Conhook.d And Vundo.gen!e, G And H Infections


11 replies to this topic

#1 zxon

  • Members
  • 6 posts

Posted 05 July 2008 - 03:11 PM

Hi. I hope I'm doing this right. I've not had to do this before.

My PC seems to be infected by the above trojans. My Norton AV and Windows Defender pick them up and delete the files, but they keep coming back. I've also tried removing suspicious programs from system startup via msconfig but they continue to reappear. I think they're meant to show popups in IE, but I always use Firefox so never noticed them. Nonetheless, I don't like the idea of being infected at all so I wanna get rid of them.

-------------------------------------------------------------

I have attached my latest HijackThis log. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:01, on 05/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\vVX6000.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\NNPCS\NNPCSUI.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Program Files\Nokia\NNPCS\RunLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 11178 bytes

-------------------------------------------------------------

Thanks in advance :thumbsup:


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 06 July 2008 - 10:33 AM

Hello zxon and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 zxon
  • Topic Starter

  • Members
  • 6 posts

Posted 06 July 2008 - 06:18 PM

Hi. Yes, I'm still having the problems. I have pasted a new HijackThis log below as per your instructions. The problem I'm having is that Norton and Windows Defender are frequently showing pop-up messages saying that they've found Vundo and Trojans and want me to remove them. I tell them to do so, and (almost) the same messages appear a few minutes later. I've done full scans with both programs and they find files that are infected with the same viruses and remove them, but the same problem occurs again. Both programs say that the viruses I have are meant to show pop-up adverts when I use Internet Explorer. I use Firefox instead so I have not noticed any popups, but naturally I still want to get rid of these viruses. I did a Google search a few days ago, before I posted on here, and it was suggested I try a Vundofixer. It said it found 4 files and removed them, but the problem continues.

--HijackThis Log--

Deckard's System Scanner v20071014.68
Run by Andy on 2008-07-06 23:58:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
18: 2008-07-05 20:06:58 UTC - RP203 - Windows Update
17: 2008-07-03 22:40:26 UTC - RP202 - Windows Defender Checkpoint
16: 2008-07-03 21:43:01 UTC - RP200 - Windows Defender Checkpoint
15: 2008-07-03 20:13:17 UTC - RP198 - Windows Defender Checkpoint
14: 2008-07-03 20:05:17 UTC - RP196 - Windows Update


-- First Restore Point --
1: 2008-06-24 19:47:47 UTC - RP177 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:02:20, on 07/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\vVX6000.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\NNPCS\NNPCSUI.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
G:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [6c9f53cd] rundll32.exe "C:\Windows\system32\rynhrcma.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Program Files\Nokia\NNPCS\RunLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 11314 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080703-224748-711 O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - (no file)
backup-20080703-234507-223 O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
backup-20080703-234522-319 O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PCIMS - \??\c:\windows\system32\drivers\pcims.sys
R2 DgiVecp - \??\c:\windows\system32\drivers\dgivecp.sys
R2 SSPORT - \??\c:\windows\system32\drivers\ssport.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 TVersityMediaServer - c:\program files\tversity\media server\mediaserver.exe
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 Symantec RemoteAssist - "c:\program files\common files\symantec shared\support controls\ssrc.exe" (file missing)
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0003
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #2
PNP Device ID: ROOT\*ISATAP\0003
Service: tunnel

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#9205291&1#
Manufacturer: Generic
Name: USB CF Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#9205291&1#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Flash Disk
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_USB_2.0&PROD_FLASH_DISK&REV_8.07#BE2B0654&0#
Manufacturer: USB 2.0
Name: Flash Disk
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_USB_2.0&PROD_FLASH_DISK&REV_8.07#BE2B0654&0#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N70
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia N95
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia N95
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-07-06 23:56:21 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{4DBF6757-2A51-4C57-9A2D-C1F392CE1EDD}.job
2008-07-06 00:46:00 252 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-05 20:40:11 92224 --a------ C:\Windows\system32\rynhrcma.dll
2008-07-05 20:35:05 90456 --a------ C:\Windows\system32\evsoxauq.dll
2008-07-03 23:30:08 0 d-------- C:\Windows\system32\N360_BACKUP
2008-07-03 23:18:59 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-03 22:52:04 0 d-------- C:\VundoFix Backups
2008-07-03 21:39:18 556465 --ahs---- C:\Windows\system32\SDKnmnmp.ini2
2008-07-03 21:37:50 0 d-------- C:\Program Files\Trend Micro
2008-06-28 13:36:53 0 d-------- C:\NSS
2008-06-28 13:36:45 0 d-------- C:\Program Files\CCleaner
2008-06-28 12:13:01 0 d-------- C:\Program Files\MagicISO
2008-06-25 21:36:14 0 d-------- C:\Users\All Users\Apple Computer
2008-06-23 19:37:51 0 d-------- C:\Program Files\Norton 360
2008-06-23 19:34:54 0 d-------- C:\Program Files\Symantec
2008-06-23 18:25:14 280064 -----n--- C:\Windows\system32\pmnmnKDS.dll
2008-06-23 18:23:41 0 d-------- C:\Users\All Users\Symantec Temporary Files
2008-06-23 18:04:49 0 d-------- C:\Users\All Users\SupportSoft
2008-06-23 18:04:27 0 d-------- C:\Program Files\O2
2008-06-23 17:59:40 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-06-15 22:13:00 0 d-------- C:\Users\All Users\Macrovision
2008-06-15 21:41:44 210432 --a------ C:\Windows\system32\ifsdrives.dll <Not Verified; Stephan Schreiber; IFS for Windows>


-- Find3M Report ---------------------------------------------------------------

2008-06-28 11:45:01 0 d-------- C:\Users\Andy\AppData\Roaming\Mozilla
2008-06-25 21:37:34 0 d-------- C:\Program Files\QuickTime
2008-06-25 00:17:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-25 00:14:46 0 d-------- C:\Users\Andy\AppData\Roaming\Nokia
2008-06-25 00:12:54 0 d-------- C:\Program Files\Nokia
2008-06-24 23:53:24 0 d-------- C:\Users\Andy\AppData\Roaming\Symantec
2008-06-24 19:03:14 0 d-------- C:\Program Files\Windows Mail
2008-06-23 19:39:17 0 d-------- C:\Program Files\Common Files
2008-06-15 22:13:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 22:12:58 0 d-------- C:\Users\Andy\AppData\Roaming\Macromedia
2008-06-03 20:23:52 7 --a------ C:\tw0001.dat
2008-05-08 11:26:35 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-07 06:53:20 0 d-------- C:\Program Files\BitComet
2008-04-21 19:26:44 0 -rahs---- C:\MSDOS.SYS
2008-04-21 19:26:44 0 -rahs---- C:\IO.SYS
2008-04-11 13:09:03 2560 --a------ C:\Windows\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
30/06/2008 13:44 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
23/06/2008 19:39 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B105577-EB6D-450E-92BE-1A8B49D9192C}]
23/06/2008 18:25 280064 --------- C:\Windows\system32\pmnmnKDS.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [30/06/2008 13:44 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 00:38]
"NokiaMServer"="C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles" []
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [05/02/2007 16:52]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [21/11/2006 18:08]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 08:00]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [14/03/2007 22:01]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [08/01/2007 23:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [17/05/2007 15:45]
"VX6000"="C:\Windows\vVX6000.exe" [10/04/2007 15:46]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/09/2007 06:28]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/09/2007 06:28]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/09/2007 06:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [22/03/2008 00:35]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [09/07/2001 12:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"SoundMan"="SOUNDMAN.EXE" [09/03/2007 17:28 C:\Windows\SOUNDMAN.EXE]
"O2"="C:\Program Files\O2\bin\sprtcmd.exe" [08/03/2007 19:21]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [18/02/2008 20:37]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [26/02/2008 15:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"6c9f53cd"="C:\Windows\system32\rynhrcma.dll" [05/07/2008 20:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 00:33]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [27/03/2008 17:32]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 00:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Nokia Nseries PC Suite.lnk - C:\Program Files\Nokia\NNPCS\RunLauncher.exe [1/14/2008 4:16:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\pmnmnKDS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6c9f53cd]
rundll32.exe "C:\Windows\system32\quqwabrx.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6fac6051]
Rundll32.exe "C:\Windows\system32\utybfvsv.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPortal]
C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
GPSvcGroup GPSvc

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-07 00:04:54 ------------

Thanks for your help.

#4 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 07 July 2008 - 02:12 PM

Hi zxon.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitComet). These programmes allow files to be shared between users, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

I can see some traces of Vundo there. We will take care of that just after doing the following steps:

step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

step #2

Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
O4 - HKLM\..\Run: [6c9f53cd] rundll32.exe "C:\Windows\system32\rynhrcma.dll",b
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


Close all other windows and browsers, and press the Fix Checked button.

step #3

Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip
  • Unzip it to the desktop and run it.
  • Paste the following bold part into the Suspicious File Packer window:

    C:\Windows\system32\pmnmnKDS.dll
    C:\Windows\system32\rynhrcma.dll
    c:\windows\system32\drivers\pcims.sys
    C:\Windows\system32\rynhrcma.dll
    C:\Windows\system32\evsoxauq.dll


  • Allow SFP to pack the file. This will generate a CAB archive on your desktop.

step #4

Please go to the Malware Upload Channel and upload the following file by reproducing the below steps:
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the just created CAB file.
  • In the comment section, please make a note that I asked you to upload the file here: Yourhighness
  • Click Send File
Please let me know when the submission has finished. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
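As an added example that is not part of this thread or of any tool mentioned in it, the following Python reads registry-dump and HijackThis lines like the ones posted above and flags the Vundo traces Yourhighness points at (a hex-named Run value loading a DLL, rundll32 with a one-letter export, an unnamed BHO, an extra LSA authentication package) together with the EnableLUA=0 setting visible in the dump; the rule names, the regular expressions and the choice of what counts as "expected" are this example's own assumptions, and the sample lines are copied from the logs above.

```python
"""Flag Vundo-style persistence entries in a HijackThis / DSS registry dump.

Added example for this thread; it is not a tool from the thread or from any
project. The sample lines are copied from the logs posted above, and the
rules encode the traces Yourhighness points at plus the EnableLUA=0 setting.
"""
import ntpath
import re

# Constructed sample: lines taken from the Deckard and HijackThis output above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 00:38]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/09/2007 06:28]
"6c9f53cd"="C:\Windows\system32\rynhrcma.dll" [05/07/2008 20:40]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\pmnmnKDS
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6fac6051]
Rundll32.exe "C:\Windows\system32\utybfvsv.dll",s
O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
O4 - HKLM\..\Run: [6c9f53cd] rundll32.exe "C:\Windows\system32\rynhrcma.dll",b
"""

# A Run value named like 8 hex digits whose target is a DLL. A DLL target on
# its own is not flagged: legitimate entries such as NvSvc also point at DLLs.
HEX_NAME_DLL = re.compile(r'^"(?P<name>[0-9a-f]{8})"\s*=\s*"(?P<path>[^"]+\.dll)"', re.I)
# rundll32 invoking a DLL through a one-letter export name (",b", ",s").
RUNDLL32_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?,[a-z]\b', re.I)
# A Browser Helper Object that registers no name at all.
BHO_NO_NAME = re.compile(r'^O2 - BHO: \(no name\) - \{[^}]+\} - (?P<path>.+)$')
# The LSA authentication package list; only msv1_0 is expected on this box
# (assumption of this example, not a statement from the thread).
LSA_PACKAGES = re.compile(r'^"Authentication Packages"\s*=\s*(?P<pkgs>.+)$', re.I)
EXPECTED_LSA_PACKAGES = {"msv1_0"}
# UAC switched off entirely.
UAC_OFF = re.compile(r'^"EnableLUA"\s*=\s*0\b', re.I)


def scan_log(text):
    """Return one finding per suspicious line: {'rule', 'path', 'line'}."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEX_NAME_DLL.match(line)
        if m:
            findings.append({"rule": "run_hexname_dll", "path": m.group("path"), "line": line})
        m = RUNDLL32_EXPORT.search(line)
        if m:
            findings.append({"rule": "rundll32_single_export", "path": m.group("path"), "line": line})
        m = BHO_NO_NAME.match(line)
        if m:
            findings.append({"rule": "bho_no_name", "path": m.group("path"), "line": line})
        m = LSA_PACKAGES.match(line)
        if m:
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in EXPECTED_LSA_PACKAGES:
                    findings.append({"rule": "lsa_extra_package", "path": pkg, "line": line})
        if UAC_OFF.match(line):
            findings.append({"rule": "uac_disabled", "path": None, "line": line})
    return findings


def suspicious_dlls(findings):
    """Module names (lower-case, without extension) that the findings point at.

    LSA package entries omit the .dll suffix, so names are normalised before
    being collected; this lets the same module found via BHO and LSA collapse.
    """
    names = set()
    for f in findings:
        if f["path"]:
            base = ntpath.basename(f["path"]).lower()
            names.add(base[:-4] if base.endswith(".dll") else base)
    return names


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['rule']:<24} {f['line']}")
    print("modules to submit for analysis:", sorted(suspicious_dlls(results)))
```

The module set it produces (rynhrcma, pmnmnKDS, utybfvsv) is the same set of files the helper asks to have packed and uploaded in step #3.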


#5 zxon

  • Topic Starter
  • Members
  • 6 posts

Posted 07 July 2008 - 03:19 PM

Thanks for the help. I have followed all the steps and uploaded the file you requested.

O2 - BHO: (no name) - {9B105577-EB6D-450E-92BE-1A8B49D9192C} - C:\Windows\system32\pmnmnKDS.dll
...
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


I encountered one problem. When trying to remove these entries using HijackThis, they wouldn't go away. I checked them, clicked Fix Now, did another scan and they were still there. I tried a couple of times but they're persistent. I thought I'd let you know.

I await your reply. :thumbsup:

#6 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 07 July 2008 - 03:23 PM

Hi,

please reboot your PC and see if the entries are still there then. I received the file. I will look at it tonight, but need to go to bed soon. I will reply tomorrow morning hopefully, or at the latest when I get back from work.

Thanks for your understanding.

YoHi



#7 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 07 July 2008 - 03:29 PM

Hang on. Just revisited the uploaded file. I think to make it easier for both of us, you should please do the following:

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.




#8 zxon

  • Topic Starter
  • Members
  • 6 posts

Posted 07 July 2008 - 05:05 PM

Hi. As directed, I downloaded and ran ComboFix, disabling all firewalls and anti-virus programs before scanning (as per the instructions). Below is a copy of the ComboFix.txt log file.

ComboFix 08-07-05.1 - Andy 2008-07-07 22:17:29.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1240 [GMT 1:00]
Running from: C:\Users\Andy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\amcrhnyr.ini
C:\Windows\system32\auhoqv.dll
C:\Windows\system32\gcqoccsv.dll
C:\Windows\system32\iwpdvbme.ini
C:\Windows\system32\jbtwyedg.ini
C:\Windows\system32\kjdtaxas.ini
C:\Windows\system32\lejeccfh.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\odmtmccu.ini
C:\Windows\system32\oxyqrckl.ini
C:\Windows\system32\pmnmnKDS.dll
C:\Windows\system32\rbmpnwig.ini
C:\Windows\System32\SDKnmnmp.ini
C:\Windows\System32\SDKnmnmp.ini2
C:\Windows\System32\uoahdaww.ini
C:\Windows\system32\wwadhaou.dll
C:\Windows\system32\xrbawquq.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-07 20:37 . 2008-07-07 20:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-07 20:27 . 2008-07-07 20:34 <DIR> d-------- C:\Users\Andy\.SunDownloadManager
2008-07-06 23:58 . 2008-07-06 23:58 <DIR> d-------- C:\Deckard
2008-07-03 23:30 . 2008-07-03 23:30 <DIR> d-------- C:\Windows\System32\N360_BACKUP
2008-07-03 23:18 . 2008-07-03 23:18 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-07-03 22:52 . 2008-07-03 23:18 <DIR> d-------- C:\VundoFix Backups
2008-07-03 21:37 . 2008-07-03 21:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 21:16 . 2008-07-03 21:16 33,832 --a------ C:\Windows\System32\whdophmo.exe
2008-06-29 10:06 . 2008-07-07 22:06 337,254,587 --a------ C:\Windows\MEMORY.DMP
2008-06-28 13:36 . 2008-06-28 13:36 <DIR> d-------- C:\Program Files\CCleaner
2008-06-28 13:36 . 2008-06-28 13:37 <DIR> d-------- C:\NSS
2008-06-28 12:13 . 2008-06-28 12:13 <DIR> d-------- C:\Program Files\MagicISO
2008-06-26 19:21 . 2008-06-26 19:21 0 --a------ C:\Windows\System32\oxyqrckl.tmp
2008-06-25 21:36 . 2008-06-25 21:36 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-06-25 21:36 . 2008-06-25 21:36 <DIR> d-------- C:\ProgramData\Apple Computer
2008-06-24 20:47 . 2008-05-03 04:38 1,555,456 --a------ C:\Windows\System32\mshtml.tlb
2008-06-24 20:47 . 2008-05-03 07:31 830,464 --a------ C:\Windows\System32\wininet.dll
2008-06-24 00:59 . 2008-04-26 09:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-24 00:59 . 2008-05-10 02:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-23 19:37 . 2008-07-03 20:56 <DIR> d-------- C:\Program Files\Norton 360
2008-06-23 19:35 . 2008-06-25 00:19 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-06-23 19:34 . 2008-06-25 00:19 <DIR> d-------- C:\Program Files\Symantec
2008-06-23 19:28 . 2008-06-24 23:53 <DIR> d-------- C:\Users\Andy\AppData\Roaming\Symantec
2008-06-23 18:23 . 2008-06-24 00:52 <DIR> d-------- C:\Users\All Users\Symantec Temporary Files
2008-06-23 18:23 . 2008-06-24 00:52 <DIR> d-------- C:\ProgramData\Symantec Temporary Files
2008-06-23 18:17 . 2008-06-23 18:17 129 --a------ C:\Windows\System32\MRT.INI
2008-06-23 18:13 . 2008-03-08 03:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-23 18:13 . 2008-03-08 05:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-06-23 18:04 . 2008-06-23 18:04 <DIR> d-------- C:\Users\All Users\SupportSoft
2008-06-23 18:04 . 2008-06-23 18:04 <DIR> d-------- C:\ProgramData\SupportSoft
2008-06-23 18:04 . 2008-06-23 18:04 <DIR> d-------- C:\Program Files\O2
2008-06-23 18:04 . 2008-06-23 18:04 728 --a------ C:\Windows\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
2008-06-23 17:59 . 2008-06-23 17:59 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-06-15 22:13 . 2008-06-15 22:13 <DIR> d-------- C:\Users\All Users\Macrovision
2008-06-15 22:13 . 2008-06-15 22:13 <DIR> d-------- C:\ProgramData\Macrovision
2008-06-15 21:41 . 2007-12-27 23:47 210,432 --a------ C:\Windows\System32\ifsdrives.dll
2008-06-15 21:41 . 2008-01-20 17:56 187,840 --a------ C:\Windows\System32\drivers\ext2fs.sys
2008-06-15 21:41 . 2007-12-16 17:13 77,760 --a------ C:\Windows\System32\ifsdrives.exe
2008-06-15 21:41 . 2007-12-29 19:50 58,816 --a------ C:\Windows\System32\drivers\ifsmount.sys
2008-06-15 21:41 . 2007-08-26 13:11 724 --a------ C:\Windows\System32\ifsdrives_tasks.xml
2008-06-13 14:14 . 2008-06-13 14:14 24,112 --a------ C:\Windows\System32\drivers\SymIMV.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\Windows\System32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\Windows\System32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\Windows\System32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\Windows\System32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\Windows\System32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\Windows\System32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\Windows\System32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\Windows\System32\drivers\symdns.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 21:25 --------- d-----w C:\ProgramData\Kontiki
2008-07-07 19:38 --------- d-----w C:\Program Files\Java
2008-06-25 20:37 --------- d-----w C:\Program Files\QuickTime
2008-06-24 23:19 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-24 23:19 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-24 23:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 23:14 --------- d-----w C:\Users\Andy\AppData\Roaming\Nokia
2008-06-24 23:12 --------- d-----w C:\Program Files\Nokia
2008-06-24 18:03 --------- d-----w C:\Program Files\Windows Mail
2008-06-23 23:56 --------- d-----w C:\ProgramData\Symantec
2008-06-23 19:52 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-15 21:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 19:23 7 ----a-w C:\tw0001.dat
2008-05-08 10:26 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-07 08:55 767,488 ----a-w C:\Windows\system32\drivers\athr.sys
2008-05-07 05:53 --------- d-----w C:\Program Files\BitComet
2008-04-11 12:09 2,560 ----a-w C:\Windows\System32\bitcometres.dll
2008-03-22 11:50 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-22 11:50 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-21 23:19 174 --sha-w C:\Program Files\desktop.ini
2008-03-21 02:07 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-21 02:07 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2006-05-03 10:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\Windows\System32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-03-27 17:32 1682368]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 00:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 22:01 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 23:17 52256]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"VX6000"="C:\Windows\vVX6000.exe" [2007-04-10 15:46 996712]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 06:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 06:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 06:28 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 00:35 185896]
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"O2"="C:\Program Files\O2\bin\sprtcmd.exe" [2007-03-08 19:21 198184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 17:28 598016 C:\Windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Nokia Nseries PC Suite.lnk - C:\Program Files\Nokia\NNPCS\RunLauncher.exe [1/14/2008 4:16:32 PM 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm
"vidc.yv12"= yv12vfw.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPortal]
--a------ 2007-11-15 10:53 1261568 C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1784797244-2349850700-714088059-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{08DC9905-5F09-4C4D-A3E4-4908E184AFA8}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{74FCE5F3-030E-499F-B0C8-22472D7BFD57}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{DE29B166-7A19-4A72-B645-E2DEC6A28BC2}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{059A0A40-E7A4-4333-A06D-4C91E75FBC5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{890FA2BC-8316-4287-BE8B-5480179854E4}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C36965E1-E8A1-49A2-A29B-8ECEDC26CEF1}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C4A111B-2CCD-4316-82B3-582E3C8DA990}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8C388430-8904-412A-A93F-A3113FA221D7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{580122F4-5D85-4BBD-AC5E-DABF548625EB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9C97160F-A318-45A5-9633-2395AF2E8DA0}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{B4DB3AE0-198C-47CB-B635-70662D97F66D}"= UDP:C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe:Belkin Network USB Hub Control Center
"{BBB6947C-A0A0-4936-B378-485BEB825FE4}"= TCP:C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe:Belkin Network USB Hub Control Center
"{7EB3C456-30DE-4A49-834E-25F3B07C72B3}"= TCP:19540:SXUPTP
"{6FDFCF5E-5C7B-4857-A527-10832F377D6F}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{64F1FB64-9A23-428C-97CA-66DC143C2422}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{14AC19CB-7A75-49B0-98C1-BB7B3CBF252C}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{BBAE01BF-BCB7-457B-B50F-196461CF68A3}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{5D30C86D-19D1-4CED-8294-885E2F54DC41}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{72170B34-0A20-4667-B3A0-4DFEEB641F5C}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{0D53652D-7E99-427A-8DD6-6F1C0926ED00}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{F28CC75C-7384-4BFA-AF4F-BD664FDB1126}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{26EDD66C-FC5D-46C8-8506-1D74F521073E}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{DC51CA05-D41E-45E0-A91F-1424014E0028}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8785568E-AA6E-4D14-B536-75E6FB5DE04F}"= UDP:17520:BitComet 17520 TCP
"{77F0A3B0-8D38-4147-80CD-40C9DD21C814}"= TCP:17520:BitComet 17520 UDP
"TCP Query User{89E00EC3-46B4-4576-A94A-1546210B6495}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{0ECC6521-801A-467B-8A64-86E7B59E9972}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{AB350D6E-DC49-43EA-AB07-49EBC79EC279}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{591A54DC-DE45-4282-9D8C-1083EC0BD016}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{7FC79C22-FDE7-4C55-AC98-3B1DABE18C97}C:\\program files\\nokia\\software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{C1F40F7B-400E-45AE-B92B-25E86AB259F7}C:\\program files\\nokia\\software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\software updater\nsu_ui_client.exe:Nokia Software Updater
"{34B91C44-2E7E-40A2-B47D-3532F6BC284B}"= UDP:41952:TVersity
"{A88F04B1-F1CB-4482-808C-71A755950312}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{48E93B01-F441-4BE2-BBEF-FE049343FD64}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{A67255D1-DA38-43D0-88DD-DCCEB1A01150}C:\\program files\\kontiki\\khost.exe"= UDP:C:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{08FFA2D9-BED5-47DC-8799-63BFBB0AA56B}C:\\program files\\kontiki\\khost.exe"= TCP:C:\program files\kontiki\khost.exe:Delivery Manager
"TCP Query User{574EBE73-3B43-4DA6-A282-6D3C83E91582}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{3993A006-AF89-4622-BA61-2683FC14DD65}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"TCP Query User{24C4D45D-67E2-43C4-9BD2-C4BE5DCB6965}C:\\program files\\secondlife\\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{99E46E3A-FA35-4660-A20D-ABDBF573D5BB}C:\\program files\\secondlife\\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice
"TCP Query User{7A85A110-C510-4C74-BE8E-B54C774663C4}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{4BF3227F-59D8-4A0B-8CFA-F2B19E80B294}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{4E618984-AB1D-44C1-917F-91D5BF29B5A5}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{17D6D745-8169-4818-8F6F-8C14CF626575}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{4FDF06F8-C250-48B3-9CAD-CFD86E5A9D48}"= UDP:C:\Program Files\O2\bin\wificfg.exe:sprtcmd.exe
"{D154E137-0690-4A63-8168-E8600A85FAAC}"= TCP:C:\Program Files\O2\bin\wificfg.exe:sprtcmd.exe
"{5896B139-DDC6-4036-9D78-CD3E55F54605}"= UDP:C:\Program Files\O2\agent\bin\bcont.exe:bcont.exe
"{03AAD42A-8FF4-4795-87F1-06625246011D}"= TCP:C:\Program Files\O2\agent\bin\bcont.exe:bcont.exe
"{1C7D31D1-379C-4FC3-A1AB-F13995D9B75C}"= UDP:C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe:ssrc.exe
"{45A8EA87-675D-484E-B32F-3397DEAE52B7}"= TCP:C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe:ssrc.exe
"{152CF77F-A01B-40D9-9E52-64DABD4EE97F}"= UDP:C:\Program Files\O2\agent\bin\bcont_nm.exe:bcont_nm.exe
"{40C94ECE-802F-45B6-A287-C2E722D40C1C}"= TCP:C:\Program Files\O2\agent\bin\bcont_nm.exe:bcont_nm.exe
"TCP Query User{28ECD336-C763-4B0A-880F-909EC5D9B4A0}C:\\users\\andy\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= UDP:C:\users\andy\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
"UDP Query User{AE75C287-6223-4E08-A587-56B4734FDF97}C:\\users\\andy\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= TCP:C:\users\andy\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 Ext2fs;Ext2fs;C:\Windows\system32\DRIVERS\ext2fs.sys [2008-01-20 17:56]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080623.001\IDSvix86.sys [2008-06-03 16:28]
R1 IfsMount;IfsMount;C:\Windows\system32\DRIVERS\ifsmount.sys [2007-12-29 19:50]
R1 PCIMS;PCIMS;C:\Windows\system32\drivers\PCIMS.sys [2008-05-06 18:07]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 20:37]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 15:45]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);C:\Program Files\O2\bin\sprtsvc.exe [2007-06-05 08:25]
R2 SSPORT;SSPORT;C:\Windows\system32\Drivers\SSPORT.sys [2006-11-22 09:52]
R3 3xHybrid;3xHybrid service;C:\Windows\system32\DRIVERS\3xHybrid.sys [2007-04-20 14:34]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
R3 VX6000;Microsoft LifeCam VX-6000;C:\Windows\system32\DRIVERS\VX6000Xp.sys [2007-04-10 15:46]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\Windows\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\Windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 09:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
GPSvcGroup REG_MULTI_SZ GPSvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 20:46:04 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-06 23:11:20 C:\Windows\Tasks\User_Feed_Synchronization-{4DBF6757-2A51-4C57-9A2D-C1F392CE1EDD}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BM6fac6051 - C:\Windows\system32\qcxygfup.dll
HKLM-Run-6c9f53cd - C:\Windows\system32\wwadhaou.dll
HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-6c9f53cd - C:\Windows\system32\quqwabrx.dll
MSConfigStartUp-BM6fac6051 - C:\Windows\system32\utybfvsv.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 22:25:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\NNPCS\NNPCSUI.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-07 22:35:23 - machine was rebooted [Andy]
ComboFix-quarantined-files.txt 2008-07-07 21:35:00

Pre-Run: 30,077,046,784 bytes free
Post-Run: 29,802,901,504 bytes free

303 --- E O F --- 2008-07-07 19:26:23


Hopefully this nightmare is nearly at an end.

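A defender reading the ComboFix log above will notice two things worth acting on: every autostart entry in the "ORPHANS REMOVED" section points at an eight-letter, randomly named DLL sitting directly in system32 (the pattern Vundo is known for), and the StandardProfile firewall policy shows "EnableFirewall"= 0, i.e. Windows Firewall switched off. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or the helper's instructions. It parses a constructed excerpt copied from the log, flags the random-name system32 DLLs and reports which firewall profiles are disabled. The "eight lowercase letters in system32" rule is an assumption drawn from this log, not a ComboFix rule, so treat hits as items to investigate rather than verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: these lines are copied from the firewall-policy and
# "ORPHANS REMOVED" sections of the ComboFix log posted earlier in this thread.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKLM-Run-BM6fac6051 - C:\\Windows\\system32\\qcxygfup.dll
HKLM-Run-6c9f53cd - C:\\Windows\\system32\\wwadhaou.dll
HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-6c9f53cd - C:\\Windows\\system32\\quqwabrx.dll
MSConfigStartUp-BM6fac6051 - C:\\Windows\\system32\\utybfvsv.dll
"""

# ComboFix prints orphaned autostarts as "<location>-<value name> - <target>"
ORPHAN_RE = re.compile(
    r"^(?P<location>HKLM-Run|HKCU-Run|MSConfigStartUp)-(?P<name>\S+) - (?P<target>.+)$"
)
# Firewall profile state as printed in the log: "EnableFirewall"= 0 (0x0)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# Heuristic (assumption, not a ComboFix rule): a DLL directly under system32
# whose base name is exactly eight letters, the naming every removed entry above shares.
RANDOM_SYS32_DLL_RE = re.compile(
    r"^[A-Za-z]:\\windows\\system32\\[a-z]{8}\.dll$", re.IGNORECASE
)


def parse_orphans(log_text: str) -> List[Dict[str, str]]:
    """Return the orphaned autostart entries ComboFix reported, one dict per line."""
    entries = []
    for raw in log_text.splitlines():
        m = ORPHAN_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_autostarts(log_text: str) -> List[Dict[str, str]]:
    """Orphan entries whose target matches the random-name system32 DLL pattern."""
    return [
        e for e in parse_orphans(log_text)
        if RANDOM_SYS32_DLL_RE.match(e["target"].strip())
    ]


def disabled_firewall_profiles(log_text: str) -> List[str]:
    """Names of firewall profiles whose EnableFirewall value is 0 in the log."""
    profiles = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "firewallpolicy" in line.lower():
            # Key path ends in the profile name, e.g. "StandardProfile"
            current = line.strip("[]").rsplit("\\", 1)[-1]
        elif current is not None:
            m = FIREWALL_RE.match(line)
            if m and m.group("value") == "0":
                profiles.append(current)
                current = None
    return profiles


def triage(log_text: str) -> Dict[str, object]:
    """Summarise what a responder should look at first in a ComboFix log excerpt."""
    flagged = suspicious_autostarts(log_text)
    return {
        "orphans": len(parse_orphans(log_text)),
        "flagged_dlls": sorted({e["target"].rsplit("\\", 1)[-1].lower() for e in flagged}),
        "firewall_disabled_profiles": disabled_firewall_profiles(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports five orphaned entries, four of which are random-name DLLs in system32, and that the StandardProfile firewall was disabled; the latter is worth re-enabling once the machine is clean, whatever tool removed the DLLs.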
#9 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 08 July 2008 - 12:43 PM

Hi zxon,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\Windows\System32\VundoFixSVC.exe
    C:\Windows\System32\oxyqrckl.tmp
    C:\Windows\system32\rynhrcma.dll
    c:\windows\system32\drivers\pcims.sys
    C:\Windows\system32\evsoxauq.dll
    
    Folder::
    C:\VundoFix Backups
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #2

Please do a scan with Kaspersky Online Scanner (You need to use Internet Explorer or enable IEView in Firefox)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Please post back with a fresh HijackThis log and the Kaspersky Log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#10 zxon

zxon
  • Topic Starter

  • Members
  • 6 posts

Posted 09 July 2008 - 06:43 PM

Hi.

I'm afraid I encountered a major problem while carrying out the above tasks. I managed to run the ComboFix step ok, and I left my computer overnight to perform the kaspersky scan (it took 4 hours and 20 mins eventually). However when I went to save the log from it, my computer bluescreened and restarted.

After that my computer wasn't the same. Items in the sidebar wouldn't load, Norton would complain about an internal problem, and services in windows failed to load (this latter problem would stop me from being able to use my network card so can't go online with it).

I've tried to perform a repair install of vista but it's having none of it. It looks like I'll have to do a full reinstall of Vista :thumbsup: If that's the case, then at least the virus will be gone.

I'll keep you updated.

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 10 July 2008 - 12:35 PM

Hi zxon,

Can you check if ComboFix created a log? Same for Kaspersky? If we also know what the BSOD was, we may be able to get things back on track.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#12 zxon

zxon
  • Topic Starter

  • Members
  • 6 posts

Posted 12 July 2008 - 03:34 PM

Yes ComboFix made a log but Kaspersky didn't because the computer bluescreened as I was about to look at it.

It came to a point where I couldn't do anything other than sit there and look at the desktop. I don't think we could've done anything to save it, so I backed up my files, formatted the drive and reinstalled Vista.

Everything's ok now and after I did updates to Norton and Defender I did a thorough scan of all my drives and partitions. No sign of the viruses now.

Thanks for all the help. I didn't mean for it to all be in vain :thumbsup:
