Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware removal (vundo?)


  • This topic is locked This topic is locked
2 replies to this topic

#1 nfkn17

nfkn17

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 18 February 2009 - 12:20 PM

help ! this sucker wont go away... here's my DDS.txt log....



DDS (Ver_09-02-01.01) - NTFSx86
Run by Shano Warner at 10:17:29.48 on Wed 02/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.170 [GMT -7:00]

FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Shano Warner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shanow~1\applic~1\mozilla\firefox\profiles\u4o0cn0b.default\
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-3 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate1c974d6c3832a;Google Update Service (gupdate1c974d6c3832a);c:\program files\google\update\GoogleUpdate.exe [2009-1-12 133104]
S3 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2005-6-15 57344]

=============== Created Last 30 ================

2009-02-18 09:56 <DIR> a-dshr-- C:\cmdcons
2009-02-18 09:55 161,792 a------- c:\windows\SWREG.exe
2009-02-18 09:55 98,816 a------- c:\windows\sed.exe
2009-02-18 09:45 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-18 09:43 6,456 a---h--- c:\windows\system32\dumaruna
2009-02-18 08:03 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-10 08:02 <DIR> --d----- c:\program files\SimulationExams
2009-02-10 08:02 249,856 -------- c:\windows\Setup1.exe
2009-02-10 08:02 73,216 a------- c:\windows\ST6UNST.EXE
2009-02-10 08:01 <DIR> --d----- C:\aplus_test
2009-02-10 08:01 303 a------- c:\windows\ST6UNST.000
2009-02-02 16:03 0 a------- c:\windows\system32\winconfig.dll.tmp.tmp
2009-01-27 07:39 0 a------- c:\windows\system32\otnlyagc.tmp

==================== Find3M ====================

2009-01-04 10:07 1,737 a------- c:\windows\mozver.dat
2009-01-04 09:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-24 00:25 267,152 a------- C:\zaSetup_en.exe
2008-12-18 17:50 732,200 a------- C:\WindowsXP-KB943232-x86-ENU.exe
2008-12-18 17:03 741,744 a------- C:\WindowsXP-KB943232-v2-x86-ENU.exe
2008-12-14 12:49 685,056 a------- c:\windows\isRS-000.tmp
2008-12-10 14:40 221,040 a------- C:\du.exe
2008-04-23 09:18 79,616 a------- c:\docume~1\shanow~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:17:41.45 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:40 AM

Posted 28 February 2009 - 05:51 PM

Hello nfkn17,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:40 AM

Posted 08 March 2009 - 04:59 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users