
Had Virtumonde On And Off


This topic is locked.
7 replies to this topic

#1 Faix87 (Members, 4 posts)

Posted 05 July 2008 - 12:58 AM

I have had Virtumonde, no doubt. I used Spybot, Ad-Aware and Symantec AntiVirus to remove it. It would randomly show up in scans within a few days, but I haven't seen it in the past few days. But now I can hardly use the internet. A lot of random websites won't load for me; clicking links to them will simply give me an error message "Windows Explorer needs to be restarted" and it does so. If it happens once it will happen from then on with that specific link. I'd say about 40% of links/sites do this (even some Google search terms will give me this error instead of returning the results) and 60% are fine. I am on Vista, btw...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53, on 2008-07-05
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {049EE910-637A-4E78-BF77-BE5A2868FEDB} - C:\Windows\system32\khFvSmmJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM757dc37f] Rundll32.exe "C:\Windows\system32\utonptnv.dll",s
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: yfplxlyu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7640 bytes
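The HijackThis log above carries the classic Vundo pattern: two unnamed O2 BHOs pointing at eight-letter DLLs in system32 that are already gone, an O4 Run entry that loads a similar DLL through rundll32, and a non-empty O20 AppInit_DLLs value. The script below is an added example, not code from this thread or from HijackThis itself; it pulls those indicators out of a log mechanically. The sample lines are copied from the posted log, and the "eight alphabetic characters, at most two vowels" naming heuristic is an assumption, not a documented rule.

```python
"""Triage HijackThis O2/O4/O20 lines for Vundo-style persistence.

Added example for this thread; it is not HijackThis code and not a tool the
helpers here used. The sample lines are copied from the log posted above; the
"random-looking name" heuristic is an assumption, not a documented rule.
"""
import re
from typing import List, Tuple

# Constructed sample: six lines taken from the first HijackThis log in the thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {049EE910-637A-4E78-BF77-BE5A2868FEDB} - C:\Windows\system32\khFvSmmJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM757dc37f] Rundll32.exe "C:\Windows\system32\utonptnv.dll",s
O20 - AppInit_DLLs: yfplxlyu.dll
"""

VOWELS = set("aeiou")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)', re.I)


def random_looking(stem: str) -> bool:
    """Assumed heuristic: the Vundo droppers in this thread use 8-letter,
    purely alphabetic file names with at most two vowels (khFvSmmJ, utonptnv,
    yfplxlyu). Legitimate Windows names are usually longer or more vowel-rich,
    but a few (e.g. msconfig) also match, so treat a hit as a lead, not a verdict."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem.lower()) <= 2


def dll_stem(path: str) -> str:
    """'C:\\Windows\\system32\\khFvSmmJ.dll' -> 'khFvSmmJ'."""
    name = path.strip().replace("\\", "/").rsplit("/", 1)[-1]
    return name.split(".", 1)[0]


def triage_line(line: str) -> List[str]:
    """Return the reasons a single HijackThis line deserves attention."""
    reasons: List[str] = []
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return reasons
    kind, body = m.groups()

    if kind == "O2":  # Browser Helper Object: <name> - {CLSID} - <dll path>
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            reasons.append("BHO DLL is gone but its CLSID registration survived")
        path = body.split(" - ")[-1].replace("(file missing)", "")
        if random_looking(dll_stem(path)):
            reasons.append(f"BHO DLL name looks generated: {dll_stem(path)}")

    elif kind == "O4":  # Run key entry
        rm = RUNDLL_RE.search(body)
        if rm and random_looking(dll_stem(rm.group(1))):
            reasons.append(f"Run entry loads a generated-name DLL via rundll32: {dll_stem(rm.group(1))}")

    elif kind == "O20":  # AppInit_DLLs: loaded into every process that maps user32.dll
        am = re.match(r"AppInit_DLLs:\s*(\S+)", body)
        if am:
            reasons.append(f"AppInit_DLLs injects {am.group(1)} into every user-mode process")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Flagged (line, reasons) pairs; lines with no reasons are dropped."""
    out: List[Tuple[str, List[str]]] = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against a saved log it prints the four suspicious lines and leaves the Adobe BHO and the Symantec ccApp entry alone. A "generated name" hit is only a lead: confirm it by checking whether the file exists on disk, whether it is signed, and whether ComboFix or a later scan removes it, as happened with utonptnv.dll and yfplxlyu.dll below.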

#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 05 July 2008 - 09:28 AM

Hello Faix87,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Faix87 (Topic Starter, Members, 4 posts)

Posted 05 July 2008 - 12:32 PM

here you go

ComboFix 08-07-04.2 - Jon 2008-07-05 10:48:11.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1197 [GMT -4:00]
Running from: C:\Users\Jon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\emltkrop.dll
C:\Windows\system32\fqapedsk.ini
C:\Windows\system32\fsxditpk.dll
C:\Windows\system32\jeuvwijw.dll
C:\Windows\System32\JmmSvFhk.ini
C:\Windows\System32\JmmSvFhk.ini2
C:\Windows\System32\MUxFNqss.ini
C:\Windows\System32\MUxFNqss.ini2
C:\Windows\system32\oivjdssx.ini
C:\Windows\system32\pwgujjjh.ini
C:\Windows\system32\qixtmtps.dll
C:\Windows\system32\qrvcnuhr.ini
C:\Windows\system32\qyvquihp.dll
C:\Windows\System32\utBaKlTv.ini
C:\Windows\System32\utBaKlTv.ini2
C:\Windows\system32\utonptnv.dll
C:\Windows\system32\vqgmphka.ini
C:\Windows\System32\XEdNmUtv.ini
C:\Windows\System32\XEdNmUtv.ini2
C:\Windows\system32\xgchvuvj.ini
C:\Windows\system32\xkmmyyrv.dll
C:\Windows\system32\yfplxlyu.dll
.
---- Previous Run -------
.
C:\Windows\system32\mcrh.tmp

----- BITS: Possible infected sites -----

hxxp://updates.pitt.edu
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 01:49 . 2008-07-05 01:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 11:03 . 2008-07-04 00:24 <DIR> d-------- C:\Users\Jon\AppData\Roaming\mIRC
2008-07-03 11:03 . 2008-07-03 18:08 <DIR> d-------- C:\Program Files\mIRC
2008-07-02 11:59 . 2008-07-02 11:59 54,156 --ah----- C:\Windows\QTFont.qfn
2008-07-02 11:59 . 2008-07-02 11:59 1,409 --a------ C:\Windows\QTFont.for
2008-06-29 00:13 . 2008-06-29 00:13 <DIR> d-------- C:\Program Files\MozBackup
2008-06-28 15:50 . 2008-06-28 15:50 <DIR> d-------- C:\VundoFix Backups
2008-06-28 12:36 . 2008-06-28 12:36 <DIR> d-------- C:\Users\Jon\AppData\Roaming\My Games
2008-06-28 12:20 . 2008-06-28 12:20 <DIR> d-------- C:\Users\Jon\AppData\Roaming\InstallShield Installation Information
2008-06-25 19:56 . 2008-06-25 19:56 <DIR> d-------- C:\Program Files\CDisplay
2008-06-25 17:54 . 2008-06-25 17:54 <DIR> d-------- C:\perflogs
2008-06-24 01:49 . 2008-06-24 13:34 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-06-20 18:14 . 2008-06-24 19:35 327 --a------ C:\Windows\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 05:13 --------- d-----w C:\Program Files\Java
2008-07-05 04:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-02 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-01 23:35 --------- d-----w C:\Users\Jon\AppData\Roaming\uTorrent
2008-06-30 21:04 --------- d-----w C:\Program Files\Steam
2008-06-30 21:04 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-25 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 01:21 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-06-25 01:19 --------- d-----w C:\Program Files\Total Video2DVD Author
2008-06-24 19:21 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-16 21:02 --------- d-----w C:\Program Files\Windows Mail
2008-06-06 01:37 --------- d-----w C:\ProgramData\TrackMania
2008-05-28 00:13 --------- d-----w C:\Users\Jon\AppData\Roaming\Move Networks
2008-05-26 16:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-26 03:55 --------- d-----w C:\Program Files\Netflix
2008-05-15 14:43 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-13 00:35 --------- d-----w C:\Users\Jon\AppData\Roaming\.bsnes
2008-05-12 23:15 --------- d-----w C:\Program Files\AIM
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-06 02:13 --------- d-----w C:\ProgramData\Trymedia
2008-04-29 03:50 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-04-11 21:23 38,400 ----a-w C:\Windows\System32\SoundSchemes.exe
2007-10-18 19:42 174 --sha-w C:\Program Files\desktop.ini
2007-07-26 21:01 114,688 ----a-w C:\Program Files\internet explorer\plugins\ChimeShim.dll
1999-12-07 07:10 5,120 --sh--w C:\Windows\System32\idesync.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{049EE910-637A-4E78-BF77-BE5A2868FEDB}]
C:\Windows\system32\khFvSmmJ.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"LVCOMSX"="C:\Windows\system32\LVCOMSX.EXE" [2006-04-06 20:22 225280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-07 12:46:46 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yfplxlyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2007-01-19 05:00 177664 C:\Windows\System32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechRegisterVideoApplications]
--a------ 2006-04-06 20:06 73728 C:\Program Files\Acer\OrbiCam\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
--a------ 2006-04-29 09:21 94208 C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 01:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084585801-2107798225-2349486442-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3D86771C-6650-485C-8F02-257184B61DE7}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C441D7C4-B63F-4C58-B55A-1B3EBC7E0106}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D2AAEF20-5529-4E01-AD46-972C78A67A2D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B01B77FE-135C-42F3-8378-6FCD085E7453}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9BCF1183-9AB7-4567-8DEF-76EDCA552B42}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D6E1AE0D-AEE9-443F-BA5E-8113CDA73D4D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{FDA5A556-EE92-4BBE-BD07-8DD1A434BA78}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{FE969F46-398C-42C8-B82B-76E59AE40775}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{D81C3400-E436-4F16-BF04-B093D98E685C}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{C16BA55C-264D-4D30-BBDE-7444C8BFD3F3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{A0FC6093-C1BC-4ED2-8FD5-96448CFDA36C}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{930E6DB4-96C2-447D-B571-A7F047D30061}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{81343F2A-069C-4DD6-BCAD-1D6E5E692934}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"TCP Query User{6804A388-4615-468E-A2C5-C5AA9CEF80B8}C:\\program files\\aim\\aim.exe"= UDP:C:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{E20974EA-EAD9-4A22-8AD7-5BD2AF0DB1A2}C:\\program files\\aim\\aim.exe"= TCP:C:\program files\aim\aim.exe:AOL Instant Messenger
"{150B2539-87C7-4676-9396-83FE2D785294}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{791DD276-23EA-4B23-8332-B56D8CB58D23}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{AF79B140-2955-4CD1-8155-40362F7F361C}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"{0FB2A6D8-6F45-413A-9C54-B4ACC2B07E1C}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"TCP Query User{9A908715-4942-4A70-9B29-E955FECA2B7B}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\counter-strike source\hl2.exe:hl2
"UDP Query User{3BB002EF-ABCB-4F72-B91E-26CD20175124}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\counter-strike source\hl2.exe:hl2
"TCP Query User{07DDC4B7-3731-41A2-8867-8FBD95B1DEF8}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\day of defeat source\hl2.exe:hl2
"UDP Query User{C31DC109-54D8-468F-B369-81978CB2A83A}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\day of defeat source\hl2.exe:hl2
"TCP Query User{24197E6D-E39B-4FB5-8692-D98262FFBE4B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{69F786FF-C64C-442A-8497-96C68E1AC4F9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{15CF8E26-678C-4F14-8157-9006C5C2FD52}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\counter-strike source\hl2.exe:hl2
"UDP Query User{0071656F-1A3A-4DF2-8ACF-93B247578F55}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\counter-strike source\hl2.exe:hl2
"TCP Query User{9AD71CEB-4710-41C5-88E2-6C572C2FE138}C:\\program files\\aim\\aim.exe"= UDP:C:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{89A83D11-0932-41BE-A0F7-AA3C03823E4F}C:\\program files\\aim\\aim.exe"= TCP:C:\program files\aim\aim.exe:AOL Instant Messenger
"TCP Query User{A767D783-A9F4-4075-B64F-882CFAE6DCB4}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{D974A8E4-FBB4-4674-AAEB-DF20E177DD4A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{B025BF0D-B70C-4E48-B682-C0EF1A049307}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{BF9AB5D5-793E-47A2-B726-51401398A542}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{29F19FC3-7589-419A-9757-6F60A79602F1}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ECCDE094-A1FA-4FCD-980C-453AC9713D5F}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{6015648B-C105-45A8-9843-8023A2CBE070}"= UDP:D:\cod4\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{D153EBAB-CA32-431D-98F6-8CB20BA454D5}"= TCP:D:\cod4\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"TCP Query User{74B4B6D2-52B0-4D00-8C0E-0DA6E2A11E6A}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{139EA2F7-0989-468B-8861-020F4F9D095C}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{9239091C-63E5-485D-9F83-92D3A9E6EC64}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\half-life\\hl.exe"= UDP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\half-life\hl.exe:Half-Life Launcher
"UDP Query User{4C92C15B-46A0-4F4B-AF13-C94BE632BBA7}C:\\program files\\steam\\steamapps\\metaldrummer87@hotmail.com\\half-life\\hl.exe"= TCP:C:\program files\steam\steamapps\metaldrummer87@hotmail.com\half-life\hl.exe:Half-Life Launcher
"{80B5AECB-D51C-455B-B59F-422FFDFC6597}"= UDP:C:\Old comp\Desktop\utorrent.exe:µTorrent
"{0FE21C3F-D6F0-49F6-9CB1-05E8E8E73850}"= TCP:C:\Old comp\Desktop\utorrent.exe:µTorrent
"TCP Query User{16F0AF4D-8F40-44C0-BD00-9A5DC8F007F6}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{9545048C-BD4D-422D-9971-38923B9E7B71}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{3DCB6034-D4D3-4D6E-95C4-9E1561CFE3A4}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{8F61764C-D49C-4D44-9AE7-4D7A10592597}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{522613E3-F3B9-465A-ABD3-C8103BB56638}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{29DF36E1-F084-4747-AA59-8DBA00704F01}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{A2C7A687-4866-4FF6-A160-937FE1493015}C:\\program files\\steam\\steamapps\\common\\trackmania nations forever\\tmforever.exe"= UDP:C:\program files\steam\steamapps\common\trackmania nations forever\tmforever.exe:TmForever
"UDP Query User{D08F0E8C-69C0-46BE-81CA-3CBA526225CA}C:\\program files\\steam\\steamapps\\common\\trackmania nations forever\\tmforever.exe"= TCP:C:\program files\steam\steamapps\common\trackmania nations forever\tmforever.exe:TmForever

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 lv321av;Logitech USB PC Camera (VC0321);C:\Windows\system32\DRIVERS\lv321av.sys [2006-04-06 19:46]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\Windows\system32\drivers\LVPrcMon.sys [2006-04-06 20:30]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-12-05 02:07]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-12-05 02:05]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-12-05 02:09]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-24 21:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\Madden08.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c72d92e-e939-11dc-85eb-000000000000}]
\shell\AutoRun\command - F:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-07-03 00:06:52 C:\Windows\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-06-24 19:21:34 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{049EE910-637A-4E78-BF77-BE5A2868FEDB} - (no file)
BHO-{5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll
HKLM-Run-BM757dc37f - C:\Windows\system32\utonptnv.dll
MSConfigStartUp-THGuard - C:\Program Files\TrojanHunter 5.0\THGuard.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 12:45:33
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\LINKINFO.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-05 13:07:31 - machine was rebooted [Jon]
ComboFix-quarantined-files.txt 2008-07-05 17:07:25

Pre-Run: 5,734,477,824 bytes free
Post-Run: 6,515,331,072 bytes free

259 --- E O F --- 2008-07-05 15:06:46
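Beyond the deleted files, the ComboFix "Reg Loading Points" section above records settings a responder should act on once the malware is gone: EnableLUA=0 (UAC off), EnableFirewall=0 on the standard firewall profile, DisableMonitoring=1 for the Symantec entry in Security Center, the AppInit_DLLs value, and AutoRun commands under mountpoints2 for removable drives. The script below is an added example, not ComboFix code and not something used in this thread; it parses that section and reports those conditions. The sample keys are copied from the posted log, and the rule set is an assumption about what a responder would want surfaced rather than ComboFix's own classification.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for a weakened
security posture.

Added example for this thread; it is not ComboFix code and the helpers here did
not run it. The sample is copied from the ComboFix log posted above; which
values count as findings is an assumption stated in the rules below.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the posture-relevant keys from the posted log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yfplxlyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c72d92e-e939-11dc-85eb-000000000000}]
\shell\AutoRun\command - F:\autorun.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text: str) -> Dict[str, Dict[str, Any]]:
    """{key (lower-cased): {value_name: raw_value}}. Lines under a key that are
    not "name"=value pairs (the mountpoints2 AutoRun command) go in a list
    under the synthetic name '@raw'."""
    keys: Dict[str, Dict[str, Any]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        vm = VALUE_RE.match(line)
        if vm:
            keys[current][vm.group(1)] = vm.group(2).strip()
        else:
            keys[current].setdefault("@raw", []).append(line)
    return keys


def reg_int(raw: str) -> Optional[int]:
    """Decode the two renderings ComboFix uses: '0 (0x0)' and 'dword:00000001'."""
    m = re.match(r"^dword:([0-9a-fA-F]+)$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def audit(text: str) -> List[Tuple[str, str]]:
    """(code, detail) findings. The rules are assumptions about what a
    responder wants surfaced, not ComboFix's own classification."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_points(text).items():
        leaf = key.rsplit("\\", 1)[-1]
        for name, raw in values.items():
            if name == "@raw":
                for line in raw:
                    if "\\shell\\autorun\\command" in line.lower():
                        findings.append(("autorun", f"{leaf}: {line}"))
                continue
            if name == "EnableLUA" and key.endswith("policies\\system") and reg_int(raw) == 0:
                findings.append(("uac_off", "UAC disabled; admin processes run fully elevated"))
            elif name == "EnableFirewall" and "firewallpolicy" in key and reg_int(raw) == 0:
                findings.append(("firewall_off", f"Windows Firewall off in {leaf}"))
            elif name == "AppInit_DLLs" and raw:
                findings.append(("appinit", f"AppInit_DLLs loads {raw} into every user-mode process"))
            elif name == "DisableMonitoring" and "security center" in key and reg_int(raw) == 1:
                findings.append(("av_unmonitored", f"Security Center no longer watches {leaf}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_REG):
        print(f"{code:15} {detail}")
```

Against the posted log this yields five findings. ComboFix clears the AppInit_DLLs value when it deletes the DLL, but the other four are configuration, not malware: UAC and the firewall stay off and Security Center stays silent about Symantec until someone turns them back on, and an AutoRun handler for a removable drive is exactly the path by which this class of infection returns.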

#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 05 July 2008 - 08:06 PM

Hello,

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Faix87

Faix87
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 06 July 2008 - 04:20 PM

Detected and removed vundo. Didn't ask for a restart, so these logs were done directly after, with no restart. I'll add a reply when I test out the websites that were giving me trouble.

Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 6.0.6000

4:24:13 PM 7/6/2008
mbam-log-7-6-2008 (16-24-13).txt

Scan type: Quick Scan
Objects scanned: 36607
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:59 PM, on 7/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {049EE910-637A-4E78-BF77-BE5A2868FEDB} - C:\Windows\system32\khFvSmmJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: yfplxlyu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7342 bytes

#6 Faix87

Faix87
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 06 July 2008 - 05:22 PM

I haven't had a single windows explorer restart in a couple hours!

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:22 PM

Posted 06 July 2008 - 07:15 PM

Excellent. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {049EE910-637A-4E78-BF77-BE5A2868FEDB} - C:\Windows\system32\khFvSmmJ.dll (file missing)
O2 - BHO: (no name) - {5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll (file missing)
O20 - AppInit_DLLs: yfplxlyu.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Do a Windows search for this file and delete it, if it's even there: yfplxlyu.dll

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
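The three entries teacup61 singles out above share two traits that a reviewer of HijackThis logs learns to spot: an unnamed Browser Helper Object (O2) whose DLL is already gone, and an AppInit_DLLs value (O20), which makes Windows load the named DLL into every process that loads user32.dll. The following is an added example, not code from this thread or from HijackThis, that runs that triage logic over a handful of log lines. The sample lines are copied from the log posted in reply #5 (with two benign entries kept as negatives); the 8-letter "random name" heuristic is an assumption of this example, tuned to the names seen in this thread, not a rule HijackThis itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample input for this example: the three suspicious lines are the
# ones flagged in this thread; the Adobe BHO and the Symantec O4 entry are benign
# lines from the same log, included so the triage has negatives to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {049EE910-637A-4E78-BF77-BE5A2868FEDB} - C:\Windows\system32\khFvSmmJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5665F3D6-AACE-4DE3-A015-0075D9C7E3F6} - C:\Windows\system32\vtUmNdEX.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: yfplxlyu.dll
"""


@dataclass
class Finding:
    line: str
    reason: str


# HijackThis lines start with a section tag (R0/R1, O2, O4, O20, ...) and " - ".
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
DLL_NAME = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example) for the 8-letter pseudo-random
    file names seen in this thread: khFvSmmJ, vtUmNdEX, yfplxlyu. Exactly eight
    alphabetic characters with at most two vowels. A real component name such
    as AcroIEHelper fails the length test."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(1 for c in stem.lower() if c in "aeiou")
    return vowels <= 2


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2":
        # A BHO with no registered name whose DLL has already been deleted:
        # the registration outlived the file, which is what a cleaned-up
        # but not de-registered Vundo component looks like.
        if "(no name)" in body and "(file missing)" in body:
            return Finding(line.strip(), "unnamed BHO pointing at a DLL that no longer exists")
        for name in DLL_NAME.findall(body):
            if looks_random(name):
                return Finding(line.strip(), f"BHO DLL with pseudo-random name {name}.dll")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # Any non-empty AppInit_DLLs value is worth a look: Windows loads that
        # DLL into every process that loads user32.dll, so a Vundo DLL listed
        # here survives browser restarts and reappears in scans.
        value = body.split(":", 1)[1].strip()
        if value:
            return Finding(line.strip(), f"AppInit_DLLs injects {value} into every process that loads user32.dll")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

On the sample above the triage reports exactly the three lines teacup61 asked to be fixed and says nothing about the Adobe and Symantec entries. The "(file missing)" rule is the reliable one: HijackThis checks the path itself. The name heuristic is only a prompt to look closer, since a legitimate driver vendor can also ship a short vowel-poor name.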

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:22 PM

Posted 20 July 2008 - 03:21 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.