
Vundo!grb and popups



#1 Sonophax

Sonophax

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 09 April 2009 - 11:59 PM

Recently, I started getting virus notifications on my computer about a Vundo!grb. Although my antivirus software said it had been either quarantined or deleted within the infected files, I'm still getting popups every time I navigate to a new website and things seem to be running slowly in my browser. I'm at a loss for what to do.

EDIT: A .tmp file, umiyatup, is consistently being deleted by my on-access scan, saying it's in association with the Vundo!grb trojan.

Here's the DDS file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Angel at 23:48:02.67 on Thu 04/09/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1917.803 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\STacSV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
C:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MUSHclient\MUSHclient.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Angel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YYVD0QNG\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [60d2f46e] rundll32.exe "c:\programdata\putayimu\putayimu.dll",b
uRun: [CPM63e1c7f2] Rundll32.exe "c:\programdata\mepolude\mepolude.dll",a
uRun: [rihozefewo] Rundll32.exe "c:\programdata\luvejalu\luvejalu.dll",s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\angel\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\angel\appdata\roaming\mozilla\firefox\profiles\pq8t55gk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-09 13:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-09 12:05 <DIR> --d----- c:\programdata\wakeniwi
2009-04-09 12:05 <DIR> --d----- c:\programdata\mepolude
2009-04-09 12:05 <DIR> --d----- c:\progra~2\wakeniwi
2009-04-09 12:05 <DIR> --d----- c:\progra~2\mepolude
2009-04-09 00:06 <DIR> --d----- c:\programdata\sorofumo
2009-04-09 00:06 <DIR> --d----- c:\programdata\sofubose
2009-04-09 00:06 <DIR> --d----- c:\programdata\luvejalu
2009-04-09 00:06 <DIR> --d----- c:\progra~2\sorofumo
2009-04-09 00:06 <DIR> --d----- c:\progra~2\sofubose
2009-04-09 00:06 <DIR> --d----- c:\progra~2\luvejalu
2009-04-09 00:05 <DIR> --d----- c:\programdata\vutevuza
2009-04-09 00:05 <DIR> --d----- c:\programdata\putayimu
2009-04-09 00:05 <DIR> --d----- c:\programdata\lukodiku
2009-04-09 00:05 <DIR> --d----- c:\programdata\fegovumi
2009-04-09 00:05 <DIR> --d----- c:\progra~2\vutevuza
2009-04-09 00:05 <DIR> --d----- c:\progra~2\putayimu
2009-04-09 00:05 <DIR> --d----- c:\progra~2\lukodiku
2009-04-09 00:05 <DIR> --d----- c:\progra~2\fegovumi
2009-04-09 00:05 <DIR> --d----- c:\programdata\yitanomi
2009-04-09 00:05 <DIR> --d----- c:\programdata\nelitaru
2009-04-09 00:05 <DIR> --d----- c:\progra~2\yitanomi
2009-04-09 00:05 <DIR> --d----- c:\progra~2\nelitaru
2009-04-01 21:24 <DIR> --d----- C:\Games
2009-04-01 21:22 <DIR> --d----- c:\program files\DOSBox-0.72
2009-03-29 04:32 <DIR> --d----- c:\users\angel\appdata\roaming\Malwarebytes
2009-03-29 04:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 04:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 04:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-29 04:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-29 04:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-29 04:17 <DIR> --d----- c:\program files\CCleaner
2009-03-29 03:55 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-29 03:55 <DIR> --d----- c:\programdata\Avira
2009-03-29 03:55 <DIR> --d----- c:\progra~2\Avira
2009-03-29 03:55 <DIR> --d----- c:\program files\Avira
2009-03-29 03:07 <DIR> --d----- c:\programdata\wufehina
2009-03-29 03:07 <DIR> --d----- c:\programdata\vofobuyi
2009-03-29 03:07 <DIR> --d----- c:\programdata\javufese
2009-03-29 03:07 <DIR> --d----- c:\progra~2\wufehina
2009-03-29 03:07 <DIR> --d----- c:\progra~2\vofobuyi
2009-03-29 03:07 <DIR> --d----- c:\progra~2\javufese
2009-03-29 03:02 <DIR> --d----- c:\programdata\zokefafo
2009-03-29 03:02 <DIR> --d----- c:\programdata\pejokehe
2009-03-29 03:02 <DIR> --d----- c:\programdata\nizowodu
2009-03-29 03:02 <DIR> --d----- c:\progra~2\zokefafo
2009-03-29 03:02 <DIR> --d----- c:\progra~2\pejokehe
2009-03-29 03:02 <DIR> --d----- c:\progra~2\nizowodu
2009-03-17 13:11 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 13:11 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 13:10 <DIR> --d----- c:\program files\iPod
2009-03-17 13:10 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 13:10 <DIR> --d----- c:\program files\iTunes
2009-03-17 13:10 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 13:07 <DIR> --d----- c:\program files\Bonjour
2009-03-11 10:51 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 10:51 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 10:51 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 10:51 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 10:51 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 10:51 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-04-08 13:59 31,400 a------- c:\users\angel\appdata\roaming\wklnhst.dat
2009-03-17 13:00 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 13:00 51,200 a------- c:\windows\inf\infpub.dat
2009-03-17 13:00 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-03 21:19 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-18 12:16 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-04 23:14 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-03 00:38 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-01-15 01:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-08 22:29 174 a--sh--- c:\program files\desktop.ini
2008-12-08 22:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-25 12:45 141,936 a------- c:\users\angel\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-07-21 12:30 56 a---h--- c:\programdata\ezsidmv.dat
2008-07-21 12:30 56 a---h--- c:\progra~2\ezsidmv.dat
2008-03-22 16:31 32 a------- c:\programdata\ezsid.dat
2008-03-22 16:31 32 a------- c:\progra~2\ezsid.dat
2008-02-29 13:37 262,144 a------- c:\progra~2\ntuser.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-30 11:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 23:52:00.49 ===============

Edited by Sonophax, 10 April 2009 - 12:23 AM.



#2 Sonophax

Sonophax
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 10 April 2009 - 05:26 PM

And I've apparently now contracted vundo.gen.ao as well, PLEASE HELP. They're getting into everything, it's kind of scaring me!

#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:43 AM

Posted 15 April 2009 - 06:09 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, post a fresh DDS log, please. Make sure word wrap is disabled first so the log appears in a more readable format.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#4 Sonophax

Sonophax
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 15 April 2009 - 08:23 PM

I hope this fixes the word wrap issue. I don't know if that virus is gone; I've been repeatedly running virus scans and quarantining/deleting what I find. It seems to have helped, but you can't ever be too sure...

DDS (Ver_09-03-16.01) - NTFSx86
Run by Angel at 20:17:19.43 on Wed 04/15/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1917.808 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
C:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
C:\Program Files\MUSHclient\MUSHclient.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Angel\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\angel\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\angel\appdata\roaming\mozilla\firefox\profiles\pq8t55gk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-14 17:31 <DIR> --d----- c:\program files\HTTP-Tunnel
2009-04-11 19:00 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-11 19:00 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-11 18:59 <DIR> --d----- c:\program files\iPod
2009-04-11 18:59 <DIR> --d----- c:\program files\iTunes
2009-04-10 00:20 <DIR> --d----- c:\program files\iPod(23)
2009-04-10 00:20 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 00:20 <DIR> --d----- c:\program files\iTunes(24)
2009-04-10 00:20 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 13:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-09 12:05 <DIR> --d----- c:\programdata\wakeniwi
2009-04-09 12:05 <DIR> --d----- c:\progra~2\wakeniwi
2009-04-09 00:06 <DIR> --d----- c:\programdata\luvejalu
2009-04-09 00:06 <DIR> --d----- c:\progra~2\luvejalu
2009-04-09 00:05 <DIR> --d----- c:\programdata\vutevuza
2009-04-09 00:05 <DIR> --d----- c:\progra~2\vutevuza
2009-04-09 00:05 <DIR> --d----- c:\programdata\yitanomi
2009-04-09 00:05 <DIR> --d----- c:\programdata\nelitaru
2009-04-09 00:05 <DIR> --d----- c:\progra~2\yitanomi
2009-04-09 00:05 <DIR> --d----- c:\progra~2\nelitaru
2009-04-01 21:24 <DIR> --d----- C:\Games
2009-04-01 21:22 <DIR> --d----- c:\program files\DOSBox-0.72
2009-03-29 04:32 <DIR> --d----- c:\users\angel\appdata\roaming\Malwarebytes
2009-03-29 04:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 04:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 04:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-29 04:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-29 04:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-29 04:17 <DIR> --d----- c:\program files\CCleaner
2009-03-29 03:55 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-29 03:55 <DIR> --d----- c:\programdata\Avira
2009-03-29 03:55 <DIR> --d----- c:\progra~2\Avira
2009-03-29 03:55 <DIR> --d----- c:\program files\Avira
2009-03-29 03:07 <DIR> --d----- c:\programdata\wufehina
2009-03-29 03:07 <DIR> --d----- c:\programdata\vofobuyi
2009-03-29 03:07 <DIR> --d----- c:\programdata\javufese
2009-03-29 03:07 <DIR> --d----- c:\progra~2\wufehina
2009-03-29 03:07 <DIR> --d----- c:\progra~2\vofobuyi
2009-03-29 03:07 <DIR> --d----- c:\progra~2\javufese
2009-03-29 03:02 <DIR> --d----- c:\programdata\zokefafo
2009-03-29 03:02 <DIR> --d----- c:\programdata\pejokehe
2009-03-29 03:02 <DIR> --d----- c:\programdata\nizowodu
2009-03-29 03:02 <DIR> --d----- c:\progra~2\zokefafo
2009-03-29 03:02 <DIR> --d----- c:\progra~2\pejokehe
2009-03-29 03:02 <DIR> --d----- c:\progra~2\nizowodu
2009-03-17 13:10 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 13:10 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 13:07 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-04-13 13:45 31,500 a------- c:\users\angel\appdata\roaming\wklnhst.dat
2009-03-17 13:00 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 13:00 51,200 a------- c:\windows\inf\infpub.dat
2009-03-17 13:00 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-16 22:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 22:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 22:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-03 21:19 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-02 23:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 23:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 23:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 23:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 23:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 23:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 23:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 23:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 23:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 23:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 22:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 21:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 21:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-18 12:16 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-02-13 03:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 03:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-08 22:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-04 23:14 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-03 00:38 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-08 22:29 174 a--sh--- c:\program files\desktop.ini
2008-12-08 22:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-25 12:45 141,936 a------- c:\users\angel\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-07-21 12:30 56 a---h--- c:\programdata\ezsidmv.dat
2008-07-21 12:30 56 a---h--- c:\progra~2\ezsidmv.dat
2008-03-22 16:31 32 a------- c:\programdata\ezsid.dat
2008-03-22 16:31 32 a------- c:\progra~2\ezsid.dat
2008-02-29 13:37 262,144 a------- c:\progra~2\ntuser.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-30 11:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:20:28.19 ===============

Edited by Sonophax, 15 April 2009 - 08:24 PM.
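The DDS "Created Last 30" and "Find3M" sections above are plain fixed-field text (date, time, size or `<DIR>`, an attribute string, path). When reviewing such a log it helps to parse those lines into records so they can be sorted, grouped by creation minute and filtered, rather than read by eye. The following is an added example written for this thread, not a tool from the original post or from the DDS author; the sample lines are copied from the log above, and the "eight lowercase letters directly under ProgramData" rule is an assumed triage heuristic that only marks entries worth a closer look, not a verdict that they are malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines in the format of the DDS "Created Last 30"
# section (paths copied from the log in the post above).
SAMPLE_LOG = """\
2009-04-11 19:00 107,368 a------- c:\\windows\\system32\\GEARAspi.dll
2009-04-11 18:59 <DIR> --d----- c:\\program files\\iTunes
2009-04-09 12:05 <DIR> --d----- c:\\programdata\\wakeniwi
2009-04-09 00:06 <DIR> --d----- c:\\programdata\\luvejalu
2009-03-29 03:07 <DIR> --d----- c:\\progra~2\\wufehina
2009-03-29 04:32 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
"""

# One DDS entry: YYYY-MM-DD HH:MM <size|<DIR>> <8-char attrs> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "a-------", "--d-----", "a--sh---"
    path: str             # lower-cased, as DDS prints it

    @property
    def name(self) -> str:
        """Leaf name of the path (last backslash-separated component)."""
        return self.path.rsplit("\\", 1)[-1]


def parse_created_section(text: str) -> List[Entry]:
    """Parse DDS 'Created Last 30' / 'Find3M' lines; non-matching lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_field = m.group("size")
        is_dir = size_field == "<DIR>"
        entries.append(Entry(
            date=m.group("date"),
            time=m.group("time"),
            is_dir=is_dir,
            size=None if is_dir else int(size_field.replace(",", "")),
            attrs=m.group("attrs"),
            path=m.group("path").lower(),
        ))
    return entries


# Assumed heuristic: pseudo-random 8-letter lowercase names created directly
# under the ProgramData root (DDS lists it both long-form and as progra~2).
DATA_ROOTS = ("c:\\programdata\\", "c:\\progra~2\\")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def flag_random_named_dirs(entries: List[Entry]) -> List[Entry]:
    """Return directories under a data root whose leaf name is eight lowercase letters."""
    return [
        e for e in entries
        if e.is_dir
        and e.path.startswith(DATA_ROOTS)
        and "\\" not in e.path[len(next(r for r in DATA_ROOTS if e.path.startswith(r))):]
        and RANDOM_NAME_RE.match(e.name)
    ]


def group_by_minute(entries: List[Entry]) -> Dict[Tuple[str, str], List[str]]:
    """Group leaf names by (date, time); batches created in the same minute stand out."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        groups.setdefault((e.date, e.time), []).append(e.name)
    return groups


if __name__ == "__main__":
    parsed = parse_created_section(SAMPLE_LOG)
    for key, names in sorted(group_by_minute(flag_random_named_dirs(parsed)).items()):
        print(key, names)
```

Feed it the whole log text rather than the sample and the grouping will show which entries appeared within the same minute; the flagged names still need to be confirmed by hand (or by the helper's requested tools) before anything is acted on.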


#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:43 AM

Posted 16 April 2009 - 12:16 PM

Hi

You seem to have multiple antivirus programs installed there. The recommendation is to have only one installed on the same system. Decide which one you want to keep. I don't see Norton installed there, but something related to it is still in the log.

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:43 AM

Posted 26 April 2009 - 12:23 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

