoamuj.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192359767453
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O20 - Winlogon Notify: svkjqsho - C:\WINDOWS\SYSTEM32\svkjqsho.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9396 bytes

#6 paders

paders
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 03 November 2007 - 07:53 AM

Hi, I think that got rid of the downloader virus, but the Trojan.Vundo is definitely still there. Plus, now I seem to be getting balloon messages at the bottom of my screen and pop-ups trying to get me to download spyware software. I'll post an image of my desktop so that you can see for yourself.

Attached file: clip_image002.jpg (40.07 KB)

Edited by paders, 03 November 2007 - 07:56 AM.


#7 paders

paders
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 05 November 2007 - 06:43 AM

Hi, I think I've got rid of all of the viruses. The problem I had before, when I last ran ComboFix, was that I was still connected to the internet when I disabled all of my security programs.

Here are some updated logs. Please say if there are still any viruses lurking in there.

Combofix Log

ComboFix 07-11-01.1 - James 2007-11-03 16:29:04.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1777 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 12:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 17:24 86,080 --a------ C:\WINDOWS\system32\lemoamuj.dll
2007-11-02 17:18 82,496 --a------ C:\WINDOWS\system32\cjvqjugr.dll
2007-11-02 12:06 <DIR> d-------- C:\Program Files\Java
2007-11-02 12:03 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-02 11:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 23:20 2,612 --a------ C:\WINDOWS\system32\cuhsbmge.dll
2007-11-01 20:54 <DIR> d-------- C:\VundoFix Backups
2007-10-31 23:16 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-31 23:16 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-10-31 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-30 23:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 15:35 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 21:17 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-26 21:17 <DIR> d-------- C:\Program Files\Veoh Networks
2007-10-22 12:49 <DIR> d-------- C:\Program Files\PowerISO
2007-10-21 13:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-21 13:58 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-21 13:57 58,288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys
2007-10-20 11:17 <DIR> d-------- C:\Program Files\Disc2Phone
2007-10-20 11:11 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Shared
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Incomplete
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\LimeWire
2007-10-18 18:33 <DIR> d-------- C:\Program Files\LimeWire
2007-10-18 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-18 17:11 <DIR> d-------- C:\Program Files\MagicISO
2007-10-15 22:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-15 22:25 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-15 22:25 3,424 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Real
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-15 22:20 <DIR> d-------- C:\My Downloads
2007-10-15 22:13 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:40 <DIR> d-------- C:\Program Files\WinISO
2007-10-15 11:08 <DIR> d-------- C:\Program Files\Autodesk
2007-10-15 10:48 <DIR> d-------- C:\FLEXLM
2007-10-15 10:38 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
2007-10-15 10:38 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-10-15 10:38 <DIR> d-------- C:\Documents and Settings\James\WINDOWS
2007-10-15 10:38 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2007-10-15 10:38 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2007-10-15 10:38 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-15 10:38 20,032 -ra------ C:\WINDOWS\system32\drivers\SNTNLUSB.SYS
2007-10-15 10:38 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2007-10-15 10:38 7,328 --a------ C:\WINDOWS\system32\drivers\ds1410d.sys
2007-10-15 10:38 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-10-15 10:38 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-10-15 10:37 <DIR> d-------- C:\Program Files\Alias
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-10-15 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-14 21:00 <DIR> d-------- C:\Program Files\CDBurnerXP Pro 3
2007-10-14 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 20:59 <DIR> d-------- C:\Documents and Settings\James\Application Data\Lavasoft
2007-10-14 19:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-14 15:14 <DIR> d-------- C:\Program Files\Fusion
2007-10-14 15:14 685,056 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-10-14 15:00 <DIR> d-------- C:\Program Files\Folder Lock
2007-10-14 13:29 <DIR> d-------- C:\Program Files\Valve
2007-10-14 13:17 <DIR> d-------- C:\Documents and Settings\James\Application Data\vlc
2007-10-14 13:16 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-14 13:15 <DIR> d-------- C:\Program Files\FileStream
2007-10-14 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-10-14 12:49 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent DNA
2007-10-14 12:34 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-10-14 12:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 12:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-14 12:20 <DIR> d-------- C:\NVIDIA
2007-10-14 11:57 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-13 17:57 <DIR> d-------- C:\Program Files\PKR
2007-10-13 17:02 <DIR> d-------- C:\Documents and Settings\James\Contacts
2007-10-13 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-13 17:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-13 16:49 <DIR> d-------- C:\Program Files\Google
2007-10-13 16:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\Symantec
2007-10-13 15:58 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-13 15:58 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-13 15:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-13 15:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-13 14:20 <DIR> d--hs---- C:\Documents and Settings\James\UserData
2007-10-13 14:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:01 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 12:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-13 17:00 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-13 17:00 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-13 17:00 --------- d-----w C:\Program Files\Symantec
2007-10-13 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-13 13:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 13:54 --------- d-----w C:\Program Files\ASUS
2007-10-13 13:51 --------- d-----w C:\Program Files\Marvell
2007-10-13 13:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-13 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek AC97
2007-10-13 13:32 --------- d-----w C:\Program Files\AvRack
2007-10-13 13:31 --------- d-----w C:\Program Files\AMD
2007-10-13 13:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 00:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 00:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 00:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 00:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 00:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 00:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 00:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 00:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 00:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 00:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 00:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 00:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 00:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-27 16:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-27 16:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 17:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 17:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 17:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 17:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 17:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 17:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 17:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 17:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 17:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5047b70f-071d-4352-a493-011ca41ed7b1}]
2007-11-02 17:18 82496 --a------ C:\WINDOWS\system32\cjvqjugr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 10:39 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 13:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"dc6ee600"="C:\WINDOWS\system32\lemoamuj.dll" [2007-11-02 17:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-14 12:48]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 00:29]


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 19:50:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - James.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 16:30:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 16:30:55
C:\ComboFix2.txt ... 2007-11-03 12:28
.
--- E O F ---

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:05, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=nav...ADBF_en-GBGB244
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1b7de14a-c110-394a-2534-d170f07b7405} - {5047b70f-071d-4352-a493-011ca41ed7b1} - C:\WINDOWS\system32\cjvqjugr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dc6ee600] rundll32.exe "C:\WINDOWS\system32\lemoamuj.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192359767453
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/James/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9278 bytes

#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:41 PM

Posted 05 November 2007 - 11:00 AM

Hello paders,
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below, if still present:

O2 - BHO: {1b7de14a-c110-394a-2534-d170f07b7405} - {5047b70f-071d-4352-a493-011ca41ed7b1} - C:\WINDOWS\system32\cjvqjugr.dll
O4 - HKLM\..\Run: [dc6ee600] rundll32.exe "C:\WINDOWS\system32\lemoamuj.dll",b
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/James/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

Click on the Fix checked button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



2. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
Now copy/paste the entire content of the code box below into the Notepad window:

http://www.bleepingcomputer.com/forums/ind...st&p=654218
Collect::
C:\WINDOWS\system32\lemoamuj.dll
C:\WINDOWS\system32\cjvqjugr.dll
C:\WINDOWS\system32\cuhsbmge.dll
C:/DOCUME~1/James/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • Upon reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box. Do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
3. Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


4. Please go here to run an online scanner from ESET:
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems

5. In your next reply, please post:
  • New HijackThis log.
  • Combofix log.
  • SmitfraudFix log.
  • EsetOnlineScanner results.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
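The three entries lusitano singled out share the traits that made Vundo easy to spot by eye in a HijackThis log: an 8-letter random DLL name in system32, a BHO registered under a bare CLSID with no product name, a Run value named with 8 hex digits that loads the DLL through rundll32, and a Winlogon Notify hook (the earlier log's svkjqsho.dll) that shows up under more than one hook type. The script below is an added example, not a tool from this thread or from the HijackThis project: it parses O2/O3/O4/O20 lines and scores each referenced DLL on those signals. The scoring weights and the threshold are the author's assumptions, and the sample log is constructed from lines excerpted from the logs posted above, with legitimate neighbours kept in so the heuristics are exercised against good entries too.

```python
import re
from collections import defaultdict

# Constructed sample: entries excerpted from the HijackThis logs in this thread,
# mixed with legitimate entries from the same logs.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1b7de14a-c110-394a-2534-d170f07b7405} - {5047b70f-071d-4352-a493-011ca41ed7b1} - C:\WINDOWS\system32\cjvqjugr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\svkjqsho.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dc6ee600] rundll32.exe "C:\WINDOWS\system32\lemoamuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: svkjqsho - C:\WINDOWS\SYSTEM32\svkjqsho.dll
"""

HOOK_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.+)$")
COM_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
DLL_IN_CMD_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
HEX8_RE = re.compile(r"^[0-9a-f]{8}$")        # Run value names like "dc6ee600"
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")    # file stems like "svkjqsho"


def norm(path):
    """Case-fold and unquote a path so the same DLL keys one record."""
    return path.strip().strip('"').lower()


def parse_hooks(text):
    """Yield (hook kind, normalised DLL path, evidence) for O2/O3/O4/O20 lines."""
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind in ("O2", "O3"):
            c = COM_RE.match(body)
            if c:
                yield kind, norm(c["path"]), {"name": c["name"]}
        elif kind == "O4":
            r = RUN_RE.match(body)
            d = r and DLL_IN_CMD_RE.search(r["cmd"])
            if r and d:                       # only Run values that load a DLL
                yield kind, norm(d["path"]), {"name": r["name"], "cmd": r["cmd"]}
        elif kind == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                yield kind, norm(n["path"]), {"key": n["key"]}


def score_hooks(hooks):
    """Accumulate a heuristic score per DLL (weights are this example's assumptions)."""
    per_dll = defaultdict(lambda: {"score": 0, "reasons": [], "kinds": set()})
    for kind, path, ev in hooks:
        rec = per_dll[path]
        rec["kinds"].add(kind)
        if kind == "O2" and GUID_RE.match(ev["name"]):
            rec["score"] += 2
            rec["reasons"].append("BHO registered under a bare CLSID instead of a product name")
        if kind == "O4" and HEX8_RE.match(ev["name"]) and ev["cmd"].lower().startswith("rundll32"):
            rec["score"] += 2
            rec["reasons"].append(f"Run value '{ev['name']}' is 8 hex digits and loads the DLL via rundll32")
        if kind == "O20":
            rec["score"] += 1
            rec["reasons"].append(f"Winlogon Notify hook '{ev['key']}' (loaded into winlogon.exe at every logon)")
    for path, rec in per_dll.items():
        directory, _, filename = path.rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if directory.endswith("\\system32") and ext == "dll" and RANDOM_STEM_RE.match(stem):
            rec["score"] += 1
            rec["reasons"].append("8 random lowercase letters as a DLL name in system32")
        extra = len(rec["kinds"]) - 1
        if extra:                             # one DLL wired into several hook types
            rec["score"] += extra
            rec["reasons"].append(f"same DLL referenced by hook types {sorted(rec['kinds'])}")
    return per_dll


def triage(text, threshold=2):
    """Return only the DLL records whose score reaches the (assumed) threshold."""
    return {p: r for p, r in score_hooks(parse_hooks(text)).items() if r["score"] >= threshold}


if __name__ == "__main__":
    for path, rec in sorted(triage(SAMPLE_LOG).items()):
        print(f"{rec['score']}  {path}")
        for reason in rec["reasons"]:
            print(f"      - {reason}")
```

Run against the sample, the three DLLs lusitano targeted (cjvqjugr.dll, lemoamuj.dll and svkjqsho.dll) each score 3, while googletoolbar1.dll, which is also referenced by two hook types, scores only 1 and stays below the threshold. The 8-letter-stem signal is deliberately worth a single point because legitimate system32 files such as vbscript.dll match it too; it only tips a verdict when combined with an anonymous BHO, a rundll32 loader or a Winlogon hook.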

#9 paders

paders
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 06 November 2007 - 03:37 PM

Hi lusitano, here are the logs.

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:43, on 06/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=nav...ADBF_en-GBGB244
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192359767453
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9183 bytes


Here's the ComboFix log

ComboFix 07-11-01.1 - James 2007-11-05 23:08:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1486 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cjvqjugr.dll
C:\WINDOWS\system32\cuhsbmge.dll
C:\WINDOWS\system32\lemoamuj.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-04 23:27 <DIR> d-------- C:\Program Files\Veoh Networks
2007-11-04 14:43 <DIR> d-------- C:\Documents and Settings\James\Application Data\dvdcss
2007-11-03 12:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 12:06 <DIR> d-------- C:\Program Files\Java
2007-11-02 12:03 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-02 11:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 20:54 <DIR> d-------- C:\VundoFix Backups
2007-10-31 23:16 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-31 23:16 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-10-31 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-30 23:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 15:35 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 21:17 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-22 12:49 <DIR> d-------- C:\Program Files\PowerISO
2007-10-21 13:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-21 13:58 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-21 13:57 58,288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys
2007-10-21 13:57 5,808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys
2007-10-20 11:17 <DIR> d-------- C:\Program Files\Disc2Phone
2007-10-20 11:11 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Shared
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Incomplete
2007-10-18 18:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\LimeWire
2007-10-18 18:33 <DIR> d-------- C:\Program Files\LimeWire
2007-10-18 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-18 17:11 <DIR> d-------- C:\Program Files\MagicISO
2007-10-15 22:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-15 22:25 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-15 22:25 3,424 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Real
2007-10-15 22:24 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-15 22:20 <DIR> d-------- C:\My Downloads
2007-10-15 22:13 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:40 <DIR> d-------- C:\Program Files\WinISO
2007-10-15 11:08 <DIR> d-------- C:\Program Files\Autodesk
2007-10-15 10:48 <DIR> d-------- C:\FLEXLM
2007-10-15 10:38 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
2007-10-15 10:38 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-10-15 10:38 <DIR> d-------- C:\Documents and Settings\James\WINDOWS
2007-10-15 10:38 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2007-10-15 10:38 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2007-10-15 10:38 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-15 10:38 20,032 -ra------ C:\WINDOWS\system32\drivers\SNTNLUSB.SYS
2007-10-15 10:38 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2007-10-15 10:38 7,328 --a------ C:\WINDOWS\system32\drivers\ds1410d.sys
2007-10-15 10:38 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-10-15 10:38 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-10-15 10:37 <DIR> d-------- C:\Program Files\Alias
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-15 10:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-10-15 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-14 21:00 <DIR> d-------- C:\Program Files\CDBurnerXP Pro 3
2007-10-14 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 20:59 <DIR> d-------- C:\Documents and Settings\James\Application Data\Lavasoft
2007-10-14 19:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-14 15:14 <DIR> d-------- C:\Program Files\Fusion
2007-10-14 15:14 685,056 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-10-14 15:00 <DIR> d-------- C:\Program Files\Folder Lock
2007-10-14 13:29 <DIR> d-------- C:\Program Files\Valve
2007-10-14 13:17 <DIR> d-------- C:\Documents and Settings\James\Application Data\vlc
2007-10-14 13:16 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-14 13:15 <DIR> d-------- C:\Program Files\FileStream
2007-10-14 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-10-14 12:49 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-10-14 12:48 <DIR> d-------- C:\Program Files\BitTorrent
2007-10-14 12:48 <DIR> d-------- C:\Documents and Settings\James\Application Data\BitTorrent DNA
2007-10-14 12:34 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-10-14 12:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 12:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-14 12:20 <DIR> d-------- C:\NVIDIA
2007-10-14 11:57 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-14 11:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-14 11:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-13 17:57 <DIR> d-------- C:\Program Files\PKR
2007-10-13 17:02 <DIR> d-------- C:\Documents and Settings\James\Contacts
2007-10-13 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-13 17:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-13 16:49 <DIR> d-------- C:\Program Files\Google
2007-10-13 16:37 <DIR> d-------- C:\Documents and Settings\James\Application Data\Symantec
2007-10-13 15:58 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-13 15:58 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-13 15:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-13 15:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-13 14:20 <DIR> d--hs---- C:\Documents and Settings\James\UserData
2007-10-13 14:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:01 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 22:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-03 23:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-13 17:00 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-13 17:00 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-13 17:00 --------- d-----w C:\Program Files\Symantec
2007-10-13 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-13 13:54 --------- d-----w C:\Program Files\ASUS
2007-10-13 13:51 --------- d-----w C:\Program Files\Marvell
2007-10-13 13:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-13 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-10-13 13:32 --------- d-----w C:\Program Files\Realtek AC97
2007-10-13 13:32 --------- d-----w C:\Program Files\AvRack
2007-10-13 13:31 --------- d-----w C:\Program Files\AMD
2007-10-13 13:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 00:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 00:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 00:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 00:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 00:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 00:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 00:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 00:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 00:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 00:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 00:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 00:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 00:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-27 16:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-27 16:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 17:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 17:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 17:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 17:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 17:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 17:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 17:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 17:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 17:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 10:39 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 13:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-14 12:48]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-01 13:22]


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 19:50:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - James.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 23:11:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 23:12:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 16:30
C:\ComboFix3.txt ... 2007-11-03 12:28
.
--- E O F ---


Here's the SmitfraudFix log

SmitFraudFix v2.250

Scan done at 23:16:48.46, 05/11/2007
Run from C:\Documents and Settings\James\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\James


C:\Documents and Settings\James\Application Data


Start Menu


C:\DOCUME~1\James\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C80158F3-E66C-489E-B6D8-66D97D81436C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C80158F3-E66C-489E-B6D8-66D97D81436C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End


And here are the EsetOnlineScanner results

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2639 (20071105)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a01f3c1db0075f40a11d0577f310dbd7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-06 12:32:01
# local_time=2007-11-06 12:32:01 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=168193
# found=2
# scan_time=4144
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 7D41C88363BCFD113DEF218A092C06AB
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 3F3E5593CABBB48ADAADF429038EB0E2

#10 lusitano

Posted 07 November 2007 - 11:17 AM

Good job, your logs are clean :thumbsup:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

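The Internet-zone hardening steps in the post above, as an added PowerShell audit that is not part of the original post: it reads each of the six settings from the Internet zone (zone 3) registry key, compares it with the value recommended above, and writes the recommended value only when -Apply is given. The value IDs (1001, 1004, 1201, 1800, 1804, 1607) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are Internet Explorer's own; the function name Test-IeInternetZone is mine.

```powershell
# Added example (not from the original post): audit, and optionally apply,
# the Internet-zone settings recommended above.
# Zone 3 is the Internet zone. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> setting description and recommended value, in the post's order.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    # Hypothetical helper name. Without -Apply it only reports.
    param([switch]$Apply)

    $current = Get-ItemProperty -Path $ZonePath
    foreach ($id in $Recommended.Keys) {
        $entry = $Recommended[$id]
        $prop  = $current.PSObject.Properties[$id]
        # A missing value means IE is using its built-in default for the zone.
        $have = if ($prop) { [int]$prop.Value } else { $null }
        $haveLabel = if ($null -eq $have) { '(not set)' }
                     elseif ($Labels.ContainsKey($have)) { $Labels[$have] }
                     else { "raw $have" }
        $ok = ($have -eq $entry.Want)

        [pscustomobject]@{
            Id          = $id
            Setting     = $entry.Name
            Current     = $haveLabel
            Recommended = $Labels[$entry.Want]
            Compliant   = $ok
        }

        if (-not $ok -and $Apply) {
            # DWORD write; new IE windows pick the value up, existing ones may not.
            Set-ItemProperty -Path $ZonePath -Name $id -Value $entry.Want -Type DWord
        }
    }
}

# Report only:
Test-IeInternetZone | Format-Table -AutoSize
# Apply the recommended values and re-check:
# Test-IeInternetZone -Apply | Format-Table -AutoSize
```

On a machine where zone settings are enforced by policy (the Security_HKLM_only policy), the effective values live under HKLM rather than HKCU and this per-user audit will not reflect them.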

#11 paders

Posted 07 November 2007 - 12:58 PM

:thumbsup: Thanx for all your help lusitano I really appreciate it.

#12 lusitano

Posted 07 November 2007 - 02:08 PM

You are very welcome.

Glad I was able to help. :thumbsup:
