
bleep this, hijack log



#1 lodoss900


Posted 24 June 2005 - 01:50 PM

I thought I made spyware my bleep until this one. I have no idea, maybe this MDM.exe, or this vunann.exe, which I cannot locate anywhere on my computer.

I just have no idea


Logfile of HijackThis v1.99.1
Scan saved at 12:43:45 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vunann.exe
C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Justin\LOCALS~1\Temp\Rar$EX33.77695\HijackThis.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vunann.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#2 lodoss900


Posted 24 June 2005 - 02:08 PM

another one nrtc.exe..

anyways, I went into DOS, and tried to delete C:\windows\system32\vunann.exe
and it said access denied. This file does come up on searches or manual scan...

However, I was able to rename it to .old.. so we will see. This has been the worst one since the peperworm. Hopefully it works..

#3 lodoss900


Posted 24 June 2005 - 02:23 PM

did the same thing to nrtc.exe, renamed, NOT VISIBLE at all...
cleared it up, and now vunann.exe reg_run is back..

I swear, I will kill this thing... and without formatting...

if I dedicate myself to this, I will become more than a man, I become something else.. a legend.. or just have no popups..

#4 lodoss900


Posted 25 June 2005 - 10:57 AM

anybody?

#5 OldTimer

Malware Expert

Posted 25 June 2005 - 10:08 PM

Hello lodoss900 and welcome to the BC forums. Let's start out with a couple of other scans here.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

After you have rebooted start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Check the checkbox for List minor sections (full)
  • Check the checkbox for List empty sections (complete)
  • Click on the Generate StartupList Log button
  • Click the Yes button to create the list
Post the contents of C:\pfind.txt and the information from the StartupList back here and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#6 lodoss900


Posted 29 June 2005 - 01:27 PM

wow.. that did it. Found all those programs I couldn't see. Thank you..

#7 OldTimer

Malware Expert

Posted 29 June 2005 - 10:02 PM

Hi lodoss900. Ok, so let's have you post a new HijackThis log because there were some things in the original log that need checking and then we will see what is what.

Cheers.

OT
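
Added example, not part of the thread and not any poster's tooling: a small Python parser for the O4 (Run key) and O23 (service) lines of a HijackThis log like the one in post #1, listing autostart entries worth a closer look. The two heuristics (Run value name not matching the executable name, service reported with "Unknown owner") and all function names are assumptions chosen for illustration; they mark entries for review, not as confirmed malware.

```python
import ntpath
import re

# Constructed sample: four autostart lines copied from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vunann.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Pulls the executable path out of a command line that may carry arguments.
EXE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|com|bat|dll))', re.IGNORECASE)


def parse(log):
    """Return one dict per O4 (Run key) or O23 (service) line in the log."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = EXE_RE.search(m["cmd"])
            path = exe.group(1) if exe else m["cmd"]
            entries.append({"section": "O4", "name": m["name"], "path": path, "owner": None})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "name": m["name"],
                            "path": m["path"], "owner": m["owner"]})
    return entries


def review_reasons(entry):
    """Illustrative heuristics only: reasons to look closer, not verdicts."""
    reasons = []
    stem = ntpath.splitext(ntpath.basename(entry["path"]))[0].lower()
    if entry["section"] == "O4":
        label = entry["name"].lower().removesuffix(".exe")
        if stem not in label and label not in stem:
            reasons.append("Run value name does not match executable")
    if entry["owner"] == "Unknown owner":
        reasons.append("service owner reported as 'Unknown owner'")
    return reasons


def triage(log):
    # (section, entry name, file name, reasons) for every entry with a reason.
    return [(e["section"], e["name"], ntpath.basename(e["path"]), r)
            for e in parse(log) if (r := review_reasons(e))]
```
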



