
Vundo Infection


  • This topic is locked
3 replies to this topic

#1 littiot

littiot

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 16 December 2008 - 03:59 PM

I was referred from the general "Am I Infected?" board, and am trying to remove Vundo. DDS logs:

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/186418/vundo-trojan/ ~ OB

DDS (Version 1.1.0) - NTFSx86
Run by Compaq_Owner at 15:54:52.70 on Tue 12/16/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.71 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {804F389A-11EB-450B-8347-1FC64BEF1FA2} - c:\windows\system32\opnLfFXq.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {c6256372-7d60-4702-924f-3d42ad12275f} - c:\windows\system32\gefuvura.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [f0395b8a] rundll32.exe "c:\windows\system32\yowokifo.dll",b
mRun: [wowobobugo] Rundll32.exe "c:\windows\system32\mohafilu.dll",s
mRun: [CPMf30a6816] Rundll32.exe "c:\windows\system32\giribemi.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\compaq_owner\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\compaq_owner\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll guiyxr.dll awyybf.dll,c:\windows\system32\jepazeje.dll c:\windows\system32\lahofipe.dll c:\windows\system32\giribemi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lahofipe.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\giribemi.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll,
LSA: Notification Packages = scecli c:\windows\system32\jepazeje.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\gq65jgoh.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-6 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-6 26824]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-5-13 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-5-13 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-6 76040]
S3 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\hitman pro\hitmanpro2.sys [2007-1-24 10336]
S3 mbr;mbr;\??\c:\docume~1\compaq~1\locals~1\temp\mbr.sys []
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2008-12-16 15:06 1,588,726 ---sh--- c:\windows\system32\ofikowoy.ini
2008-12-15 16:20 250 a------- c:\windows\gmer.ini
2008-12-15 16:08 120 ---sh--- c:\windows\system32\ugojogut.ini
2008-12-14 20:48 53,248 a------- c:\windows\system32\Process.exe
2008-12-14 15:51 --d----- c:\windows\ERUNT
2008-12-14 14:33 1,647,120 ---sh--- c:\windows\system32\yuidejtv.ini
2008-12-14 14:32 938,279 a--sh--- c:\windows\system32\qXFfLnpo.ini2
2008-12-14 14:32 938,279 a--sh--- c:\windows\system32\qXFfLnpo.ini
2008-12-14 14:30 --d----- C:\SDFix
2008-12-13 22:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 22:07 --d----- C:\VundoFix Backups
2008-12-13 17:13 --d----- C:\Lop SD
2008-12-13 16:43 --d----- c:\docume~1\compaq~1\applic~1\Twain
2008-12-13 16:38 898,104 a--sh--- c:\windows\system32\KjTsBJjl.ini2
2008-12-13 16:38 898,104 a--sh--- c:\windows\system32\KjTsBJjl.ini
2008-12-13 12:09 21,456 a------- c:\windows\system32\drivers\SilvrLnk.sys
2008-12-13 12:08 --d----- c:\program files\TI Education
2008-12-13 12:08 --d----- c:\program files\common files\TI Shared
2008-12-06 19:18 --d----- c:\docume~1\alluse~1\applic~1\TomTom
2008-12-06 19:17 --d----- c:\program files\TomTom HOME 2
2008-12-06 19:14 --d----- c:\program files\TomTom DesktopSuite

==================== Find3M ====================

2008-12-16 15:06 87,325 a--sh--- c:\windows\system32\yowokifo.dll
2008-12-16 15:06 93,782 a--sh--- c:\windows\system32\lahofipe.dll
2008-12-16 15:06 63,589 a--sh--- c:\windows\system32\wufewoga.dll
2008-12-15 16:08 66,160 a--sh--- c:\windows\system32\tadezuzu.dll
2008-12-15 16:08 96,995 a--sh--- c:\windows\system32\giribemi.dll
2008-12-15 16:08 90,311 a--sh--- c:\windows\system32\tugojogu.dll
2008-12-14 20:48 2,492 a------- c:\windows\system32\tmp.reg
2008-12-11 16:52 2,498 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 04:45 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-06-11 16:06 0 a--sh--- c:\docume~1\compaq~1\applic~1\00100000000.dat
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\gefuvura.dll
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\jepazeje.dll
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\mohafilu.dll

============= FINISH: 15:56:05.73 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2007 11:41:40 PM
System Uptime: 12/16/2008 3:03:32 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Sempron™ Processor 3200+ | Socket 939 | 1800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 87 GiB total, 56.384 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 1.42 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP450: 12/14/2008 1:52:49 AM - System Checkpoint
RP451: 12/14/2008 1:52:49 AM - System Checkpoint
RP452: 12/14/2008 1:52:49 AM - System Checkpoint
RP453: 12/14/2008 1:52:49 AM - System Checkpoint
RP454: 12/14/2008 1:52:49 AM - System Checkpoint
RP455: 12/14/2008 1:52:50 AM - System Checkpoint
RP456: 12/14/2008 1:52:50 AM - System Checkpoint
RP457: 12/14/2008 1:52:50 AM - System Checkpoint
RP458: 12/14/2008 1:52:50 AM - System Checkpoint
RP459: 12/14/2008 1:52:50 AM - System Checkpoint
RP460: 12/14/2008 1:52:51 AM - System Checkpoint
RP461: 12/14/2008 1:52:51 AM - System Checkpoint
RP462: 12/14/2008 1:52:51 AM - Avg8 Update
RP463: 12/14/2008 1:52:51 AM - System Checkpoint
RP464: 12/14/2008 1:52:52 AM - System Checkpoint
RP465: 12/14/2008 1:52:52 AM - System Checkpoint
RP466: 12/14/2008 1:52:52 AM - System Checkpoint
RP467: 12/14/2008 1:52:52 AM - System Checkpoint
RP468: 12/14/2008 1:52:52 AM - System Checkpoint
RP469: 12/14/2008 1:52:52 AM - System Checkpoint
RP470: 12/14/2008 1:52:53 AM - System Checkpoint
RP471: 12/14/2008 1:52:53 AM - System Checkpoint
RP472: 12/14/2008 1:52:53 AM - System Checkpoint
RP473: 12/14/2008 1:52:53 AM - System Checkpoint
RP474: 12/14/2008 1:52:53 AM - System Checkpoint
RP475: 12/14/2008 1:52:53 AM - Software Distribution Service 3.0
RP476: 12/14/2008 1:52:54 AM - System Checkpoint
RP477: 12/14/2008 1:52:54 AM - System Checkpoint
RP478: 12/14/2008 1:52:54 AM - System Checkpoint
RP479: 12/14/2008 1:52:55 AM - System Checkpoint
RP480: 12/14/2008 1:52:55 AM - System Checkpoint
RP481: 12/14/2008 1:52:55 AM - Avg8 Update
RP482: 12/14/2008 1:52:55 AM - System Checkpoint
RP483: 12/14/2008 1:52:55 AM - System Checkpoint
RP484: 12/14/2008 1:52:55 AM - Software Distribution Service 3.0
RP485: 12/14/2008 1:52:56 AM - System Checkpoint
RP486: 12/14/2008 1:52:56 AM - System Checkpoint
RP487: 12/14/2008 1:52:56 AM - System Checkpoint
RP488: 12/14/2008 1:52:56 AM - System Checkpoint
RP489: 12/14/2008 1:52:56 AM - System Checkpoint
RP490: 12/14/2008 1:52:56 AM - System Checkpoint
RP491: 12/14/2008 1:52:57 AM - System Checkpoint
RP492: 12/14/2008 1:52:57 AM - System Checkpoint
RP493: 12/14/2008 1:52:57 AM - System Checkpoint
RP494: 12/14/2008 1:52:57 AM - System Checkpoint
RP495: 12/14/2008 1:52:57 AM - Shockwave Player
RP496: 12/14/2008 1:52:57 AM - Shockwave Player
RP497: 12/14/2008 1:52:58 AM - System Checkpoint
RP498: 12/14/2008 1:52:58 AM - System Checkpoint
RP499: 12/14/2008 1:52:58 AM - System Checkpoint
RP500: 12/14/2008 1:52:58 AM - System Checkpoint
RP501: 12/14/2008 1:52:58 AM - System Checkpoint
RP502: 12/14/2008 1:52:58 AM - System Checkpoint
RP503: 12/14/2008 1:52:58 AM - Software Distribution Service 3.0
RP504: 12/14/2008 1:52:59 AM - System Checkpoint
RP505: 12/14/2008 1:52:59 AM - System Checkpoint
RP506: 12/14/2008 1:52:59 AM - Avg8 Update
RP507: 12/14/2008 1:52:59 AM - System Checkpoint
RP508: 12/14/2008 1:52:59 AM - System Checkpoint
RP509: 12/14/2008 1:52:59 AM - System Checkpoint
RP510: 12/14/2008 1:52:59 AM - System Checkpoint
RP511: 12/14/2008 1:53:00 AM - System Checkpoint
RP512: 12/14/2008 1:53:00 AM - System Checkpoint
RP513: 12/14/2008 1:53:00 AM - System Checkpoint
RP514: 12/14/2008 1:53:00 AM - System Checkpoint
RP515: 12/14/2008 1:53:00 AM - Avg8 Update
RP516: 12/14/2008 1:53:00 AM - System Checkpoint
RP517: 12/14/2008 1:53:01 AM - System Checkpoint
RP518: 12/14/2008 1:53:01 AM - System Checkpoint
RP519: 12/14/2008 1:53:01 AM - System Checkpoint
RP520: 12/14/2008 1:53:02 AM - System Checkpoint
RP521: 12/14/2008 1:53:02 AM - System Checkpoint
RP522: 12/14/2008 1:53:02 AM - System Checkpoint
RP523: 12/14/2008 1:53:02 AM - System Checkpoint
RP524: 12/14/2008 1:53:02 AM - System Checkpoint
RP525: 12/14/2008 1:53:02 AM - Software Distribution Service 3.0
RP526: 12/14/2008 1:53:02 AM - System Checkpoint
RP527: 12/14/2008 1:53:03 AM - System Checkpoint
RP528: 12/14/2008 1:53:03 AM - Avg8 Update
RP529: 12/14/2008 1:53:03 AM - Installed TI Connect 1.6
RP530: 12/14/2008 1:53:03 AM - Last known good configuration
RP531: 12/14/2008 1:53:04 AM - Software Distribution Service 3.0
RP532: 12/14/2008 1:53:17 AM - Last known good configuration
RP533: 12/15/2008 3:48:46 PM - System Checkpoint

==== Installed Programs ======================

Adobe Shockwave Player
ALZip
Free Music Zilla
Hotfix for Windows XP (KB952287)
Malwarebytes' Anti-Malware
Mozilla Firefox (2.0.0.16)
MSXML 4.0 SP2 (KB954430)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
TI Connect 1.6
TomTom HOME 2.5.1.36
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
VC_MergeModuleToMSI

==== Event Viewer Messages From Past Week ========

12/13/2008 10:46:38 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0013D4D4B49A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/13/2008 9:52:46 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
12/14/2008 12:16:46 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
12/14/2008 3:51:07 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/14/2008 3:51:07 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/14/2008 3:51:07 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/14/2008 3:51:07 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/14/2008 3:51:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 Fips iaStor IntelIde IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip ViaIde
12/14/2008 3:51:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/14/2008 3:51:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/15/2008 4:56:37 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

==== End Of File ===========================

Edited by Orange Blossom, 17 December 2008 - 12:24 AM.
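As an added triage example (not part of the original post and not DDS's own code), the script below cross-references two parts of the DDS log above: the load points in the "Pseudo HJT Report" (BHO, Run, AppInit_DLLs, SSODL, LSA) and the attribute column of the file listing. It reports any load-point DLL under system32 that is hidden+system, or that has a reversed-name .ini companion as opnLfFXq.dll / qXFfLnpo.ini do in this log; the function names and the constructed SAMPLE_LOG (lines copied from the first post) are this example's own.

```python
"""Triage of the DDS 'Pseudo HJT Report' and file-listing sections.
Added example, not part of the forum post and not DDS's own code. It
cross-references which system32 DLLs are wired into a load point (BHO, Run,
AppInit_DLLs, SSODL, LSA) with the attributes the listing reports for them:
a load-point DLL that is hidden+system (a--sh---) or has a reversed-name .ini
twin (the log's opnLfFXq.dll / qXFfLnpo.ini) is reported for the analyst.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_LOG = r"""BHO: {804F389A-11EB-450B-8347-1FC64BEF1FA2} - c:\windows\system32\opnLfFXq.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {c6256372-7d60-4702-924f-3d42ad12275f} - c:\windows\system32\gefuvura.dll
mRun: [f0395b8a] rundll32.exe "c:\windows\system32\yowokifo.dll",b
mRun: [wowobobugo] Rundll32.exe "c:\windows\system32\mohafilu.dll",s
AppInit_DLLs: avgrsstx.dll guiyxr.dll awyybf.dll,c:\windows\system32\jepazeje.dll c:\windows\system32\lahofipe.dll c:\windows\system32\giribemi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lahofipe.dll
LSA: Notification Packages = scecli c:\windows\system32\jepazeje.dll
2008-12-16 15:06 87,325 a--sh--- c:\windows\system32\yowokifo.dll
2008-12-16 15:06 93,782 a--sh--- c:\windows\system32\lahofipe.dll
2008-12-15 16:08 96,995 a--sh--- c:\windows\system32\giribemi.dll
2008-12-14 14:32 938,279 a--sh--- c:\windows\system32\qXFfLnpo.ini
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\gefuvura.dll
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\jepazeje.dll
2008-09-16 15:06 63,589 a--sh--- c:\windows\system32\mohafilu.dll
"""

# Load-point prefixes as DDS prints them (only the kinds present in this log).
LOADPOINT_RE = re.compile(r'^(BHO|[um]Run|AppInit_DLLs|SSODL|STS|LSA|Notify):')
# Full system32 paths only: bare names such as guiyxr.dll in AppInit_DLLs
# carry no directory in the DDS output, so they are left for manual review.
SYS32_DLL_RE = re.compile(r'c:\\windows\\system32\\([^\\\s",]+\.dll)', re.IGNORECASE)
# File-listing line: date time size attributes path
FILE_LINE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ ([adhrs-]{8}) (.+)$')


def load_point_refs(lines):
    """Map each system32 DLL name to the set of load-point kinds naming it."""
    refs = defaultdict(set)
    for line in lines:
        m = LOADPOINT_RE.match(line)
        if m:
            for dll in SYS32_DLL_RE.findall(line):
                refs[dll.lower()].add(m.group(1))
    return refs


def file_attributes(lines):
    """Map each listed file name (lower-cased) to its attribute string."""
    attrs = {}
    for line in lines:
        m = FILE_LINE_RE.match(line)
        if m:
            attrs[m.group(2).lower().rsplit("\\", 1)[-1]] = m.group(1).lower()
    return attrs


def is_hidden_system(attr):
    """DDS prints attributes as e.g. 'a--sh---'; both 's' and 'h' set is the pattern."""
    return "s" in attr and "h" in attr


def triage(text):
    """Return one finding per load-point DLL that shows either indicator."""
    lines = text.splitlines()
    refs, attrs = load_point_refs(lines), file_attributes(lines)
    findings = []
    for dll, kinds in sorted(refs.items()):
        reasons = []
        attr = attrs.get(dll)
        if attr is not None and is_hidden_system(attr):
            reasons.append("hidden+system attributes (%s)" % attr)
        twin = dll[:-4][::-1] + ".ini"  # reversed stem, as in opnLfFXq/qXFfLnpo
        if twin in attrs:
            reasons.append("reversed-name companion %s" % twin)
        if reasons:
            findings.append({"dll": dll, "load_points": sorted(kinds), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["dll"], "via", ", ".join(f["load_points"]), "->", "; ".join(f["reasons"]))
```

Run against a full DDS log, the same two checks flag the six random-named system32 DLLs of this post plus opnLfFXq.dll, while legitimate entries such as gdi32.dll and swg.dll stay out of the report.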


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:26 AM

Posted 25 December 2008 - 04:19 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the Show all checkbox during the scan.

In your next reply please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log
  • GMER scan log

Important Note: For other users who are reading this topic, the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed. Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:26 AM

Posted 02 January 2009 - 10:36 AM

Hi.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:26 AM

Posted 03 January 2009 - 01:41 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
